Walkthrough of a Linux machine exploitation attacking a CMS Remote File Inclusion vulnerability topping up with tar wildcard privilege escalation.
Deploying and compromising the vulnerable machine
As usual we start with an Nmap scan.
We have a couple of ports to start with, 22, 80, 110, 139, 143, 445. Let us start with the SMB first as the scan reveals that the message signing is disabled which is always a good sign from an attacker perspective.
SMB enumeration
A quick look into the Enum4Linux and a TCP port 139 SMB specific Nmap scan results shows that anonymous access is also allowed.
So, let’s try that out real quick downloading the interesting text file by Mr. Miles which asks the users to change their passwords.
Let’s dig a bit deeper and check the log files in the logs directory as well hoping to see something related to the password change. There are some potential password variations in the logs.
HTTP enumeration
First of all we need to analyse the file structure of the site. Numerous tools are available for this but we choose Gobuster for now. There are a couple of interesting folders to look into, for example “squirrelmail”
Let’s navigate to the URL and we can see that there is a login page of the mail service.
Let us try a dictionary attack with Hydra on the milesdyson account with the earlier obtained wordlist.
What is Miles password for his emails?
It not only works, but we also manage to find his SMB password.
Login into his SMB account we manage to find his notes in which amongst many important ones an interesting one.
Back to SMB
What is the hidden directory?
Let’s check whether it exists..
Cuppa CMS RFI exploit
We shall do some further fuzzing to check whether something else hidden is under that directory.
Let’s check the admin page found.
Having not much to go on now but to find potential vulnerabilities we check searchsploit.
The description of the exploit says that the /etc/passwd file can be accessed with the [http://TARGET/TARGET/TARGET/alerts/alertConfigField.php?urlConfig=../../../../../../../../../etc/passwd ] payload template on websites built with Cuppa CMS.
And it works..
So, this is the LFI vulnerability on the site, but how would we tweak it to RFI. The answer is not too difficult, all we need to do is to map the vulnerable [/alerts/alertConfigField.php] part to a crafted reverse-shell payload instead of the local [etc/passwd] file. First let’s search for a PHP reverse shell payload on Kali then copy that to our working directory.
Then change the IP-address to yours and if needed the port number as well.
Then let’s spin up our HTTP server from the working directory and also a Netcat listener on the same port which we have in the reverse-shell payload. Let’s also change the target path of the PHP code injection from local to remote pointing to our attacker machine.
Upon inserting and running the tainted link in the browsers address bar first our PHP reverse-shell file gets uploaded to the victim computer and it gets injected into the Cuppa CMS PHP code resulting a reverse shell on our Netcat listener.
Privilege Escalation
Let’s spawn an interactive shell with the python pty import script. After this we should elevate our privileges. This could be achieved by exploiting a cron backup rutin against the tar command-line tool being run as root with the aim of compressing the entire [/var/www/html] folder and saving it to miles’ home directory. We might use a wildcard injection against this tool by forcing it to change 2 checkpoint options and malforming the execution to our needs. First let’s create a bash script to add our current “www-data” user to sudoers then let’s create two checkpoint files which will serve as arguments for the tar utility. A more elaborate explanation can be found on the GTFOBins site. After waiting a couple of minutes and entering “sudo su” we should get an elevated root shell back.
What is the user flag?
What is the root flag?
Thanks for reading and as always, any feedback is most welcome.