Exfiltrated

Nmap Scan

$ nmap -sC -sV -p 1-65535 -Pn -oN allports-nmap 192.168.160.163
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-05-29 15:21 +08
Nmap scan report for 192.168.160.163
Host is up (0.0087s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.46 seconds

Initial Access

Port 80

If we try to access using the IP address, it will return us this.

So the next step is to run this command to add this domain into our host files.

echo "192.168.160.163 exfiltrated.offsec" | sudo tee -a /etc/hosts

After refreshing, we are able to see the website.

If we scroll all the way down, we can see that the website is powered by Subrion CMS.

From the scan, we also know there is robots.txt on the website. So, we will look what is the content there.

After trying all the links below, only /panel/ will return something interesting.

We can also see the version that the Subrion CMS is running on.

The next thing we will try is trying to login as admin:admin and it works.

CVE-2018-19422

GitHub - hev0x/CVE-2018-19422-SubrionCMS-RCE: CVE-2018-19422 Authenticated Remote Code ExecutionGitHub

Since we have the credentials, we are able to use this exploit.

Privilege Escalation

Cronjob

After using linpeas.sh to look for potential privilege escalation spot, the cronjob have a job that is running as root for this file /opt/image-exif.sh

If we ls -al, we can see that we are able to read the file.

The content of image-exif.sh file is this:

#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 

echo -ne "\\n metadata directory cleaned! \\n\\n"


IMAGES='/var/www/html/subrion/uploads'

META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE 
done

echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

After searching online, there is a local privilege escalation method for this.

A case study on: CVE-2021-22204 - Exiftool RCEConviso AppSec

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-22204cve.mitre.org

FIrst we need to check if this version of exiftool is it vulnerable and sure enough it is

So we will follow the steps as shown on the website to create our malicious jpg file.

We will then upload to the uploads folder as stated in the bash script.

After 1 minute, the script is executed and we are able to get a root shell to access both the local.txt and proof.txt.