PG - Plum

In this walkthrough, we will be going through the Plum room from Proving Grounds. This room is rated as Intermediate on the platform and consists of exploiting PluXml via CVE-2022-25018 to get an initial foothold. For privilege escalation, the root password stored in SMTP-related files has to be found to get root on the target. So, let’s get started without any delay.

Plum

Machine Info:

Title: plum
IP address: 192.168.169.28
Difficulty: Intermediate
OS: Linux
Description: Plum is an Intermediate-level Linux machine that is vulnerable to CVE-2022-25018, which has to be exploited in order to get the initial foothold. The attacker then has to escalate privileges by looking for stored passwords in SMTP-related files.

Enumeration:

  • I started off with a regular nmap aggressive scan and found only two ports open – 22 (SSH) and 80 (HTTP).

$ sudo nmap -A 192.168.169.28
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-06 20:11 IST

Nmap scan report for 192.168.169.28
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT   STATE    SERVICE VERSION
22/tcp open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2021-41617	4.4	https://vulners.com/prion/PRION:CVE-2021-41617
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp filtered domain
80/tcp open     http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: PluXml - Blog or CMS, XML powered !
| vulners: 
|   cpe:/a:apache:http_server:2.4.56: 
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	OSV:BIT-APACHE-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|     	OSV:BIT-APACHE-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|     	OSV:BIT-APACHE-2023-31122	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2023-43622	5.0	https://vulners.com/cve/CVE-2023-43622
|     	CVE-2023-31122	5.0	https://vulners.com/cve/CVE-2023-31122
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|_    	CVE-2023-45802	2.6	https://vulners.com/cve/CVE-2023-45802
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/6%OT=22%CT=1%CU=40757%PV=Y%DS=4%DC=T%G=Y%TM=65C24532
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=101%GCD=1%ISR=10C%TI=Z%II=I%TS=1)SEQ(SP=10
OS:1%GCD=4%ISR=10C%TI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11
OS:NW7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE8
OS:8%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)
OS:T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%
OS:T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164
OS:%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=83EA%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 993/tcp)
HOP RTT       ADDRESS
1   215.99 ms 192.168.45.1
2   215.96 ms 192.168.45.254
3   216.04 ms 192.168.251.1
4   216.15 ms 192.168.169.28

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.81 seconds

nmap scan

  • Enumerated the web server on port 80 and found that it is running the PluXml CMS.

PluXml CMS

  • Ran a gobuster directory scan against the web root, which turned up the standard PluXml directories (/themes, /plugins, /data, /core, /update and /readme) and a forbidden /server-status.

$ gobuster dir -u http://192.168.169.28/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.169.28/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/02/06 20:18:11 Starting gobuster in directory enumeration mode
===============================================================
/themes               (Status: 301) [Size: 317] [--> http://192.168.169.28/themes/]
/plugins              (Status: 301) [Size: 318] [--> http://192.168.169.28/plugins/]
/data                 (Status: 301) [Size: 315] [--> http://192.168.169.28/data/]   
/core                 (Status: 301) [Size: 315] [--> http://192.168.169.28/core/]   
/update               (Status: 301) [Size: 317] [--> http://192.168.169.28/update/] 
/readme               (Status: 301) [Size: 317] [--> http://192.168.169.28/readme/] 
/server-status        (Status: 403) [Size: 279]                                     
                                                                                    
===============================================================
2024/02/06 20:25:12 Finished
===============================================================

gobuster scan

  • In the footer of the homepage, I can see a hyperlink named Administration. Clicking on it redirects me to an admin login panel.

Footer

Admin login panel

  • I tried a common username and password combo and got into the backend. Found out that the running CMS version is 5.8.7.

Article list

Initial Access:

CVE-2022-25018

  • Looked for any known exploits for the version in question and found that it is vulnerable to CVE-2022-25018, an arbitrary code execution vulnerability exploited by inserting malicious PHP code into static pages.

CVE-2022-25018

  • Now that we know what the vulnerability is, we can create a static page and add a PHP reverse shell payload to the page source code, which, when executed, grants us a shell back at our netcat listener.
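A defender-side check for the static-page injection described above, as an added example (not code from the original post or from PluXml): it scans the directory where PluXml stores static pages for PHP code, which is what lets CVE-2022-25018 run attacker-supplied code. The data/statiques/ path and the sample page contents are assumptions and constructed inputs, not anything taken from the target.

```python
"""Scan PluXml static pages for injected PHP (added example, not from the post).
PluXml stores each static page as a .php file under data/statiques/ (path assumed
from a default install), so PHP typed into the page editor runs on the server,
which is what CVE-2022-25018 abuses. Point it at that directory on a live host."""
import os
import re
import tempfile

PHP_OPEN_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)
# Functions that reach the OS or evaluate code; plain HTML pages never call them.
DANGEROUS_CALLS = re.compile(
    r"\b(system|exec|shell_exec|passthru|popen|proc_open|eval|"
    r"base64_decode|gzinflate|fsockopen)\s*\(",
    re.IGNORECASE,
)

def scan_static_page(content: str) -> list[str]:
    """[] when clean, else 'php-open-tag' plus one 'call:<name>' per hit."""
    if not PHP_OPEN_TAG.search(content):
        return []
    calls = sorted({m.group(1).lower() for m in DANGEROUS_CALLS.finditer(content)})
    return ["php-open-tag"] + [f"call:{c}" for c in calls]

def scan_static_dir(directory: str) -> dict[str, list[str]]:
    """Map each flagged .php file in a statiques directory to its findings."""
    results = {}
    for name in sorted(os.listdir(directory)):
        if not name.endswith(".php"):
            continue
        with open(os.path.join(directory, name), encoding="utf-8", errors="replace") as fh:
            findings = scan_static_page(fh.read())
        if findings:
            results[name] = findings
    return results

# Constructed sample pages, not content taken from the target.
CLEAN_PAGE = "<h1>Welcome</h1><p>Plain HTML only.</p>"
INJECTED_PAGE = "<h1>About</h1>\n<?php system(base64_decode('aWQ=')); ?>"

def demo() -> dict[str, list[str]]:
    """Write both samples into a temporary statiques directory and scan it."""
    with tempfile.TemporaryDirectory() as d:
        for name, body in (("001.welcome.php", CLEAN_PAGE), ("002.about.php", INJECTED_PAGE)):
            with open(os.path.join(d, name), "w", encoding="utf-8") as fh:
                fh.write(body)
        return scan_static_dir(d)

if __name__ == "__main__":
    for page, hits in demo().items():
        print(f"{page}: {', '.join(hits)}")
```

Any page that is flagged should be compared against what the editor was legitimately used for; a static page written as HTML has no business containing a PHP open tag at all.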

Edit static pages

Edit source code

got initial access

  • Captured the local flag from /var/www directory.

local flag

Privilege Escalation:

  • Executed LinPEAS on the target to reveal potential privilege escalation vectors and found that an SMTP server is running on the target's localhost.

Active ports

  • Tried to log in to it to enumerate it further but found nothing useful.

which nc

  • Now that we know there is an SMTP server running on the target, I wandered around the filesystem and found the /var/mail directory. In there, I peeked into a file named www-data and, surprisingly, found the root password stored in it.

root password

  • Switched to user root with the found password and captured the root flag to mark the machine as complete.
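A spool audit for the lesson of this privilege escalation, as an added example (not from the original post): it parses a local mbox such as /var/mail/www-data with Python's standard library and flags messages whose body carries something that looks like a credential. The mbox content below is constructed and the password value is a placeholder.

```python
"""Audit a mail spool for plain-text credentials (added example, not from the post).
The root step above worked because a password sat in /var/mail/www-data. This parses
an mbox with the standard library and flags messages whose body looks like it carries
a credential. The sample spool is constructed here; its password is a placeholder."""
import mailbox
import os
import re
import tempfile

# Matches "password: x", "passwd=x", "the root password is x" and similar.
CREDENTIAL_PATTERN = re.compile(
    r"\b(?:pass(?:word|wd|phrase)?|pwd|credentials?)\b\s*(?:is|are|[:=])\s*\S+",
    re.IGNORECASE,
)
SAMPLE_MBOX = """\
From root@plum Tue Feb  6 20:00:00 2024
From: root@plum
Subject: Mail relay configured

Local SMTP relay is up; nothing else to do.

From root@plum Tue Feb  6 20:05:00 2024
From: root@plum
Subject: Account details

Use this to manage the box.
password: PLACEHOLDER_ROOT_PW
"""

def audit_mbox(path: str) -> list[dict]:
    """Return one record per message whose body matches the credential pattern."""
    hits, box = [], mailbox.mbox(path)
    try:
        for msg in box:
            raw = msg.get_payload(decode=True)  # None for multipart messages
            text = raw.decode("utf-8", errors="replace") if raw else ""
            lines = [m.group(0) for m in CREDENTIAL_PATTERN.finditer(text)]
            if lines:
                hits.append({"from": msg["From"], "subject": msg["Subject"], "lines": lines})
    finally:
        box.close()
    return hits

def demo() -> list[dict]:
    """Write the constructed spool as a www-data mailbox in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "www-data")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_MBOX)
        return audit_mbox(path)
```

Run `audit_mbox` over every file under /var/mail and /var/spool/mail during a hardening pass; a hit means the credential should be rotated and the message removed, not just the spool permissions tightened.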

proof flag

Conclusion:

So that was “Plum” for you. We started off with a regular nmap scan and found two ports open – 22 (SSH) and 80 (HTTP). Enumerated the web server on port 80 and found PluXml CMS running. Found the Administration login panel link in the footer of the page and used default creds to get into the backend. In there, found out that it is running version 5.8.7. Looked online for any known exploit and found that it is vulnerable to CVE-2022-25018. Used the same to get an initial foothold on the target. For privilege escalation, the root password stored in SMTP-related files was exposed, which got us root on the target. On that note, I will take your leave and meet you in the next one. Till then, “Happy hacking”.
