$ nmap -p- --min-rate 3000 192.168.175.163
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 18:24 +08
Nmap scan report for 192.168.175.163
Host is up (0.17s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
I also did a detailed nmap scan with default scripts, version detection and OS detection on the two open ports:
$ sudo nmap -p 22,80 -sC -sV -O -T4 192.168.175.163
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-01 18:27 +08
Nmap scan report for 192.168.175.163
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c1994b952225ed0f8520d363b448bbcf (RSA)
| 256 0f448badad95b8226af036ac19d00ef3 (ECDSA)
|_ 256 32e12a6ccc7ce63e23f4808d33ce9b3a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
So there's a /panel directory present, and we can enumerate that first:
Default Creds -> Subrion RCE
The /panel directory shows us a basic login page:
We can log in with admin:admin. The software is Subrion CMS v4.2.1, which has a few public exploits:
I ran linpeas.sh on the machine to enumerate for me, and it picked up on cron jobs running as the root user:
Here's the content of the file:
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\n metadata directory cleaned! \n\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\n Processing EXIF metadata now... \n\n"
ls $IMAGES | grep "jpg" | while read filename; do
    exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\n\n Processing is finished! \n\n\n"
The script runs exiftool on every .jpg in the uploads directory and appends the metadata to a randomly named log file under /opt/metadata. We can find the version of exiftool being used by running it on any file:
www-data@exfiltrated:/opt$ exiftool image-exif.sh
ExifTool Version Number : 11.88
File Name : image-exif.sh
Directory : .
File Size : 437 bytes
File Modification Date/Time : 2021:06:10 12:06:15+00:00
File Access Date/Time : 2023:07:01 10:24:06+00:00
File Inode Change Date/Time : 2021:08:27 12:33:35+00:00
File Permissions : rwxr-xr-x
File Type : bash script
File Type Extension : sh
MIME Type : text/x-bash
This version of ExifTool is vulnerable to a known RCE: the payload is embedded in the image's metadata, and when exiftool parses the crafted image the embedded code runs with exiftool's privileges. Because the cron job runs as root and we (as www-data) can write to the /var/www/html/subrion/uploads directory, all we need is to create a malicious .jpg and place it there.
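From the defender's side, the root cause is a root-owned cron job feeding files from a www-data-writable directory into a parser with a known bug. As an added example (not the box's script, and not the author's code), here is a hardened rewrite of image-exif.sh; it assumes a hypothetical unprivileged account exifuser, that /opt/metadata is root-owned and not writable by www-data, and that ExifTool itself is upgraded, since no wrapper can fix a parser bug on its own.

```bash
#!/bin/bash
# Hardened rewrite of /opt/image-exif.sh (added example, not the box's script).
# Assumptions: a low-privilege account named in RUN_AS exists on the host, and
# /opt/metadata is owned by root and not writable by www-data. The parser is
# the untrusted part: never let it run as root over a user-writable directory.
set -eu

IMAGES="${IMAGES:-/var/www/html/subrion/uploads}"
META="${META:-/opt/metadata}"
RUN_AS="${RUN_AS:-exifuser}"        # hypothetical unprivileged account
EXIFTOOL="${EXIFTOOL:-exiftool}"    # overridable so the logic is testable

# Only files starting with the JPEG SOI marker (FF D8 FF) are passed on; a
# renamed file of another type is rejected before any parser touches it.
is_jpeg() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# When invoked from root's crontab, drop to RUN_AS for the actual parsing,
# so a bug in exiftool yields that account's privileges, not root's.
run_exiftool() {
    if [ "$(id -u)" -eq 0 ] && [ -n "$RUN_AS" ]; then
        runuser -u "$RUN_AS" -- "$EXIFTOOL" "$1"
    else
        "$EXIFTOOL" "$1"
    fi
}

# Iterate with a glob instead of `ls | grep` (no word splitting on odd names),
# log to a file created atomically with mktemp, and return the count processed.
process_images() {
    local count logfile f
    count=0
    logfile=$(mktemp "$META/exif.XXXXXX")
    for f in "$IMAGES"/*.jpg "$IMAGES"/*.JPG; do
        [ -f "$f" ] || continue                 # unmatched glob or not a file
        if is_jpeg "$f"; then
            run_exiftool "$f" >> "$logfile" || echo "exiftool failed: $f" >&2
            count=$((count + 1))
        else
            echo "skipping non-JPEG upload: $f" >&2
        fi
    done
    echo "$count"
}
```

Installed from root's crontab with RUN_AS set, the parsing step runs as exifuser while the log directory stays root-owned.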
Here's a repository that can be used:
We just need to edit exploit.py to set the relevant IP address and port. Afterwards, we can grab any sample image and run the exploit to embed the payload in it:
$ python3 exploit.py
1 image files updated
Afterwards, transfer it to the /var/www/html/subrion/uploads directory and wait a bit. Once the cron job runs, we get a reverse shell as root: