Exfiltrated

Writeup for Exfiltrated from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.142.163 all

Service Enumeration

HTTP (Port 80)

Our initial information gathering shows a robots.txt file listing 7 disallowed directories. Navigating to /panel/, we find an admin login page, and the page identifies the application as Subrion CMS v4.2.1.

Exploit

We can log in using admin:admin to access the dashboard.

Subrion CMS 4.2.1 is vulnerable to authenticated remote code execution: /panel/uploads allows an authenticated user to execute arbitrary PHP code by uploading a .pht or .phar file, because the .htaccess protecting the upload directory does not block these extensions.
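The root cause above is an extension denylist that misses some of the names the PHP handler will still execute. The following added example (my own code, not from Subrion or the original writeup) parses the FilesMatch deny rules of a constructed .htaccess and reports which PHP-executable extensions would still be served from an upload directory. The sample .htaccess bodies and the extension list are constructed for illustration; only `<FilesMatch>` blocks with a deny directive and `php_flag engine off` are recognised.

```python
import re

# Extensions commonly mapped to the PHP handler by distribution Apache configs
# (constructed list; extend it to match the handler config of the host you audit).
PHP_EXTENSIONS = ["php", "php3", "php4", "php5", "php7", "phtml", "pht", "phar", "phps"]

# Constructed .htaccess for an uploads directory that only blocks the obvious names.
WEAK_HTACCESS = """
<FilesMatch "\\.(php|php3|php4|php5|phtml)$">
    Deny from all
</FilesMatch>
"""

# Constructed hardened variant: one pattern covering every PHP-handled extension.
STRONG_HTACCESS = """
<FilesMatch "\\.(php\\d?|phtml|pht|phar|phps)$">
    Require all denied
</FilesMatch>
"""

# Constructed belt-and-braces variant: the PHP engine is switched off for the directory.
ENGINE_OFF_HTACCESS = "php_flag engine off\n"

FILESMATCH_RE = re.compile(r'<FilesMatch\s+"([^"]+)"\s*>(.*?)</FilesMatch>', re.S | re.I)
DENY_RE = re.compile(r"(Deny\s+from\s+all|Require\s+all\s+denied)", re.I)
ENGINE_OFF_RE = re.compile(r"php_flag\s+engine\s+off", re.I)


def blocked_patterns(htaccess_text):
    """Return compiled regexes from FilesMatch blocks whose body denies access.

    Limitation (assumption of this example): <Files> blocks, mod_rewrite rules and
    RemoveHandler directives are not interpreted.
    """
    patterns = []
    for pattern, body in FILESMATCH_RE.findall(htaccess_text):
        if DENY_RE.search(body):
            patterns.append(re.compile(pattern, re.I))
    return patterns


def unblocked_extensions(htaccess_text, extensions=PHP_EXTENSIONS):
    """Return the extensions for which a file named upload.<ext> would not be denied."""
    if ENGINE_OFF_RE.search(htaccess_text):
        return []  # nothing in this directory is executed as PHP at all
    patterns = blocked_patterns(htaccess_text)
    gaps = []
    for ext in extensions:
        candidate = f"upload.{ext}"
        if not any(p.search(candidate) for p in patterns):
            gaps.append(ext)
    return gaps


if __name__ == "__main__":
    for label, text in [("weak", WEAK_HTACCESS), ("strong", STRONG_HTACCESS),
                        ("engine-off", ENGINE_OFF_HTACCESS)]:
        print(f"{label:10s} unblocked: {unblocked_extensions(text)}")
```

Run against the weak sample, the checker reports `php7`, `pht`, `phar` and `phps` as still executable, which is exactly the gap the Subrion finding relies on; the hardened pattern and the engine-off directive both report no gaps. In a real deployment the engine-off directive (or a web server config that never maps the upload directory to the PHP handler) is the more robust fix than maintaining a denylist of names.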

Privesc

Running LinEnum on the target, we see something interesting.

Notice that there is an unusual script referenced in the crontab: /opt/image-exif.sh

This script runs exiftool. Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up allows arbitrary code execution when a malicious image is parsed.

Once we have exploit.jpg on our attack machine, we can transfer it to the target using Python's SimpleHTTPServer and wget.

Checking /bin/bash, we see that it has the SUID bit set, which lets us run it and get root.
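A setuid copy of /bin/bash is the kind of persistence that a periodic audit should catch. The following added example (my own code, not from the original writeup) separates a filesystem walker from the pure classification logic so the latter can be checked against constructed (path, mode) entries; the baseline set of expected setuid binaries is a constructed, illustrative list that should be replaced with the one captured from a known-good build of the host.

```python
import os
import stat

# Constructed baseline of binaries that legitimately carry the setuid bit on a
# typical Debian-style host. Generate your own from a golden image rather than
# trusting this list as-is.
EXPECTED_SUID = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/chsh",
    "/usr/bin/chfn", "/usr/bin/newgrp", "/usr/bin/gpasswd", "/usr/bin/mount",
    "/usr/bin/umount",
}


def classify(entries, expected=EXPECTED_SUID):
    """Split (path, st_mode) entries into expected setuid, unexpected setuid and setgid files.

    Only regular files are considered; directories with the setgid bit are a normal
    collaboration setup and are not reported.
    """
    report = {"expected_suid": [], "unexpected_suid": [], "sgid": []}
    for path, mode in entries:
        if not stat.S_ISREG(mode):
            continue
        if mode & stat.S_ISUID:
            bucket = "expected_suid" if path in expected else "unexpected_suid"
            report[bucket].append(path)
        if mode & stat.S_ISGID:
            report["sgid"].append(path)
    for key in report:
        report[key].sort()
    return report


def scan_tree(root):
    """Yield (path, st_mode) for every regular file under root without following symlinks."""
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # unreadable or vanished between listing and stat
            if stat.S_ISREG(st.st_mode):
                yield path, st.st_mode


# Constructed sample entries standing in for a scan of a compromised host:
# /bin/bash with mode 4755 is the finding from this box.
SAMPLE_ENTRIES = [
    ("/bin/bash", 0o104755),
    ("/usr/bin/passwd", 0o104755),
    ("/usr/bin/ls", 0o100755),
    ("/usr/bin/wall", 0o102755),
    ("/var/mail", 0o042775),
]


if __name__ == "__main__":
    result = classify(SAMPLE_ENTRIES)
    for key, paths in result.items():
        print(f"{key}: {paths}")
    # Real run: classify(scan_tree("/usr")) as a privileged user on the host.
```

Anything that lands in `unexpected_suid` deserves immediate attention; on this box the entry would be /bin/bash, and comparing the current scan with the previous one (rather than only against the baseline) also flags newly added setuid files that happen to share a name with an expected one.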
