An easy/medium web exploitation machine, with internal pivoting and CVE / RCE
Let’s go.
Ports
We’ve got four open ports:
SSH on port 22
HTTP on port 80
RPCBind on port 111, and
MySQL/MariaDB on 3306
MySQL/3306
If we try to connect to the mysql instance, we get this:
So we can’t connect remotely from our IP; let’s move on.
HTTP/80
All we get at the webroot is the Apache default page for CentOS, which is the OS running on the box; it has a different default page from the one on Ubuntu/Debian, so that’s mildly interesting. We need to find a hidden directory; this will do it:
/structure is what we want. It contains an installation of FuelCMS, which has a pre-auth RCE vulnerability. The installation isn’t quite standard and it takes just a little digging to figure out where to get code execution:
where COMMAND_HERE is where the command goes, duh.
I try initially for a reverse shell but can’t seem to get one to fire; between this and hacksudo3 you would think I don’t know how to get one. I resort to enumerating with cat and ls, learning we have a user called anna. We can read the Fuel database config with this:
And that (above) is basically this with a slight modification; it’s a deliberately vulnerable Flask app to demonstrate Python deserialization vulnerabilities. The source code above gives the page we want (heaven) and the name of the parameter (awesome), plus the method (POST).
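An added example, not the app’s code from the box or the linked blog: the heaven handler reduced to the two lines that matter, a trusting pickle.loads beside a hardened loader built on the allowlisting Unpickler pattern from the Python docs. The parameter name awesome and the POST method come from the page; base64 encoding of the blob and the harmless Gadget class are my assumptions for the demo.

```python
import base64
import builtins
import io
import pickle

# Only plain data types may be reconstructed; any other global the blob
# names (os.system, subprocess.Popen, even builtins.len) is refused.
SAFE_BUILTINS = {"dict", "list", "set", "frozenset", "tuple",
                 "str", "bytes", "int", "float", "bool"}


class RestrictedUnpickler(pickle.Unpickler):
    """Unpickler that resolves globals only from a small allowlist."""

    def find_class(self, module, name):
        if module == "builtins" and name in SAFE_BUILTINS:
            return getattr(builtins, name)
        raise pickle.UnpicklingError(f"refusing to load {module}.{name}")


def heaven_vulnerable(awesome: str):
    """What the 'heaven' page effectively does with the POSTed 'awesome'
    value: decode it and hand it straight to pickle.loads (assumed base64)."""
    return pickle.loads(base64.b64decode(awesome))


def heaven_hardened(awesome: str):
    """Same input path, but every global is checked against the allowlist."""
    return RestrictedUnpickler(io.BytesIO(base64.b64decode(awesome))).load()


class Gadget:
    """Constructed, harmless stand-in for a hostile object: on unpickle it
    makes the loader call len("pwned"). The point is that whatever callable
    a __reduce__ names gets invoked during load, before any app code runs."""

    def __reduce__(self):
        return (len, ("pwned",))


def encode(obj) -> str:
    """Client side (constructed): base64 of a pickle, as the app expects."""
    return base64.b64encode(pickle.dumps(obj)).decode()


if __name__ == "__main__":
    benign, hostile = encode({"user": "anna"}), encode(Gadget())
    print(heaven_vulnerable(benign), heaven_hardened(benign))  # both load
    print(heaven_vulnerable(hostile))  # 5: the callable ran during load
    try:
        heaven_hardened(hostile)
    except pickle.UnpicklingError as err:
        print("blocked:", err)
```

Note that the benign dict never touches find_class at all, so the allowlist costs nothing for the data the app actually expects.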
Linpeas shows something running on port 5000, so that’s what we want. Set up an SSH port forward:
ssh -L 9000:127.0.0.1:5000 anna@192.168.1.202
And we can go to localhost:9000 in the browser to see the page; not that there is anything much to see.
We can use the exact code from the blog I linked above to generate a payload, just replacing the IP with ours; then we can run it:
Then we just need to POST it to localhost:9000/heaven using the parameter awesome. You could use curl; I used Burp Suite: