Enumeration

Nmap

The initial Nmap scan revealed that SSH, HTTP, 8082 and 9999 were open.

[Image: 00 - nmap]

WEB Enumeration

Port 80 had nothing special; when I visited it, it just showed Forbidden. However, port 8082 had FuguHub running.

[Image: 01 - website fuguhub]

It redirected me to a page to set an admin account for the website.

[Image: 02 - website admin set]

Then I logged in as admin.

[Image: 03 - admin login]

After visiting the About page, I found that FuguHub 8.4 was running.

[Image: 04 - 0 version]

Exploitation (Directly Root)

CVE-2024-27697

The About page is an editable page that executes LSP (Lua Server Pages) code. LSP is a PHP/ASP-like scripting language that simplifies the design of remote real-time monitoring and controller applications for embedded systems. The page's content can be changed through the Administrator panel. The vulnerability allows inserting a reverse shell written in Lua into the About page, which is viewable to both logged-in and logged-out users.
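As an added example that is not part of this writeup, here is a small integrity check a defender could run against the stored About page content: it fingerprints the page against a known-good baseline and flags any LSP block that reaches for OS or network APIs. It assumes LSP code sits between `<?lsp ... ?>` delimiters; the sample page strings and the list of risky calls are constructed for the example.

```python
import hashlib
import re

# Assumption: LSP embeds server-side Lua between <?lsp ... ?> delimiters.
LSP_BLOCK = re.compile(r"<\?lsp\b(.*?)\?>", re.DOTALL | re.IGNORECASE)

# Constructed watch-list: Lua calls that let page code reach the OS or the
# network. An editable page that can call these is effectively remote code
# execution for whoever can edit it.
RISKY_CALLS = ("os.execute", "io.popen", "socket", "load(", "dofile")


def find_lsp_code(page: str) -> list:
    """Return one finding per LSP block, rated 'high' if it uses a risky call."""
    findings = []
    for match in LSP_BLOCK.finditer(page):
        body = match.group(1)
        hits = [call for call in RISKY_CALLS if call in body]
        findings.append({
            "offset": match.start(),
            "severity": "high" if hits else "info",
            "calls": hits,
        })
    return findings


def fingerprint(page: str) -> str:
    """SHA-256 of the stored page body, captured once on a clean install."""
    return hashlib.sha256(page.encode("utf-8")).hexdigest()


def check_page(page: str, baseline: str = "") -> dict:
    """Compare the current page against a baseline fingerprint and scan it."""
    findings = find_lsp_code(page)
    current = fingerprint(page)
    return {
        "modified": bool(baseline) and current != baseline,
        "lsp_blocks": len(findings),
        "high": [f for f in findings if f["severity"] == "high"],
        "fingerprint": current,
    }


# Constructed samples; not taken from a real FuguHub install.
BASELINE_PAGE = '<h1>About</h1><p>FuguHub</p><?lsp response:write("v8.4") ?>'
TAMPERED_PAGE = BASELINE_PAGE + (
    "<?lsp local p = io.popen('id'); response:write(p:read('*a')) ?>"
)

if __name__ == "__main__":
    print(check_page(TAMPERED_PAGE, fingerprint(BASELINE_PAGE)))
```

Run it against the page body as stored on disk or as served to an anonymous visitor; a `modified` result or any `high` finding after the baseline was taken is a strong signal that the admin panel was used to plant code.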

The customizable page can be seen below.

[Image: 06 - customizable page]

I found an exploit that both explains and automates that vulnerability.

[Image: 05 - exploit]

At first I tried to exploit it manually, as explained below.

[Image: 06 - 0 exploit]

I edited the customizable page and added a reverse LSP shell.

[Image: 07 - update lsp script]

Visiting the About page then got me a reverse shell.

[Image: 08 - revshell]

I could also run exploit.py directly and get a reverse shell.

[Image: 09 - exploit py]

Then I read the root flag.

[Image: 10 - root]
