Enumeration

Nmap

The initial Nmap scan revealed that the SSH and HTTP ports were open.

00 - nmap

Web Enumeration

The website was running htmLawed 1.2.5.

01 - website

Exploitation

CVE-2022-35914

/vendor/htmlawed/htmlawed/htmLawedTest.php in the htmlawed module for GLPI through 10.0.2 allows PHP code injection.

The website was vulnerable to RCE, but I could not run processing on the website. When I clicked the process button, it showed Not Found.

02 - not found

Then I found this blog, which explains the exploit in detail.

05 - exploit

I tried again with /vendor/htmlawed/htmlawed/htmLawedTest.php and different combinations, but still got NOT FOUND errors.

Later, I tried fuzzing and found index.php (which was the default page we had seen).

03 - index php

04 - index php

Then I tried sending the POST request to index.php instead of htmLawedTest.php, and it worked.

06 - works

Later, I tried a bash reverse shell, but it did not work. So I downloaded a netcat binary from the H74N/netcat-binaries repo and transferred it using wget. Then I gave it permissions with chmod 777 nc. Finally, I ran it and got a reverse shell.

08 - revshell

Then I simply read the local flag in the /var/www folder.

09 - local

Privilege Escalation

cronjob

Inside the /var/www folder there was a file named cleanup.sh, which was owned by us (www-data). We could read and write it; however, we could not run the operations in the file.

10 - sus

pspy64

I ran pspy64 and made sure that root was running a cron job to execute cleanup.sh.

11 - ez

So I updated the script and added an nc execution at the end.

12 - update

After a minute I got the root shell.

13 - gg
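The escalation above works only because root's cron job executes a script that www-data can modify. As an added example (not part of the original post), here is a POSIX shell audit that flags crontab entries running as root whose script is owned by a non-root user or is group/other writable. It assumes GNU coreutils stat (Linux); the cleanup.sh and crontab it builds are constructed sample data, not files from the box.

```shell
#!/bin/sh
# Audit /etc/crontab-style files for root entries that execute a script
# a non-root user could edit (the cleanup.sh condition from the writeup).
# Assumes GNU coreutils `stat -c`; the fixture below is constructed.

# script_writable_by_nonroot PATH
# Returns 0 (and prints why) when PATH is owned by a non-root uid or has
# group/other write bits, 1 when only root can change it, 2 if missing.
script_writable_by_nonroot() {
    path=$1
    [ -f "$path" ] || { echo "$path: not a regular file"; return 2; }
    owner=$(stat -c '%u' "$path")     # numeric uid of the owner
    mode=$(stat -c '%A' "$path")      # symbolic mode, e.g. -rw-rw-rw-
    if [ "$owner" -ne 0 ]; then
        echo "$path: owned by uid $owner, not root"; return 0
    fi
    case $mode in                     # char 6 = group w, char 9 = other w
        ?????w????|????????w?) echo "$path: $mode is group/other writable"; return 0 ;;
    esac
    return 1
}

# audit_crontab FILE
# Reads system-crontab lines (min hour dom mon dow user command ...) and,
# for each entry run as root, checks the command's first word. @reboot
# shortcuts and commands prefixed by an interpreter are not handled.
# Returns the number of risky entries found.
audit_crontab() {
    findings=0
    while IFS= read -r line; do
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac   # blank / comment / VAR=
        set -f; set -- $line; set +f    # split fields without glob-expanding '*'
        [ $# -ge 7 ] || continue
        [ "$6" = root ] || continue
        if script_writable_by_nonroot "$7"; then
            findings=$(( findings + 1 ))
        fi
    done < "$1"
    return "$findings"
}

# build_sample DIR: constructed fixture, a world-writable cleanup.sh and a
# crontab that runs it as root (plus two entries that must be ignored).
build_sample() {
    printf '#!/bin/sh\necho cleanup\n' > "$1/cleanup.sh"; chmod 666 "$1/cleanup.sh"
    printf 'SHELL=/bin/sh\n# sample\n* * * * * root %s/cleanup.sh\n* * * * * www-data %s/cleanup.sh\n0 3 * * * root %s/missing.sh\n' "$1" "$1" "$1" > "$1/crontab"
}

sample=$(mktemp -d); build_sample "$sample"
audit_crontab "$sample/crontab"; echo "risky root entries: $?"; rm -rf "$sample"
```

Point it at /etc/crontab or a file from /etc/cron.d to audit a real system; the exit status is the number of risky entries.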
