Enumeration

Nmap

The initial nmap scan revealed that SSH, HTTP and port 8089 were open. It also showed that a FlatPress 1.2.1 application was running on port 8089.

00 - nmap

Web Enumeration

I visited the FlatPress page and found a login page.

01 - flatpress

After some research I found out that the default credentials for FlatPress 1.2.1 were admin:password, so I tried them and they worked.

02 - admin:password default

Exploitation

CVE-2022-40048

Flatpress v1.2.1 was discovered to contain a remote code execution (RCE) vulnerability in the Upload File function.

There was an upload function on the administrator dashboard. It checks the file's magic bytes but it does not check the extension, so I could simply take pentestmonkey/php-reverse-shell, add the GIF magic bytes (GIF89a;) at the beginning and update the IP address to my tun0 IP address.
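To show why a magic-bytes-only check is not enough, here is an added example (not FlatPress code) that puts that weak check next to a stricter one: the content must identify an image, every dotted suffix of the name is inspected, the final extension must agree with the sniffed type, and the file is stored under a server-chosen name. The magic-byte table, the extension sets and the two sample uploads are constructed for the example.

```python
"""Why a magic-bytes-only upload check is bypassable, and a stricter check.

Added illustration, not FlatPress's own code. The allowlist, the extension
sets and the two sample uploads are constructed for this example.
"""
import os
import secrets

# Leading bytes an image upload handler might accept (constructed mapping).
MAGIC = {
    b"GIF87a": "gif",
    b"GIF89a": "gif",
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xff\xd8\xff": "jpg",
}

# Extensions a typical web server hands to the PHP interpreter instead of
# serving as static files; none of them may reach a web-served directory.
EXEC_EXTENSIONS = {"php", "phtml", "php3", "php4", "php5", "phar", "phps"}
IMAGE_EXTENSIONS = {"gif", "png", "jpg", "jpeg"}

# Constructed samples: a minimal GIF-like body and a GIF-prefixed PHP file.
REAL_GIF = b"GIF89a" + b"\x01\x00\x01\x00\x80\x00\x00" + b"\x00" * 16
DISGUISED = b"GIF89a;<?php echo 'not an image'; ?>"


def sniff_type(data: bytes):
    """Return the image type implied by the leading magic bytes, or None."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def weak_check(filename: str, data: bytes) -> bool:
    """Magic-bytes-only validation, the kind of check the writeup bypasses.

    Only the first bytes are inspected and the extension is ignored, so a
    PHP file prefixed with 'GIF89a;' is accepted under any name."""
    return sniff_type(data) is not None


def strict_check(filename: str, data: bytes) -> bool:
    """Content and name must agree before the file is accepted.

    1. The magic bytes must identify a supported image type.
    2. Every dotted suffix of the name is inspected, so 'x.php.gif' and
       'x.gif.php' both fail; the final extension must match the content.
    3. The body must not carry a PHP open tag, which no image needs.
    """
    kind = sniff_type(data)
    if kind is None:
        return False
    suffixes = os.path.basename(filename).lower().split(".")[1:]
    if not suffixes or any(s in EXEC_EXTENSIONS for s in suffixes):
        return False
    ext = "jpg" if suffixes[-1] == "jpeg" else suffixes[-1]
    if ext not in IMAGE_EXTENSIONS or ext != kind:
        return False
    if b"<?php" in data or b"<?=" in data:
        return False
    return True


def storage_name(data: bytes) -> str:
    """Server-chosen file name: random stem plus the content-derived extension.

    Used after strict_check() passes, so the uploader's own name never
    reaches the filesystem or the URL under which the file is served."""
    return f"{secrets.token_hex(16)}.{sniff_type(data)}"


if __name__ == "__main__":
    for name, body in (("pic.gif", REAL_GIF), ("shell.php", DISGUISED)):
        print(f"{name}: weak={weak_check(name, body)} strict={strict_check(name, body)}")
```

The disguised file passes `weak_check` under any name and fails `strict_check` under every name, while the GIF-like body passes only when its extension says gif. Serving the upload directory with script execution disabled is the other half of the fix; the name check alone should never be the last line of defence.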

10 - php revshell

Then I simply uploaded the file.

11 - uploading

12 - uploaded

Then I visited the fp-content/attachs directory, which contains the uploaded files.

13 - fp-content

Then I simply clicked the file and got a reverse shell.

06 - sudo l

Privilege Escalation

sudo apt-get

As can be seen in the netcat image above, the user had sudo NOPASSWD privileges over the apt-get binary. So I simply checked gtfobins/apt-get/ and applied the necessary step.

apt-get update -o APT::Update::Pre-Invoke::=/bin/sh

And I simply got root.
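For the defender side of this step, here is an added example (not from the writeup or the target) that parses sudoers-style rules and flags passwordless entries for binaries that can run arbitrary commands as root, which is exactly the class the apt-get rule falls into. The sudoers text is a constructed sample, and the list of shell-capable binaries is a small constructed subset of what GTFOBins documents.

```python
"""Audit sudoers rules for passwordless access to shell-capable binaries.

Added example, not from the writeup or the target. The sudoers text and the
list of shell-capable binaries are constructed for illustration; the latter
is a small subset of what GTFOBins documents.
"""
import os
import re

# Constructed sudoers fragment; the www-data line mirrors the misconfiguration
# exploited in the writeup, the others are there to show non-findings.
SUDOERS_SAMPLE = """
# /etc/sudoers (constructed sample)
Defaults        env_reset
root            ALL=(ALL:ALL) ALL
%admin          ALL=(ALL) ALL
www-data        ALL=(ALL) NOPASSWD: /usr/bin/apt-get
backup          ALL=(ALL) NOPASSWD: /usr/bin/systemctl restart nginx
deploy          ALL=(root) NOPASSWD: /usr/bin/rsync, PASSWD: /usr/bin/vim
"""

# Binaries that can be made to run an arbitrary command once they run as
# root (constructed subset of the GTFOBins "sudo" category).
SHELL_CAPABLE = {"apt-get", "apt", "vim", "vi", "less", "more", "find",
                 "awk", "env", "python3", "perl", "rsync", "bash", "sh"}

RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<hosts>\S+?)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<cmds>.+)$"
)
TAG_RE = re.compile(r"^([A-Z]+):\s*")


def parse_sudoers(text: str):
    """Return one dict per (user, command) pair from sudoers-style lines.

    Tags such as NOPASSWD: apply to the command they precede and to the
    following commands in the same rule until another tag replaces them."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if not m:
            continue
        nopasswd = False
        for item in m.group("cmds").split(","):
            item = item.strip()
            while (tag := TAG_RE.match(item)):
                if tag.group(1) == "NOPASSWD":
                    nopasswd = True
                elif tag.group(1) == "PASSWD":
                    nopasswd = False
                item = item[tag.end():]
            rules.append({"who": m.group("who"), "runas": m.group("runas") or "root",
                          "cmd": item, "nopasswd": nopasswd})
    return rules


def audit(rules):
    """Flag passwordless rules that hand out a root shell in practice."""
    findings = []
    for r in rules:
        if not r["nopasswd"]:
            continue
        if r["cmd"] == "ALL":
            findings.append((r["who"], "ALL", "passwordless sudo for any command"))
            continue
        binary = os.path.basename(r["cmd"].split()[0])
        if binary in SHELL_CAPABLE:
            findings.append((r["who"], binary,
                             "passwordless sudo on a binary that can execute arbitrary commands"))
    return findings


if __name__ == "__main__":
    for who, what, why in audit(parse_sudoers(SUDOERS_SAMPLE)):
        print(f"{who}: {what}: {why}")
```

On the sample this reports www-data/apt-get and deploy/rsync; the systemctl rule is not flagged because its full argument list is pinned, and vim is not flagged because it still requires a password. A flagged rule should be removed or rewritten to a specific, non-interactive command with its arguments spelled out, since sudoers only restricts arguments when the rule lists them exactly.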

07 - root
