Enumeration

Nmap

The initial nmap scan revealed that SSH and HTTP were open. It also showed that a .git directory is accessible on the website.

00 - nmap

Web Enumeration

The website redirected to bitforge.lab, so I added it to the /etc/hosts file.

01 - web

Later, I found a subdomain referenced on the website: plan.bitforge.lab.

02 - subdomain

It was a Simple Online Planning 1.52.01 (SOPlanning 1.52.01) site.

03 - simple online planning 1 52 01

Exploitation

git-dumper

I could not find any default credentials. However, as shown in the nmap output, the .git directory was exposed.

04 - config

So I used the git-dumper tool to dump it.

05 - git dumper

Then I checked the commit history with git log.

06 - removed db

Then I ran git show <commit_id> on that commit and obtained the DB password.

07 - login creds
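The credential came from a commit that had "removed" the database config: deleting a secret in a later commit leaves it in history, so a dumped .git is as good as the live config. The scanner below is an added example for this write-up (not code from the post or from git-dumper). It parses `git log -p` output and flags added or removed lines that look like credential assignments; the patch text and commit id embedded in it are constructed, and the regex is a heuristic you should tune to your stack.

```python
"""Scan git history for credential-looking lines, including ones deleted in a
later commit. Added example for this write-up (not code from the post or from
git-dumper); the sample patch text below is constructed."""
import re
import subprocess
from dataclasses import dataclass

# Heuristic for config-style assignments: $dbpassword = "...", DB_PASS=...,
# 'password' => '...', secret: ... . Tune the key list to the stack in use.
SECRET_RE = re.compile(
    r"""(?i)\b(db_?pass(?:word)?|password|passwd|pwd|secret|api_?key|token)\b"""
    r"""['"]?\s*(?:=>|=|:)\s*['"]?([^'";\s]{4,})"""
)


@dataclass
class Finding:
    commit: str   # abbreviated commit id
    path: str     # file the hunk belongs to
    change: str   # "+" line added, "-" line removed
    key: str
    value: str


def scan_patch_text(text: str) -> list[Finding]:
    """Parse `git log -p` output and flag added/removed lines with secrets."""
    findings: list[Finding] = []
    commit = path = "?"
    for raw in text.splitlines():
        if raw.startswith("commit "):
            commit = raw.split()[1][:12]
        elif raw.startswith("diff --git "):
            path = raw.split(" b/", 1)[1]
        elif raw.startswith(("+++ ", "--- ")):
            continue                      # file headers, not content
        elif raw[:1] in ("+", "-"):
            m = SECRET_RE.search(raw[1:])
            if m:
                findings.append(Finding(commit, path, raw[0], m.group(1), m.group(2)))
    return findings


def scan_repo(repo_dir: str) -> list[Finding]:
    """Run the scan over a dumped or cloned repository (all branches)."""
    log = subprocess.run(
        ["git", "-C", repo_dir, "log", "-p", "--all"],
        capture_output=True, text=True, check=True,
    ).stdout
    return scan_patch_text(log)


# Constructed sample: a commit that "removes" the DB config (fake commit id).
SAMPLE_PATCH = """\
commit 3f2a1c0deadbeef0000000000000000000000000
Author: dev <dev@example.test>

    removed db config

diff --git a/config.php b/config.php
--- a/config.php
+++ b/config.php
@@ -1,4 +1,2 @@
 <?php
-$dbuser = "planning";
-$dbpassword = "S3cretP@ss!";
 $dbhost = "localhost";
"""


def scan_sample() -> list[Finding]:
    return scan_patch_text(SAMPLE_PATCH)


if __name__ == "__main__":
    for f in scan_sample():
        print(f"{f.commit} {f.path} [{f.change}] {f.key} = {f.value}")
```

Run `scan_repo(".")` inside a checkout before pushing, or in CI; a removed line (`-`) hit means the secret must be rotated, not just deleted, because history rewriting does not help anyone who already cloned. Blocking `/.git/` at the web server (or deploying from an export rather than a clone) is the other half of the fix.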

MYSQL

Then I logged in to MySQL, adding the --skip-ssl flag to avoid TLS errors.

08 - mysql

I read the admin password hash.

09 - admin hash

However, it was not crackable; I tried and it did not work. Later, I opened https://github.dev/Worteks/soplanning to check the default admin credentials, and I found them.

10 - default admin

Then I tried updating the password in the DB, and it worked.

11 - updated

I was able to log in.

12 - logged in

CVE-2024-27115

An authenticated Remote Code Execution (RCE) vulnerability is found in the SO Planning online planning tool. With this vulnerability, an attacker can upload executable files that are moved to a publicly accessible folder before verifying any requirements. This leads to the possibility of execution of code on the underlying system when the file is triggered. The vulnerability has been remediated in version 1.52.02.

So there was a CVE for Simple Online Planning 1.52.01 (SOPlanning 1.52.01). I found a public exploit (https://www.exploit-db.com/exploits/52082) and executed it.

13 - shell

Later, to get a better shell, I transferred the pentest-monkey reverse shell.

14 - transfer new shell

Then I obtained an upgraded shell.

15 - updated shell

PSPY64

Then I transferred the pspy64 and linpeas.sh files.

16 - transfered files

Executing pspy64 revealed jack’s password.

17 - pspy64
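pspy finds passwords the same way any unprivileged user can: `/proc/<pid>/cmdline` is world-readable by default, so a secret passed as a command-line argument is visible to everyone on the box. The check below is an added example (not code from the post or from pspy) that an administrator can run on their own hosts; it parses cmdline records, flags the argument shapes that usually carry a password, and can scan the live `/proc`. The sample records, usernames and password values are constructed.

```python
"""Check process command lines for secrets, the leak pspy picked up in this
write-up. Added example, not code from the post or from pspy; the sample
records below are constructed."""
import os
import re
from pathlib import Path

# Shapes that commonly carry a secret in argv.
ASSIGN_RE = re.compile(r"^\w*(?:pass|passwd|password|secret|token)\w*=(?P<v>.+)$", re.I)
LONG_OPT_RE = re.compile(r"^--(?:password|passwd|pass)=(?P<v>.+)$", re.I)
# Tools whose attached -pVALUE is a password (for tar, -p means something else).
P_FLAG_TOOLS = {"mysql", "mysqldump", "mysqladmin", "sshpass"}


def parse_cmdline(raw: bytes) -> list[str]:
    """/proc/<pid>/cmdline is NUL-separated with a trailing NUL."""
    return [a.decode(errors="replace") for a in raw.split(b"\x00") if a]


def find_leaks(argv: list[str]) -> list[str]:
    """Return the secret values visible in argv (empty list if none)."""
    if not argv:
        return []
    tool = os.path.basename(argv[0])
    leaks: list[str] = []
    for i, arg in enumerate(argv[1:], start=1):
        m = ASSIGN_RE.match(arg) or LONG_OPT_RE.match(arg)
        if m:
            leaks.append(m.group("v"))
        elif tool in P_FLAG_TOOLS and arg.startswith("-p") and len(arg) > 2:
            leaks.append(arg[2:])
        elif tool == "sshpass" and arg == "-p" and i + 1 < len(argv):
            leaks.append(argv[i + 1])
    return leaks


def scan_records(records: dict[int, bytes]) -> dict[int, list[str]]:
    """Scan {pid: raw cmdline} and keep only processes that leak."""
    out: dict[int, list[str]] = {}
    for pid, raw in records.items():
        leaks = find_leaks(parse_cmdline(raw))
        if leaks:
            out[pid] = leaks
    return out


def scan_proc() -> dict[int, list[str]]:
    """Live scan of /proc on this host (the same view pspy gets)."""
    records: dict[int, bytes] = {}
    for p in Path("/proc").iterdir():
        if p.name.isdigit():
            try:
                records[int(p.name)] = (p / "cmdline").read_bytes()
            except OSError:
                pass                      # process exited or hidepid in effect
    return scan_records(records)


def argv_bytes(*args: str) -> bytes:
    """Build a cmdline record the way the kernel exposes it (NUL after each arg)."""
    return b"".join(a.encode() + b"\x00" for a in args)


# Constructed sample records (not real processes from the box).
SAMPLE = {
    101: argv_bytes("/usr/bin/mysql", "-u", "jack", "-pJackPass1", "planning"),
    102: argv_bytes("/usr/bin/sshpass", "-p", "hunter22", "ssh", "jack@localhost"),
    103: argv_bytes("/bin/sleep", "60"),
    104: argv_bytes("/usr/bin/tar", "-pxvf", "backup.tar"),
}

if __name__ == "__main__":
    for pid, leaks in scan_records(SAMPLE).items():
        print(pid, leaks)
```

The fix is on the job that leaks, not on pspy: read the secret from a root-owned file with mode 0600 (a MySQL option file, or `sshpass -f`), let `mysql -p` prompt, or pass it through the environment. Mounting `/proc` with `hidepid=2` additionally stops unprivileged users from listing other users' process entries at all, which is why `scan_proc()` tolerates `OSError`.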

So I switched to jack and obtained the user flag.

18 - jack local

Privilege Escalation

sudo -l (NOPASSWD flask run)

First I switched to an SSH shell. Then I executed sudo -l and found I could run flask_password_changer with sudo.

It was a .sh script that first changed directory to /opt/password_change_app and then ran flask run.

flask run loads app.py from the current directory, and we had write access to app.py.

19 - nopasswd

So I updated app.py to execute chmod +s /bin/bash and simply obtained root.

20 - root
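The root cause here is not the sudo rule itself but the working directory it runs in: `flask run` imports app.py (or wsgi.py) from the current directory, and Flask's CLI also reads .env and .flaskenv from there when python-dotenv is installed, so any user-writable file in that directory is executed as root. The audit below is an added example (not code from the post) that walks a sudo target's application directory and reports everything a non-root user could change; the directory tree it builds is constructed in a temp dir and mimics the /opt/password_change_app layout from the write-up.

```python
"""Audit the directory a sudo-permitted `flask run` wrapper executes from.
Added example, not code from the post; the demo tree is built in a
temporary directory and is constructed."""
import os
import shutil
import stat
import tempfile
from pathlib import Path

# Files Flask's CLI picks up implicitly from the working directory.
IMPLICIT_INPUTS = {"app.py", "wsgi.py", ".env", ".flaskenv"}


def audit_app_dir(app_dir: Path, unprivileged_uids: tuple[int, ...] = ()) -> list[str]:
    """Report every entry under app_dir that a non-root user could change:
    group/world-writable mode, or owned by one of the listed unprivileged uids."""
    problems: list[str] = []
    for node in [app_dir, *sorted(app_dir.rglob("*"))]:
        st = node.lstat()
        writable = bool(st.st_mode & (stat.S_IWGRP | stat.S_IWOTH))
        owned_by_user = st.st_uid in unprivileged_uids
        if writable or owned_by_user:
            tag = "flask implicit input" if node.name in IMPLICIT_INPUTS else "file"
            rel = node.relative_to(app_dir)
            problems.append(f"{rel}: {tag}, mode {stat.filemode(st.st_mode)}, uid {st.st_uid}")
    return problems


def build_demo(fixed: bool) -> Path:
    """Constructed look-alike of /opt/password_change_app. fixed=False leaves
    app.py world-writable as in the write-up; fixed=True is the hardened tree."""
    d = Path(tempfile.mkdtemp(prefix="password_change_app_"))
    (d / "app.py").write_text("from flask import Flask\napp = Flask(__name__)\n")
    (d / "templates").mkdir()
    os.chmod(d, 0o755)
    os.chmod(d / "templates", 0o755)
    os.chmod(d / "app.py", 0o644 if fixed else 0o666)
    return d


def demo(fixed: bool) -> list[str]:
    """Build the demo tree, audit it, and clean up."""
    d = build_demo(fixed)
    try:
        return audit_app_dir(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("vulnerable:", demo(False))
    print("hardened:  ", demo(True))
```

On a real host, pass the uid of the account named in the sudoers entry (here jack) as `unprivileged_uids` so that files that user merely owns are caught too, and point the same audit at the wrapper script and its parent directories. The hardened state is root-owned, 0755 directories and 0644 files all the way down, with the sudoers rule naming an absolute path to a script nobody else can edit.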
