Walkthrough for PlanetExpress

Summary

In this walkthrough, we will exploit an exposed PHP-FPM FastCGI implementation to gain an initial foothold. We will then escalate privileges by exploiting a misconfiguration in a SUID binary to read the root password hash and subsequently crack it in order to obtain a root shell.

This walkthrough uses the following versions of tooling:

  • Kali 2022.2
  • nmap 7.92
  • John 1.9.0
  • ffuf v1.3.1

Enumeration

Let's start the enumeration process with a simple Nmap scan.

    ┌──(kali㉿kali)-[~]
    └─$ sudo nmap 192.168.120.158 -Pn       
    Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-09 23:37 EST
    Nmap scan report for 192.168.120.158
    Host is up (0.28s latency).
    Not shown: 997 filtered tcp ports (no-response)
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    9000/tcp open  cslistener

    Nmap done: 1 IP address (1 host up) scanned in 32.24 seconds

This scan shows two services on their default ports: SSH on port 22 and HTTP on port 80. We also see an unknown service on port 9000; "cslistener" is only the name Nmap's services table assigns to that port, not a fingerprint of what is actually listening. Here, we used the -Pn (No Ping) option to skip host discovery and treat the host as up, so a target that drops Nmap's ping probes is still scanned. Without further options, Nmap probes only its default set of the most common TCP ports.
Now, let's try to enumerate the HTTP service which is running on port 80 to grab some useful information for exploitation.

HTTP Enumeration

From the Nmap scan result, we can see that the HTTP service is running on port 80. First, let's check whether we can open the web application by using a web browser and typing http://192.168.120.158:80.


Unfortunately, we don't see anything of interest on the website. We will now brute force the directories of the target.

We can use a web application fuzzer like ffuf to brute force the directories. Here, we are using the -c (colorize the output), -w (use a wordlist from the local machine), and -u (provide the target's URL) flags for our scan. The wordlist file contains a large list of commonly used directory names. The scanner requests each of these names and reports those for which the target responds with a matching status code.

The default keyword for fuzzing is FUZZ, which is placed in the target URL where the words should be substituted (here, at the end). ffuf replaces FUZZ with each word from the wordlist during the brute force attack.

┌──(kali㉿kali)-[~]
└─$ ffuf -c -w /usr/share/seclists/Discovery/Web-Content/quickhits.txt -u http://192.168.120.158/FUZZ -t 500                       

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : http://192.168.120.158/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/quickhits.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 500
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

/.htaccess_extra        [Status: 403, Size: 280, Words: 20, Lines: 10]
/.gitignore             [Status: 200, Size: 111, Words: 7, Lines: 16]
/.htaccess_sc           [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccessBAK           [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess_orig         [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.txt          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess              [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess-dev          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.BAK          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess-local        [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess-marco        [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.bak          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.old          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.sample       [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.save         [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.bak1         [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess.orig         [Status: 403, Size: 280, Words: 20, Lines: 10]
/.hta                   [Status: 403, Size: 280, Words: 20, Lines: 10]
/.ht_wsr.txt            [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccess~             [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htgroup               [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htpasswd-old          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccessOLD           [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htpasswd_test         [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htpasswds             [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htusers               [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htaccessOLD2          [Status: 403, Size: 280, Words: 20, Lines: 10]
/.htpasswd              [Status: 403, Size: 280, Words: 20, Lines: 10]
/config/                [Status: 403, Size: 280, Words: 20, Lines: 10]
/server-status/         [Status: 403, Size: 280, Words: 20, Lines: 10]
:: Progress: [2482/2482] :: Job [1/1] :: 1038 req/sec :: Duration: [0:00:06] :: Errors: 0 ::

After observing the brute force scan results, only the /config directory looks interesting. Note that every 403 result has identical size, word and line counts, i.e. they are all the same generic forbidden page rather than distinct content. Now we will attempt to brute force the subdirectories that respond with a "200" status code. Here, we keep the -t flag to specify the number of concurrent threads and add -mc to display only results that match a "200" HTTP status code.