Knowledge Check
TARGET IP: 10.129.42.249
Start by checking out the IP on a browser
Looks like the URL runs off of GetSimple CMS.
It looks like it is the default page for the program.
A quick google search shows default credentials.
newuser:password
siteadmin:password213
None of these worked.
However, I did find a possible workaround if I can get access to the system:
Edit file: data/users/youuser.xml
Change field: <PWD>YOUR_ENCRYPTED_PW</PWD>
to <PWD>011c945f30ce2cbafc452f39840f025693339c42</PWD>
Save
New password should be 1111
Checked the source code for anything that sticks out. Didn't find anything to note.
Checked the /robots.txt directory and discovered another link to a /admin page.
Checked out the /admin page and found a login page for the gettingstarted app.
I tried admin:password as the username:password. It did not work. I got an error message:
Error: Login failed. Please double check your Username and Password
Run nmap on IP and see what ports are open. Start with basic nmap scan and refine:
nmap --open -Pn [TARGET_IP]
I'm using the -Pn option because it looks like it is blocking my pings. This took a while.
Nothing popped up, so I ran the basic nmap again and it seemed to work this time.
nmap --open [TARGET_IP]
Port 22 and 80 were both open which makes sense for a webserver. I went ahead and ran a basic nmap scan on all ports to see if anything else was open:
nmap --open -p- [TARGET_IP]
Nothing popped up because nmap reported that the host was blocking my ping probes. Might want to retry if I hit a roadblock somewhere else.
I went ahead and ran a more detailed scan on ports 22 and 80:
nmap -sV -sC -p 22,80 [TARGET_IP]
Output:
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It looks like the server is Linux.
SSH Version: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
The host keys are listed above.
Port 80 is running Apache Version: Apache httpd 2.4.41 ((Ubuntu))
Ran gobuster on TARGET_IP and came up with some more extensions:
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
Can't get access.
I checked the cookies on the request:
GS_ADMIN_USERNAME:admin
4bc774744b09f4bb3746b641176918d9f52ef9b9:"93faf1706c6b62a18553fe3cdf4e4c1015c73760"
I tried MD5 and base64, UTF-8, and ISO-8859-1 (found it in the header). No go...
Need to look at other methods to decrypt and then use Burpsuite to change cookie and try to get access
/admin (Status: 301) [Size: 314] [--> http://10.129.42.249/admin/]
Sign in page
/backups (Status: 301) [Size: 316] [--> http://10.129.42.249/backups/]
Empty
But I can create a zip file of a backup of the system. I might be able to dig through the zip file and find something in here that would help.
/home/user/Desktop/_var_www_html_backups_zip_2023-02-01-0300_41_archive.zip
/.htaccess (Status: 403) [Size: 278]
Can't get access
/data (Status: 301) [Size: 313] [--> http://10.129.42.249/data/]
Look into this extension for possibly changing the password above.
Checked out users/admin
and found out one of the usernames is admin
Looks like the password is encrypted but I will look into decrypting it. Doesn't look hashed.
d033e22ae348aeb5660fc2140aec35850c4da997
I used Crackstation to look it up.
Holy cow! It's an MD5 hash that translates to... wait for it...
admin
I now have access to the admin account with admin:admin credentials.
Email is admin@gettingstarted.com
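Both the password-reset procedure above (replace the <PWD> digest so the password becomes 1111) and the Crackstation lookup of d033e22ae348aeb5660fc2140aec35850c4da997 rest on the same fact: GetSimple keeps each user's password as a hex digest in data/users/<name>.xml. Both digests on the page are 40 hex characters, which is SHA-1 length (an MD5 digest is 32). The following is an added example, not code from the page or from the GetSimple project: an offline audit script an administrator could run over their own user files to catch installs still using a default or trivial password. The XML sample, the weak-password list and the function names are constructed for the example; the digest length heuristic generalizes to MD5 and SHA-256 so the same check works on other simple-digest stores.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample of a GetSimple-style user file (data/users/<name>.xml).
# Only the fields needed for the audit are included; the <PWD> value is the
# digest the page found in data/users/admin.xml.
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<item>
  <USR>admin</USR>
  <PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
  <EMAIL>admin@gettingstarted.com</EMAIL>
</item>
"""

# Constructed list of passwords an install should never still be using:
# the two default credential pairs and the 1111 reset value from the page.
WEAK_PASSWORDS = ["admin", "password", "password213", "1111"]


def digest_kind(hexdigest):
    """Guess the digest algorithm from its hex length: MD5 = 32, SHA-1 = 40, SHA-256 = 64."""
    return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(hexdigest), "unknown")


def audit_user_xml(xml_text, weak_passwords=WEAK_PASSWORDS):
    """Return (username, algorithm, matched_weak_password_or_None) for one user file.

    The stored digest is recomputed for each weak candidate with the algorithm
    implied by its length; a match means the account uses a known-weak password.
    """
    root = ET.fromstring(xml_text)
    user = root.findtext("USR", default="") or ""
    stored = (root.findtext("PWD", default="") or "").strip().lower()
    algo = digest_kind(stored)
    if algo == "unknown":
        return user, algo, None
    for candidate in weak_passwords:
        if hashlib.new(algo, candidate.encode("utf-8")).hexdigest() == stored:
            return user, algo, candidate
    return user, algo, None


if __name__ == "__main__":
    user, algo, weak = audit_user_xml(SAMPLE_USER_XML)
    if weak is not None:
        print(f"[!] user '{user}': {algo} digest matches weak password '{weak}'")
    else:
        print(f"[ok] user '{user}': {algo} digest does not match any listed weak password")
```

Running it over every file in data/users/ (glob the directory and call audit_user_xml on each) gives a quick pass/fail per account; any hit is a credential to rotate, and the unsalted digest itself is a reason to move the install to a current release.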
I have admin access to the account. From here it looks like I can create a page. I can access the file system in /data/pages for the pages. I should be able to gain access to the system from here by adding a new file
On the data/other/authorization.xml I found an API Key:
4f399dc72ff8e619e327800f851e9986
On /data/other/logs/
I found a log of all failed login attempts, including my own.
On the /data/cache/
I found a .txt file specifying that we are running an old version. Confirmed that this is the GetSimple version, which is 3.3.15. Need to check for exploits.
/index.php (Status: 200) [Size: 5485]
Home
/plugins (Status: 301) [Size: 316] [--> http://10.129.42.249/plugins/]
There are some .php files in here but can't see the contents of them
/robots.txt (Status: 200) [Size: 32]
Found /admin in here
/server-status (Status: 403) [Size: 278]
Can't get access.
/sitemap.xml (Status: 200) [Size: 431]
Looks like nothing important?
/theme (Status: 301) [Size: 314] [--> http://10.129.42.249/theme/]
Looks to be mainly styles files
I checked Metasploit and it looks like there are two exploits available for GetSimple:
The first one didn't work with the credentials I provided. However, the second exploit worked, since it targets the version of GetSimple that the website is running, which is outdated.
I had to change to the /home/mrb3n directory, where I found the user.txt file with the flag:
7002d65b149b0a4d19132a66feed21d8
I then used the shell command to drop into a shell and a slightly better terminal.
I ran the following to get a better console:
I ran sudo -l:
(ALL : ALL) NOPASSWD: /usr/bin/php
I checked gtfobins for possible root escalation:
Ran the above and got root privileges.
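The sudo -l output above is the whole privilege-escalation story: a NOPASSWD rule for an interpreter (php) lets the user run arbitrary code as root, which is exactly what the gtfobins entry relies on. The following is an added example, not code from the page or from any tool it mentions: a small parser for sudo -l output that an administrator can point at their own hosts to flag NOPASSWD entries whose command is ALL or an interpreter that can execute arbitrary code. The sample output, the interpreter list and the function names are constructed for the example; the rule on the page is reproduced as-is, and a harmless second rule is added to show a non-flagged entry.

```python
import os
import re

# Constructed sample of `sudo -l` output. The php rule is the one the page
# found; the systemctl rule is added so the audit has something to leave alone.
SAMPLE_SUDO_L = """Matching Defaults entries for mrb3n on this host:
    env_reset, mail_badpass

User mrb3n may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
"""

# Constructed list of binaries that run arbitrary code; NOPASSWD on any of
# these is equivalent to NOPASSWD on a root shell.
INTERPRETERS = {"php", "python3", "perl", "ruby", "bash", "sh"}

# A rule line looks like "(runas) TAG: TAG: /path/cmd args, /path/other".
RULE_RE = re.compile(r"^\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z_]+:\s*)*)(?P<cmds>.*)$")


def parse_sudo_l(text):
    """Return one dict per command in the rule lines of `sudo -l` output."""
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        m = RULE_RE.match(line)
        if not m:
            continue  # header lines and Defaults entries carry no rules
        tags = {t.strip() for t in m.group("tags").split(":") if t.strip()}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if cmd:
                entries.append({
                    "runas": m.group("runas").strip(),
                    "nopasswd": "NOPASSWD" in tags,
                    "command": cmd,
                })
    return entries


def risky_entries(entries):
    """Return the commands that grant passwordless arbitrary code execution."""
    flagged = []
    for e in entries:
        if not e["nopasswd"]:
            continue
        binary = os.path.basename(e["command"].split()[0])
        if e["command"] == "ALL" or binary in INTERPRETERS:
            flagged.append(e["command"])
    return flagged


if __name__ == "__main__":
    for cmd in risky_entries(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"[!] NOPASSWD rule on code-executing binary: {cmd}")
```

The fix for a hit is the usual one: drop the NOPASSWD tag, and if the user genuinely needs to run a script as root, grant a specific wrapper script with fixed arguments rather than the interpreter itself.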
Went to the /root/root.txt and grabbed the flag with a minute left on the machine:
f1fba6e9f71efb2630e6e34da6387842