GlasgowSmile Writeup
So another vulnhub box called Glasgow Smile was introduced to our team so we learned together. You can download it from: https://www.vulnhub.com/entry/glasgow-smile-11,491/.
This VM provides the IP address on boot, so not network discovery required here. We jumped right in to leveraging nmap with nmap -sC -sV -p- $IP -oN glasgow.nmap and we got two ports back: 22 and 80. Its running ubuntu, but nothing stands out. I’m going to go check out the webpage, but while I do that I’ll check UDP as well in the background: nmap -sS -p- $IP -oN glasgow_udp.nmap. So for the webpage, I’ll start with curl $IP -v and see what we are getting back. Nothing interesting and only html with one image available. I’ll download that image with curl $IP/joker.jpg — output joker.jpg and while I investigate the image, I’ll let feroxbuster -u http://$IP run to keep things going in the background. Checking out the image, not much in there but I always want to check for information leakage. I ran the following commands: file joker.jpg, binwalk joker.jpg, exiftool joker.jpg, strings joker.jpg, and firefox joker.jpg. There are two words I’ll save for later “Glasgow Smile” and “Mindsflee” in case I need them. Feroxbuster finished up and found a joomla page. CMS pages are always a candidate for infiltration! So let’s run a specific scanner for joomla. I’ll do the following: joomscan — url $URL -ec and get this output:
So it found the administrator page, some robots.txt entries that attempt to stop web crawlers from indexing items, and some components that really don’t have any vulnerabilities in them. I do see the version so searchsploit joomla to see anything is close. There is an SQL injection for 3.7, but that doesn’t take us anywhere. So, off to visit this CMS and see what is clickable: firefox $URL. The page has one item on it with some quotes from the Joker movie. I capture some potential usernames like joker, arthur, and Super User. Not much else to navigate, so off to google to find the default joomla passwords. Google leads me to install pages where joomla asks for you to set the default password during install. However, it appears that “joomla” is a user option as well so add that to my list. After some more looking around, there isn’t much else. I have a set of potential users, but that’s about it. I try to log in a few times and I’m a bad guesser. With no clue what type of password list to try, I’ll create a list from the webpage and see if that can get me close. I run: cewl $URL -w cewl.list and I got a list of words. Well, let’s give it a shot and see what happens! It so happens that nmap has a script just for joomla, so I used that one instead of hydra or burp.
It found some results. However, all results after the first one are false positives. Once the first logon works, it returns a cookie that gives the false positives for the rest of the accounts. Now with a valid login, we can see the CMS page. Since we are on as joomla we have full control. To be easy, I’ll go into “Templates” and put a reverse shell embedded in there. What we have to be careful about is putting the webpage into a pause while the shell is running. I visited and found a php payload that runs as a process.
In this case, we didn’t use any PaaS redirector or a C2 shell, but we could if we needed to. Notice this is not the same box I used to enumerate, I’m putting the next step on my windows box! As soon as you look at the home page (curl works too), we get a shell!
Since I started this shell from windows doing netcat (nc64.exe), my shell is pretty stable right now. It drops me in the joomla directory, but that’s where I want to be anyway. www-data is a service account, so my first goal is to see what configuration files we have access to browse to get better/more access. Doing an ls there is the “configuration.php” file and it contains database creds. Let me save those and go look at the next service. mysql -u joomla -pbabyjoker gets us in.
Looking around, we can get to the joomla_db. The only thing in there that is juicy is: select username,password from jnqcu_users; but we already got that! Let’s go look at use batjoke; show tables; and we get some potential usernames and hashes. I copy them over to my box and do a little editing. I see that a few of them end in “==” which may mean they are base64 encoded. A quick check says yes they are. So with a little bash magic, here is some results:
So my tool of choice here is to see if these creds work on ssh since that port was open. I’ll use crackmapexec to have it automate the work! cme ssh $IP -u users2.txt -p passwords.lst — no-bruteforce and we got a winner with “rob”! ssh rob@$IP lets me in! An initial check in the home directory and I have a note from Abner?
It looks funny, but I do see some “==” at the end so I’ll try base64 decoding. No luck. It doesn’t look encoded, but I ran it with ent aberMessage.txt and it doesn’t have a high enough score to be encrypted. So maybe it is something simple like a cypher. cat Abnerineedyourhelp | tr ‘a-zA-Z’ ‘b-zaB-ZA’ turns out to be a winner! With that, now I run that last command through base64 decoding and I got a nice long password. doing a su gets me over to abner’s account. I jump to my new home directory with: cd ~ and I got another file there: info.txt. Just a good story in there. Showing all files, there is a bash history available. Looking inside there is some penguins file that he’s messing with. Let’s find it: find / -name “.dear_penguins.zip” 2>/dev/null. We found it in the joomla directory, so let’s open it. cd /dev/shm; unzip /var/www/joomla2/administrator/manifests/files/.dear_penguins.zip. It asks for a password and I try abner’s. That works. Next I see what it is with file dear_penguins and it is ascii. Okay show me with less dear_penguins and we got another story with some ascii at the end. I’ll try base64 one more time and it definitely isn’t base64! However, I try the string without converting and I get another login with su penguin. I change to penguin’s home directory and see a few files. There is a note saying that penguin is struggling with the find command he built that has a SUID bit. For some weird reason, there are two files that are owned by the group root…weird.
Inside of “.trash_old” it just has exit in it. Root owns the group but I can right he file, let me just add a command in there and see if somehow it executes. I’ll add ‘echo “hello” > /tmp/messageToMe’ to the file. Now I’ll run watch /tmp/messageToMe and voila it appears!
It even says that I cannot edit it, which means it was created with different permissions? Let’s go check. ls -al /tmp/messageToMe shows it is owned by root! Well, I’ll change the code and instead of writing me a message, I’ll just add a SUID bit to bash and make a backdoor: chmod +s /bin/bash;. And voila, that changes too: ls -al /bin/bash. Let’s upgrade the shell with bash -p and we got a root shell (elevated permission but not quite root). Just to finish this off, let’s create a certificate with ssh-keygen -f artilleryRed and put that in the /root/.ssh/authorized_keys file and we can ssh in as root!
And that is the box. You can see above, there was a crontab running as root executing that .trash_old file. Remember, always try something new!