Codo

Source: Proving Grounds
OS: Linux
Community Rating: Easy

Enumeration & Reconnaissance

  • I started with the usual autorecon, which exposed:

    • SSH (22)

    • HTTP (80)

Service Analysis

  • I began with HTTP (80). It displayed a Codoforum page. I played around for a while before checking for a CVE. I found CVE-2022-31854, which provided RCE but required valid credentials. I tried the default credentials (admin:admin) and they worked. I was into the admin panel!

Codoforum

Gaining Initial Access

  • I attempted to run the PoC to get a shell back, but that didn't work, so I did it manually.

    • I created a PHP reverse shell and then opened the admin panel at: http://192.168.197.23/admin/

    • Logged in as admin, navigated to Global Settings, and went to "Upload logo for your forum" where I uploaded my PHP shell.

Global Settings

  • To execute it, I visited: http://192.168.197.23/sites/default/assets/img/attachments/shell.php

  • These steps were outlined in the CVE's PoC. I just followed them.

  • I checked my listener and, sure enough, I got a reverse shell.

Getting a Shell

  • I then converted it into a proper tty with the following commands:

SHELL=/bin/bash script -q /dev/null
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl + Z
stty raw -echo && fg
reset
Ctrl + C

  • I searched for a flag using:

find / -type f \( -name local.txt -o -name proof.txt \) 2>/dev/null

  • That found nothing. Then I remembered that the machine has only one flag. Time to escalate privileges and search again.

Privilege Escalation

  • I uploaded linpeas, and it exposed a password in the PHP configuration file at: /var/www/html/sites/default/config.php

config.php Password

  • The password found was FatPanda123. I first tried it for the offsec user (since there was an offsec directory in the home directory), but it didn't work there. Then I checked it for root, and it worked. We were in as root, as simple as that.

Switching to root

Lessons Learned

  • Sometimes a web application's administrative interface can be an effective RCE vector if valid credentials are obtained; also, make sure to try default credentials.

  • When a PoC doesn't work, following the steps provided in the CVE's PoC manually can make it work.

  • Configuration files often contain sensitive credentials.
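The box was won by two weaknesses the lessons above describe: a logo-upload directory that accepted and served PHP, and a config.php whose database password was readable by the low-privileged web shell. The script below is an added example, not part of this write-up or of Codoforum, showing the two checks a defender would run against a web root to catch both. The directory layout it scans is constructed in a temporary directory for the dry run; the real paths would be the web root's attachment directory and config file.

```shell
#!/bin/sh
# Added example, not from the original write-up: two defender-side checks
# for the weaknesses this box relied on. The --demo run builds a constructed
# directory layout; on a real host point the functions at the web root.

# Report files in an upload/attachment directory that contain PHP code.
# A logo upload should only ever hold image data, so any hit is suspicious.
# Returns 0 when clean, 1 when at least one file is flagged.
check_upload_dir() {
    dir="$1"
    # grep -l lists matching files; -exec ... + batches them into few grep calls
    hits=$(find "$dir" -type f -exec grep -l '<?php' {} + 2>/dev/null || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits" | sed 's/^/PHP code in upload dir: /'
    return 1
}

# Report a config file that any local user can read.
# Column 8 of `ls -l` is the "other" read bit (e.g. -rw-r--r--), so this
# works on both GNU and BSD userlands without relying on stat(1) flags.
# Returns 0 when the file is not world-readable, 1 when it is.
check_config_perms() {
    cfg="$1"
    other_read=$(ls -ld "$cfg" | cut -c8)
    if [ "$other_read" = "r" ]; then
        echo "world-readable config: $cfg"
        return 1
    fi
    return 0
}

# Stand-alone dry run against a constructed layout: `sh check.sh --demo`
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    mkdir -p "$tmp/attachments"
    printf '<?php echo "hi"; ?>' > "$tmp/attachments/shell.php"   # constructed
    printf 'GIF89a' > "$tmp/attachments/logo.gif"                  # constructed
    printf '<?php $db_pass = "constructed";' > "$tmp/config.php"   # constructed
    chmod 644 "$tmp/config.php"
    check_upload_dir "$tmp/attachments"
    check_config_perms "$tmp/config.php"
    rm -rf "$tmp"
fi
```

Content sniffing rather than extension matching is deliberate: an upload handler that only blocks `.php` names is bypassed by whatever the web server's handler mapping also treats as PHP, whereas `<?php` in a file that should be an image is wrong regardless of its name. The permission check is the cheap half of the fix; the other half is not storing a password that also works for root.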
