Hub
Source: Proving Grounds
OS: Linux
Community Rating: Easy
I started with autorecon as usual and it exposed several ports:
SSH (22)
HTTP (80)
HTTP (8082)
HTTP (9999)
I began with HTTP (80), but access was forbidden. Running a fuzzer revealed a license file at: http://192.168.197.25/LICENSE.txt
This file exposed information about the software in use, including the line:
I recalled a vulnerability with this software on Windows and did a quick check for a Linux variant, but found nothing at the time.
On HTTP (8082), I discovered a FuguHub site that wasn’t even configured. It allowed me to configure the admin account and set a password.
Once set, I noticed that the site included a Web File Server, which enabled file uploads. I looked for a CVE to automate the process and found CVE-2023-24078. Although I tried the PoCs, they didn't work as expected.
I then took a manual approach: I created a Lua shell (using the .lsp extension, as it's the extension exposed in the license file on HTTP (80) and the extension used in the PoCs) with the following content:
I uploaded the Lua shell using the Web File Server and then accessed it at: http://192.168.197.25:8082/revshell.lsp
That was it. I got access as root.
Even when standard HTTP access is forbidden, auxiliary files (like license files) can reveal details about the underlying software and potential vulnerabilities.
Unconfigured admin interfaces, such as the one on FuguHub, can provide a convenient entry point.
When automated PoCs fail, manually crafting a payload (in this case, a Lua shell) can get the job done.
Leveraging the file upload functionality can be a direct path to remote code execution.
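The four lessons above map onto things a defender can actually look for in the web server's access logs: a burst of 403/404 responses from one client (directory fuzzing), a 200 on a metadata file such as LICENSE.txt, a PUT or POST that creates a .lsp file, and a GET that executes a .lsp page outside the application's known set. The script below is an added example written for this page, not code from the original writeup or from the FuguHub project. It assumes Apache-style "vhost:port client - - [time] "request" status size" log lines; the sample lines, the client address 10.0.0.5, the /fs/ upload path and the /index.lsp allowlist entry are all constructed placeholders.

```python
import re
from collections import defaultdict

# Apache "%v:%p %h %l %u %t \"%r\" %>s %b ..." style access-log lines.
LOG_RE = re.compile(
    r'^(?P<vhost>\S+) (?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Files that are harmless to a browser but tell a scanner what software is installed.
INFO_FILES = frozenset({"/license.txt", "/readme.txt", "/changelog.txt"})

# Server-side pages that are expected to execute on the file-server host.
# Constructed allowlist: /index.lsp is a placeholder, not a known FuguHub path.
KNOWN_LSP = frozenset({"/index.lsp"})

# Constructed sample log. Port 80 sees a fuzzing burst ending in a 200 on LICENSE.txt;
# port 8082 sees a .lsp file being created (/fs/ is an assumed upload path) and then executed.
SAMPLE_LOG = """\
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:01 +0000] "GET /admin HTTP/1.1" 403 199 "-" "ffuf/2.0"
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:01 +0000] "GET /backup HTTP/1.1" 404 199 "-" "ffuf/2.0"
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:02 +0000] "GET /config HTTP/1.1" 404 199 "-" "ffuf/2.0"
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:02 +0000] "GET /test HTTP/1.1" 403 199 "-" "ffuf/2.0"
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:03 +0000] "GET /LICENSE.txt HTTP/1.1" 200 1024 "-" "ffuf/2.0"
192.168.197.25:80 10.0.0.5 - - [10/May/2024:13:00:03 +0000] "GET /old HTTP/1.1" 404 199 "-" "ffuf/2.0"
192.168.197.25:8082 10.0.0.5 - - [10/May/2024:13:05:10 +0000] "GET /index.lsp HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
192.168.197.25:8082 10.0.0.5 - - [10/May/2024:13:06:40 +0000] "PUT /fs/revshell.lsp HTTP/1.1" 201 0 "-" "curl/8.0"
192.168.197.25:8082 10.0.0.5 - - [10/May/2024:13:06:55 +0000] "GET /fs/revshell.lsp HTTP/1.1" 200 0 "-" "Mozilla/5.0"
192.168.197.25:8082 10.0.0.9 - - [10/May/2024:13:07:00 +0000] "GET /index.lsp HTTP/1.1" 200 3500 "-" "Mozilla/5.0"
"""


def parse(line):
    """Return the fields of one log line as a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def analyze(lines, fuzz_threshold=5, known_lsp=KNOWN_LSP):
    """Run the four detections over log lines; per-line findings first, fuzzing summary last."""
    findings = []
    fourxx_paths = defaultdict(set)  # (client, vhost) -> distinct paths answered 403/404
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ip, vhost, method, path, status = (
            rec["ip"], rec["vhost"], rec["method"], rec["path"], rec["status"])
        lpath = path.lower().split("?", 1)[0]  # normalise case, drop query string
        if status in (403, 404):
            fourxx_paths[(ip, vhost)].add(lpath)
        if status == 200 and lpath in INFO_FILES:
            findings.append({"rule": "info_file", "ip": ip,
                             "detail": f"{method} {path} served with 200"})
        if lpath.endswith(".lsp"):
            if method in ("PUT", "POST") and 200 <= status < 300:
                findings.append({"rule": "script_upload", "ip": ip,
                                 "detail": f"{method} {path} -> {status}"})
            elif method == "GET" and lpath not in known_lsp:
                findings.append({"rule": "script_exec", "ip": ip,
                                 "detail": f"GET {path} -> {status}"})
    for (ip, vhost), paths in fourxx_paths.items():
        if len(paths) >= fuzz_threshold:
            findings.append({"rule": "fuzzing", "ip": ip,
                             "detail": f"{len(paths)} distinct 403/404 paths on {vhost}"})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG.splitlines()):
        print(f"[{f['rule']}] {f['ip']}: {f['detail']}")
```

The upload rule only sees the file name when the client writes it directly into the request path (a WebDAV-style PUT); a multipart POST carries the name in the body, which the access log does not record. That is why the execution rule keys on any GET of a .lsp page outside the allowlist: on this box the first request to revshell.lsp is the event that matters, and it is visible whichever way the file arrived.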