Proving Grounds Linux Lab Hub ( Road to OSCP )
The article describes a penetration test of the Linux target Hub on Offsec Proving Grounds. Information gathering and port scanning first reveal the target's open services, such as SSH and HTTP. Gobuster is then used to enumerate web directories, and a remote code execution vulnerability in the FuguHub CMS is used to upload a Lua script, finally obtaining root privileges.

2026-3-17 04:52:59 Author: infosecwriteups.com

Proving Grounds Linux Box Hub Offsec ( Road to OSCP )

As always, in every penetration testing engagement we start with reconnaissance and information gathering; in this step we try to get as much information about the target as possible.

We can achieve that by using various tools and techniques to obtain a foothold on the target, such as enumeration, scanning and other recon techniques.

In this lab we are tasked with pentesting this Linux lab, Hub, on Offsec’s Proving Grounds:

The first step is to check whether the target is up and running. We can do so by sending ICMP requests to check if we can communicate with the target, by running this command:

Next I’ll initiate a scan using rustscan because it’s considered fast; afterwards I can run a full scan with nmap and investigate with other tools:

└─# rustscan -a 192.168.220.25 --ulimit 5000

From the scan I can see the following open ports and services:

Port 22 running SSH
Port 80 running HTTP
Port 8082 running blackice-alerts
Port 9999 running abyss

Let’s run an nmap full scan, and while I do that I’ll investigate the webpage on port 80…

From examining port 80, it seems like it’s running the nginx 1.18.0 service; however, access to the webpage is forbidden.

I’ll run gobuster for initial enumeration on port 80 and see if I find anything meaningful, by running this command:

┌──(root💀CSEC)-[/home/cyborgbytes/Documents/PGWriteupsOffsec/Hub]
└─# gobuster dir -u http://192.168.220.25/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -o enum.txt

This way I can enumerate the possible web directories based on a wordlist I specify.

From the enumeration I can see the following output:

The possible web directories on port 80 are the following:

/themes
/data
/applications
/trace
/cache
/disk

Next I’ll investigate the webpage on port 8082:

The webpage seems to be running a CMS called FuguHub. I was able to create a user on the webpage, so let’s keep investigating.

The results of the nmap full scan are the following:

By running searchsploit to search for exploits on FuguHub, I can see that there is a public exploit on Exploit-DB for FuguHub, a Remote Code Execution for version 8.1:

Next I’d copy this exploit and try to use it to get an initial foothold…

After some research I found out that the exploit method is a bit complex. Going forward with the exploitation, I’ll do the steps one by one:

First, the concept of the vulnerability is that we have to upload a Lua “LSP script” that gets us a reverse shell upon upload:

I’ll run a listener on port 9001:

`nc -lvnp 9001`

Next I’ll download and execute a script used for this CVE:

Before we run the exploit we need to install the dependent libraries for the exploit to work properly.

Going back to the main terminal, I’ll run cadaver to open and put the reverse shell:

But before I do so, I’ll go to the platform, make an account and get the URL session of the /fs/ directory.

dav:!> open http://192.168.220.25:8082/fs/0682cdd29b0ca95eff361bd2/
dav:/fs/0682cdd29b0ca95eff361bd2/> cd ..
Authentication required for Web File Server on server `192.168.220.25':
Username: admin
Password:
dav:/fs/> put lua.lsp
Uploading lua.lsp to `/fs/lua.lsp':
Progress: [=============================>] 100.0% of 349 bytes succeeded.
dav:/fs/>

After uploading the Lua reverse shell I have to run the CVE Python exploit; I actually had to edit the source code to align with the procedure:

And THERE WE GO! A root shell directly, without the need to escalate any privileges.
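Seen from the defender's side, the upload step above leaves a clear trace: a WebDAV PUT of an `.lsp` file under `/fs/`. The following is an added detection example, not part of the original write-up or of the exploit, that scans access-log lines for that write and for later requests to the same file. The Common Log Format layout, the sample lines and the name `find_script_uploads` are assumptions, as is treating a later request for the uploaded file as the follow-up signal.

```python
import re
from urllib.parse import unquote

# Assumption: a proxy in front of the server writes Common Log Format;
# FuguHub's own log layout is not shown in the write-up.
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
DAV_ROOT = "/fs/"        # WebDAV mount seen in the cadaver session
SCRIPT_EXT = ".lsp"      # server-side script type uploaded in the write-up

def find_script_uploads(lines):
    """Flag .lsp files written with PUT under /fs/ and later requests for them."""
    uploaded = set()     # decoded paths of scripts that were written successfully
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m or not m["status"].startswith("2"):
            continue     # unparsable line or failed request
        # Decode %-escapes so "a%2Elsp" cannot hide the extension.
        path = unquote(m["path"].split("?", 1)[0])
        if not (path.startswith(DAV_ROOT) and path.lower().endswith(SCRIPT_EXT)):
            continue
        # Only PUT is checked: MOVE/COPY name their target in the Destination
        # header, which Common Log Format does not record.
        if m["method"] == "PUT":
            uploaded.add(path)
            alerts.append(("script-upload", path, m["ip"], m["user"]))
        elif m["method"] in ("GET", "POST") and path in uploaded:
            alerts.append(("uploaded-script-requested", path, m["ip"], m["user"]))
    return alerts

# Constructed sample lines (documentation IPs, made-up users and times).
SAMPLE = [
    '192.0.2.5 - admin [17/Mar/2026:04:40:01 +0000] "PUT /fs/lua.lsp HTTP/1.1" 201 0',
    '192.0.2.5 - - [17/Mar/2026:04:40:09 +0000] "GET /fs/lua.lsp HTTP/1.1" 200 12',
    '192.0.2.7 - bob [17/Mar/2026:04:41:00 +0000] "PUT /fs/notes.txt HTTP/1.1" 201 0',
    '192.0.2.8 - eve [17/Mar/2026:04:42:00 +0000] "PUT /fs/docs/a%2Elsp HTTP/1.1" 201 0',
    '192.0.2.9 - - [17/Mar/2026:04:43:00 +0000] "PUT /fs/b.lsp HTTP/1.1" 401 0',
]

if __name__ == "__main__":
    for alert in find_script_uploads(SAMPLE):
        print(alert)
```

A file manager that has no business hosting server-side scripts can turn the same rule into a block at the proxy, rejecting PUT requests whose decoded path ends in `.lsp`.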

And here we conclude the lab successfully…

On to the next ones, with dedication, commitment and resilience!

Feel free to clap and share if you like my content! It helps me a lot and it’s appreciated too.


Article source: https://infosecwriteups.com/proving-grounds-linux-lab-hub-road-to-oscp-e5d58a42530c?source=rss----7b722bfd1b8d---4