GLPI "htmlawed" (CVE-2022-35914) exploitation - (Part 1)

This post walks through the GLPI "htmlawed" vulnerability (CVE-2022-35914) and the way it was exploited to gain access to the web server.


Network Enumeration:

  • Analyzing the Nmap output from the previous section reveals that the target is running the Apache2 web server on port 80, serving the GLPI application and its login page.
  • Let's load the target in the web browser and look for additional information.
  • Not much was gathered that way, so a deeper analysis of the target web server is needed.

HTTP Enumeration:

  • Directory brute-forcing with dirb located a hidden directory on the web server. The "phpinfo.php" file it contained revealed details about PHP 7.4.3-4ubuntu2.17; those details help in gaining access to the target machine and show that some PHP functionality had been disabled.

  • Following a Google search, we discovered the GLPIScan GitHub page, which helped us identify the vulnerability affecting the installed version. Launching the scan looks for anything that will actually help us exploit the target.

  • According to the scan log, GLPI's bundled "htmlawed" is vulnerable to CVE-2022-35914. Reviewing the "htmLawedTest.php" code helps us understand how it operates and identify any potential vulnerabilities.

  • Since GLPI pulls htmLawedTest.php in directly through composer, the file is present by default in versions 9.x and 10.x, which is where the issue manifests.
  • The path /vendor/htmlawed/htmlawed/htmLawedTest.php is publicly accessible on a default GLPI installation.
  • After analysing the PHP code, we decided to take advantage of it by employing callback functions such as array_map and call_user_func.

Exploitation:

  • Let's look into htmLawedTest.php and identify the available parameters.
  • We then manipulate the inputs and try to gain access to the target machine.

  • Load "htmLawedTest.php" in the browser, intercept the HTTP POST request with Burp Suite and manipulate the request.

  • Configure the browser to use Burp Suite as a proxy between the client and the server. Type "call_user_func" in the input box and click the Process button. The request stops in Burp Suite; manipulate it and forward it to the server.

  • Before forwarding the request, start a listener to catch the shell.

  • We successfully gained access to the target machine. To escalate to root, run "linpeas.sh" to gather more information and exploit accordingly.
