Vulnlab - Forgotten [Easy]
We would find a website that we are going to fuzz and find an installation page for the LimeSurvey software. Then we would set up our local database to work with the installation of that software and run it on the server. We would then install a malicious plugin so that we can gain remote code execution on the machine. Then we would find credentials in the environment variables that we can use to gain access to the SSH. After that, we are going to abuse the mount points of the docker image to gain root on the host machine.
Upon scanning the machine, we would find a couple of ports open ports.
$ sudo nmap -sS -sU 10.10.105.241 --min-rate 10000 --open -p-
Going to the web page, we would find that it results to status code 403, so the next step that we are going to take is to fuzz it
$ ffuf -w $commontxt -u http://10.10.105.241/FUZZ
Then we would find an installation page for the software LimeSurvey.
We are going to try to install it, however to do that we need to install
mysql server onto our local server and expose it to the machine so that the system can connect to us, otherwise we would get:
ERROR 1130 (HY000): Host '<MACHINE_IP>' is not allowed to connect to this MySQL server
In order to do that, we would need to set our MySQL server to accept connections from anywhere and create a user.
First, we need to edit our configuration
$ sudo nano /etc/mysql/mysql.conf.d/mysqld.cnf
# Change "bind-address" to "0.0.0.0"
Then we can connect using the
root user and
mysql> CREATE USER 'forgotten'@'%' IDENTIFIED BY 'forgotten';
mysql> GRANT ALL PRIVILEGES ON *.* TO 'forgotten'@'%' WITH GRANT OPTION;
mysql> FLUSH PRIVILEGES;
We would then be able to install the LimeSurvey and get into the admin panel.
We can now research of some ways to get remote code execution on the machine using this software, a quick google search would lead us to this exploit: LimeSurvey RCE.
The exploit is leveraging the plugins feature of the software to install a malicious plugin which can connect to our listener.
We can setup such plugin by cloning the repository and replacing the needed variables in the file
php-rev.php after that we also need to edit the
config.xml and add the installed version of the LimeSurvey to the
<compatibility> element, after that we would zip the files and upload them.
$ zip plg.zip ./php-rev.php ./config.xml
We can then navigate to
/index.php/admin/pluginmanager?sa=upload to upload our plugin. After we upload it and activate it, we can start a local listener with the given configuration earlier, and to execute our reverse shell we need to head to
We can now run
linpeas to enumerate further, and upon examining the output we would find this environment variable set in the beginning
LIMESURVEY_PASS=5W5<REDACTED> we would also find that the current shell is running within a docker container.
After finding that password I immediately tried it to change the user to
root in the current container which worked, and I also tried to SSH with the user
limesvc which also worked!
And judging by the system information, it seems that we are not in the docker container anymore, if we list the home directory we would find the
We can use a tool called CDK - Zero Dependency Container Penetration Toolkit to inspect our docker container which runs the LimeSurvey application.
In the Mounts section we can see the listed mounts, the
resolv.conf | hostname | hosts are standard for every container but the
/opt/limesurvey isn’t so we can check that out.
We can see that the host has mounted the
/opt/limesurvey directory in the
/dev/ folder on the container, We can go to
/dev/ to create a single file and check its permissions on the host system. Since that the docker container process is running as
root we would have the same permissions from within the container. The file that has been created is having
We can now try the same thing but with the
bash executable, we would try the following thing on the container:
root@efaa6f5097ed:/var/www/html/survey# cp /bin/bash ./syl
root@efaa6f5097ed:/var/www/html/survey# chmod u+s ./syl
Now on the host machine we can invoke our binary
./syl and we should be
limesvc@ip-xxx:/opt/limesurvey$ ./syl -p
syl-5.1# cat /root/root.txt