Publisher

---

Enumeration

We start with an nmap scan:

# Nmap 7.94SVN scan initiated Sat Oct 12 17:36:44 2024 as: nmap -p- --open -sSCV -n -Pn -vvv -oN target 10.10.220.86
Nmap scan report for 10.10.220.86
Host is up, received user-set (0.046s latency).
Scanned at 2024-10-12 17:36:44 CEST for 26s
Not shown: 65506 closed tcp ports (reset), 27 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 44:5f:26:67:4b:4a:91:9b:59:7a:95:59:c8:4c:2e:04 (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMc4hLykriw3nBOsKHJK1Y6eauB8OllfLLlztbB4tu4c9cO8qyOXSfZaCcb92uq/Y3u02PPHWq2yXOLPler1AFGVhuSfIpokEnT2jgQzKL63uJMZtoFzL3RW8DAzunrHhi/nQqo8sw7wDCiIN9s4PDrAXmP6YXQ5ekK30om9kd5jHG6xJ+/gIThU4ODr/pHAqr28bSpuHQdgphSjmeShDMg8wu8Kk/B0bL2oEvVxaNNWYWc1qHzdgjV5HPtq6z3MEsLYzSiwxcjDJ+EnL564tJqej6R69mjII1uHStkrmewzpiYTBRdgi9A3Yb+x8NxervECFhUR2MoR1zD+0UJbRA2v1LQaGg9oYnYXNq3Lc5c4aXz638wAUtLtw2SwTvPxDrlCmDVtUhQFDhyFOu9bSmPY0oGH5To8niazWcTsCZlx2tpQLhF/gS3jP/fVw+H6Eyz/yge3RYeyTv3ehV6vXHAGuQLvkqhT6QS21PLzvM7bCqmo1YIqHfT2DLi7jZxdk=
|   256 0a:4b:b9:b1:77:d2:48:79:fc:2f:8a:3d:64:3a:ad:94 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJNL/iO8JI5DrcvPDFlmqtX/lzemir7W+WegC7hpoYpkPES6q+0/p4B2CgDD0Xr1AgUmLkUhe2+mIJ9odtlWW30=
|   256 d3:3b:97:ea:54:bc:41:4d:03:39:f6:8f:ad:b6:a0:fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFG/Wi4PUTjReEdk2K4aFMi8WzesipJ0bp0iI0FM8AfE
80/tcp open  http    syn-ack ttl 62 Apache httpd 2.4.41 ((Ubuntu))
| http-methods: 
|_  Supported Methods: POST OPTIONS HEAD GET
|_http-title: Publisher's Pulse: SPIP Insights & Tips
|_http-server-header: Apache/2.4.41 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat Oct 12 17:37:10 2024 -- 1 IP address (1 host up) scanned in 25.78 seconds

Port	Description
22	SSH: OpenSSH 8.2p1
80	HTTP: Apache 2.4.41

Let's go to the website and see what it contains:

If we look at the frame on the left we can see the following:

With this we can intuit that we are facing a SPIP in version 4.1.5 or earlier. If we look for any vulnerability for version 4.1.5 we can find this:

GitHub - nuts7/CVE-2023-27372: SPIP before 4.2.1 allows Remote Code Execution via form values in the public area because serialization is mishandled. The fixed versions are 3.2.18, 4.0.10, 4.1.8, and 4.2.1.GitHub

Looking at the repository we can see that we have two ways to do it, manual or automated with the exploit. We'll do it both ways:

Foothold

If we do fuzzing we can find the spip folder that corresponds to the configuration area where we can find the login:

Manual

We will be able to see that there is a post uploaded by the user think, to access the login we will be able to see at the bottom left a button that says Se connecter:

Following the PoC (Proof of Content) we will have to click on the button where it says mot de passe oublié ? :Following the PoC (Proof of Content) we will have to click on the button where it says mot de passe oublié ? :

Now we will see that it asks us to insert an email, we will put any email and we will intercept the request with burpsuite:

In the PoC we will see that in the last line of the request it changes it to oubli and injects the php command:

Now that we have managed to see the phpinfo we will send us a reverse shell with shell(), what we will do is to create a txt to see if we can create files:

Coming soon