HackTheBox: BountyHunter

midist0xf
3 min read · Nov 28, 2021

ENUMERATION

Nmap full TCP port scan:

nmap -A -p- -oN nmap_tcp_all.txt 10.10.11.100

The nmap output highlighted the presence of:

  • SSH on port 22: OpenSSH 8.2p1 Ubuntu 4ubuntu0.2
  • web server on port 80: Apache httpd 2.4.41

EXPLOITATION

Basic dirbusting with gobuster shows the presence of a potentially interesting file named db.php.

However, visiting that page returns an empty response.

Visiting http://10.10.11.100 shows a web page with different sections.

The Portal section leads to a page where you can submit vulnerability details.

Entering test as the Exploit title and clicking Submit, it is clear that our input is reflected within an XML document. This is an indicator of a possible XXE attack vector.

Send the request to Repeater. Since the user input is reflected in the XML, we can try a classic XXE payload which retrieves the /etc/passwd file.

The decoded POST request body with our malicious input.

The server response includes the content of /etc/passwd.

Since we can exfiltrate files, let’s try to retrieve db.php from /var/www/html using a PHP filter wrapper payload.

The server response contains the content of db.php, base64-encoded as expected.

Using the leaked password we can SSH into the machine as the development user.

PRIVILEGE ESCALATION

The sudo -l output indicates that we can execute a Python script as root without a password.

The script contains an unsafe usage of the eval() Python built-in function. The goal is to write a well-formed malicious ticket file which passes the checks and then executes arbitrary code thanks to eval().

The ticket to obtain a reverse shell is the following:

Now start an nc listener on the attacker machine, execute the vulnerable script with sudo and receive a privileged reverse shell.

LESSONS LEARNED

  • When user-supplied XML input is reflected in the web page, go for XXE.
  • If the application is built with PHP, try the php://filter wrapper to retrieve PHP source files.
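As the defender's counterpart to the first lesson, here is an added example (not code from this write-up or from the BountyHunter box) of a server-side gate that rejects any DOCTYPE or entity declaration before a submitted bug report is parsed at all; the <bugreport> root element and the field names are assumptions for the example.

```python
import re
import xml.etree.ElementTree as ET

# Field names a bug-report form might submit; assumed for this example,
# not taken from the BountyHunter application itself.
REPORT_FIELDS = ("title", "cwe", "cvss", "reward")

# A bug report never needs a DOCTYPE or entity declaration, and that is
# exactly where XXE payloads live, so they are rejected before parsing.
_DECL_RE = re.compile(r"<!DOCTYPE|<!ENTITY", re.IGNORECASE)

def xml_is_suspicious(raw: str) -> bool:
    """True if the decoded submission carries a DOCTYPE/ENTITY declaration."""
    return _DECL_RE.search(raw) is not None

def parse_report(raw: str) -> dict:
    """Parse a <bugreport> document into a dict; raise ValueError on a
    DOCTYPE/ENTITY declaration, a wrong root element or a missing field.
    The stdlib parser does not fetch external entities, but refusing the
    declaration also stops internal-entity expansion and is easy to log."""
    if xml_is_suspicious(raw):
        raise ValueError("DOCTYPE/ENTITY declaration in bug report rejected")
    root = ET.fromstring(raw)
    if root.tag != "bugreport":
        raise ValueError(f"unexpected root element <{root.tag}>")
    report = {}
    for field in REPORT_FIELDS:
        node = root.find(field)
        if node is None:
            raise ValueError(f"missing <{field}>")
        report[field] = (node.text or "").strip()
    return report

def report_accepted(raw: str) -> bool:
    """True if parse_report() accepts the document, False if it rejects it."""
    try:
        parse_report(raw)
        return True
    except (ValueError, ET.ParseError):
        return False

# Constructed sample: a benign submission of the form described above.
BENIGN = ('<?xml version="1.0"?><bugreport><title>test</title><cwe>CWE-611</cwe>'
          '<cvss>7.5</cvss><reward>100</reward></bugreport>')
# Constructed sample: the same form with an external entity declared and
# referenced from the title, the classic XXE shape the write-up describes.
XXE = ('<?xml version="1.0"?><!DOCTYPE bugreport [<!ENTITY xxe SYSTEM "file:///etc/passwd">]>'
       '<bugreport><title>&xxe;</title><cwe>CWE-611</cwe><cvss>7.5</cvss><reward>100</reward></bugreport>')
```

Run the check on the decoded request body (after any base64 or URL decoding) so the regex sees the same bytes the parser will; a rejection here is the event to log and alert on.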
