Hi there, I am malw_guy, a former Penetration Tester, currently pursuing a degree in Electro-Communications. I've been nourishing my hacking skills since I was just a teenager; I started back when I was 13 (I'd like to keep my current age confidential). The purpose of this blog is to serve as a showcase / portfolio so people can grasp a lil' bit of my knowledge in the field. It should be noted that I am inclined to withhold public disclosure of the majority of my accomplishments in this particular field, primarily due to their involvement with governmental entities. However, should you possess a compelling reason to inquire further about these achievements, I am prepared to disclose them on a case-by-case basis, depending on the nature of your inquiry.
Machine: Inject
Hello there, today we'll be talking about a pretty new machine called Inject.
Let's kick things off with a basic nmap scan.
Nothing unusual except the service on port 8080, a Nagios server. Without looking too closely at that, let's move on to the website.
Here we're presented with a website that's meant to be some kind of cloud storage service. There are Log-In and Sign-Up buttons, but neither of them is functional, so we go to the "Upload" page.
Here we have a basic file upload. Let's also keep in mind that the box is called "Inject", so it's very likely that we need to get a foothold by exploiting the file upload.
To see how the file upload works, I tried uploading a .txt file with some text in it and watched how the server handled it.
Unfortunately, it tells us that only image files are allowed, so let's upload an image and see how the server handles that.
Let's take a look at the php parameter, because it looks very fuzzable. I tried playing around with files, trying to upload a php shell, but unfortunately nothing worked, so I checked for path traversal, and fortunately it was a success.
In the home directory we can see two users, frank and phil, so let's look around a little bit.
In phil's directory we see the user.txt file, but unfortunately we aren't allowed to display it.
In frank's directory I found a strange .yml file. It's pretty clear we'll take advantage of that in the privilege escalation phase, but for now let's list more of the web application to find other services and configuration files.
After moving around a bit, I found a configuration file for the web server, where we can see it's using spring-boot, version 2.6.5.
With a little help from Google, I found a Metasploit module for that service: spring_cloud_function_spel_injection.
Now let's set up the exploit's options and choose our payload.
As we can see, our exploit worked and we got a meterpreter session.
Now let's get our user.txt.
Hmm, the operation failed. Usually when this happens it's because we don't have permission, so let's look around; maybe we'll find some credentials in configuration files (this approach works 99% of the time).
We can see the password field in /.m2. I got there because when I used Burp to look in frank's directory, .m2 wasn't listed since it's hidden, so I figured something interesting was lying there. Let's start a basic shell from meterpreter so we can see which user we're logged in as: we're logged in as 'frank'.
Let's log in as the user 'phil' with the password we got and grab our user flag.
Let's cat user.txt now.
Alright, halfway there. After I googled a bit about that ansible .yml file, I found this.
Based on it, what we need is to create a local .yml file with the code we saw in playbook_2.yml in frank's directory and upload it to the server in /opt/automation/tasks.
To upload that file to the server, we need to start a Python HTTP server in the directory of the file, then use wget on the target machine, where we are logged in as phil, to download it, and use bash -p in order to access root's /bin/bash.
After this, just grab root.txt and that was it.
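From the defender's side, the step above only works because a playbook directory that root executes from is writable by a lower-privileged user. The following audit script is an added example, not code from the write-up or from the box; it assumes (as stated in its comments) that a scheduled job runs every playbook found in the directory as root, and reports any file or directory there that a non-root user could modify or swap.

```python
"""Audit a directory of Ansible playbooks that a privileged job executes.

Assumed scenario (constructed for this example, not taken from the box):
a root cron job runs every *.yml in TASK_DIR. Any playbook that another
user can create, modify or replace there becomes root code execution, so
the audit flags exactly that condition.
"""
import os
import stat
from pathlib import Path

TASK_DIR = "/opt/automation/tasks"  # directory named in the write-up


def _writable_by_others(mode: int) -> bool:
    """True if the group or world write bit is set on `mode`."""
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_playbook_dir(path: str, expected_uid: int = 0) -> list:
    """Return a list of findings for `path`; an empty list means no issue.

    Checks the directory itself and every .yml/.yaml inside it for:
    ownership by a uid other than `expected_uid` (root by default),
    group/world write permission, and symlinks (target can be swapped).
    """
    findings = []
    base = Path(path)
    if not base.is_dir():
        return [f"{path}: not a directory"]
    playbooks = sorted(p for p in base.iterdir() if p.suffix in (".yml", ".yaml"))
    for p in [base] + playbooks:
        st = p.lstat()  # lstat: inspect the link itself, not its target
        kind = "directory" if p is base else "playbook"
        if st.st_uid != expected_uid:
            findings.append(f"{p}: {kind} owned by uid {st.st_uid}, expected {expected_uid}")
        if _writable_by_others(st.st_mode):
            findings.append(f"{p}: {kind} is group/world-writable (mode {oct(st.st_mode & 0o777)})")
        if stat.S_ISLNK(st.st_mode):
            findings.append(f"{p}: {kind} is a symlink, its target could be replaced")
    return findings


if __name__ == "__main__":
    for line in audit_playbook_dir(TASK_DIR) or ["no findings"]:
        print(line)
```

Run it as a periodic check (or as a hook in the same cron schedule) so a world-writable playbook directory is reported before a scheduled run picks up a planted file.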