Today we will be coming across machine Feline. This machine is interesting as it has java de serialization in JSESSION id parameter. Without wasting time let’s jump in.
Nmap Scan for Service Versions with Default Scripts.
After scanning the target. we see port 22 and 8080 are open. Where 22 is for SSH and 8080 has website named Virus Bucket running on Apache Web Server.
PORT 8080 Enumeration
Source code has
We can analyze our malware sample here. Let’s attach any msfvenom created payload.
On uploading a file I see, upload successful the report will be sent via mail
Uploading empty file gives
Then I tried removing filename and sending contents
We see we got upload file path
CVE enum : I got two CVE for RCE
And second one
Exploiting CVE-2020–1938 gave me, not implemented error. This error occurs when we try to connect to a service on web server , which web server is not using , so this was not the way in definitely. APJ13 was not implemented
Then for exploiting, CVE-2020–9484 we require the path for uploads, which we already have. So enumerating about CVE-2020–9484 I got
It explains what happens in exploit
So we need to make a ysoserial file and upload it to server
Change file permission to 777 (Read , Write And Execute to all) and then Upload the file
Now make the following request
On python HTTP Server , you get 200 ok for nc transfer , and 500 error in web page. Then I make two files , one to change the mode of uploaded nc and second to give reverse shell
And repeated the above process ,
1) clear browser history each time before I made an upload.
2) changed file permission of file to be uploaded to 777 (ALL)
3) kept nc on at defined port
4) uploaded the file
5)made request to http://10.10.10.205:8000, with jessionID values changed according to filename
This will run the “change mode command” in background for file /tmp/nc
After uploading iamfedup2 , we see we get the reverse shell, as it will execute nc reverse shell command.
We initially have got the shell which is not the bash.
1) e2scrub_all cronjob
It is executing /sbin/e2scrub_all
Both e2scrub and apport version were vulnerable but was not getting exploited. Finally Enumerating connections , we see localhost connected to port 4505 and 4506
Reverse tunnel Port forwarding
I tried creating reverse tunnel to docker using SSH first. But that would require me to add authorized keys to ssh directory in tomcat home folder, which we don’t have permissions to. So I tried it using netcat
But I failed. I got connection back but no shell, Can’t even figure out why
So next I used Socat
Socat based reverse tunnel : Port forwarding
After we have forwarded our local port 4506 to 9003 and started a listener on it, we need to connect to it, via our kali local machine
Method 1: using msfvenom payload reverse shell
Create a payload
Set netcat on
Transfer files and execute it via exploit we have found
We are here root of docker
Directly transfer netcat to the docker system /tmp folder and execute it to give shell back
Now that we are root of docker let’s escalate priv
First lets get the bash.
After getting the todo.txt and known tomcat needs to be open to public but is runnning somewhere internally.
We see — unix-socket connecting json container
The –v parameter specifies that we want to create a volume in the Docker instance. The –it parameters put the Docker into the shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine to the instance volume, so when the instance starts it immediately loads a chroot into that volume. This gives us the root of the machine. After running the command, we traverse into the /mnt directory and found out flag.txt.
Rooting the machine
Copy your public rsa key to .ssh/authorized_keys
We are welcomes with a message, introducing Kubernetes 1.19
Kubernetes is an open-source container-orchestration system for automating computer application deployment, scaling, and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation