This is a Debian 12 machine running a web site vulnerable to reflected XSS and HTTP header injection. We steal an admin cookie by exploiting these vulnerabilities, which gives us access to an administration dashboard. There, a command injection vulnerability is exploited to get a user shell. For privilege escalation, we find a relative path vulnerability in a script that sudo lets us run as root.
Browse the site with Firefox; in the /support URI we can inject a payload.
A hacking protection alert is triggered, and the application replies with information taken from the HTTP request headers. This makes the application a candidate for reflected XSS when a payload is injected in any of the HTTP request headers.
Capture an HTTP request and send it to Repeater, then inject a cookie-stealing payload in any of the reflected headers such as "User-Agent", "Accept", etc. In this case we use the "Accept" header.
An is_admin cookie is received by a built-in PHP web server under our control.
Add the cookie to Firefox (or to the Burp Suite request headers) and navigate to /dashboard; an administrator panel appears.
It turns out the dashboard is used to execute a system diagnostic command, which looks like a candidate for command injection. Capture a request and add a reverse shell in the date parameter.
A reverse shell for user dvir is received on port 1919.
This shell can be used to retrieve the user flag.
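The dashboard's diagnostic command takes a user-controlled date value and, as the writeup shows, that value reaches a shell. As an added example that is not part of this writeup or of the target application, the following POSIX shell wrapper shows the defensive pattern: accept the parameter only if it has the exact YYYY-MM-DD shape, let date(1) confirm it parses, and hand it to date as a single argument rather than splicing it into a command string. The function names, the wrapper and the sample inputs are constructed for this illustration; date -d is the GNU coreutils form found on Debian.

```shell
#!/bin/sh
# Added example, not part of the writeup or the target application.

# Accept only a bare YYYY-MM-DD value, then let date(1) confirm it parses.
# Anything else (shell metacharacters, extra words, impossible dates) is rejected.
# Exit status: 0 when the value is acceptable, 1 otherwise.
validate_date_arg() {
    case "$1" in
        [0-9][0-9][0-9][0-9]-[0-9][0-9]-[0-9][0-9]) ;;
        *) return 1 ;;
    esac
    date -d "$1" >/dev/null 2>&1   # GNU date (Debian); fails on e.g. 2024-13-40
}

# Diagnostic wrapper standing in for the dashboard's command: the validated value
# is passed to date as one argv element and is never interpolated into shell text.
run_diagnostic() {
    validate_date_arg "$1" || { echo "rejected date parameter" >&2; return 1; }
    date -d "$1" +"%d/%m/%Y %H:%M"
}

# Stand-alone demo with constructed inputs: the first is accepted, the second,
# which carries a command separator, is rejected before any command runs.
run_diagnostic "2024-02-01"
run_diagnostic "2024-02-01;echo injected" || true
```

The allow-list check runs before date(1) sees the value, so a rejected string never reaches any program; the shape check is deliberately strict (no time component, no spaces) because the diagnostic only needs a calendar date.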
ROOT
From the low-priv shell, take the opportunity to enumerate the system.
And the sudo configuration.
So we can run syscheck as root without being prompted for a password. Enumerate the binary.
There is a vulnerability in this code: the initdb.sh script is invoked through the relative path ./initdb.sh, so it is resolved against the current working directory of whoever runs syscheck, while every other command in the script uses an absolute path. This means we can create our own initdb.sh in a directory where we have write permission (for example, our home directory) and run sudo /usr/bin/syscheck from there; the pgrep check only skips this step when a process named initdb.sh is already running. Our script is then executed as root.
Create a script in the home directory, /home/dvir/initdb.sh, and add a reverse shell to it.
> sudo -l
Matching Defaults entries for dvir on headless:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
use_pty
User dvir may run the following commands on headless:
(ALL) NOPASSWD: /usr/bin/syscheck
> strings /usr/bin/syscheck
#!/bin/bash
if [ "$EUID" -ne 0 ]; then
exit 1
last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"
disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"
load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
/usr/bin/echo "Database service is not running. Starting it..."
./initdb.sh 2>/dev/null
else
/usr/bin/echo "Database service is running."
exit 0
> sudo /usr/bin/syscheck
Last Kernel Modification Time: 01/02/2024 10:05
Available disk space: 2.0G
System load average: 1.86, 1.23, 0.55
Database service is not running. Starting it...
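The root cause in the syscheck source above is the single relative invocation ./initdb.sh in an otherwise fully-pathed script. As an added example (not the writeup's code and not the box's own syscheck), the shell snippet below shows two things a defender would want: an audit function that lists every command a script invokes through ./ or ../, and a hardened start routine that pins the helper to an absolute path and refuses to execute it unless it is root-owned and not writable by group or others. The path /opt/db/initdb.sh is an assumed placeholder, the function names are constructed, and stat -c is the GNU coreutils form available on Debian.

```shell
#!/bin/sh
# Added example, not from the writeup or the target's own syscheck script.

# Print (with line numbers) every command a script invokes through a relative
# path such as ./initdb.sh or ../bin/x. Such paths resolve against the caller's
# current directory, which the invoking user controls when sudo runs the script.
# Exit status: 0 if at least one offending line was found, 1 otherwise.
find_relative_invocations() {
    grep -nE '(^|[[:space:];&|(]|\$\()\.\.?/[^[:space:]]+' "$1"
}

# Hardened replacement for the "./initdb.sh" line: the helper lives at a fixed
# absolute path (placeholder /opt/db/initdb.sh, assumed for this example) and is
# executed only if it is owned by root and not writable by group or others.
# Exit status: 2 if the helper is missing, 3 if ownership or permissions are
# unsafe, otherwise the helper's own exit status.
safe_start_db() {
    helper="${1:-/opt/db/initdb.sh}"
    [ -f "$helper" ] || { echo "missing helper: $helper" >&2; return 2; }
    owner=$(stat -c %u "$helper")   # GNU stat: numeric owner uid
    perms=$(stat -c %A "$helper")   # GNU stat: symbolic mode, e.g. -rwxr-xr-x
    case "$perms" in
        ?????w*|????????w*)         # 'w' in the group column or the other column
            echo "refusing $helper: writable by group/others ($perms)" >&2
            return 3 ;;
    esac
    if [ "$owner" -ne 0 ]; then
        echo "refusing $helper: not owned by root (uid $owner)" >&2
        return 3
    fi
    "$helper"
}

# Stand-alone demo: audit a constructed copy of the vulnerable pattern.
demo_dir=$(mktemp -d)
printf '%s\n' '#!/bin/bash' '/usr/bin/echo "starting"' './initdb.sh 2>/dev/null' \
    > "$demo_dir/syscheck.demo"
find_relative_invocations "$demo_dir/syscheck.demo"
rm -rf "$demo_dir"
```

Running find_relative_invocations over scripts listed in sudoers output (like the NOPASSWD entry above) is a quick way to catch this class of bug during a review; the ownership and mode checks in safe_start_db close the remaining gap where the absolute-path target itself could be replaced by a non-root user.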