This is a Debian 12 machine running a web site vulnerable to reflected XSS and HTTP header injection. We steal an admin cookie by exploiting these vulnerabilities, which gives us access to an administration dashboard. There, a command injection vulnerability is exploited to get a user shell. For privilege escalation, we find a relative path vulnerability in a binary that can be run through sudo.
Browse the site with Firefox; in the /support URI we can inject a payload.
A hacking protection alert is triggered, and the application replies with information taken from the user's HTTP request headers. This makes the application a candidate for reflected XSS when a payload is injected into any of the HTTP request headers.
Capture an HTTP request and send it to Repeater, then inject a cookie-stealing payload into any of the reflected headers, such as "User-Agent" or "Accept". In this case we use the "Accept" header.
An is_admin cookie is received on a built-in PHP web server under our control.
Add the cookie in Firefox (or in the Burp Suite request headers) and navigate to /dashboard; an administrator panel appears.
It turns out the dashboard is used to execute a system diagnostic command, which looks like a candidate for command injection. Capture a request and add a reverse shell in the date parameter.
A reverse shell for user dvir is received on port 1919, which can be used to retrieve the user flag.
ROOT
From the low-privilege shell, take the opportunity to enumerate the system.
So we can run syscheck as root and no password will be prompted. Let's enumerate the binary.
> strings /usr/bin/syscheck

The output is a bash script (reconstructed below with its original line breaks; the "fi" keywords do not appear in the raw strings output because strings only prints runs of four or more printable characters):

#!/bin/bash
if [ "$EUID" -ne 0 ]; then
  exit 1
fi
last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"
disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"
load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"
if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
  /usr/bin/echo "Database service is not running. Starting it..."
  ./initdb.sh 2>/dev/null
else
  /usr/bin/echo "Database service is running."
fi
exit 0
There is a vulnerability in this code: every other command uses an absolute path, but the ./initdb.sh script is invoked with a relative path. Since sudo does not change the working directory, ./initdb.sh resolves against whatever directory we run the command from. This means we can create our own initdb.sh script in a directory with write permissions (for example, our home directory) and then run sudo /usr/bin/syscheck from there; the script will be executed as root. Note that the branch only runs when pgrep finds no process named initdb.sh already running.
Create a script in the home directory, /home/dvir/initdb.sh, and add a reverse shell to it.
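As an added example (not part of the writeup or the box), the following shell snippet shows the defender's side of this finding: an audit function that flags relative-path invocations such as ./initdb.sh in scripts that sudo is allowed to run, and a hardened replacement that runs the helper from a fixed absolute path only after checking it is root-owned and not writable by others. The path /usr/local/sbin/initdb.sh is a hypothetical placeholder, and the owner/mode check assumes ls -ld output in the usual Unix layout.

```shell
#!/bin/sh
# Added example, not part of the writeup: audit a script that sudo is allowed
# to run as root for relative-path invocations such as "./initdb.sh", and
# show how the vulnerable block should invoke its helper instead.

# Print every non-comment line of "$1" that executes a relative path
# (./x or ../x). Exit status 0 if there is any finding, 1 if none.
audit_relative_exec() {
    grep -nE '(^|[;&|(]|\$\(|[[:space:]])\.{1,2}/[^[:space:]]+' "$1" \
        | grep -vE '^[0-9]+:[[:space:]]*#'
}

# Hardened replacement for "./initdb.sh": the helper lives at a fixed,
# absolute path, must be owned by root and must not be group/world writable,
# so the caller's working directory no longer decides what runs as root.
run_helper_safely() {
    helper="$1"
    [ -f "$helper" ] || { echo "helper missing: $helper" >&2; return 2; }
    # Portable permission/owner check via ls -ld (field 1 = mode, 3 = owner).
    set -- $(ls -ld "$helper")
    perm="$1"; owner="$3"
    case "$perm" in
        ?????w*|????????w*)   # group- or world-writable bit set
            echo "refusing $helper: $perm is writable by others" >&2; return 3 ;;
    esac
    if [ "$owner" != "root" ]; then
        echo "refusing $helper: owned by $owner, not root" >&2; return 3
    fi
    "$helper"
}

# How the fixed syscheck block would read (absolute path, checked before use).
start_db_if_needed() {
    if ! pgrep -x initdb.sh >/dev/null 2>&1; then
        run_helper_safely /usr/local/sbin/initdb.sh   # hypothetical fixed path
    fi
}
```

Running audit_relative_exec over the reconstructed syscheck script above reports only the ./initdb.sh line, which is exactly the one a sudoers review should refuse.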