monitoring_site
Presence of the monitoring_site directory was initially discovered by PEAS.
rosa@chemistry:~$ curl -I http://127.0.0.1:8080
HTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Content-Length: 5971
Date: Sat, 19 Oct 2024 22:07:54 GMT
Server: Python/3.9 aiohttp/3.9.1
An internal web application was also identified, apparently running on port 8080.
┌──(kali㉿kali)-[~/archive/htb/labs/chemistry]
└─$ sshpass -p 'unicorniosrosados' ssh rosa@$IP -L 127.0.0.1:8008:127.0.0.1:8080 -N
Since I already have an SSH session as the rosa user, I can use it to tunnel the target's internal port 8080 to Kali's 8008.
Webroot
Only the List Services button works.
It sends out a GET request to the /list_services endpoint.
Then it returns this.
PSPY is running and captured the whole process.
The backend executes the following command:
/bin/sh /usr/sbin/service --status-all
Injection doesn't seem to work, as the command is a hard-coded Python bytes literal (b'...').
Vulnerability
Checking the aiohttp 3.9.1 library reported in the Server header and looking it up online reveals a PoC for CVE-2024-23334.
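The bug class behind CVE-2024-23334 (aiohttp releases before 3.9.2 serving static files with follow_symlinks=True) is a static handler that joins the request path onto the web root and never checks that the result still lies inside that root. The block below is an added example in plain Python, not aiohttp's code or the challenge application: a naive resolver beside a hardened one, exercised against a constructed temporary directory layout (root/, outside/, and a symlink root/link pointing at outside/secret.txt).

```python
import os
import tempfile
from pathlib import Path, PurePosixPath
from typing import Dict, Optional, Tuple


def resolve_naive(root: Path, url_path: str) -> Path:
    """Vulnerable pattern: join the request path onto the web root and trust
    whatever it resolves to; nothing verifies the result is under root."""
    return (root / url_path.lstrip("/")).resolve()


def resolve_contained(root: Path, url_path: str,
                      follow_symlinks: bool = False) -> Optional[Path]:
    """Hardened pattern: the lexical '..' check always runs; the on-disk
    symlink check runs unless the operator explicitly opted into symlinks."""
    root = root.resolve()
    parts = [p for p in PurePosixPath(url_path).parts if p not in ("", "/")]
    # Step 1: collapse '..' lexically and require the path to stay under root.
    lexical = Path(os.path.normpath(root.joinpath(*parts)))
    if not lexical.is_relative_to(root):
        return None
    # Step 2: resolve symlinks and re-check, unless escaping symlinks are allowed.
    real = lexical.resolve()
    if not follow_symlinks and not real.is_relative_to(root):
        return None
    return real


def build_fixture() -> Tuple[Path, Path]:
    """Constructed layout (hypothetical): <tmp>/root is the web root,
    <tmp>/outside is not, and root/link is a symlink to outside/secret.txt."""
    base = Path(tempfile.mkdtemp()).resolve()
    root, outside = base / "root", base / "outside"
    root.mkdir()
    outside.mkdir()
    (root / "index.html").write_text("<h1>ok</h1>")
    (outside / "secret.txt").write_text("not for the web")
    (root / "link").symlink_to(outside / "secret.txt")
    return root, outside


def demo() -> Dict[str, bool]:
    """Run both resolvers over the fixture and report which cases escape."""
    root, outside = build_fixture()
    traversal = "/../outside/secret.txt"
    return {
        "naive_escapes": not resolve_naive(root, traversal).is_relative_to(root),
        "hardened_blocks_dotdot": resolve_contained(root, traversal, True) is None,
        "hardened_blocks_symlink": resolve_contained(root, "/link") is None,
        "symlink_allowed_when_opted_in": resolve_contained(root, "/link", True) == outside / "secret.txt",
        "normal_file_served": resolve_contained(root, "/index.html") == root / "index.html",
    }


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case}: {outcome}")
```

Requires Python 3.9+ for Path.is_relative_to and a filesystem that permits symlink creation.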
Moving on to the Privilege Escalation phase.