OS Command Injection
The target internal web application is an administration tool that supports multiple features. One of which appears to be vulnerable toOS_Command_Injection due to the file being sent as a value
Vulnerability is confirmed.
SSH Key Write
Writing Kali’s public SSH key into the ~/.ssh/authorized_keys file
┌──(kali㉿kali)-[~/archive/htb/labs/sea]
└─$ ssh root@sea.htb -i ~/.ssh/id_ed25519
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-190-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/pro
System information as of Sun 11 Aug 2024 06:35:48 PM UTC
System load: 0.74 Processes: 271
Usage of /: 68.9% of 6.51GB Users logged in: 1
Memory usage: 16% IPv4 address for eth0: 10.129.118.101
Swap usage: 0%
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
root@sea:~# whoami
root
root@sea:~# hostname
sea
root@sea:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:3b:14 brd ff:ff:ff:ff:ff:ff
inet 10.129.118.101/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2187sec preferred_lft 2187secSystem Level Compromise