Red panda, an easy rated linux machine, involved a spring boot application vulnerable Server Side Template Injection (SSTI) which was blocking few characters to not allow remote code execution, using any encoder for generating payload for java runtime exec, we get the shell as woodenk user, running pspy a jar file was being executed as root user which was dealing with XML and abusing XXE by performing directory traversal we can read any file as the root user.
NMAP
Nmap scan report for 10.10.11.170
Host is up (0.089s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-US
| Date: Sat, 09 Jul 2022 19:01:58 GMT
| Connection: close
| <!DOCTYPE html>
snip..
|_ Request</h1></body></html>
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-title: Red Panda Search | Made with Spring BootPORT 8080 (HTTP)
On port 8080 we see an animation of a fox having a search bar and the title bar tells us that it’s made on Spring Boot which is a java web framework
I tried some stuff like putting a single quote ' to see if there's sqli or some command injection
Fuzzing for files with gobuster we find an endpoint /stats
This shows two potential usernames damian and woodenk, clicking on either one of them will show us an option to export table and a GET parameter author
I tried fuzzing for LFI through a payload list which failed as well
On clicking Export table it downloads an xml file
Foothold
But we can’t really change the contents of xml so there’s no chance ofXXE, testing for SSTI it was vulnerable to Thymeleaf which is a template engine for spring boot, testing it with @{7*7]
So we know that it’s vulnerable to SSTI, let’s try to get RCE and look for any payloads if there are
But this payload didn’t worked and gave an error that there are banned characters
I tried different fragment expressions
And * this one worked with our payload
For getting a reverse shell I tried bunch of things, encoding the reverse shell with base64 and sending it off but I didn't get a connection back
I searched around for ways to generate java runtime exec payloads and found an encoder for that
Stabilizing the shell with python3
Since we are in logs group, I checked if this group has access anywhere
The reason we are in this group is because the panda search is application is being ran as woodenk as user and with logs group
Checked for sudo -l which was asking for a password
I transferred linpeas to enumerate the machine
It didn't found anything but pspy we can see something running in background as root user
Privilege Escalation
In /opt , we can see a clean up script removing every jpg and xml files from every publicly writable directory
We can check the source code of panda search MainController.java
In the source code we can see that it's looking for either damian_creds.xml or woodenk_creds.xml in /credits and reading the contents
We can find the password of woodenk user here
But it was useless as we wouldn't be in the logs group also this file isn't important as the one which is running as root through cronjob is credit score /opt/credit-score/LogParser/final/src/main/java/com/logparser/App.java
First it's going to set arguments from the log file from which it can parse the values and separate them with ||
In IsImage function it's going to check for a jpg image extension file , will come back to it later
From getArtist function it's going to read the meta data of the image specifically the name of Artist of the image
Lastly the main function from which the code will start from which wiil read the uri part from the log file separated by ||, it will check if there's a jpg image file in the uri, if there is , it's going to fetch the artist name of the image file and it's going to send the value to addviewto function which will check if the uri of the image is the similar the one present in the xml file
So to perform the XXE, first we need to make jpg image file point to an artist name and it could be any name so I’ll be setting it to uwu but we don't have write permissions in the directory where the source code is running so we'll need to perform directory traversal to /home/woodenk
For the xml file we need to name it artist + creds.xml, so it's going to be uwu_creds.xml also we need to add the location of the image in uri and this needs to be the same as the one in the log file
Method 1
Transfer both the image and xml file in woodenk’s home directory
Now to add the uri of this image file we’ll perform a directory traversal from /clients as the path is hard coded /opt/panda_search/src/main/resources/static + uri , here uri is our input where we'll perform directory traversal to our image file location /home/wendook/smooch.jpg
echo "200||10.10.14.36||Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:101.0) Gecko/20100101 Firefox/101.0||/../../../../../../../../../../home/woodenk/smooch.jpg" > ./redpanda.logAfter waiting for some time we’ll see the root ssh key being reflected in uwu xml attribute which we set
Method 2
The second way is also with XXE but it’s with blind SSRF which is also known as out of band XXE, through which we’ll get the root flag by transferring an xml file having an entity to make a request to our server with the entity having the flag contents as a parameter being passed on to our hosted xml having the entities to load the contents
We’ll transfer this on the target machine
And host this xml file on our python server
