Hackthebox – Noter Walkthrough

Run an nmap scan to see which ports are open and which services are running on those ports.

-sC: run default nmap scripts

-sV: detect service version

The result shows that three ports are open.

  • Port 21 running FTP
  • Port 22 running SSH
  • Port 5000 running HTTP

Visit the HTTP service.

Register with junk credentials.

We are able to log in after registering.

We expect ffuf to turn up some interesting directories, but it finds nothing of interest. Navigating the tabs on the page does not reveal anything useful either.

Inspect the page. The session cookie has the JWT format. Let’s visit JWT.io and inspect the cookie.

Although it looks like a JWT, JWT.io reports an invalid signature, which means the cookie is not a valid JWT.

The nmap result showed that the HTTP service runs on Werkzeug, which means the application uses Flask. That’s why we need a Flask session cookie decoder.

Let’s google it.

We see that the cookie format matches Flask’s session cookie, which is signed with a secret key. So we use the flask-unsign tool to fetch, decode and brute-force the session cookie in order to recover the secret key.

https://github.com/Paradoxis/Flask-Unsign

After running the command, we get the secret key.

Now we need a valid username. But first, let’s look at the responses in two cases.

Case 1: Login with invalid username and password

Case 2: Login with valid username and invalid password.

When we log in with an invalid username and password, the response is different from the one we get when we log in with a valid username and an invalid password. This difference matters because the script we write next will use it to identify valid usernames.

The script tries usernames one by one; when the server responds with “Invalid login”, the username exists and is added to the list of valid usernames.
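The two responses above form a username oracle. As an added illustration (not code from the Noter box or this walkthrough), here is that vulnerable login pattern beside a hardened version that returns a single message and does the same hashing work on both failure paths, plus the check a reviewer would run to flag the difference; the user store, usernames and passwords are constructed sample data.

```python
import hashlib
import hmac
import os

PBKDF2_ROUNDS = 50_000


def _hash(password: str, salt: bytes) -> bytes:
    # PBKDF2 so the cost is the same whether or not the user exists
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


# Constructed sample user store: username -> (salt, password hash)
_SALT = os.urandom(16)
USERS = {"blue": (_SALT, _hash("correct-horse", _SALT))}

# Dummy record used for unknown users so the hardened path does equal work
_DUMMY_SALT = os.urandom(16)
_DUMMY = (_DUMMY_SALT, _hash("not-a-real-password", _DUMMY_SALT))


def login_vulnerable(username: str, password: str) -> str:
    """Distinct failure messages reveal whether the username exists."""
    if username not in USERS:
        return "Invalid credentials"
    salt, stored = USERS[username]
    if _hash(password, salt) != stored:
        return "Invalid login"
    return "OK"


def login_hardened(username: str, password: str) -> str:
    """One failure message, and a hash is always computed, even for unknown users."""
    salt, stored = USERS.get(username, _DUMMY)
    ok = hmac.compare_digest(_hash(password, salt), stored)
    return "OK" if ok and username in USERS else "Invalid credentials"


def leaks_user_existence(login, known_user: str = "blue") -> bool:
    """Reviewer check: does an unknown user get a different response than a
    known user with a wrong password? True means the handler is an oracle."""
    unknown = login("no-such-user-zz", "wrong-password")
    known_bad = login(known_user, "wrong-password")
    return unknown != known_bad
```

Message text is only half of it: the dummy hash in the hardened version keeps response time similar on both paths, so timing cannot be used as the oracle instead.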

After waiting a while, we get a username called “blue”.

Let’s generate a cookie for user “blue”.

Paste the cookie via “Cookie Editor”, save it and refresh the page.

Perfect! We are in as user blue.

Enumerating the pages.

We find credentials at note/1.

We know that an FTP service is running. Let’s log in.

We are now able to download the file policy.pdf.

It reveals the password policy, which makes it easier for us to guess passwords.

Line 4 on Password Protection is what we need.

So, the password specified in the policy should look like the one below.

Superb! We are in as ftp_admin now.

Download all the files and inspect them locally.

Unzip both zip files and examine the difference between the two by using “diff”.

By doing that, we are able to get new credentials.

As we continue examining the files, md-to-pdf catches our attention. It is a feature that exports Markdown to PDF and vice versa.

This library is the attack vector: according to CVE-2021-23639, it allows remote code execution.

https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880

We edit the remote code execution payload.

Run the python HTTP server.

Set up netcat listener on port 9999.

Export the malicious md file.

Perfect! We successfully get a reverse shell as user svc.

Upgrade the shell to a full interactive shell.

Get the user.txt flag.

Since we have the root credentials for the MySQL database, we keep looking for something related to MySQL in order to escalate our privileges.

Searching for MySQL privilege escalation techniques leads us to a page on exploit-db. It is a dynamic library for local privilege escalation through MySQL when MySQL runs with root privileges.

https://www.exploit-db.com/exploits/1518

Download the library.

Rename it.

Compile it as shown on the page.

Download the compiled file into the box.

Log in to the database as root.

At the end we get an error saying the data is too long for the column.

So we try compiling it on the box. To do so, we download the C file.

And compile it again.

And then, we follow the steps shown on the page.

We execute the commands one by one.

After executing the commands, we successfully get our reverse shell as the root user.

And capture the root.txt flag.

Thank you for your time.