Inject

Enumeration

An Nmap scan of the host shows two open ports: SSH on port 22 and HTTP on port 8080.

Looking at the webpage, the Blogs link leads to a page with no useful information, and the login and sign-up pages are of no use either. However, we are able to upload a file using the Upload link in the top right corner of the page.

When we upload an image, the site gives us a link to the location of the uploaded image.

Clicking on that link, we get a 500 error if the image file is broken, and the image itself is displayed if the file is OK. In both cases we can see the URL of the uploaded file, as shown below.

The URL contains an "img" parameter, which suggests a possible LFI (local file inclusion). To confirm this we can fire up Burp Suite and try known LFI payloads.

Foothold

As suspected, the website is vulnerable to LFI, and as seen above we are able to dump the /etc/passwd file.
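From the defender's side, the same "img" parameter is where this attack shows up in the web server's access logs. The following Python script is an added example, not part of the original writeup: it parses access-log lines, decodes the img value (including double encoding), and reports every request whose path would resolve outside the upload directory. The /view endpoint, the upload root and the log lines are constructed assumptions.

```python
import posixpath
import re
from urllib.parse import parse_qs, unquote, urlparse

# Constructed sample access-log lines; the /view endpoint and the upload root
# below are assumptions, not values taken from the writeup.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /view?img=cat.jpg HTTP/1.1" 200 5120
10.0.0.9 - - [01/Jan/2024:10:00:03 +0000] "GET /view?img=../../../../etc/passwd HTTP/1.1" 200 1917
10.0.0.9 - - [01/Jan/2024:10:00:07 +0000] "GET /view?img=..%252f..%252fhome/frank/.m2/settings.xml HTTP/1.1" 200 420
10.0.0.5 - - [01/Jan/2024:10:00:09 +0000] "GET /view?img=broken.png HTTP/1.1" 500 0
"""
UPLOAD_ROOT = "/var/www/uploads"  # assumed directory the img parameter is served from
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def decode_fully(value, max_rounds=3):
    # Undo repeated percent-encoding (%252f -> %2f -> /) so double-encoded
    # traversal sequences are not missed by the check below.
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def is_traversal(raw_value, upload_root=UPLOAD_ROOT):
    # True when the img value would resolve to a path outside upload_root.
    value = decode_fully(raw_value).replace("\\", "/")
    if "\x00" in value:  # null-byte truncation is never a legitimate filename
        return True
    resolved = posixpath.normpath(posixpath.join(upload_root, value))
    return not (resolved == upload_root or resolved.startswith(upload_root + "/"))

def find_lfi_attempts(log_text):
    # One record per request whose img parameter escapes the upload directory.
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = parse_qs(urlparse(m["target"]).query, keep_blank_values=True)
        for img in query.get("img", []):
            if is_traversal(img):
                hits.append({"ip": m["ip"], "img": img,
                             "decoded": decode_fully(img), "status": m["status"]})
    return hits
```

The same `is_traversal` check, applied server-side before opening the file, is the fix for the bug the writeup exploits: resolve the requested name against the upload root and refuse anything that lands outside it.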

I enumerated for SSH key files but they don't exist. In the passwd file there are three real users (root, frank, phil), and we can read the home directories of two of them.

Checking frank's home directory, we find a hidden .m2 folder with a settings.xml file in it. The file contains a username and password for phil, but the credentials didn't work for SSH login.

So I needed to enumerate further. After more enumeration I discovered that the web application is built with Apache Maven, and its root directory contains a pom.xml file which lists the dependencies in use and their installed versions.

One of the dependencies, springframework.cloud, is at version 3.2.2, which is affected by CVE-2022-22963.

I found a working PoC in this GitHub repo.

User Flag

To use the script, we have to create a reverse shell payload and serve it from a local web server. In this case I created a revshell.sh file and served it with a Python HTTP server, then used wget on the target to fetch the file, changed its permissions to allow execution, and ran the script.

Once executed, we get a reverse shell as the user frank.

As frank we can't read phil's files, including the user.txt file. However, using the password we discovered in the settings.xml file, we are able to switch user to phil and read the user.txt flag.

Privilege Escalation

To escalate privileges, I first uploaded pspy, which lets us see all running processes, including root's.

From the output we see an ansible-playbook process running, and a playbook_1.yml file in /opt/automation/tasks being deleted and re-added by root.

Checking the playbook_1.yml file below, we can't edit it because it was created by root, but we can view it.

Reading up online, I came across this article, which gave me an idea for exploiting this.

I created an evil.yml file in that directory containing the reverse shell payload.

With a listener running, I ran the command /usr/bin/python3 /usr/bin/ansible-playbook /opt/automation/tasks/evil.yml and became root.