Autorecon runs, I curl the headers for seperate ports.

9999 gives nothing

Description of image

1111 shows info

Description of image

So does 5000.

Description of image

5000 seems to be the most promising. I should say I got this info from the original Autorecon scan, but that hasn’t finished yet. Port 1111 mentions an href for “database.db”. I’m wondering if that where the uploaded data on port 5000 doesn’t end up…

Autorecon came back

Description of image

Nothing super interesting. Lets check the service enumeration for version numbers etc.

One thing I noticed in the tree was a screenshot was taken for port 1111 which seems to be an accessible directory

Description of image

I visit the port and the site and click the link and get a db download

Let’s check it out

Description of image

Ok, there might be something here

Within the user database I find a ton of usernames with hashes for passwords

Description of image

I also find a table called structure with various cif files, which makes me wonder because on port 5000 there was a mention of uploading these files. However, I also know there are many other people with access to this box, so maybe they uploaded these files

Description of image

I poke around a bit and find out there is a critical remote code execution vuln regarding CIF files and a python library called pymatgen which analyzes materials. The issue comes from the insecure use of eval() in a specific method that utilizes eval() to process input. It is CVE-2024-23346. This should be my way in.

I stumble around for a bit trying to confirm RCE. I decide to have the remote server reach out and pull a file from me to confirm. Once I uploaded the malicious cif I stood a up a python server on my machine and sure enough the remote server reached out. So we have RCE.

Description of image

Description of image

Ok. Now to craft a shell and see if we catch it.

I try numerous ways to get a shell with no dice. However, I decided if it will reach out to grab a file, I can get it to send me one with netcat, successfully got it to send me the passwd file :)

Description of image

Remember back when I got that db file that had users and what seems to be hashes in it? This is good, because cross referencing it with the passwd file I find two users that actually exist

Description of image

So we know Rosa and App are actual users

Now that I narrowed down the list I am going to use hashcat to try to crack either app or rosa.

Description of image

Bingo! That grey box is the password. The app account did not produce anything.

Tried to ssh in as rosa with the cracked creds, success :)

Description of image

Post Foothold

I stumble around for a while before discovering there is an app working locally that wasnt present during initial scans. The port is 8080.

Description of image

When I curl the port I see it’s running an http server I hadn’t seen before

Description of image

A quick google search shows this is vulnerable to a LFI/Path traversal vulnerability CVE-2024-23334. Once I get the PoC, which is a bash script, I stumble around trying to get a useful file. Eventually I land on ssh keys for root!

Description of image

Copied and pasted into a file on my local machine and… Description of image

Owned :)