...
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 0d:ed:b2:9c:e2:53:fb:d4:c8:c1:19:6e:75:80:d8:64 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMApl7gtas1JLYVJ1BwP3Kpc6oXk6sp2JyCHM37ULGN+DRZ4kw2BBqO/yozkui+j1Yma1wnYsxv0oVYhjGeJavM=
| 256 0f:b9:a7:51:0e:00:d5:7b:5b:7c:5f:bf:2b:ed:53:a0 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXtxiT4ZZTGZX4222Zer7f/kAWwdCWM/rGzRrGVZhYx
80/tcp open http syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods:
|_ Supported Methods: GET HEAD OPTIONS
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Editorial Tiempo Arriba
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
...
Only two open ports, 22 (SSH) and 80 (HTTP), so most likely the initial foothold will be achieved by exploiting a web vulnerability.
Upon visiting the website hosted on port 80, I noticed the Publish with Us page that had a file upload feature. I attempted to upload a PHP reverse shell; however, after opening the image preview, I found that the file had been renamed and its extension was stripped.
Next, I decided to intercept the preview request using Burp Suite to understand what was going on. I attempted to redirect the upload to my own machine, setting up a Python HTTP server to receive the image.
Uploading the image to http://localhost:80 returned the default preview icon. The web app was trying to fetch the image, but it couldn't access it, resulting in the fallback to the default icon.
This made me think there's another app running on an internal port, so I started scanning using Burp Suite's Turbo Intruder.
As I suspected, internal port 5000 was open and returned a file.
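The preview feature fetched whatever URL it was handed, which is how it reached the internal service on port 5000. As an added example (not code from the original post or from the target application), here is a server-side validator in Python that such a fetcher could run before issuing the request: only http/https is accepted, the host is resolved first, and every resolved address must be globally routable, so both http://localhost:80 and 127.0.0.1:5000 are refused. The function names and the scheme allow-list are assumptions.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Added example, not code from the original post or from the target app.
# A server-side "fetch this image for a preview" feature is an SSRF sink when
# it follows any URL the client supplies. Resolve the host first and refuse
# every address that is not globally routable.

ALLOWED_SCHEMES = {"http", "https"}  # assumption: previews are only HTTP(S)


def is_public_address(ip_text: str) -> bool:
    """True only for globally routable unicast addresses: loopback, private,
    link-local, multicast and unspecified addresses all return False."""
    ip = ipaddress.ip_address(ip_text)
    # ::ffff:127.0.0.1 is loopback in disguise; judge it by its IPv4 form.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return ip.is_global and not ip.is_multicast


def resolve_host(hostname: str) -> list[str]:
    """Every address (A and AAAA) the host maps to; IP literals pass through."""
    infos = socket.getaddrinfo(hostname, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def validate_fetch_url(url: str, resolver=resolve_host) -> tuple[bool, str]:
    """Return (allowed, reason). The resolver is injectable so tests run offline."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, f"scheme not allowed: {parts.scheme!r}"
    if parts.username or parts.password:
        return False, "credentials in URL are not allowed"
    host = parts.hostname
    if not host:
        return False, "missing host"
    try:
        addresses = resolver(host)
    except (socket.gaierror, ValueError):
        return False, f"cannot resolve host: {host!r}"
    # All records must be public: a name with one public and one internal
    # record is rejected as a whole, which also blunts DNS-rebinding tricks.
    for addr in addresses:
        if not is_public_address(addr):
            return False, f"{host!r} resolves to non-public address {addr}"
    return True, "ok"
```

Connect to the validated address rather than re-resolving the name at request time; otherwise a record that changes between the check and the fetch bypasses the validation.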
I downloaded the file, and it contained information about the available API endpoints.
{
  "messages": [
    {
      "promotions": {
        "description": "Retrieve a list of all the promotions in our library.",
        "endpoint": "/api/latest/metadata/messages/promos",
        "methods": "GET"
      }
    },
    {
      "coupons": {
        "description": "Retrieve the list of coupons to use in our library.",
        "endpoint": "/api/latest/metadata/messages/coupons",
        "methods": "GET"
      }
    },
    {
      "new_authors": {
        "description": "Retrieve the welcome message sended to our new authors.",
        "endpoint": "/api/latest/metadata/messages/authors",
        "methods": "GET"
      }
    },
    {
      "platform_use": {
        "description": "Retrieve examples of how to use the platform.",
        "endpoint": "/api/latest/metadata/messages/how_to_use_platform",
        "methods": "GET"
      }
    }
  ],
  "version": [
    {
      "changelog": {
        "description": "Retrieve a list of all the versions and updates of the api.",
        "endpoint": "/api/latest/metadata/changelog",
        "methods": "GET"
      }
    },
    {
      "latest": {
        "description": "Retrieve the last version of api.",
        "endpoint": "/api/latest/metadata",
        "methods": "GET"
      }
    }
  ]
}
/api/latest/metadata/messages/authors was very useful, since it contained some credentials.
Welcome to the team! We are thrilled to have you on board and can't wait to see the incredible content you'll bring to the table.
Your login credentials for our internal forum and authors site are:
Username: <redacted>
Password: <redacted>
Please be sure to change your password as soon as possible for security purposes.
Don't hesitate to reach out if you have any questions or ideas - we're always here to support you.
Best regards, Editorial Tiempo Arriba Team.
I just logged into the machine with those credentials using SSH and claimed the user flag.
I explored the /apps directory and discovered a .git repository, so I began looking for any clues that could potentially lead to privilege escalation. Finally, I found some credentials for the prod user.
I logged in as the prod user, and things immediately looked promising: the user has limited sudo privileges.
At this point, I hit a rabbit hole, spending a huge amount of time trying to exploit the script to gain root privileges, but without success. While reviewing the installed package versions, I discovered that GitPython 3.1.29 is installed, which is vulnerable to CVE-2022-24439. This vulnerability finally allowed me to claim the root flag.