CTF-200-08

This machine was part of an OffSec CTF in August 2023.

Information

This particular challenge was trivial: once enumeration was complete, the rest was history.

Name: CTF-200-08
Difficulty: Intermediate
Community Rating: Hard

Enumerated Ports & Services

Port   Description                          Protocol
8090   HTTP web application (Confluence)    TCP(6)
8091   HTTP (unidentified)                  TCP(6)

Findings

Opening port 8090 in a browser brought up a Confluence login page. The version number is shown in the page footer, and a quick search showed that this version is vulnerable to an unauthenticated remote code execution (RCE) bug, CVE-2022-26134 (OGNL injection), for which a public exploit is available.
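The version check described above, as an added example that is not from the original writeup: it pulls the build number out of the footer of a Confluence login page and compares it with the releases Atlassian shipped fixed for CVE-2022-26134. The HTML fragment is a constructed stand-in modeled on the Confluence footer markup (the span id footer-build-information is an assumption about that markup, not something shown on this page); against a live target you would pipe in `curl -s http://TARGET:8090/login.action` instead.

```shell
#!/bin/sh
# Added example, not from the original writeup. Pulls the Confluence build
# number out of a login page and checks it against the fixed releases for
# CVE-2022-26134. Offline: SAMPLE_HTML is a constructed stand-in for
#   curl -s http://TARGET:8090/login.action
# modeled on the footer markup (the span id is an assumption about that markup).

SAMPLE_HTML='<section class="footer-body"><ul id="poweredby"><li class="noprint">Powered by <a href="https://www.atlassian.com/software/confluence">Atlassian Confluence</a> <span id="footer-build-information">7.13.6</span></li></ul></section>'

# Releases that contain the fix, per the Atlassian advisory for CVE-2022-26134.
FIXED_VERSIONS="7.4.17 7.13.7 7.14.3 7.15.2 7.16.4 7.17.4 7.18.1"

# confluence_version: read page HTML on stdin, print the first dotted version
# that follows the footer-build-information span (empty if none found).
confluence_version() {
  grep -oE 'footer-build-information[^>]*>[0-9]+(\.[0-9]+)+' \
    | grep -oE '[0-9]+(\.[0-9]+)+' | head -n 1
}

# version_ge A B: succeed when dotted version A >= B, comparing each
# component numerically (so 7.13.10 > 7.13.9, unlike a string compare).
version_ge() {
  local a b x y
  a=$1; b=$2
  while [ -n "$a" ] || [ -n "$b" ]; do
    x=${a%%.*}; y=${b%%.*}
    case $a in *.*) a=${a#*.} ;; *) a='' ;; esac
    case $b in *.*) b=${b#*.} ;; *) b='' ;; esac
    if [ "${x:-0}" -gt "${y:-0}" ]; then return 0; fi
    if [ "${x:-0}" -lt "${y:-0}" ]; then return 1; fi
  done
  return 0
}

# cve_2022_26134_status VERSION: print "fixed" or "vulnerable".
# A version is fixed if it is at or above the fixed release of its own
# major.minor branch, or newer than the newest fixed release altogether
# (later feature releases shipped patched). Anything else, including
# branches that never received a fix, is treated as vulnerable.
cve_2022_26134_status() {
  local v fix branch
  v=$1; branch=${v%.*}
  for fix in $FIXED_VERSIONS; do
    if [ "${fix%.*}" = "$branch" ]; then
      if version_ge "$v" "$fix"; then echo fixed; else echo vulnerable; fi
      return 0
    fi
  done
  if version_ge "$v" 7.18.1; then echo fixed; else echo vulnerable; fi
}

# Usage: printf '%s' "$SAMPLE_HTML" | confluence_version   -> 7.13.6
#        cve_2022_26134_status 7.13.6                      -> vulnerable
```

The footer string is only a hint: an admin can hide it, and a reverse proxy can sit in front of a different build, so treat "vulnerable" as a reason to try the exploit, not as proof.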

RCE / CVE-2022-26134

After starting msfconsole, I searched for exploits related to Confluence (search confluence).

This yielded multiple results, but based on the earlier research the OGNL injection module (exploit/multi/http/atlassian_confluence_namespace_ognl_injection) is the correct one for this version.

Once the module returned a shell, I enumerated the home directory of the user the reverse shell was running as. After grabbing the first flag, I spawned an interactive bash shell back to a second nc listener for a more comfortable working environment.

Privilege Escalation

After running linPEAS on the system, nothing stood out at first glance. Next I ran pspy to watch which processes were being spawned. After a few minutes I observed a backup script running with UID 0, i.e. as root: the grand master, the administrator, the god, the supreme overlord, the ultimate authority...

Later I confirmed that the linPEAS output had in fact listed the log-backup.sh script, and that I had full permissions on it all along... :(

After confirming read/write permissions on the backup script, I echoed a one-liner reverse shell into it so that the next scheduled run would escalate my privileges and give me access to the system as root:

Now wait for the cron job to execute the backup script... 3, 2, 1...

Got my reverse shell with root privileges and access to the proof.txt flag :)

Final Notes

It's important to continuously research your targets and the software running on them. Whether it's a web server, a locally installed application, or a service, the more you enumerate and research, the better you will become at formulating an attack plan. If one path doesn't work, keep enumerating until you find the weak spot!
