Nmap gives us 2 open ports
nmap --open -sC -sV 10.10.11.170
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
| 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
8080/tcp open http-proxy syn-ack
|_http-title: Red Panda Search | Made with Spring Boot
|_ Supported Methods: GET HEAD OPTIONS
Looking at port 8080, we get a page to search for pandas.
We can see a search field that we can use. When I searched for a word, I saw the input being reflected in the results page. So I started testing this for different vulnerabilities. After a couple of tries I got an interesting result when I used (1+1) as the payload.
The expression got evaluated and it resulted in 2. Right away I knew I was dealing with an SSTI (Server Side Template Injection) vulnerability. So I kept trying different payloads to identify which templating engine it uses.
After a couple of tries, I was able to identify that it's using Java.
NOTE: If you look for a Java payload, you would see that they all have $ at the beginning. But this doesn't. The reason for that is that while I was trying different payloads, I came to notice that some characters are banned, i.e. _, so I had to find a payload that doesn't contain these. Therefore, I replaced the $ with * and it worked.
After looking around, I was able to get a reverse shell with this payload.
You can get all the SSTI payloads I used from here.
Running pspy, I saw a cron is running. It was invoking a Java application in the /opt/ directory. Therefore, I looked into that directory and found the source code of the panda search application in
Looking at the source code, I saw what this was doing. A couple of things to notice:
1. Looking at the main() function, we can see it's loading the log file in /opt/panda_search/redpanda.log and passing it to the parsLog() function. Looking at that function, it just gets a line and splits it according to a delimiter.
2. Once it's parsed, the value of uri is passed to the getArtist() function to get the name of the artist. The way it does that is that it loads the image from the path given by uri and looks in the metadata for an entry called Artist. Once it finds one, it returns the value of that tag.
3. Then an XML file is updated according to the artist's name from the addViewTo() function. Here we can see that it's using SAXBuilder to edit the XML file.
If we look at vulnerabilities for this library, we can find an XXE (External Entity Injection) vulnerability from a crafted HTTP request that allows us to read arbitrary files.
Snyk Vulnerability Database | Snyk
Now that we know this, we can put the pieces together and start to exploit this. For that, first we have to add an entry to the redpanda.log file, because that's where the application gets the location of the image path.
echo "200||10.10.14.101||Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0||/../../../../../../../tmp/kavi.jpg" >> redpanda.log
If you look at how that path is used, you can see there is no input validation done. It's just appending the path we provide. So we can use ../../../../ to escape from that directory and specify an image we need.
After that we have to add a metadata entry named Artist and set the name. Looking at the source, we can see there is no input validation here either. So we can use the same trick to specify an XML file we need.
We can add the entry with
exiftool -Artist=../../tmp/kavi kavi.jpg
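As an added defensive example (not code from this writeup or from the Red Panda application), the Python below shows the two checks the parsing chain described above lacks: the uri field of a redpanda.log line and the Artist value are each resolved against a base directory and rejected if the result escapes it. The base directories, the sample log lines and the artist names are constructed for the example; only /opt/panda_search and the || delimiter come from the page.

```python
import os

# Assumed base directories for the example; the page only names /opt/panda_search.
IMG_BASE = "/opt/panda_search/static"   # where image uris are resolved (assumption)
XML_BASE = "/opt/panda_search/credits"  # where <artist>_creds.xml lives (assumption)
DELIM = "||"  # field separator seen in the redpanda.log line above

def parse_log_line(line):
    """Split one redpanda.log line into its four fields; None if malformed."""
    parts = line.rstrip("\n").split(DELIM)
    if len(parts) != 4:
        return None
    status, ip, user_agent, uri = parts
    return {"status": status, "ip": ip, "user_agent": user_agent, "uri": uri}

def safe_join(base, untrusted):
    """Join untrusted onto base and refuse any result that leaves base."""
    candidate = os.path.normpath(os.path.join(base, untrusted.lstrip("/")))
    if os.path.commonpath([base, candidate]) != base:
        raise ValueError("path escapes %s: %r" % (base, untrusted))
    return candidate

def check_log_entry(line):
    """Classify a log line as 'ok', 'malformed' or 'traversal'."""
    entry = parse_log_line(line)
    if entry is None:
        return "malformed"
    try:
        safe_join(IMG_BASE, entry["uri"])  # same check the app should do before reading the image
    except ValueError:
        return "traversal"
    return "ok"

def credits_path(artist):
    """Resolve the XML path for an Artist tag; None if the name escapes XML_BASE."""
    try:
        return safe_join(XML_BASE, artist + "_creds.xml")
    except ValueError:
        return None

if __name__ == "__main__":
    # Constructed sample: the injected line from above is flagged as traversal.
    print(check_log_entry("200||10.10.14.101||Mozilla/5.0||/../../../../../../../tmp/kavi.jpg"))
    print(credits_path("../../tmp/kavi"))
```

Both the log line and the image metadata are attacker-controlled inputs, so a line that does not split into exactly four fields is also rejected rather than guessed at.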
Now we need to make the XML file to exploit the XXE vulnerability. Since this is a blind XXE, we can't use a typical payload. We have to use an OOB (Out of Band) technique here.
The concept here is to load a DTD file which contains a malicious XML entity, read the root flag and then make a request to a server we control with the flag set as a parameter.
One thing to note when naming the XML file is that you have to name it with the _creds.xml suffix. That's because the string _creds.xml is appended to the name of the artist. With ../../tmp/kavi being the name of the artist, the location of the XML file is going to be
(Find the payloads from here)
As you see, this will get /root/root.txt and send it to us. Once these files are created, you have to put the XML file in /tmp, which should then contain 2 files: the image and the _creds.xml file. You have to host the kavi.dtd file as well. Once all that's done, you just have to wait for the cron to run.
Once it runs, you should receive the flag at your server.
Contact me through social media:
Email — email@example.com
Instagram — https://www.instagram.com/_kavi.gihan/
Discord — kavigihan#8518
Happy Hacking !!! 😄