Browsing to the webpage on port 8080 lands at a "Zodd Cloud" product page. There seems to be signup and sign in functionality that will be worth exploring.
None of the links work except signup, which lands at an Under Construction page.
Oh, but there is an Upload link kind of hidden at the top right corner of the homepage. Apparently only image files are allowed after I tried to upload a text file. After uploading an image, you get a link to view the uploaded file in the format
This seems like perhaps a fairly standard local file inclusion vulnerability. Some more testing needed to determine exactly how this behaves. Turns out you can upload anything with an image file extension. However, when trying to access non-image files, the server returns an error message that the image could not be displayed. Perhaps there is some blind code injection going on. Using
curl we get an interesting error:
Sure enough, you can access local files using
Phil and Frank are going to be the targets for initial access based on the
After a considerable amount of time trying to upload a file, use webshells, find config files, etc. I finally found
pom.xml which indicates some versions of components. Specifically,
spring-cloud-function-web version 3.2.2 is vulnerable to RCE as part of the Spring4Shell vulnerability.
Using the POC I found here after some searching for POCs, I was able to test command execution with a
Next step is to shell this bad boy. I tried to use my command injection to write to Phil and Frank's authorized key files but without success. Next up is a reverse shell.
After lots of time trying different payloads, I finally was able to get this one working easily. The reverse shell returned was for the
frank user. Within Frank's home directory is a
settings.xml file in the
.m2 directory that has a username and password for Phil.
With this access I added my public key to the authorized keys file to maintain easy access.
Using the password in the file, I was able to
su phil to pivot to the Phil user.
Root's home folder
/root is oddly owned by the
staff group which Phil is part of. This is odd.
Searching for files using
find / -group staff 2>/dev/null reveals the directory
/opt/automation/tasks which looks interesting and related to Ansible. The directory is owned by the
staff group and Phil is part of this group and can write files to the directory. I had a suspicion that Ansible would run any playbook in this directory.
So I created my own playbook.
- hosts: localhost tasks: - name: Checking webapp service shell: "echo $(cat /root/root.txt) > /home/phil/root.txt
Sure enough, after about a minute, my new file ended up in my home directory and had the root key in it!
With this access, you could conceivably write a playbook to do anything including escalate to full root access. That is left as an exercise to the reader.