
Sudo Abuse


2024

HTB CozyHosting: Formal Writeup

1786 words · 9 mins

Synopsis: Cozy Hosting is a project hosting web app served by nginx 1.18.0. Directory busting uncovered a few endpoints, one of which disclosed a user's session cookie; by substituting that cookie for their own, the attacker logged in to the /admin endpoint. That page offered a "check for live hosts" feature that ran SSH under the hood and turned out to be vulnerable to OS command injection. Exploiting it gave the attacker an initial foothold as the user apps. In the /apps directory a Java archive was found; decompiling it revealed the postgres user's password, which was then used to log in to the database. The admin user's password hash was extracted from the database and later cracked with hashcat, and the recovered password allowed an SSH login as the user josh. Once on the host as josh, it was found that this user could run SSH with sudo privileges, which led to sudo abuse and complete compromise of the host.

2023

HTB Busqueda: Formal Write-up

1328 words · 7 mins

Synopsis: The host Busqueda was running a vulnerable web app; by exploiting the app's query parameter the attacker gained RCE and an initial foothold. The attacker then enumerated the system and recovered the password of the user cody, which was reused for the svc account. A further virtual host (VHOST) was discovered running a self-hosted Git service. Using the sudo privileges of the svc user, the attacker was able to dump the configuration files of running Docker containers, which led to the compromise of several additional user passwords. The attacker then logged in to the administrator's Git account and found a number of scripts. One of them, full-checkup.sh, was invoked without its full path specified. The attacker abused this oversight by creating a file named full-checkup.sh in the /tmp directory containing a reverse shell, which gave complete control of the host.