Port 8080 was running an application that handles YAML input.
This was obviously a deserialisation exploit, where the application handles user input without sanitsation and it can lead to code execution. Googling for this led me to this repository.
Based on the PoC, we can first test whether the parser is able to send requests to our host using this script:
This would create a JAR file. Then, we can make the machine download the JAR file using the same method as above to receive callback. This would trigger the command and our listener port would receive a reverse shell as tomcat.
Privilege Escalation
Tomcat Credentials
Since we are tomcat, we should look into the configurations for the Tomcat interface. This can be found within ~/conf/tomcat-users.xml.
We can try an su to the admin user and find that it works with this password.
Sudo Privileges
Since we have the password, we can check for sudo privileges.
The deploy.sh does not have absolute path, so we can create our own script to get a root shell. However, before running that, the script seems to check main.wasm and only runs deploy.sh if it returns 1.
Running the script does not work no matter what for now, so let's investigate main.wasm. WASM is short for Web Assembly, and we can download and decompile the file here:
This would allow us to see the code that is present. Alternatively, we can use wasm-decompile to read it.
export memory memory(initial: 16, max: 0);
global g_a:int = 1048576;
export global data_end:int = 1048576;
export global heap_base:int = 1048576;
table T_a:funcref(min: 1, max: 1);
export function info():int {
return 0
}
The above code seems to do nothing but return 0, so we need to change that 0 to a 1. We can count the bytes and change the byte accordingly using dd.
Afterwards, we can create a deploy.sh file that adds our public key into the /root/.ssh/authorized_key folder and run the sudo command.
