Newsletter 16/05/2023

This machine has a dummy Next.js website that exposes a subdomain in the Content-Security-Policy header. There, we can enumerate third-party dependencies like dompdf. This one is vulnerable to Remote Code Execution. After a lot of enumeration to interact with dompdf, we find a way to get a reverse shell on the system. Then, user root executes a shell script each minute, and the script is vulnerable to command injection, which must be exploited by adding malicious metadata to a temporary file. By chaining these steps, we are able to get a reverse shell as root.

This machine has a WordPress website that uses a plugin that is vulnerable to SQLi. Then we can get password hashes and crack one of them to get access to the WordPress dashboard. The version of WordPress is vulnerable to out-of-band XXE using a WAV file, which allows reading files from the server. Using this vulnerability, we can find plaintext credentials for FTP. In this service we have another PHP file with more plaintext credentials that are valid for SSH. Once inside the machine, we can see some PGP keys and messages that can be decrypted to find the password for root.

This machine has a website that allows analyzing image file metadata with exiftool. However, the version is vulnerable to command injection and can be used to access the system. Then, we find some Windows event logs and a plaintext password as username, probably a mistake. After that, we gain access as another user that is able to execute a binary with sudo, which behind the scenes runs a Perl script that leads to the privilege escalation.

64-bit binary. Blind Format String. Buffer Overflow. ret2libc

Padding Oracle Attack. Custom cipher and padding

JavaScript deobfuscation

64-bit binary. Buffer Overflow. Threads. Canary bypass. ret2libc

DSA. Nonce reuse. Modular arithmetic