Agile

edwards d07867c6267dcb5df0af

edwards:1d7ffjwrx#$d6qn!9nndqgde4

{ "SQL_URI": "mysql+pymysql://superpasstester:VUO8A2c2#3FnLq3*a9DX1U@localhost/superpasstest" }

Creds

Steps:

Enumerate host to find /download which has a fn parameter which is vulnerable to LFI.
Using LFI we can find some files on the system such as /etc/passwd, but no hashes stored there unfortunantly.

Using the LFI we were able to locate a app.py file which contained the following

app.config['SECRET_KEY'] = 'MNOHFl8C4WLc3DQTToeeg8ZT7WpADVhqHHXJ50bPZY6ybYKEr76jNvDfsWD'

Using this secret key we can craft our own signed cookies and become any use in the password application.
User 0 and 1 have credentaisl stored in them.
We are able to gain access to user corum on the machine itself. Initial access complete!
After further enumeration on this system we find a process thats running a remote debugger. It seems to be a chrome remote debugging port.
We forward the port to the local machine and attach to the debugger with chrome.
We can access the "test' vault and gain additional credentials to the dev_admin user, these credentials are listed above. Along with some credentials to mysql.
After checking the sudo version it seems that it is vulnerable to CVE-2023-22809 https://www.synacktiv.com/sites/default/files/2023-01/sudo-CVE-2023-22809.pdf
This part is still confusing but it seems we can do the following: export EDITOR='vim -- /app/venv/bin/activate sudoedit -u dev_admin /file/that/wehave/access/to
Using CVE-2023-22809 we can modify the activate function from venv which will run any additional commands we add to it as root.
I opted to add a user to /etc/passwd file /echo $newUserHash >> /etc/passwd
Now we can run source activate and the line that we added to the activate file should be run as root user.

Last updated 1 year ago