Enumeration

Nmap

The initial nmap scan revealed that SSH and port 8090 were open. Moreover, it showed that port 8090 was serving a Confluence application.


Web Enumeration

Visiting the web page revealed that the Atlassian Confluence application was version 7.13.6.


Exploitation

CVE-2022-26134

In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.

The target version was vulnerable to CVE-2022-26134.


I did some research and found the jbaines-r7/through_the_wire repository, which includes an exploit for this vulnerability.


I simply executed it and obtained the reverse shell.


And I read the user flag.


Privilege Escalation

pspy64 cron job

I executed pspy64 and found out that the target was running a cron job as root.


Then I read the /opt/log-backup.sh file. I also checked its permissions and found out I could write to it.


I simply updated the script to add SUID permission to bash.


And I got root.

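The misconfiguration used above, a root cron job running a script that a low-privileged account can write to, can be audited for on the defensive side. The following is an added example, not part of the original writeup; it assumes the system crontab format with a user column (as in /etc/crontab), and the function names are hypothetical.

```python
import os
import re
import stat
import tempfile

# System crontab line: five schedule fields (or an @keyword), a user column, the command.
CRON_LINE = re.compile(r"^\s*(?:@\w+|(?:\S+\s+){4}\S+)\s+(?P<user>\S+)\s+(?P<cmd>.+)$")


def cron_script_paths(crontab_text, user="root"):
    """Absolute paths named in the commands that cron runs as `user`."""
    paths = []
    for line in crontab_text.splitlines():
        # Comments are skipped; blank lines and VAR=value lines do not match.
        match = None if line.lstrip().startswith("#") else CRON_LINE.match(line)
        if match and match.group("user") == user:
            paths += [tok for tok in match.group("cmd").split() if tok.startswith("/")]
    return paths


def tamper_findings(path, trusted_uid=0):
    """Reasons a non-trusted account could change `path` or replace it via its directory."""
    findings = []
    for target in (path, os.path.dirname(path)):
        try:
            st = os.stat(target)
        except OSError:
            findings.append(f"{target}: missing or unreadable")
            continue
        if st.st_uid != trusted_uid:
            findings.append(f"{target}: owned by uid {st.st_uid}")
        if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
            findings.append(f"{target}: group/world-writable {stat.filemode(st.st_mode)}")
    return findings


def audit(crontab_text, trusted_uid=0):
    """Map each path run by root's cron entries to its findings ([] means clean)."""
    return {p: tamper_findings(p, trusted_uid) for p in cron_script_paths(crontab_text)}


if __name__ == "__main__":
    # Constructed sample: a temp file stands in for the writeup's /opt/log-backup.sh.
    with tempfile.TemporaryDirectory() as tmp:
        script = os.path.join(tmp, "log-backup.sh")
        open(script, "w").close()
        os.chmod(script, 0o777)
        sample = f"PATH=/usr/bin:/bin\n* * * * * root {script}\n"
        print(audit(sample, trusted_uid=os.getuid()))
```

On a real host, pass the contents of the system crontab and keep the default `trusted_uid=0`; any non-empty finding list for a script root executes is the condition described in this section.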
