Port Enumeration

nmap reveals 3 open ports, 22, 5000 and 8000 2e44c942ea1afb746978244686aeb59b.png

NOTE

After ending the machine, I found that the port 8000 isn't supposed to be open, so, I'm omiting what I found in this port, who was the database with the users hashes used to obtain a rosa shell.

Web enumeration

It looks like a app used to scan CIF files, but, I need an account, I can create it acount with the register option. d6660754ef00c6478d256d2dcf156647.png Here in Dashboard, I can upload CIF files. c420748d08d98d8022f18f1bd792ee8b.png After some research, I found a CVE refered to a popular python library used to this tipe of tasks. b3accfa97eb32fa17260c771db0a3bc1.png

RCE CVE-2024-23346

Using the POC code with the example code who the machine gives me, Im able to obtain a shell. 53f822e03a51d1ff2ac6db46fa178c71.png bd7c47673bb393a8ccb0f3be0f93d17a.png This is some type of container, but, here, Im able to found a database with a lot of hashes. 64b67f7941bc96de4ec04cb37893e686.png Using john, I'm able to crack these hashes. 103ef916ae66549ae3603d91965b8696.png With the credentials rosa:unicorniosrosados I'm able to obtain the user shell. bc03c9a849a52d7f6263221ef14df847.png

Privilege scalation

After scaning the local ports, I found something extrange in 8080. 4717063dcf67810c3dd4b92268edd784.png Using ssh, I forwarted the port.

ssh -L 8080:127.0.0.1:8080 rosa@10.10.11.38

With this, I'm able to see who this service is working with aiohttp. a1fa5ebab34811f8eb120a10b32cb523.png This version is vulnerable to LFI. c789c559344f9a3ea8d5b0fc8a506524.png Using this, I'm able to read the root hash, ending the machine. e3fe6d332a09cc28d8fbbafe5e876d03.png