Port enumeration

Using nmap I found 2 open ports.

nmap -p- --open -vvv -sS --min-rate 5000 -Pn 10.129.3.44 -oG allPorts.txt
nmap -p22,80 -sCV 10.129.3.44

caa293334b5009265e2e7a082b289614.png

Web enumeration

The main page brings you a subndomain that didn't work. 7f9ce5c87c43a601d538e499b00daf1c.png Inside this web, I found a CHANGELOG. 145ef1ba578227599822001e35da3707.png This changelog indicates the existence of a Pterodactyl panel using a vulnerable version. ad403e4afb7c0e3626752f777a6a256e.png

Subdomain enumeration

With ffuf I found the subdomain panel. af96f375b974d8bf4ef7451b87551b5a.png Here, I found the Pterodactyl instance indicated in the changelog. 59d34ea0b5ce1bfeb0781b54a26b9faf.png

RCE

Now, I verified that I can access the vulnerable json, comfirmating the vulnerability. 6dbe68191fdc20e0f0328df99e5e06f8.png I used a script to inject the code. f8fceec032305b045a610eb80bbd8e1b.png bfb094239653434d3aef7b555ab93c6d.png

Local enumeration

Inside the .env file I found some database credentials. d5a811bcd0ea3ec52148559cb839bae5.png Inside this database, I found some user hashes.

SELECT * FROM users;

f90e2dc4e90e753dae756d74352d1ea9.png Using john I was able to crack the phileasfogg3 password.

john --wordlist=/usr/share/wordlists/rockyou.txt hashes.txt

ff3d1549e3cc63700f9a9ea0ace17133.png Using this credentials, I can log as user phileasfogg3 with ssh. 948ba66acccc2f61667fdd2fb2c71749.png

Privilege escalation

The user had (ALL) ALL privileges, but with the targetpw flag set meaning sudo would prompt for the root password, not the current user's password. This effectively rendered the broad sudo rule useless without already knowing root's credentials. 9b9adbef912c8fcf1a6f0fb6c044e10b.png While exploring the home directory, I found an email from "headmonitor" to phileasfogg3 warning about suspicious activity related to udisksd, and instructing to report immediately if any signs of compromise were found. This pointed directly toward udisksd as the intended escalation vector. 77b3d582e12b62bd91047c8f80c36584.png I checked the installed version of` udisks2:

udisksd --version

b7f9249074f4f059763552a560a434fa.png The version matched a known vulnerable release affected by a Local Privilege Escalation vulnerability in the udisks2 daemon, specifically related to how it handles mounting filesystem images, allowing an unprivileged user to get udisks2 (running as root) to mount a crafted filesystem and gain root access.

Using the exploit's local mode, I generated a malicious XFS image containing a SUID root shell (or equivalent payload embedded in the filesystem image): ae03d503313ce3d299dfabf14fe13372.png This produced a crafted .img file designed to be mounted via udisks2. Now, Using scp I transfere the image to the victim.

scp -r xfs.image phinleasfogg3@10.129.3.44:/home/phinleasfogg3

Here, I execute the exploit in target mode, to mount the crafted XFS image. Because udisksd performs the mount operation with root privileges and the image's contents (including the SUID binary embedded in it) are mounted onto the filesystem without proper privilege-dropping or sanitization, the SUID-root shell contained inside the image becomes accessible with root ownership and permissions intact once mounted. 4aa415bbee0108ab4d68889a244a5340.png