CyberSecLabs - Casino

⇒ Casino is a medium-difficulty Linux machine that teaches us about:

  • Flask SSTI [ Server Side Template Injection ]
  • SSRF [ Server Side Request Forgery ]
  • sudo SETENV abuse to hijack a Python library being imported (via PYTHONPATH).


Enumerating and performing SSTI

⇒ When we visit the website we find the employees working there and a few more names in the banned list.

  • So we now have a user list:

⇒ After looking around, we see that the search function is vulnerable to SSTI: it evaluates {{7*7}} and returns 49. We then read the items of the Flask config object through the same injection point.

Reference: Server Side Template Injection

  • So we got the secret key: i_L0v3$$$


⇒ We are able to log in as the Erlich user using the secret key we found in the config. When we try to play the game we get the following page:

⇒ Intercepting the request, we notice something interesting: a BTC parameter that contains a URL. We previously saw that port 9000/tcp was filtered, so it may only be reachable locally. We tried to reach it through this request (SSRF) and it worked:

  • On the /admin page there's an option that allows us to execute commands on the system:

  • We ran the id command and saw that commands are executed as the user grey.

  • We popped a shell as user grey:

Privilege Escalation ( grey to carla )

⇒ There's a git repository in the adminPanel folder.

  • Running git show, we find a commit that contains the carla user's password:

carla : >F73SzS36>V$tJmc

  • We switched to carla :

Privilege Escalation ( carla to root )

⇒ We can run a Python script as root through sudo, and the rule also grants us SETENV permissions:

  • Reading the Python script, we see that it only performs simple things; nothing in the script itself is vulnerable.

⇒ But the SETENV permission allows us to set PYTHONPATH when invoking the script through sudo, and Python searches PYTHONPATH entries before the standard library. We can leverage this to hijack the datetime library the script imports.

  • Creating a module file in /dev/shm that contains a Python reverse shell

  • Running the script as root with PYTHONPATH set to /dev/shm:

sudo PYTHONPATH=/dev/shm /opt/
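As an added illustration (not part of the original writeup) of why the SETENV + PYTHONPATH combination matters and how to neutralise it, the script below reproduces the import hijack locally with a harmless marker module in a temporary directory, then shows that running the interpreter with -I (which ignores PYTHON* environment variables) makes the same PYTHONPATH irrelevant. The file names, the victim script and the HIJACKED marker are constructed for this demo.

```python
import os
import subprocess
import sys
import tempfile
from pathlib import Path

# Constructed stand-in for the attacker-controlled module: instead of a
# reverse shell it only sets a marker attribute, which is enough to prove
# which "datetime" the interpreter actually imported.
SHADOW_MODULE_SOURCE = "HIJACKED = True\n"

# Constructed stand-in for the privileged script: it imports datetime and
# reports whether the marker is present.
VICTIM_SCRIPT_SOURCE = (
    "import datetime\n"
    "print(getattr(datetime, 'HIJACKED', False))\n"
)


def datetime_was_shadowed(isolated: bool) -> bool:
    """Run the victim script with PYTHONPATH pointing at a directory that
    contains a fake datetime.py, and return True if that fake module won.

    isolated=True adds python's -I flag, which ignores PYTHON* environment
    variables (and drops the script directory from sys.path), so the
    attacker-supplied PYTHONPATH is never consulted.
    """
    with tempfile.TemporaryDirectory() as tmp:
        shadow_dir = Path(tmp) / "shadow"
        shadow_dir.mkdir()
        (shadow_dir / "datetime.py").write_text(SHADOW_MODULE_SOURCE)
        victim = Path(tmp) / "victim.py"
        victim.write_text(VICTIM_SCRIPT_SOURCE)

        # Same effect as "sudo PYTHONPATH=/dev/shm ..." under a SETENV rule:
        # the caller decides PYTHONPATH for the privileged interpreter.
        env = dict(os.environ, PYTHONPATH=str(shadow_dir))
        cmd = [sys.executable] + (["-I"] if isolated else []) + [str(victim)]
        proc = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
        return proc.stdout.strip() == "True"


if __name__ == "__main__":
    print("plain interpreter, PYTHONPATH honoured ->", datetime_was_shadowed(False))
    print("python -I, PYTHONPATH ignored          ->", datetime_was_shadowed(True))
```

On the host, the equivalent fixes are removing SETENV from the sudoers rule (sudo's default env_reset already drops PYTHONPATH) or making the rule's command invoke the interpreter with -I.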