Twiggy

Writeup for Twiggy from OffSec Proving Grounds

Information Gathering

Service Enumeration

sudo ./nmapAutomator.sh 192.168.63.62 all

HTTP (Port 80)

Mezzanine CMS is running.

HTTP (Port 8000)

Doesn't look like anything useful.

But when we look at the response in Burp, we see something interesting.

Looks like this is running salt-api/3000-1.

Exploit

A quick Google search finds that SaltStack 3000.1 (the salt-api/3000-1 banner seen above) is vulnerable to authentication bypass and remote code execution.
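As an added defender-side example (not part of the original writeup), the check below parses a raw HTTP response for the salt-api Server banner the writeup spotted in Burp, extracts the version, and flags the release the writeup names. The sample response is constructed, and the rule "flag anything not newer than 3000.1" is an assumption to confirm against the vendor's advisory for the exact fixed releases.

```python
import re
from typing import Dict, Optional, Tuple

# Constructed sample response (assumption): the writeup shows the banner only
# as a Burp screenshot, so this raw response is modelled on it, not copied.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Content-Type: text/html;charset=utf-8\r\n"
    "Server: salt-api/3000-1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)

# The release the writeup identifies as vulnerable (SaltStack 3000.1).
FLAGGED_VERSION = (3000, 1)


def parse_headers(raw: str) -> Dict[str, str]:
    """Split a raw HTTP response into a lowercase-keyed header dict."""
    head = raw.split("\r\n\r\n", 1)[0]
    headers: Dict[str, str] = {}
    for line in head.split("\r\n")[1:]:  # skip the status line
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return headers


def salt_api_version(server_header: str) -> Optional[Tuple[int, ...]]:
    """Return the salt-api version as an int tuple, or None if absent.
    Accepts both the '3000-1' banner spelling and the '3000.1' release form."""
    m = re.search(r"salt-api/(\d+(?:[.-]\d+)*)", server_header, re.IGNORECASE)
    if not m:
        return None
    return tuple(int(p) for p in re.split(r"[.-]", m.group(1)))


def check_response(raw: str) -> Dict[str, object]:
    """Report whether salt-api is exposed and whether its version is not newer
    than FLAGGED_VERSION (assumed cut-off; verify against the advisory)."""
    headers = parse_headers(raw)
    version = salt_api_version(headers.get("server", ""))
    if version is None:
        return {"exposed": False, "version": None, "flagged": False}
    return {
        "exposed": True,
        "version": ".".join(map(str, version)),
        "flagged": version <= FLAGGED_VERSION,
    }


if __name__ == "__main__":
    print(check_response(SAMPLE_RESPONSE))
```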

However, the script isn't working well and I found a better script.

Nice, looks like it is vulnerable.

Hmm... That didn't work; maybe this machine doesn't have nc.

Seems like our new payload works, and since we are root, there's no need for privesc!
