Private Program – Code Execution.

As the program is private, the program name and endpoints have been replaced. **
Hey guys, today I'll show you how I gained code execution on a HackerOne private program. This is a chain of multiple issues, which were addressed separately and were all marked as Critical/P1. Nice team 😀
This program had an ABC Enterprise installation and a Normal installation, which has fewer features, or say fewer endpoints 😉. The program hosted Enterprise for testers, with admin credentials given, while Normal was available to download and host locally.
Normal Installation
  • Fewer features,
  • Less bounty,
  • Gives a basic idea of how the app is hosted and works on the backend. 🙂
Information I gained using the Normal installation
  • Some internal services.
  • Web app structure.
Some XSS and SSRF were found in the Normal installation, but now I had an understanding of what I was testing.
Let's go ahead and start with the program-hosted Enterprise, with many more features / endpoints.

1 – Critical IDOR

There was an option to download logs. After downloading the logs I started looking into what they contained, and luckily I found a request in the logs:
GET /api/v1/upload?username=xxx&api_key=xxx&dcid=xxx&timestamp=xxx
where other users' api_key was being leaked. Hmm, this is good, but we are working with an admin login right now, so I tried to download the log as a normal user and while unauthenticated, and it got downloaded. Using this IDOR an attacker can download the logs while unauthenticated to the instance and then exploit it further with the api_key retrieved from the logs. So now I could report this one, but I decided to dig into it further.
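The security-relevant point of this finding is that a credential passed as a query parameter lands in the request log, and from there it belongs to whoever can read the log. As an added example (not code from the original program or its team), here is a small Python scanner that flags sensitive query parameters in access-log lines, plus the redaction the logging layer should have applied. The log lines, parameter names and values are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl, urlsplit

# Constructed sample access-log lines (not taken from the program's real logs).
SAMPLE_LOG = """\
10.0.0.5 - - [12/Mar/2018:10:01:22 +0000] "GET /api/v1/upload?username=alice&api_key=5f3c9a1b&dcid=42&timestamp=1520848882 HTTP/1.1" 200 311
10.0.0.9 - - [12/Mar/2018:10:01:25 +0000] "GET /static/app.js HTTP/1.1" 200 8192
10.0.0.7 - - [12/Mar/2018:10:02:01 +0000] "GET /api/v1/upload?username=bob&api_key=77ee00aa&dcid=42&timestamp=1520848921 HTTP/1.1" 200 311
"""

# Query-string parameter names that should never reach a request log (assumed list).
SENSITIVE_PARAMS = {"api_key", "apikey", "token", "password", "passwd", "secret"}

# Pulls the request target out of a common-log-format line.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')

# Matches "?api_key=<value>" or "&api_key=<value>" so the value can be blanked.
SENSITIVE_RE = re.compile(
    r"(?i)([?&](?:%s)=)[^&\s\"]*" % "|".join(map(re.escape, sorted(SENSITIVE_PARAMS)))
)


def find_leaked_credentials(log_text):
    """Return (line_no, param_name, value) for every sensitive query parameter
    found in the request targets of the given log text."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue
        query = urlsplit(match.group("target")).query
        for name, value in parse_qsl(query, keep_blank_values=True):
            if name.lower() in SENSITIVE_PARAMS:
                hits.append((line_no, name, value))
    return hits


def redact_line(line):
    """Blank the value of every sensitive parameter; other lines are untouched."""
    return SENSITIVE_RE.sub(r"\1[REDACTED]", line)


def redact_log(log_text):
    """Apply redact_line to a whole log, preserving line structure."""
    return "\n".join(redact_line(line) for line in log_text.splitlines()) + "\n"


if __name__ == "__main__":
    for line_no, name, value in find_leaked_credentials(SAMPLE_LOG):
        print(f"line {line_no}: {name}={value}")
    print(redact_log(SAMPLE_LOG))
```

Running the scanner against a downloaded log is a quick way to size up a finding like this one: two hits with distinct values means two accounts' credentials, not one. The redaction shows the cheap fix on the logging side; the real fix is to stop accepting credentials in the query string at all, since they also end up in proxy logs and browser history.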
After making a request to:
GET /api/v1/upload?username=xxx&api_key=xxx&dcid=ggg&timestamp=123
I got another URL in the response, which was:
Tried changing the filename for LFD but it didn't work; changed upload to download, still no LFD. Seemed like a dead end :/ But then I thought, let's make an OPTIONS request (read it in someone's write-up).
And GET and PUT were there. Made a PUT request and the server responded with 'Content Length can't be 0'; added raw data, made the request again and the response was 200 OK. Then I added ../../../../../../../../tmp/harsh.txt in the filename and again the response was 200 OK.
Then ../../../../../../../../etc/harsh.txt, and an exception 😀
Permission Denied (/opt/xxx/api/uploads/../../../../../../../../etc/harsh.txt)
^ Not exactly this.
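What the error message gives away is the bug: the upload handler joins the client-supplied filename straight onto its uploads directory, so the `../` components walk out of it and the only thing stopping the write is the filesystem permissions of the process. As an added example (not the program's code), here is that vulnerable join beside the hardened version a handler should use, in Python since the backend was CherryPy. The `/opt/xxx/api/uploads` root mirrors the path in the error message; the `store_upload` and `demo` names are mine.

```python
import os
import tempfile

# Assumed upload directory, mirroring the path shown in the error message above.
UPLOAD_ROOT = "/opt/xxx/api/uploads"


class PathTraversal(ValueError):
    """Raised when a client-supplied filename would escape the upload directory."""


def unsafe_target_path(upload_root, filename):
    """Vulnerable pattern: the client-controlled name is joined straight onto the
    upload directory. '../' walks out of it, and an absolute filename replaces it
    entirely because os.path.join discards everything before an absolute part."""
    return os.path.join(upload_root, filename)


def unsafe_resolved(upload_root, filename):
    """Where the vulnerable pattern actually writes once '..' is collapsed."""
    return os.path.normpath(unsafe_target_path(upload_root, filename))


def safe_target_path(upload_root, filename):
    """Hardened pattern: resolve symlinks and '..' first, then insist the result
    is still strictly inside upload_root (not equal to it, not a sibling)."""
    root = os.path.realpath(upload_root)
    candidate = os.path.realpath(os.path.join(root, filename))
    if candidate == root or os.path.commonpath([root, candidate]) != root:
        raise PathTraversal(f"refusing to write outside {root}: {filename!r}")
    return candidate


def is_traversal(upload_root, filename):
    """True if the hardened check rejects this filename."""
    try:
        safe_target_path(upload_root, filename)
    except PathTraversal:
        return True
    return False


def store_upload(upload_root, filename, data):
    """The PUT handler body as it should be: validate the path, then write."""
    target = safe_target_path(upload_root, filename)
    os.makedirs(os.path.dirname(target), exist_ok=True)
    with open(target, "wb") as fh:
        fh.write(data)
    return target


def demo():
    """Exercise both patterns in a throwaway directory; returns what happened."""
    result = {}
    escape = "../../../../../../../../tmp/harsh.txt"
    with tempfile.TemporaryDirectory() as tmp:
        root = os.path.join(tmp, "uploads")
        os.mkdir(root)
        stored = store_upload(root, "harsh.txt", b"hello")
        result["stored_inside_root"] = stored.startswith(os.path.realpath(root) + os.sep)
        result["vulnerable_would_write_to"] = unsafe_resolved(root, escape)
        result["hardened_blocked"] = is_traversal(root, escape)
        result["absolute_blocked"] = is_traversal(root, "/etc/harsh.txt")
    return result


if __name__ == "__main__":
    print("vulnerable:", unsafe_resolved(UPLOAD_ROOT, "../../../../../../../../tmp/harsh.txt"))
    print(demo())
```

The check is done on the fully resolved path rather than by rejecting the string `..`, because URL-decoded, symlinked or oddly normalised names all collapse to the same place on disk; comparing the resolved candidate against the resolved root catches every variant at once. Note that the "Permission Denied" seen on `/etc` is not a defence, just the process not running as root; anything writable by that user, including the application's own tree, is still reachable.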
At this point I had enough to report:
  • An unauthenticated user can download logs.
  • The logs contain API keys.
  • Using an API key, an attacker can create files on the server (wherever the current user has permission).
And the plot twist:
  • The API key was the password of the admin user itself.

All reported, and got a response from the team.

Code Execution with Server Admin Interaction

So after reporting all the above-mentioned issues, I challenged myself to use this endpoint separately and get code execution.
And within a few minutes I realized that normal user credentials were also accepted at /api/v1/upload, and hence a normal user can create files on the server.
Going back to the logs and the Normal installation to gain info on how this issue could get me code execution.
Realized the web app is started from /opt/xxx/bin/xlink. So this was simple: all an attacker needs to do is overwrite xlink with a reverse shell script and wait for the server admin to restart the server (just make some files unusable, which will force the admin to restart) by doing sh xlink restart/stop/start, and as soon as he triggers this we will have a reverse shell.
This issue was normal user to code execution. Triaged and rewarded as Critical.
Now these 2 bugs finish here. You might have noticed I mentioned “sh xlink restart/stop/start” as the file is not executable. Will continue later with another RCE 😉 which won't require the attacker to wait for the admin to restart the server. 😛 Instead, all an attacker needs to do is visit a URL and enjoy a shell, although this one will require the attacker to have admin access to the web app.
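The root cause that turns the file write into code execution is that the account the web app runs as can overwrite the app's own launcher. As an added example (not from the original program), here is a Python audit that walks an install tree and reports launcher scripts the service account could write, using the same owner/group/other rule the kernel applies. The file names, modes and the `xlink` launcher name are assumptions for the demo; the check only models plain mode bits, not root's bypass of them or POSIX ACLs.

```python
import os
import stat
import tempfile

# Launcher names worth auditing; "xlink" mirrors the post, the others are assumed.
LAUNCHER_NAMES = ("xlink",)
SCRIPT_SUFFIXES = (".sh", ".py")


def mode_allows_write(mode, file_uid, file_gid, uid, gids):
    """Unix DAC rule: exactly one of the owner/group/other triplets applies, chosen
    in that order. An owner without the owner-write bit cannot write even if the
    group or other bit is set. Ignores uid 0 and ACLs (assumption for this demo)."""
    if file_uid == uid:
        return bool(mode & stat.S_IWUSR)
    if file_gid in gids:
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def is_launcher(filename):
    return filename in LAUNCHER_NAMES or filename.endswith(SCRIPT_SUFFIXES)


def find_writable_launchers(install_root, uid, gids):
    """Return paths (relative to install_root) of launcher/script files that a
    process running as uid with supplementary groups gids could overwrite."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(install_root):
        for fn in filenames:
            if not is_launcher(fn):
                continue
            path = os.path.join(dirpath, fn)
            st = os.lstat(path)  # lstat: do not follow symlinks planted by an attacker
            if stat.S_ISREG(st.st_mode) and mode_allows_write(
                st.st_mode, st.st_uid, st.st_gid, uid, gids
            ):
                hits.append(os.path.relpath(path, install_root))
    return sorted(hits)


def demo():
    """Build a throwaway install tree as the current user and audit it as that
    user: bin/xlink is left writable, bin/helper.sh is made read-only."""
    uid, gids = os.getuid(), set(os.getgroups()) | {os.getgid()}
    with tempfile.TemporaryDirectory() as tmp:
        os.mkdir(os.path.join(tmp, "bin"))
        for name, mode in (("xlink", 0o664), ("helper.sh", 0o444), ("notes.txt", 0o666)):
            path = os.path.join(tmp, "bin", name)
            with open(path, "w") as fh:
                fh.write("#!/bin/sh\n")
            os.chmod(path, mode)
        return find_writable_launchers(tmp, uid, gids)


if __name__ == "__main__":
    print(demo())
```

In a real deployment the audit runs as root against `/opt/<app>` with the uid and groups of the CherryPy service account; any hit is a file the web process can turn into persistence the next time an admin runs `sh xlink restart`. The fix is the usual one: the launcher and everything under `bin/` owned by root and mode 0755, with only the upload and data directories writable by the service user.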
Thanks for reading.
Harsh from Bugdiscloseguys!

9 thoughts on “Private Program – Code Execution.”

  1. Hello,
    Congrats,
    How could you overwrite the /opt/xxx/bin/xlink file, since when you tried to overwrite your created file /etc/harsh you got an exception?
    Thanks

    1. The application was installed in /opt/application-folder/*. The current session had permission to overwrite any files under /opt/application-folder/*; ../../../../../../../etc/harsh.txt was to test whether I could do path traversal or not. It might be confusing to most readers, but I also had a local file read vulnerability, so it helped me a lot in exploiting this. Let me know if it is clear or not. @rootxharsh DM

  2. Good find. Didn't understand this part: “You might have noticed I mentioned “sh xlink restart/stop/start” as the file is not executable”.
    Even if you are able to replace the xlink file with your .sh file having a reverse payload,
    why would an admin run this file? Instead he will just restart the apache server with “service apache2 restart”. Thanks.

    1. The server in use was Python CherryPy. What xlink does is start all the services and servers the application needs, such as the internal services they are using: Elasticsearch, PostgreSQL and CherryPy, with their corresponding ports as arguments. The application can only be restarted from xlink. 🙂 If we overwrite it with ours, the next time the server gets restarted we will have our code executed on the server. Let me know if it is clear or not. @rootxharsh DM

      1. Thanks man.
        I think since you had a Normal installation with you, you figured out that xlink is used to start the services. Am I correct?
        Since you installed it locally.
