Post

Proving Grounds - Twiggy

Posted Updated
Preview Image
By H3NDR1CH
2 min read

Twiggy was an insightful machine focused on exploiting a SaltStack vulnerability.

The machine required initial enumeration to identify open services, followed by a specific focus on the web service running on port 8000.

By identifying and leveraging the salt-api service, a known exploit for SaltStack 3000.1 was used to gain access and execute a reverse shell.

This machine provided practical experience in handling and exploiting SaltStack configurations.

Diagram

graph TD
    A[Host Enumeration] -->|Nmap Scan| B[Identify SaltStack]
    B -->|Web Service on 8000| C[Explore SaltStack API]
    C -->|Find Exploit| D[Execute Exploit]
    D -->|Gain Access| E[Execute Reverse Shell]
    E -->|Obtain Access| F[Privilege Escalation]
    F -->|SaltStack Privilege Escalation| G[Capture Evidence]
    G -->|Success| H[Completion]

Information Gathering

Port Scan

  • nmap -sS -Pn -n -T4 -p- --open 192.168.177.62

    Untitled

  • nmap -sVC -Pn -n -p 22,53,80,4505,4506,8000 192.168.177.62

    Untitled

Enumeration

HTTP 8080

So i decided to try access some url’s that are mistaken on purpose.

  • http://192.168.177.62:8000/localPowered by CherryPy 5.6.0

    Untitled

  • feroxbuster -u http://192.168.177.62:8000 -k -C 404,403,500 --wordlist=/usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -X .php -t 100

    Untitled

  • http://192.168.177.62:8000/login → Says “Please log in”

    Untitled

  • curl -X POST http://192.168.177.62:8000/login -d "username=admin&password=admin" → Unauthorized

    Untitled

  • Intercepting the login request in the burp

    Untitled

    Untitled

  • Verifying the response of the requisition

    1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16

      HTTP/1.1 200 OK
  Server: nginx/1.16.1
  Date: Thu, 04 Jul 2024 20:29:32 GMT
  Content-Type: application/json
  Content-Length: 43
  Connection: close
  Access-Control-Expose-Headers: GET, POST
  Vary: Accept-Encoding
  Allow: GET, HEAD, POST
  Access-Control-Allow-Credentials: true
  Access-Control-Allow-Origin: *
  Www-Authenticate: Session
  Set-Cookie: session_id=178a37984d63e3d4ea4a4a39d686e300e2256436; expires=Fri, 05 Jul 2024 06:29:32 GMT; Path=/
  X-Upstream: salt-api/3000-1
    
  {"status": null, "return": "Please log in"}

    Untitled

I also can get the same answer with this command:

  • curl -v -X GET http://192.168.177.62:8000/login

    Untitled

It have the X-Upstream: salt-api/3000-1.

Exploitation

Salt-API

That information about the requisition, indicates the request was handled upstream by a service identified as salt-api version 3000-1. This suggests the server might be running SaltStack, a configuration management tool.

Once that i wanted an reverse shell, this script wasn’t promisor, so i found this one:

CTF, Proving Grounds - Play
EASY Linux Web SaltStack
This post is licensed under CC BY 4.0 by the author.