Browny is a sweet and easy box, as its name suggests. It's a great box for beginners to test their skills.
Machine Name: Browny
Machine IP: 10.1.1.17
Machine Difficulty: 1/10
- Port Scan
- Explore Port 9876
- Find an unauthenticated remote code execution vulnerability in the software running on port 9876
- Use Metasploit to exploit
Using nmap to scan the host:
nmap -sV 10.1.1.17
Browsing to port 9876 in a web browser, we can see Xplico running:
One of Xplico's features is parsing uploaded PCAP files. Once a PCAP file is uploaded, Xplico executes an operating system command to calculate a checksum of the file. The file name used in that command is taken directly from user input and placed inside the command line without proper input validation, so shell metacharacters in the name become part of the command. Because registration of a new account is open, an unauthenticated visitor can reach this code path.
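To make the bug concrete, here is an added example (not Xplico's own code) of the vulnerable pattern described above next to a hardened replacement. The function names, the filename policy and the constructed "upload" are assumptions made for the example; the vulnerable version interpolates the client-chosen name into a shell command, while the hardened version rejects unsafe names and hashes the file in-process without a shell at all.

```python
"""Command-injection pattern behind the Xplico checksum bug, with a hardened
replacement. Added example; not Xplico's own code. Function names, the
filename policy and the sample upload are all assumptions made here."""
import hashlib
import os
import re
import subprocess
import tempfile


def checksum_vulnerable(upload_name: str, workdir: str) -> str:
    """Vulnerable: the client-chosen filename is pasted into a shell command.
    A name such as 'a.pcap; id' makes the shell run 'id' as the web user."""
    cmd = f"sha1sum {upload_name}"
    result = subprocess.run(cmd, shell=True, cwd=workdir,
                            capture_output=True, text=True)
    return result.stdout + result.stderr


# Hardened policy (assumed): short, conservative character set, must start
# with an alphanumeric, no spaces, no shell metacharacters, no path separators.
SAFE_NAME = re.compile(r"[A-Za-z0-9][A-Za-z0-9_.-]{0,63}")


def checksum_safe(upload_name: str, workdir: str) -> str:
    """Hardened: validate the name, never touch a shell, hash in-process."""
    if not SAFE_NAME.fullmatch(upload_name):
        raise ValueError(f"rejected upload name: {upload_name!r}")
    path = os.path.join(workdir, upload_name)
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def demo() -> dict:
    """Run both versions against a constructed upload and an injected filename."""
    pcap_bytes = b"\xd4\xc3\xb2\xa1" + b"\x00" * 20   # constructed pcap-like bytes
    injected = "capture.pcap; echo INJECTED"           # attacker-chosen filename
    with tempfile.TemporaryDirectory() as workdir:
        with open(os.path.join(workdir, "capture.pcap"), "wb") as fh:
            fh.write(pcap_bytes)
        # The ';' ends the sha1sum command and the shell runs 'echo INJECTED'.
        vulnerable_output = checksum_vulnerable(injected, workdir)
        try:
            checksum_safe(injected, workdir)
            safe_rejected = False
        except ValueError:
            safe_rejected = True
        safe_checksum = checksum_safe("capture.pcap", workdir)
    return {
        "vulnerable_output": vulnerable_output,
        "safe_rejected": safe_rejected,
        "safe_checksum": safe_checksum,
        "expected_checksum": hashlib.sha1(pcap_bytes).hexdigest(),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running the block shows `INJECTED` in the output of the vulnerable version, the injected name rejected by the hardened version, and the in-process SHA-1 matching the bytes that were written. Note that the hardened version does not rely on escaping: it avoids the shell entirely, which is the fix that removes the whole bug class rather than one payload.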
Using searchsploit we can see there is an RCE:
We can also search the web for an Xplico exploit:
Setting up Metasploit with the correct module (RHOSTS also needs to point at the target, 10.1.1.17):
msf5 > use exploit/linux/http/xplico_exec
Setting the correct payload:
msf5 > show payloads
msf5 > set PAYLOAD cmd/unix/bind_netcat
After running the module we will notice there is no prompt: the netcat bind shell is a bare shell without a PTY. If we type a command such as `id`, the output shows that we have a shell:
We see that we are root, because the Xplico component that ran the checksum command was itself running as root.
- Patch software
- Avoid running services as root where possible. Create a dedicated account for the sole purpose of running each service, so that a successful break-in is isolated to that account's privileges.
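As an added example of the second remediation point (not a configuration from the box or from the Xplico project), the systemd unit below shows the weak setting beside the corrected one for whatever process serves port 9876. The account name `xplico`, the `ExecStart` path and the data directory are assumptions; the hardening directives are standard systemd options.

```ini
# Added example, not from the box or the Xplico project. "xplico" as the
# account name, the ExecStart path and the data directory are assumptions.
[Unit]
Description=Xplico web front end (hardened example)
After=network.target

[Service]
# Weak form that reproduces the box's outcome: omitting User= means the
# service, and any command injected through it, runs as root.
# User=root

# Hardened form: a dedicated, unprivileged service account, created with
#   useradd --system --home /var/lib/xplico --shell /usr/sbin/nologin xplico
User=xplico
Group=xplico
ExecStart=/opt/xplico/bin/xplico_web
WorkingDirectory=/var/lib/xplico

# Limit the blast radius if the command injection is reached anyway.
NoNewPrivileges=true
ProtectSystem=strict
ReadWritePaths=/var/lib/xplico
PrivateTmp=true
ProtectHome=true

[Install]
WantedBy=multi-user.target
```

With `User=xplico` in place, the same injected command would run as `xplico` rather than root, and `ProtectSystem=strict` plus `NoNewPrivileges=true` stop that shell from writing outside its data directory or escalating through setuid binaries. Patching Xplico is still the first fix; the unit only contains the damage when the next bug appears.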
Thank you for reading.