This box starts with a website that lets you upload images and view them. The show_image page is vulnerable to an LFI. Thanks to the vulnerability I am able to enumerate all the source files and discover that the Java Spring Framework is present, and from the Maven pom.xml file I can trace the versions of the dependencies. The Java Spring Cloud dependency at version 3.2.2 is vulnerable to CVE-2022-22963, and I am able to log in as Frank. Frank's home directory holds the unencrypted credentials of the user Phil, but logging in via ssh is not possible because the ssh configuration file prevents it, so I log in with the su command. Finally, for privilege escalation to root, just look at the processes on the host with pspy64 to discover that all YML files in a folder that Phil can write to are executed by ansible as root, then just create an evil YML file.
23 April, 2023 00:00 CEST
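The pom.xml step described above can be run the other way round, as a dependency audit. This is an added example, not code from the box or from this write-up: the sample pom.xml is constructed, and the artifact coordinates, the property name and the `audit_pom` and `resolve` helpers are assumptions. Only the 3.2.2 / CVE-2022-22963 pairing comes from the text.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample pom.xml (not from the box); coordinates are assumed for illustration.
SAMPLE_POM = """<project xmlns="http://maven.apache.org/POM/4.0.0">
  <properties><cloud.function.version>3.2.2</cloud.function.version></properties>
  <dependencies>
    <dependency>
      <groupId>org.springframework.cloud</groupId>
      <artifactId>spring-cloud-function-web</artifactId>
      <version>${cloud.function.version}</version>
    </dependency>
    <dependency>
      <groupId>org.springframework.boot</groupId>
      <artifactId>spring-boot-starter-web</artifactId>
    </dependency>
  </dependencies>
</project>"""

# (groupId, artifactId prefix) -> {affected version: CVE}. Only the version named
# in the write-up is listed; extend the table from vendor advisories.
ADVISORIES = {
    ("org.springframework.cloud", "spring-cloud-function"): {"3.2.2": "CVE-2022-22963"},
}
NS = {"m": "http://maven.apache.org/POM/4.0.0"}
PROP = re.compile(r"\$\{([^}]+)\}")

def resolve(value, props):
    """Expand ${name} placeholders from <properties>; unknown names stay as-is."""
    if value is None:
        return None  # version inherited from a parent POM or BOM
    return PROP.sub(lambda m: props.get(m.group(1), m.group(0)), value.strip())

def audit_pom(pom_text):
    """Return (dependencies, findings) for one pom.xml you trust enough to parse."""
    root = ET.fromstring(pom_text)
    props = {p.tag.split("}")[-1]: (p.text or "").strip()
             for p in root.findall("m:properties/*", NS)}
    deps, findings = [], []
    for d in root.findall("m:dependencies/m:dependency", NS):
        g = d.findtext("m:groupId", namespaces=NS)
        a = d.findtext("m:artifactId", namespaces=NS)
        v = resolve(d.findtext("m:version", namespaces=NS), props)
        deps.append((g, a, v))
        for (adv_group, prefix), affected in ADVISORIES.items():
            if g == adv_group and a and a.startswith(prefix) and v in affected:
                findings.append((f"{g}:{a}:{v}", affected[v]))
    return deps, findings
```

A dependency whose version comes back as `None` is pinned elsewhere (parent POM or BOM), so it needs the effective POM to be checked.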