Misconfigurations are the new zero days
A question that I frequently ask myself is, "Do these organizations know that so many assets are exposed to the internet?"
And the answer is always not clear, because even with the greatest IPS & EDR Systems, they can't monitor every activity that happens on their network, specially not the external internet facing one, which in the end, results that many assets are not being monitored daily and potentially vulnerable.
This is a story of a misconfiguration chain, that eventually could result in Confidentiality, integrity and availability impact,
on a real wide-scale company. So during research, and while doing some OSINT on the company ( Redacted.com ), I've encountered some form of WAF on almost every endpoint, which led me to quickly check what IP's we have on public open sources that are connected to the company, And test if all of them are under some kind of protection.
1: Unauthenticated Confluence Access
After a while, I found some IP's that we're connected to the company via SSL Certificate ,Surprisingly, this direct IP Accessways a huge hit, as it was the company's Confluence page, Accessing the Domain name would lead to 403 Forbidden and redirect to SSO, but accessing the IP directly will reveal the entire confluence dashboard. This was big, I could see internal files, configuration, cloud environment, testing documents and more...
And here is when things get interesting.
Same confluence instance had the jolokia framework installed under a path like this: https: //ip/jolokia/i started testing this jolokia instance for some known vulnerabilities, to see if it might be unpatched. Surprisingly - i found that this jolokia instance is vulnerable to lfi, and now i can read files from the server. I could view the entire configuration files, directories, /etc/passwd & /etc/hosts and so on...
Poc: curl -k -v "https://redacted. Com/jolokia/exec/com. Sun. Management: type=diagnosticcommand/compilerdirectivesadd/\! /etc\! /passwd"
now, what was interesting to me is, what if i can also write files to the server? And if i do, can i eventually escalate this to remote code execution?
See, even if an attacker grabs the passwords, it doesn't mean the port that is serving the targeted service (for example 3306 mysql) will be open for public access. So being stubborn as i am, i didn't stop there.
3: file write to RCE.
While digging dipper, i red the following article which led me to test if a certain log write function was available on the endpoint: https: //thinkloveshare. Com/hacking/ssrf_to_rce_with_jolokia_and_mbeans/i
found out that the jolokia diagnostic command/vmlog/output is available to use by any unauthenticated attacker, therefore an attacker can overwrite files.
So i was able to write a file on the server with the following command: - curl -i -k
https: //redacted/jolokia/exec/com. Sun. Management: type=diagnosticcommand/vmlog/output=! /opt! /j2ee! /ext. Net. Redactted. Com! /test. Jsp
then i could close the file log with the following command:
-curl -i -k
https: //redacted/jolokia/exec/com. Sun. Management: type=diagnosticcommand/vmlog/disable
then the last step was to chain the LFI to launch a malicious php code from the arbitrary log file that was generated on the server, which eventually granted us a fully working reverse shell!
To sum up, misconfigurations are anew era of vulnerabilities. There's no need for phishing, and there's no need for any social engineering, a small mistake can be chained with another mistake and potentially cause unknown damage that will probably stay under the radar for a long time...