Tuesday, 29 January 2019

RCE in Artica

A while ago I found a Kaspersky Proxy Server ISO somewhere online. It was a small surprise for me to see that this 'appliance' is based on Artica Proxy. Below you will find a few details from the journey...

We should start here:


After the installation, the machine should be ready to boot:


We are here:


As you can see in that menu, there is already a 'default password', but we will get to that later. ;)

It's time to set up the proxy in the browser... I used Burp Suite. You should end up here:


So?


LDAP injection? ;) I'll leave that to you as an exercise ;)

Using the default credentials to log into the panel:


After a while I was going through the settings available on the appliance. That's how I found the 'eMail notifications' section, where you can define 'parameters'. I tried my own values:


And that worked :) The file was created in the /tmp/ directory. So I decided to try something else. Now our 'values' for the email settings look like this:

And...


Cool, we got root! :)
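The bug class behind the steps above (stored notification settings that end up on a shell command line) in miniature, as an added example that is not Artica's code and not from the original post: the field names, the 'mailer' command line and the validation rules are all assumptions, and the inputs are constructed. The vulnerable builder pastes the settings into a string for /bin/sh, so a value containing ';' adds a second command (the marker-file-in-/tmp test above is exactly how you notice that). The hardened builder whitelists every field and hands an argv list to the process, so no shell ever parses the values.

```python
"""Command injection via stored notification settings, in miniature.

Added illustration only: this is not Artica's code.  The field names, the
'mailer' command line and the validation rules are assumptions made for the
example, and the inputs below are constructed.
"""
import re
import shlex
import subprocess
from typing import Dict, List

# Whitelist per field (assumed field names; the real form is not shown here).
_RULES = {
    "smtp_host": re.compile(r"[A-Za-z0-9.-]{1,253}"),
    "smtp_port": re.compile(r"[0-9]{1,5}"),
    "sender": re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}"),
}

# Constructed sample settings: a benign set, and one carrying a marker-file
# payload in the SMTP host field.
BENIGN = {"smtp_host": "mail.example.com", "smtp_port": "25",
          "sender": "alerts@example.com"}
EVIL = dict(BENIGN, smtp_host="mail.example.com; touch /tmp/pwned")


def build_cmd_vulnerable(params: Dict[str, str]) -> str:
    """The anti-pattern: settings interpolated into a string handed to /bin/sh.

    Everything after ';' in a value becomes a second command, run with the
    privileges of the web process (root on the appliance described above).
    """
    return (f"mailer --host {params['smtp_host']} "
            f"--port {params['smtp_port']} --from {params['sender']}")


def shell_command_count(cmd: str) -> int:
    """Count the commands /bin/sh would run for CMD (splits on ; & | && ||)."""
    lex = shlex.shlex(cmd, posix=True, punctuation_chars=True)
    return 1 + sum(1 for tok in lex if tok in (";", "&", "|", "&&", "||"))


def validate(params: Dict[str, str]) -> Dict[str, str]:
    """Reject any field that is not entirely inside its whitelist."""
    clean = {}
    for name, rule in _RULES.items():
        value = params.get(name, "")
        if rule.fullmatch(value) is None:
            raise ValueError(f"invalid value for {name!r}: {value!r}")
        clean[name] = value
    if not 0 < int(clean["smtp_port"]) < 65536:
        raise ValueError("smtp_port out of range")
    return clean


def rejects(params: Dict[str, str]) -> bool:
    """True if the hardened path refuses these settings."""
    try:
        validate(params)
    except ValueError:
        return True
    return False


def build_cmd_hardened(params: Dict[str, str]) -> List[str]:
    """Validate, then build an argv list: no shell is involved at all."""
    p = validate(params)
    return ["mailer", "--host", p["smtp_host"],
            "--port", p["smtp_port"], "--from", p["sender"]]


def execute_argv(argv: List[str]) -> str:
    """Run ARGV directly (no shell); metacharacters inside arguments are inert."""
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


if __name__ == "__main__":
    for label, params in (("benign", BENIGN), ("evil", EVIL)):
        cmd = build_cmd_vulnerable(params)
        print(f"{label}: {cmd!r} -> {shell_command_count(cmd)} shell command(s)")
        if rejects(params):
            print(f"{label}: rejected by the hardened builder")
        else:
            print(f"{label}: hardened argv {build_cmd_hardened(params)}")
    # Even if a bad value slipped past validation, argv execution keeps it as
    # one literal argument; 'echo' stands in for the mailer binary here.
    print(execute_argv(["echo", EVIL["smtp_host"]]).rstrip("\n"))
```

The two defences are independent: the whitelist stops the payload at the form, and the argv list means that even a value that somehow passes validation is still one literal argument rather than shell syntax. Only the second one removes the bug class; the first just narrows it.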

At this stage I decided to look for a more recent VM. I found that Artica (which is not 'part of Kaspersky') had released a 'new version' on SourceForge - here:


I was wondering whether I could achieve similar results with that ('latest') version. Checking:

Installing:


That's more like it:

The password was the same as in the prior version, but the login changed to 'Manager', so I went directly to the SMTP settings to check whether I could inject my commands again... No luck this time...

...but I found that Artica (3.06) gives you a nice webshell once you are logged in :)

So?


Great, rooted again. :)

Conclusion: cool bug, but we still need valid credentials to use it, right?

Nope :) Time to use some Nippur resources ;)


To verify:


Now you've got it. So even if the admin changes the default password, you can still read it remotely. :)

Remember to test the bug only in your local environment - not on Shodan ;)
Do not use it for illegal purposes.


Cheers