Saturday, 9 February 2019

RCE in Enterprise VA MAX

Just like a few times before, I was looking for some new VM appliance to check. This time I found "Enterprise VA MAX" prepared by loadbalancer.org. Below you will find a few details about the bug I found in version v8.3.4 (afaik the 'latest' one). Here we go...

I started here:


When your VM is ready you should be able to log in to the admin's panel:


I was ready to switch to BurpProxy but then I saw that this will be a quick 'test' because...

The webapp shell is already available to you once logged in as the admin user:


I was a little bit disappointed at this stage but I decided to check the app anyway ;)
(Running a webserver as root is always some kind of a 'good hint' for me... :> )

(In the meantime I was looking for some other ways to obtain a reverse shell, for example:

... or here (by downloading a PHP shell as a txt file and running it later as a separate command):


Running it (and we can see the reverse shell connecting back to port 4444 on Kali):


So yeah.. Cool feature :) well.

...anyway... ;] )

I started from the very first pages (Hostname & DNS, and so on...), then suddenly found something interesting in the Logs section.

(By the way, this one is good too:

;]

Ok.)


Check it out (Logs):



As you can see some lazy guy was trying to run sqlmap against the VM ;]

...but more interesting for me was: what can we do with that sudo? ;D


(Update: Looks like I forgot to upload this screen ;) Thanks for the email!)

Post-auth RCE PoC to check:



So:


Enjoy ;)

Remember to use it only for legal purposes.

In case of the fix: try this page. ;)



Cheers


* Updated: 10.02.2019 @ 13:23:

When your reverse shell is ready, remember to check sudo -l ;)
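The two things this post keeps pointing at, a webserver running as root and a sudo configuration worth looking at, are also the two things an administrator of such an appliance should be checking for. The script below is an added example, not code from the original post or from loadbalancer.org: it audits ps-style and sudo -l-style output read from stdin, so it can be run over captured output offline. The sample lines are constructed, and the list of server process names is an assumption, not something taken from the appliance.

```shell
#!/bin/sh
# Added audit example (not code from the original post or from loadbalancer.org):
# checks for the two weaknesses the post calls out, a web server running as root
# and sudo rules that hand out a shell or ALL without a password. Both functions
# read text on stdin so they can be run over captured output offline.

# Print process lines whose user is root and whose command name is a common web
# or app server. Expects `ps -eo user,pid,comm,args` style lines
# (field 1 = user, field 3 = comm). The server-name list is an assumption.
flag_root_webservers() {
    awk '$1 == "root" && $3 ~ /^(httpd|apache2|nginx|lighttpd|php-fpm)$/ { print }'
}

# Print sudo rule lines that allow, without a password, either ALL commands or
# a shell binary. Expects `sudo -l` style rule lines such as
#   (root) NOPASSWD: ALL
flag_risky_sudo() {
    awk '/NOPASSWD:/ {
        cmd = $0
        sub(/.*NOPASSWD:[ \t]*/, "", cmd)
        if (cmd == "ALL" || cmd ~ /\/(ba)?sh[ \t]*$/) print
    }'
}

# Count helpers so a caller can turn the findings into a pass/fail result.
count_root_webservers() { flag_root_webservers | wc -l | tr -d ' '; }
count_risky_sudo()      { flag_risky_sudo      | wc -l | tr -d ' '; }

# Constructed sample input (not captured from the appliance).
SAMPLE_PS='USER PID COMM ARGS
root 1 init /sbin/init
root 812 httpd /usr/sbin/httpd -DFOREGROUND
www-data 813 nginx nginx: worker process
root 900 sshd /usr/sbin/sshd -D'

SAMPLE_SUDO='User www-data may run the following commands on appliance:
    (ALL) NOPASSWD: /usr/bin/apt-get
    (root) NOPASSWD: ALL
    (root) NOPASSWD: /bin/bash
    (root) /usr/sbin/service apache2 restart'

# Run the audit over the samples, print the findings, and return 1 if any
# finding is present (so the function can drive a pass/fail check).
audit_samples() {
    ps_hits=$(printf '%s\n' "$SAMPLE_PS" | count_root_webservers)
    sudo_hits=$(printf '%s\n' "$SAMPLE_SUDO" | count_risky_sudo)
    echo "web servers running as root: $ps_hits"
    printf '%s\n' "$SAMPLE_PS" | flag_root_webservers
    echo "risky NOPASSWD sudo rules: $sudo_hits"
    printf '%s\n' "$SAMPLE_SUDO" | flag_risky_sudo
    [ "$ps_hits" -eq 0 ] && [ "$sudo_hits" -eq 0 ]
}

audit_samples || echo "audit: findings present, review the lines above"
```

On a real host the same functions are fed with live output, for example `ps -eo user,pid,comm,args | flag_root_webservers` and `sudo -l | flag_risky_sudo`; a web server that shows up in the first list should be reconfigured to drop to an unprivileged user, and any rule in the second list is the one to remove or narrow down to a single non-shell command.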



TL;DR