Last time we talked about Juniper/JunOS we focused mostly [1,2] on XSS bugs. Today we'll talk about post-auth CLI access and how to extend it ;). Here we go...
Today we'll start here:
As this bug is very similar to the one I found in Junos Space, let's jump directly to the 'environment' part. (I believe you'll find there all the hints you need to check "your (Y29tcGFueQo=? ;)) local network".)
So...
Environment
We'll use the same environment and settings as described in the previous posts about Juniper/JunOS.
For this case - Juniper vSRX - we're talking about version 12.1X47-D20.7*.
*(I did not check whether the bug occurs in other Junos versions. If it does, it looks like a roughly seven-year-old bug.)
TL;DR (in my opinion):
It's always a good idea, once you land in a CLI-style restricted shell, to check commands like 'help', 'man', etc. They can reveal juicy hints we can use later during our pwntest project(s) (see, for example, [3]).
Going through the commands available in the CLI, I found that a logged-in user can use a few of them to "escape" to a root shell.
For example, I tried to 'archive' a few things, like this:
Next...
Again Neo:
...and that's how (in the meantime) I found an overflow (file ... source <A*10k> destination blah):
Unfortunately I wasn't able to find a good way to inject shellcode (ASCII-only?), so I decided to look deeper into the 'tar' operation:
After a while we should be somewhere here:
Last check:
That's IT. ;]
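If you administer boxes like this, the check you'll want after reading the above is whether your restricted operator accounts can reach the same commands. The following Junos login-class fragment is an added example, not something from the original post or from Juniper; the class and user names are hypothetical, and the post does not test whether this actually blocks the escape on 12.1X47-D20.7, so verify it on your own gear.

```junos
## Added example (not from the original post): a restricted login class that
## explicitly denies the CLI commands used above to get a shell.
## Class name "ro-operator" and user "netops" are hypothetical.
set system login class ro-operator permissions [ view view-configuration ]
set system login class ro-operator deny-commands "^(file archive|start shell)"
set system login user netops class ro-operator
```

After committing, log in as that user and run `show cli authorization`: it lists the permissions and the allow/deny command regexes that apply to the current session, so you can confirm the deny pattern is actually in effect rather than assuming it. The regex is matched against the full command line, so keep it anchored and broad enough to cover abbreviations and variants of the same command.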
Maybe you'll find it useful during your Ansible adventures... ;)
Have fun!
Cheers,