Preface
The exploitation of this vulnerability has already been published, so the analysis is not repeated here; see the CVE-2024-4040 write-up for the details of the vulnerability. In that analysis the author still relies on reading the sessions.obj file to recover historical cookies and then tries to escalate privileges. However, as I mentioned in one of my earliest articles (CrushFTP Unauthenticated Remote Code Execution (CVE-2023-43177)), this file is only written when the program exits, since it acts as a cache for the server, so relying on it is rather hit-or-miss. In practice we usually need a more stable and direct way to obtain the password of the admin account.
Further exploitation
Getting the path of the user configuration file
I mentioned before that this system saves each user's configuration in an XML file, as shown below. The relative path of these files is under /users/MainUsers.
In addition, the vulnerability author's analysis mentioned that {working_dir} can be used to obtain the absolute path of the directory the project is running from:

GET /WebInterface/function/?command=zip&c2f=rsC2&path={working_dir}&names=/bbb HTTP/1.1
Therefore, combining the above two points, we can easily read a specific user's configuration file:

path=<INCLUDE>{working_dir}users/MainUsers/username/user.XML</INCLUDE>

Of course, a relative path also works:

path=<INCLUDE>./users/MainUsers/username/user.XML</INCLUDE>
So we only need to know the username of the admin user to obtain the corresponding configuration file.
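From the defender's side, the two indicators described above are easy to watch for: a request to /WebInterface/function/ whose query parameters contain the {working_dir} template or an <INCLUDE> tag, or that name a sensitive file such as users/MainUsers/.../user.XML, sessions.obj or the session_logs directory. The following detection script is an added example, not part of the original post or of CrushFTP itself; the access-log line format it parses is a constructed assumption (a common-log-style line), so a real deployment would need to adapt the regular expression to its own log format.

```python
"""Flag CrushFTP WebInterface requests that carry the template expansion
abused in CVE-2024-4040 ({working_dir}, <INCLUDE>) or that reference the
sensitive files named in the write-up (user.XML, sessions.obj, session_logs)."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Indicators taken from the write-up (compared case-insensitively).
TEMPLATE_MARKERS = ("{working_dir}", "<include>")
SENSITIVE_FILES = ("users/mainusers", "user.xml", "sessions.obj", "session_logs")

# Assumed, constructed access-log format: ip - - [timestamp] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)

# Constructed sample log: two template-expansion requests from one client,
# one benign WebInterface call and one static-file request.
SAMPLE_LOG = """\
10.0.0.5 - - [25/Apr/2024:20:01:11 +0000] "GET /WebInterface/function/?command=zip&c2f=rsC2&path={working_dir}&names=/bbb HTTP/1.1" 200 512
10.0.0.5 - - [25/Apr/2024:20:01:13 +0000] "GET /WebInterface/function/?command=zip&c2f=rsC2&path=%3CINCLUDE%3E%7Bworking_dir%7Dusers/MainUsers/crushadmin/user.XML%3C/INCLUDE%3E&names=/bbb HTTP/1.1" 200 2048
10.0.0.9 - - [25/Apr/2024:20:02:30 +0000] "GET /WebInterface/function/?command=getUserList&c2f=rsC2 HTTP/1.1" 200 300
10.0.0.9 - - [25/Apr/2024:20:02:31 +0000] "GET /static/app.js HTTP/1.1" 200 9000
"""


def classify_request(target):
    """Return the list of reasons a request target looks like CVE-2024-4040 abuse.

    Only /WebInterface/function/ requests are inspected; every query parameter
    is percent-decoded twice so that double-encoded payloads are still seen.
    """
    reasons = []
    parts = urlsplit(target)
    if not parts.path.startswith("/WebInterface/function/"):
        return reasons
    params = parse_qs(parts.query, keep_blank_values=True)
    for name, values in params.items():
        for raw in values:
            value = unquote(raw).lower()
            for marker in TEMPLATE_MARKERS:
                if marker in value:
                    reasons.append(f"template marker {marker!r} in parameter {name!r}")
            for path in SENSITIVE_FILES:
                if path in value:
                    reasons.append(f"sensitive path {path!r} in parameter {name!r}")
    return reasons


def scan_log(lines):
    """Parse access-log lines and return (ip, target, reasons) for flagged requests."""
    hits = []
    for line in lines:
        match = LOG_RE.match(line)
        if not match:
            continue  # unparseable line: skip rather than silently pass it
        reasons = classify_request(match.group("target"))
        if reasons:
            hits.append((match.group("ip"), match.group("target"), reasons))
    return hits


if __name__ == "__main__":
    for ip, target, reasons in scan_log(SAMPLE_LOG.splitlines()):
        print(f"{ip} {target}")
        for reason in reasons:
            print(f"    - {reason}")
```

Run over the constructed sample, the script flags only the two requests from 10.0.0.5: the first for the {working_dir} template, the second for the template, the <INCLUDE> tag and the path to the administrator's user.XML. Matching on the decoded, lower-cased parameter values is what makes the percent-encoded second request visible; a rule that only looked at the raw request line would miss it.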
At the same time, from the content of the configuration file we can see that the password is also stored in this file, in encrypted form:

<?xml version="1.0" encoding="UTF-8"?>
At this point we face another problem: although we know that there is a crushadmin administrator, what do we do if that account has been deleted or renamed?
Light at the end of the tunnel
The solution is actually very simple. This system saves users' session information under the logs/session_logs folder.
Looking at the directory, it is easy to see that the naming is very regular: 24 (year) 04 (month) 25 (day) 20 (hour). One level down, the file names follow a fixed pattern as well: session_HTTP_num.log.
Looking at the actual content, it is not hard to see that the log records our username and some of our operations in detail. With that, the problem of the username is easily solved.
Cracking the encrypted passwords
Let us take the user y4tacker as an example. Its encrypted password here is 71W4Y3ZzpxXfeaU4fehf/w==

<?xml version="1.0" encoding="UTF-8"?>
Next we just need to see how the system handles decryption.
By following the login process and digging through this shit mountain of a codebase, it is not hard to find that the password decryption happens in crushftp.handlers.Common#decode_pass
# Only the key code is listed below
We can see that com.crushftp.client.Common.encryption_password is also hard-coded in the program, so we can easily compute this initialization key.
Simply write a decryption script:

String key = getHash("crushftp", true, "SHA", "", "", false);
After running it, the password is successfully recovered: y4tacker
Therefore, by traversing the logs we can extract all usernames, then read and decrypt each user's password, obtaining the login credentials of every user.