Failed Coding Assessment to Remote Code Execution- Part 2

Akash Chhabra
3 min read · Aug 24, 2022

If you see a good move, find a better one.

Hey there, I previously explained how I could fetch test cases from an ongoing live coding assessment. Please read Part 1 before moving forward if you haven't already.

Now that I was able to fetch test cases, I started thinking about whether I could escalate it further to a more severe vulnerability.
I started a TCP server with Netcat. Instead of an HTTP server, this time I created a TCP domain name using Ngrok.

This is where knowledge of reverse shells comes in. A reverse shell is a piece of code that gives an attacker command and control (C&C) while bypassing inbound firewall rules, because the connection is initiated from the server side out to the attacker.

A basic Python reverse shell I made, which takes the system command as a parameter, is shown below. It requires some knowledge of file descriptors and how Linux uses them to access stdout, stdin and sockets.

When I ran this script with the TCP domain I got from Ngrok, I got a reverse shell from REDACTED.com's code execution Docker container in my terminal running Netcat.
I was inside this Docker container, running a bash shell.

I tried searching all the directories for some juicy information, but was only able to find a file called .sentry. It contained some public tokens for error tracking related to Sentry, but as I said, it was a public token, so there was no use case.

Then I thought of getting the environment variables, simply ran the env command, and curiosity killed the cat.

I couldn't believe it: their code execution environment had all the credentials, including AWS_S3_TOKENS, FIRESTORE_TOKENS and HOST=root. I never realised everything was happening in a root Docker container.
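The two conditions that turned this into a severe finding are that submitted code ran as root and that platform credentials were sitting in the process environment. The following is an added example, not code from the original post or from the assessment platform: a preflight audit that a code-execution sandbox could run before launching an untrusted submission, flagging both conditions. The credential-name pattern and the sample environment are constructed for illustration; the variable names echo the ones the post describes but the values are placeholders.

```python
import os
import re

# Added example (not the post's code): audit the environment a sandbox is about
# to hand to untrusted code. Two checks mirror the post's finding: the process
# must not be root, and no credential-looking variables may be visible.

# Constructed heuristic for names that usually carry secrets.
SECRET_PATTERN = re.compile(
    r"(TOKEN|SECRET|PASSWORD|PASSWD|API_KEY|ACCESS_KEY|CREDENTIAL)",
    re.IGNORECASE,
)


def find_exposed_secrets(env):
    """Return the sorted names of environment variables that look like credentials."""
    return sorted(name for name in env if SECRET_PATTERN.search(name))


def audit_sandbox(env, uid):
    """Return a list of findings; an empty list means both checks passed."""
    findings = []
    if uid == 0:
        findings.append(
            "process runs as root (uid 0); run submissions as an unprivileged user"
        )
    for name in find_exposed_secrets(env):
        findings.append(
            f"credential-like variable {name} is visible to submitted code; "
            "pass only a scrubbed environment into the sandbox"
        )
    return findings


def scrubbed_environment(env, allowed=("PATH", "LANG", "HOME", "TERM")):
    """Build the minimal environment a submission should actually receive."""
    return {name: value for name, value in env.items() if name in allowed}


# Constructed sample resembling the leaked environment described in the post
# (values are placeholders, not real credentials).
SAMPLE_ENV = {
    "PATH": "/usr/local/bin:/usr/bin:/bin",
    "HOME": "/root",
    "AWS_S3_TOKENS": "<placeholder>",
    "FIRESTORE_TOKENS": "<placeholder>",
}

if __name__ == "__main__":
    # Audit the constructed sample as if the sandbox were root.
    for finding in audit_sandbox(SAMPLE_ENV, 0):
        print("FINDING:", finding)
    print("submission would receive:", scrubbed_environment(SAMPLE_ENV))
    # Audit the real process this script runs in.
    print("live findings:", audit_sandbox(dict(os.environ), os.getuid()))
```

The audit is a detection aid, not a substitute for design: the durable fix is to run submissions under an unprivileged user (for example with a `USER` directive in the image or `--user` at launch) and to never inject platform credentials into the container in the first place, so that a successful shell from submitted code yields nothing of value.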

There is a final part pending, where I will explain how I moved forward and the way to report the vulnerability perfectly.
