✏️ Overview
<aside>
🗒️ Tags
gcore, password-store, zookeeper, exhibitor
</aside>
<aside>
📅 Time Frame
Apr 16
</aside>
<aside>
🎯 IP
192.168.158.98
</aside>
<aside>
🚪 Open ports
[*] ssh found on tcp/22.
[*] netbios-ssn found on tcp/139.
[*] netbios-ssn found on tcp/445.
[*] ipp found on tcp/631.
[*] ssh found on tcp/2222.
[*] http found on tcp/8080.
[*] http found on tcp/8081.
[*] mdns found on udp/5353.
</aside>
<aside>
💻 Operating System
Linux
</aside>
<aside>
📚 Resources
- https://gtfobins.github.io/gtfobins/gcore/
</aside>
<aside>
✍🏻 Notes
- Port 8081 was found to be running the Jetty HTTP server, and a bug was identified in the config section of its web UI.
- A suspicious cron job was found that continuously changes the ownership of /opt/zookeeper and /opt/exhibitor.
- The "/usr/bin/gcore" command was found to be usable without sudo; it can generate core dumps of running processes, which may contain sensitive information.
- The root user is running "/usr/bin/password-store", which could hold sensitive information.
</aside>
<aside>
🚧 Privilege Escalation
- Found a potential vulnerability in the Jetty HTTP server configuration on port 8081, allowing unauthorized access to sensitive data or system controls.
- Noticed irregularities in a recurring cron job altering the ownership of critical directories such as /opt/zookeeper and /opt/exhibitor, indicating a possible route for unauthorized access or privilege escalation.
- Identified the "/usr/bin/gcore" command, which can generate core dumps of active processes without elevated privileges, potentially exposing sensitive data.
- Noted the root user's use of "/usr/bin/password-store", which raises concerns about the security of stored credentials or other sensitive information and prompts further examination for potential vulnerabilities.
</aside>
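The two host-side findings above (a cron job that keeps re-chowning /opt/zookeeper and /opt/exhibitor, and gcore being usable by an unprivileged user) can be checked for on a box you administer. The audit helper below is an added example written for these notes, not a tool from the box or from any project it mentions. It assumes the Yama ptrace_scope sysctl is what governs whether gcore (which uses ptrace) can attach to other processes, and it uses a constructed crontab sample modeled on the pattern the notes describe; the function and variable names are my own.

```python
"""Audit helpers for the two host findings: ptrace exposure (gcore) and ownership-changing cron jobs."""
import re
import stat
from pathlib import Path

# Meaning of /proc/sys/kernel/yama/ptrace_scope values (Yama LSM documentation).
PTRACE_SCOPE_MEANING = {
    "0": "classic: a user may ptrace (and therefore gcore) any process running as the same uid",
    "1": "restricted: only descendants of the tracer, unless the target opts in via prctl(PR_SET_PTRACER)",
    "2": "admin-only: ptrace attach requires CAP_SYS_PTRACE",
    "3": "disabled: no ptrace attach at all",
}


def assess_ptrace_scope(value):
    """Return (risky, explanation) for a raw ptrace_scope string such as '0\\n'."""
    value = value.strip()
    meaning = PTRACE_SCOPE_MEANING.get(value, "unknown value")
    # Scope 0 is the setting under which an ordinary user can core-dump same-uid processes.
    return value == "0", meaning


def read_live_ptrace_scope(path="/proc/sys/kernel/yama/ptrace_scope"):
    """Read the live sysctl; returns None when Yama is not present on this kernel."""
    try:
        return Path(path).read_text()
    except OSError:
        return None


def is_setuid_or_setgid(mode):
    """True if a file mode (e.g. from os.stat().st_mode) carries the setuid or setgid bit."""
    return bool(mode & (stat.S_ISUID | stat.S_ISGID))


# System crontab format: five schedule fields, a user field, then the command.
# Lines using @reboot/@hourly shortcuts are not matched by this pattern.
CRON_LINE = re.compile(r"^\s*(\S+\s+){5}(?P<user>\S+)\s+(?P<cmd>.+)$")


def find_ownership_cron_jobs(crontab_text, watched_prefixes=("/opt/",)):
    """Flag cron entries that run chown/chmod against paths under the watched prefixes."""
    hits = []
    for line in crontab_text.splitlines():
        if not line.strip() or line.lstrip().startswith("#"):
            continue
        m = CRON_LINE.match(line)
        if not m:
            continue
        cmd = m.group("cmd")
        for tool in ("chown", "chmod"):
            if re.search(rf"\b{tool}\b", cmd):
                paths = [p for p in re.findall(r"/\S+", cmd) if p.startswith(watched_prefixes)]
                if paths:
                    hits.append({"user": m.group("user"), "tool": tool, "paths": paths, "line": line.strip()})
    return hits


# Constructed sample crontab (not captured from the box), modeled on the behaviour the notes describe.
SAMPLE_CRONTAB = """\
# /etc/crontab: constructed sample
* * * * * root chown -R zookeeper:zookeeper /opt/zookeeper /opt/exhibitor
*/5 * * * * root /usr/bin/apt-get update
"""


if __name__ == "__main__":
    live = read_live_ptrace_scope()
    if live is None:
        print("ptrace_scope: Yama not available on this kernel")
    else:
        risky, meaning = assess_ptrace_scope(live)
        print(f"ptrace_scope={live.strip()} risky={risky}: {meaning}")
    for hit in find_ownership_cron_jobs(SAMPLE_CRONTAB):
        print(f"cron job as {hit['user']} runs {hit['tool']} on {hit['paths']}: {hit['line']}")
```

On a real host, feed `find_ownership_cron_jobs` the contents of /etc/crontab and the files under /etc/cron.d instead of the constructed sample; a recurring recursive chown of an application directory is worth questioning regardless of the user it runs as, because it silently undoes any ownership-based hardening applied to that tree. Raising ptrace_scope to 1 or higher is the usual mitigation for unprivileged core dumping of same-uid processes.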