When authenticating to Cisco HyperFlex, requests are sent to the /auth location in the Nginx configuration. Nginx then forwards them to a server on localhost that parses the authentication request.
The authorization handling function parses /etc/passwd to get the hash and salt of the password for the provided username. To check the hash, the following command is run: python -c 'import crypt; print crypt.crypt("", "")'.
Because the password is completely controllable in the command, this is vulnerable to command injection! By escaping the double quote ("), it is possible to add unlimited commands to this request. Now, an attacker can execute arbitrary commands on the server from an authenticated user.
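The pasting pattern described above, next to a form that keeps the password as data, as an added example that is not code from the product or from the original write-up. The slot order in TEMPLATE (password, then salt), the function names and the sample inputs are assumptions made for illustration, and SHA-256 stands in for crypt(3) so the block runs on current Python 3.

```python
import ast
import hashlib
import subprocess
import sys

# The call expression from the command quoted above, with two slots for the
# values the server pastes in (slot order is an assumption: password, salt).
TEMPLATE = 'crypt.crypt("%s", "%s")'

def render_unsafe(password: str, salt: str) -> str:
    """Build source text the way the vulnerable check does: by pasting."""
    return TEMPLATE % (password, salt)

def password_stays_data(source: str) -> bool:
    """True only if the rendered source is still one call whose arguments
    are two plain string literals. Nothing is executed; we only parse."""
    try:
        tree = ast.parse(source, mode="eval")
    except (SyntaxError, ValueError):
        return False
    call = tree.body
    return (isinstance(call, ast.Call)
            and len(call.args) == 2 and not call.keywords
            and all(isinstance(a, ast.Constant) and isinstance(a.value, str)
                    for a in call.args))

# Hardened form: the program text is a constant; the password and salt arrive
# as argv entries and no shell is involved. SHA-256 stands in for crypt(3).
FIXED_SOURCE = (
    "import hashlib, sys\n"
    "pw, salt = sys.argv[1], sys.argv[2]\n"
    "print(hashlib.sha256((salt + pw).encode()).hexdigest())\n"
)

def hash_safe(password: str, salt: str) -> str:
    """Hash the password in a child interpreter without building code from it."""
    out = subprocess.run([sys.executable, "-c", FIXED_SOURCE, password, salt],
                         capture_output=True, text=True, check=True)
    return out.stdout.strip()

if __name__ == "__main__":
    for pw in ["hunter2", 'x" + "y']:  # constructed sample inputs
        print(repr(pw), password_stays_data(render_unsafe(pw, "ab")))
```

The parse check only detects that the structure of the rendered source changed. The fix is the second half: never build program text from request fields.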
While reversing the application, they noticed traffic being forwarded to port 80. After finding which Java call this was being used for, they found code that took a command string and put it directly into a /bin/bash invocation. Since the string was not filtered and was executed in a shell, command injection was trivial.
The final vulnerability was an unauthenticated file-upload endpoint defined in the Nginx configuration file. Of course, it was vulnerable to directory traversal, giving a file write primitive that could later be used to achieve code execution.
These vulnerabilities are fairly simple command injections. However, the reverse engineering needed to find them is the interesting part. Additionally, Java normally prevents this kind of command injection. Somehow, this product managed to disable all of those protections.