Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.
The IP of this box is 10.10.10.205
Port Scan
Running NMAP full port scan on it , we get
We get 2 Open Ports , one running OpenSSH 8.2p1 on Port 22 and other running Apache Tomcat 9.0.27 on Port 8080
Way To User
Checking the web, we have a webpage named VirusBucket which provides a malware analysis and testing platform
Clicking on the Service option above, we get redirected /service directory and it contains a file upload functionality
The Apache Tomcat version running on the server is vulnerable to CVE-2020–9484 which is a Java deserialization vulnerability where we need a file upload functionality where we have control over the uploaded file
Since we don’t have the file uploaded to a external location which we can access from the web directly, but we can get the internal location through the java errors, for that I try to upload a file without name and then check the response in Burp
We see the internal file location for the file upload is /opt/samples/uploads and now we use ysoserial to create our java serialized code which we can then upload and then exploit it to deserialize the code and get reverse shell , but we have to upload the file as a .session file and then change the JSESSIONID to the directory traversed to the location of the file without .session extension
We create a bash script and then start a netcat listener and get our reverse shell as user tomcat which has the user flag
Way To Root
Checking the locally open ports running, we have a lot of locally open ports and the interesting one looks 4505 and 4506
Checking on Google about these 2 Ports , it is known that these 2 ports are for SaltStack and checking for vulnerabilities for it, we have a latest CVE for it ,i.e, CVE-2020–11651
Using the publicly available exploit from the GitHub to check if it is vulnerable or not , but before that we did the port forwarding using chisel
We confirmed that the exploit is working for this SaltStack version and now we can get reverse shell through this exploit
We got reverse shell successfully and we are in a Docker container as root but we still don’t have access as root to the main machine , looking at the bash history , it tells that previously docker sockets has been used which can be used to escape the docker container
Now, we set up our container to get a shell which where we have the contents of the /root directory of the main system in a directory named /root_host , for more detailed information , check the link at the end of this writeup in the References section
We got shell successfully after connection with Socat and now checking the / directory, we have the host_root directory created
Checking the contents of that directory, we have the contents of the root directory of the main system and also we have the root flag too
References
Tunneling and Pivoting Guide –> https://0xdf.gitlab.io/2020/08/10/tunneling-with-chisel-and-ssf-update.html
Docker Escape Guide –> https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html
Exploit for SALT –> https://github.com/jasperla/CVE-2020-11651-poc
Tomcat Exploit –> https://github.com/masahiro331/CVE-2020-9484