Thursday, March 21, 2019

Jerry


JERRY

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Jerry, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

Jerry's IP is 10.10.10.95:




- Scanning with Nmap, there is only one open port, 8080:




- Scanning deeper:




- So there is an Apache Tomcat 7.0.88 web server (Apache-Coyote JSP engine 1.1) on port 8080.

- Connecting with the browser:





- Clicking any tab, the user is prompted with a login form:





- However, when clicking Cancel, the response is a 401 Unauthorized error page that reveals credentials, in this case tomcat:s3cret:





3 - EXPLOITATION


- Another way to find valid credentials would be to use Metasploit's auxiliary module tomcat_mgr_login:




- Setting options:





- Running the module, after a while the same credentials as before are found:






- Metasploit also provides a module that exploits an Apache Tomcat server whose "manager" application is exposed:




- Using this module:





- Setting options (using the exposed credentials tomcat:s3cret) and running the exploit, we get a Meterpreter session:






- Spawning a shell:




4 - CAPTURING THE FLAGS

- In this case both flags are in the same text file:








Bashed


BASHED

- Layout for this exercise:





1 - INTRODUCTION

- The goal of this exercise is to develop a hacking process for the vulnerable machine Bashed, which is a retired machine from the Hack The Box pentesting platform:

https://www.hackthebox.eu


2 - ENUMERATION

Bashed's IP is 10.10.10.68:

 

- Scanning with Nmap, the only open port is 80:



- Scanning port 80 in more depth:


- Connecting with the browser:

 


- Dirbusting:






- Checking the folder /dev we find two PHP scripts:

 

- Clicking either phpbash.php or phpbash.min.php, the result is a bash shell implemented in PHP:

 







- Looking for more content:

 

- The good news is that Netcat is available:

 


3 - EXPLOITATION


- Msfvenom helps create a PHP payload called myshell.php:




- Uploading myshell.php from Kali to Bashed:


 

 


- Setting up a Meterpreter listener session:




- Running myshell.php from the browser:

 

- The exploitation is successful and we get a Meterpreter session:



- Spawning a shell and upgrading it:

 


4 - CAPTURING THE 1st FLAG

- Reading user.txt:

 


5 - PRIVILEGE ESCALATION

- Let's try two ways of achieving privilege escalation:

5.1 - Exploiting the kernel

- Checking the Ubuntu release version:




- A kernel exploit for this operating system:









- Copying the exploit poc.c to Kali and compiling it according to the instructions:








- Transferring the binary pwn from Kali to Bashed:




- Giving execution permissions:




- Running pwn, we eventually get a root shell:





5.2 - Sudoer privileges

- The current user is www-data:

 

- The sudo privileges of www-data allow it to run all commands as the scriptmanager user:

 




- Listing content inside folder /scriptmanager:



- Listing the contents of /, there is a folder called scripts:



- User www-data cannot directly access the contents of the scripts folder:

 

- However, www-data can use its sudo privileges to open scripts:



- Reading test.py and test.txt:

 

 


- At this point of the exploitation process, the strategy is to replace test.py with exploitation code, for instance:




- Transferring myexploit.py to Bashed:



- Copying myexploit.py over test.py:




- Setting a Netcat listener session on Kali's port 5555:




- After some seconds, a remote root shell is obtained:
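- Two misconfigurations are chained in this section: a sudo rule that lets www-data act as scriptmanager, and a script in /scripts that evidently runs with root privileges yet can be overwritten by a less privileged account. The Python audit below is an added example for hardening reviews, not part of the original write-up; it assumes a simplified sudoers grammar and works on constructed sample data (a sudoers snippet and a temporary directory standing in for /scripts):

```python
import os
import re
import stat
import tempfile
# Constructed sample sudoers content modelled on the Bashed finding
# (www-data may run any command as scriptmanager without a password).
SAMPLE_SUDOERS = """\
Defaults        env_reset
root     ALL=(ALL:ALL) ALL
%sudo    ALL=(ALL:ALL) ALL
www-data ALL=(scriptmanager) NOPASSWD: ALL
"""
# user host=(runas) [TAG:] commands  (simplified sudoers grammar, an assumption)
SUDO_RULE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def risky_sudo_rules(sudoers_text):
    """(user, runas, nopasswd) for non-root users allowed to run ALL commands as another principal."""
    findings = []
    for raw in sudoers_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments
        if not line or line.startswith(("Defaults", "%")):
            continue                                  # skip options and group rules
        m = SUDO_RULE.match(line)
        if not m or m["who"] == "root" or m["cmds"].strip() != "ALL":
            continue
        findings.append((m["who"], m["runas"], "NOPASSWD" in m["tags"]))
    return findings

def group_or_world_writable(directory):
    """Regular files in `directory` that group or others may modify (a root-run job executing one is a takeover path)."""
    hits = []
    for name in sorted(os.listdir(directory)):
        path = os.path.join(directory, name)
        mode = os.stat(path).st_mode
        if stat.S_ISREG(mode) and mode & (stat.S_IWGRP | stat.S_IWOTH):
            hits.append(name)
    return hits

def make_sample_dir():
    """Constructed stand-in for /scripts: test.py writable by anyone, notes.txt not."""
    d = tempfile.mkdtemp()
    for name, mode in (("test.py", 0o666), ("notes.txt", 0o644)):
        with open(os.path.join(d, name), "w") as f:
            f.write("# sample\n")
        os.chmod(os.path.join(d, name), mode)
    return d
```

Run against a real host, the same two checks would be pointed at /etc/sudoers (plus /etc/sudoers.d) and at any directory whose scripts are executed by root.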





6 - CAPTURING THE 2nd FLAG

- Reading root.txt: