OSCP PREPARATIONS – HTB Seal

Seal is a retired Hack The Box machine running Linux. The goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to get to know the target.
Classic Scan

Full port scan

The port scan shows three open ports: 22/tcp (OpenSSH 8.2p1), 443/tcp (ssl/http, nginx) and 8080/tcp (http-proxy). Port 22 offers no attack surface without credentials, so we enumerate ports 443 and 8080 from the browser.
Port 443

On port 443 we enumerated the web application: we read the page source and looked around in the browser developer tools, but found nothing useful.
We run Gobuster to look for hidden files and directories.

Gobuster scan

The Gobuster scan finds some interesting directories, but they answer with a 302 redirect, so we cannot reach them directly. We note them and move on.

Port 8080

Port 8080 presents the GitBucket login screen. We enumerated it in the same way but found nothing. Default GitBucket credentials and the most common username/password pairs did not log us in, so we register an account of our own through the create-account option just below the login form.

Let's log in with the credentials we created.

After logging in we enumerate the application.
We open the root/seal_market repository and go into the tomcat directory, then click the commits button (5 commits) to look at earlier versions of the files.

In an older revision we find credentials in the tomcat/Catalina/localhost/host-manager.xml file:

<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
We note these credentials and continue.

Here I continue with the enumeration part.

We see that a reverse proxy is in play: nginx on port 443 forwards requests to Tomcat behind it. Let's search for known problems when nginx and Tomcat are used together.

We find a path normalization issue between the two, often described as path traversal through the reverse proxy.

This is a high-severity problem in the reverse proxy setup. nginx decides whether a request to the manager is allowed by matching its rules against the raw request path, while Tomcat treats a ';' inside a path segment as the start of a path parameter and strips it before routing. A path such as /manager;/html therefore does not match the nginx rule that returns 403, but Tomcat normalizes it to /manager/html and serves the Tomcat manager. That is how we can reach files on Tomcat that the proxy is supposed to hide.
We already have the tomcat credentials; with this trick we can reach the manager behind the proxy and log in.
Let's try to reach the directories we could not access by inserting a ';' into the path.
Let's bypass the 403 on the manager directory.

Bypass

Let's log in here with the tomcat credentials.

This way we are logged in with the tomcat credentials. The manager lets us deploy an application by uploading a WAR file (web application archive: a compressed package containing Java web components and applications that run on a web server).
We generate a Java reverse shell WAR with msfvenom and deploy it through the manager.

Upload the shell.war file to the target

When uploading the WAR file we hit a 403 response again.

Changing the URL in the browser did not work here, because the upload form submits to its own path,
so we intercept the upload request with Burp Suite and apply the same ';' bypass to the request path.
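To make the ';' trick concrete, here is an added example (not code from the write-up and not the Seal configuration) that models in Python how nginx and Tomcat parse the same request path differently. It covers both the manager page bypass described earlier and the upload request that has to be edited in Burp. The nginx deny rule, the sample paths and the query string are assumptions chosen to mirror the 403 seen in the write-up.

```python
"""Why '/manager;/html' gets past nginx but still reaches Tomcat's manager.

Added example, not code from the write-up and not a copy of the Seal
config: it re-implements the two path parsers in plain Python. nginx
matches location blocks against the decoded, slash-merged request path
and knows nothing about ';'. Tomcat, per the servlet spec, treats
';name=value' in any segment as a path parameter and drops it before
servlet mapping. The denied prefixes and sample requests are assumptions.
(The order of percent-decoding versus parameter stripping is simplified;
no sample below contains encoded characters, so it does not matter here.)
"""
from typing import Dict, Optional
from urllib.parse import unquote

# Assumed nginx rule, standing in for a `location /manager/html` block
# that answers 403: a plain prefix match on the raw request path.
DENIED_PREFIXES = ("/manager/html", "/host-manager/html")


def _decoded_path(raw: str) -> str:
    """Strip the query string and percent-decode."""
    return unquote(raw.split("?", 1)[0])


def nginx_decision(raw: str) -> str:
    """Return 'deny' if the assumed nginx rule blocks the path, else 'pass'."""
    path = _decoded_path(raw)
    while "//" in path:          # merge_slashes is on by default in nginx
        path = path.replace("//", "/")
    return "deny" if path.startswith(DENIED_PREFIXES) else "pass"


def tomcat_normalize(raw: str) -> str:
    """Normalize a path the way Tomcat does before mapping it to a servlet.

    Each segment may carry ';name=value' path parameters; Tomcat removes
    them, then resolves '.' and '..' segments and collapses empty ones.
    """
    path = _decoded_path(raw)
    segments = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]       # drop the path parameter
        if seg in ("", "."):
            continue
        if seg == "..":
            if segments:
                segments.pop()
            continue
        segments.append(seg)
    normalized = "/" + "/".join(segments)
    if path.endswith("/") and segments:
        normalized += "/"
    return normalized


def route(raw: str) -> Dict[str, Optional[str]]:
    """What each layer sees for one request path."""
    decision = nginx_decision(raw)
    return {
        "nginx": decision,
        "tomcat_sees": tomcat_normalize(raw) if decision == "pass" else None,
    }


# Constructed sample requests: the straight path that got a 403, two ';'
# variants that reach the manager, and the WAR upload endpoint the
# Burp-modified request has to target (query string is a placeholder).
SAMPLES = [
    "/manager/html",
    "/manager;/html",
    "/manager/;name=orange/html",
    "/manager;/html/upload?nonce=placeholder",
]

if __name__ == "__main__":
    for sample in SAMPLES:
        print(f"{sample:45} {route(sample)}")
```

Running it prints, for each sample, what nginx decides and what Tomcat sees after stripping the path parameter: the straight /manager/html is denied, while /manager;/html and /manager/;name=orange/html pass nginx and both map to /manager/html on Tomcat. The same holds for the upload path, which is why the Burp-edited request succeeds where the browser's own form submission was refused.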

This is how we got our shell.

The shell we obtained has limited privileges, so we need to move laterally to a more privileged user before we can escalate further. We therefore start local enumeration.
Let's list the processes running in the background with pspy.

The command "sudo -u luis /usr/bin/ansible-playbook /opt/backups/playbook/run.yml" stands out.
Let's look inside this yml file.

The playbook copies the dashboard directory and then archives it as a backup. If we could get the backup to copy the .ssh folder of luis, we could obtain his SSH key and log in as him, but we cannot read that folder ourselves. What stands out is the copy_links=yes parameter: with it, the synchronize task follows symbolic links and copies their targets, so a symlink we plant in a directory the backup reads will pull the linked files into the backup.

We cannot write to the dashboard directory itself, so we create the symlink in its uploads folder.
After about a minute the backup job runs and the files are copied. We transfer the backup to our machine with nc and read it there.
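The reason the symlink works is worth seeing in code. The following added example (not from the write-up and not Ansible's own code) rebuilds the backup job in a temporary directory with Python and runs it once with copy_links=yes and once without, using shutil.copytree as a stand-in for the rsync that the synchronize module invokes. The directory layout, the uploads folder name and the key contents are constructed for the demonstration.

```python
"""How `copy_links=yes` turns the luis backup job into a file-read primitive.

Added example, not code from the write-up and not Ansible's own code. It
rebuilds the Seal situation in a temporary directory: a scheduled job
copies an 'uploads' folder that the low-privileged shell can write to
into a backup location. With copy_links=yes the synchronize module runs
rsync --copy-links, which dereferences symlinks and copies the files
behind them, so a link planted in 'uploads' that points at /home/luis/.ssh
drags the private key into the backup. shutil.copytree stands in for
rsync here; the directory layout and the key text are constructed.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, Optional, Tuple

# Constructed stand-in for luis's private key (not a real key).
FAKE_KEY = ("-----BEGIN OPENSSH PRIVATE KEY-----\n"
            "constructed-sample-key-material\n"
            "-----END OPENSSH PRIVATE KEY-----\n")


def build_lab(root: Path) -> Tuple[Path, Path]:
    """Create the victim's ~/.ssh and the uploads directory the backup reads."""
    ssh_dir = root / "home" / "luis" / ".ssh"
    ssh_dir.mkdir(parents=True)
    (ssh_dir / "id_rsa").write_text(FAKE_KEY)
    uploads = root / "dashboard" / "uploads"
    uploads.mkdir(parents=True)
    return ssh_dir, uploads


def run_backup(src: Path, dest: Path, copy_links: bool) -> None:
    """Stand-in for the playbook's synchronize task.

    copy_links=True mirrors rsync --copy-links: symlinks are followed and
    their targets are copied as regular files and directories.
    copy_links=False mirrors rsync's default: the link itself is recreated
    in the backup and nothing behind it is read.
    """
    shutil.copytree(src, dest, symlinks=not copy_links)


def leaked_key(root: Path, copy_links: bool) -> Optional[str]:
    """Plant the symlink, run the backup, return the key text found in the backup."""
    ssh_dir, uploads = build_lab(root)
    # The attacker only needs write access to 'uploads'; the link target is
    # unreadable to them, but the backup job itself runs as luis.
    os.symlink(ssh_dir, uploads / "ssh")
    backup = root / "backups" / "uploads"
    run_backup(uploads, backup, copy_links)
    copied = backup / "ssh" / "id_rsa"
    # A preserved symlink would still resolve to the original file, so only
    # count a real directory copy as a leak.
    if (backup / "ssh").is_symlink() or not copied.is_file():
        return None
    return copied.read_text()


def demo() -> Dict[str, bool]:
    """Run both playbook settings; True means the key ended up in the backup."""
    results = {}
    for label, flag in (("copy_links=yes", True), ("copy_links=no", False)):
        with tempfile.TemporaryDirectory() as tmp:
            results[label] = leaked_key(Path(tmp), flag) == FAKE_KEY
    return results


if __name__ == "__main__":
    for setting, leaked in demo().items():
        print(f"{setting}: key leaked into backup = {leaked}")
```

With copy_links=yes the backup contains a real copy of id_rsa; without it the backup holds only the symlink, which is useless to a user who cannot read its target. On the defending side the lesson is the same: never let a privileged copy job follow links out of a directory that untrusted users can write to.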

Let's examine the files we retrieved.

With the SSH key we log in as luis and get the user flag, but the root flag is out of reach because we do not have root privileges.

We do local enumeration again to work towards the root flag.

The enumeration shows that luis can run /usr/bin/ansible-playbook with sudo, which gives us our privilege escalation path.

Let's check GTFOBins for a way to exploit this.

GTFOBins shows that a playbook containing a single shell task, run through sudo ansible-playbook, spawns a shell as root. We type that command and try it.

And here we have the root flag.