OSCP PREPARATIONS – HTB Seal

Seal is a vulnerable Linux machine among the retired machines. The goal is to obtain the user and root flags by using its vulnerabilities.
We start with an nmap network scan to identify the target machine.
Classic Scan

Full port scan

As a result of the port scan, 22/tcp (ssh, OpenSSH 8.2p1), 443/tcp (ssl/http, nginx) and 8080/tcp (http-proxy) are open. Since there is no vulnerability on port 22, let's enumerate ports 443 and 8080 from the browser.
Port 443

On port 80, we enumerated the web application: we looked at the source code and in developer mode, but we did not find any information.
We scan with Gobuster to see if there are any hidden files or directories.

Gobuster scan

As a result of the Gobuster scan we found some interesting directories, but they return response code 302, so we could not access them. We note these directories and continue.

Port 8080

On port 8080 the GitBucket login screen greets us. We enumerated it in the same way but could not get any information. We tried the GitBucket default credentials and the most commonly used credentials, but could not log in successfully. So we create a user for ourselves named root in the create-user section just below.

Let's log in with the credentials we created.

After logging in, we enumerate the application.
We go to the root/seal_market/tomcat directory and click the "5 commits" button to see the previously modified files.

We look in the old file. Here we find credentials in the tomcat/Catalina/localhost/host-manager.xml file:

<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
We note this information and continue.

Here I continue with the enumeration part.

We understand that a proxy is used here. Let's Google whether there is a vulnerability when nginx and Tomcat are used together.

We found that there is a path traversal vulnerability.

We understand that there is a high-severity vulnerability here. The vulnerability is in the reverse proxy: nginx and Tomcat do not normalize request paths the same way, so a request the proxy lets through can reach files on Tomcat that it was meant to block.
We have obtained the Tomcat credentials. With this information, we need to use this vulnerability to connect to Tomcat.
Let's try to reach the directories we cannot access by using the ; sign.
Let's try to bypass the 403 in the manager directory.

Bypass
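As an added example (not code from the original walkthrough), here is a small Python detector a defender could run over nginx access logs to spot the ; path-parameter trick used above: it normalizes each request path the way Tomcat would and flags requests whose normalized form lands under a restricted prefix while the raw path does not. The log lines and the restricted prefixes are constructed assumptions.

```python
import re
from urllib.parse import unquote

# Constructed nginx "combined" access-log lines; the client IPs, times and
# sizes are made up for this example and are not from the original post.
SAMPLE_LOG = """\
10.10.14.5 - - [10/May/2024:12:00:01 +0000] "GET /manager/html HTTP/1.1" 403 162 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2024:12:00:02 +0000] "GET /manager;/html HTTP/1.1" 200 10242 "-" "Mozilla/5.0"
10.10.14.5 - - [10/May/2024:12:00:03 +0000] "GET /manager;a=b/html HTTP/1.1" 200 10242 "-" "Mozilla/5.0"
10.10.14.9 - - [10/May/2024:12:00:04 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "curl/7.88"
10.10.14.5 - - [10/May/2024:12:00:05 +0000] "POST /host-manager%3B/html HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Paths the reverse proxy is supposed to deny (assumed policy for this example).
RESTRICTED_PREFIXES = ("/manager", "/host-manager")


def tomcat_normalize(path: str) -> str:
    """Approximate how Tomcat sees a path: strip the query string,
    percent-decode, then drop the ';...' path-parameter part of each segment."""
    decoded = unquote(path.split("?", 1)[0])
    return "/".join(seg.split(";", 1)[0] for seg in decoded.split("/"))


def is_bypass_attempt(path: str) -> bool:
    """True when the decoded raw path differs from Tomcat's view of it and
    that view lands under a restricted prefix, i.e. the ';' trick is being
    used to slip past a prefix-based deny rule in the proxy."""
    raw = unquote(path.split("?", 1)[0])
    normalized = tomcat_normalize(path)
    return normalized != raw and normalized.startswith(RESTRICTED_PREFIXES)


def find_bypass_attempts(log_text: str) -> list:
    """Parse combined-format lines and return the suspicious requests."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_bypass_attempt(m["path"]):
            hits.append({"ip": m["ip"], "path": m["path"],
                         "normalized": tomcat_normalize(m["path"]),
                         "status": int(m["status"])})
    return hits
```

A 200 response on a flagged line is the interesting case: it means the proxy rule was bypassed and Tomcat served the restricted path.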

Let's log in here using the Tomcat credentials.

This way we were able to log in with the Tomcat credentials. Here we can upload a WAR file (a .war file is a compressed package containing Java-based web components and applications that run on a web server).
Here we generate a Java WAR payload with msfvenom, upload it and run it.

Upload the shell.war file to the target

When uploading this WAR file we got stuck again at a 403 response.

We tried to bypass it from the URL but it did not work,
so let's try to intercept the request and bypass it with Burp Suite.

This is how we got our shell.

We have seen that even the luis user's authorization is limited, so we need to raise our privileges by lateral movement. Therefore we do local enumeration.
Let's list the commands running in the background with the pspy tool.

The command "sudo -u luis /usr/bin/ansible-playbook /opt/backups/playbook/run.yml" stands out here.
Let's see what is inside this yml file.

We understand that the dashboard is copied and then backed up. If we could copy the ssh folder, which is one of the target files, we could obtain the ssh key of the luis user and connect with it. But we cannot do this directly because we do not have permission to copy it. What is remarkable here is the copy_links=yes parameter: because of it, if we add a symbolic link, the backup follows the link and copies its target as well.

It did not give permission on the dashboard folder itself, so we place the link in the uploads folder.
After waiting 1 minute, the files are backed up. With nc, we transfer the files from the target machine to our machine and read them.
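As an added example, not from the original post: a Python audit a defender could run on a backup source directory before syncing it with copy_links=yes, listing symlinks whose targets resolve outside the tree (exactly what the backup task above follows and copies). The directory layout, paths and key content in demo() are constructed placeholders.

```python
import os
import shutil
import tempfile
from pathlib import Path


def escaping_symlinks(source_dir) -> list:
    """Return (relative_link_path, resolved_target) for every symlink under
    source_dir whose target resolves outside source_dir. A sync that follows
    links (copy_links=yes) would copy those targets' contents into the backup."""
    root = Path(source_dir).resolve()
    escapes = []
    # followlinks=False: we only inspect links, never descend into them.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            link = Path(dirpath) / name
            if not link.is_symlink():
                continue
            try:
                target = link.resolve(strict=True)
            except (OSError, RuntimeError):
                continue  # dangling or looping link: nothing would be copied
            if target != root and root not in target.parents:
                escapes.append((str(link.relative_to(root)), str(target)))
    return escapes


def demo() -> list:
    """Constructed layout (placeholder paths and key content, not the real
    box): a fake home with an .ssh directory, and a dashboard/uploads folder
    containing one symlink that escapes the tree and one that does not."""
    base = Path(tempfile.mkdtemp())
    try:
        home_ssh = base / "home" / "luis" / ".ssh"
        home_ssh.mkdir(parents=True)
        (home_ssh / "id_rsa").write_text("PLACEHOLDER-PRIVATE-KEY\n")
        uploads = base / "dashboard" / "uploads"
        uploads.mkdir(parents=True)
        (uploads / "logo.png").write_bytes(b"\x89PNG")
        os.symlink(home_ssh, uploads / "backup_me")          # escapes: would leak the key
        os.symlink(uploads / "logo.png", uploads / "logo2")  # stays inside: harmless
        return escaping_symlinks(base / "dashboard")
    finally:
        shutil.rmtree(base, ignore_errors=True)
```

Running the audit as part of the backup job and refusing to sync when it returns anything removes the window this walkthrough relies on.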

Let's examine the files we received.

We got the user flag as this user, but we could not get the root flag because we do not have root authorization.

We do local enumeration to obtain the root flag.

As a result of the enumeration, we see that we will escalate privileges through /usr/bin/ansible-playbook.

Let's see if this is exploitable on GTFOBins.

We type this command and try it.

Here we have the root flag.
