Thompson [No Spoilers]

Amec0e
4 min read · Nov 27, 2020
Thompson

Difficulty: Easy

First, let’s start as always with our nmap scan:

nmap

From the scan we can see port 8080, which is most likely a web server, SSH on port 22, and Apache JServ (AJP) on port 8009.

With that, let’s check out the web server on port 8080 first:

Apache Tomcat

Here we have an Apache Tomcat server on port 8080. Usually the first thing I want to do here is try a bunch of default credentials; I normally do this with hydra, but in this case I did not need to.

However, when I clicked cancel I noticed something in the 401 page:

401

That is one of the default credentials that can be found online for Apache Tomcat, so let’s try it on the off chance it works:

Manager

And to our luck it worked!

Now we can upload a WAR file containing a reverse shell, using msfvenom to generate the payload:

msfvenom

And now to upload:

upload

And we now have it successfully uploaded:

upload complete

Now simply start an nc listener and execute our payload to catch the shell:

nc listener

Okay, so by now you should know what we do here.

Upgrade the shell:

python tty

Next, check for other users:

ls -la

Can we run sudo -l without supplying a password?

sudo -l

Nope, so now let’s check the system-wide crontab and then look at the user jack’s directory:

crontab

This is interesting: there is a scheduled task that runs as root, changes into jack’s directory and runs another script called id.sh.

So let’s first check out jack’s home contents:

ls -la /home/jack

Okay, we can see the file from the crontab, and we can also see it is readable and writable by all, which is perfect for us.
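The misconfiguration this box hinges on is a root cron job executing a file that any user can modify. As an added example (not part of the original write-up), the Python audit below parses a constructed /etc/crontab, resolves the files each root job executes (following cd), and flags any that are world-writable; the sample crontab line and the 0777 mode are assumptions standing in for the box’s real ones.

```python
import os, pathlib, re, shlex, stat, tempfile

# Constructed /etc/crontab sample (m h dom mon dow user command); the last job
# mirrors the write-up's pattern. The box's real crontab line is not known.
SAMPLE_CRONTAB = """\
SHELL=/bin/sh
17 *  *   *   *   root  cd / && run-parts --report /etc/cron.hourly
*  *  *   *   *   root  cd /home/jack && bash id.sh
"""

def parse_system_crontab(text):
    """Yield (user, command) per job line, for both 5-field and @reboot-style entries."""
    for line in (l.strip() for l in text.splitlines()):
        if line and not line.startswith("#") and "=" not in line.split()[0]:
            n = 2 if line.startswith("@") else 6  # fields before the command
            fields = line.split(None, n)
            if len(fields) == n + 1:
                yield fields[-2], fields[-1]

def referenced_files(command, fs_root="/"):
    """Resolve existing files the command names, tracking 'cd' across && ; | segments."""
    cwd, found = "/", []
    for segment in re.split(r"&&|\|\||;|\|", command):
        words = shlex.split(segment)
        if words and words[0] == "cd":
            cwd = os.path.normpath(os.path.join(cwd, words[1])) if len(words) > 1 else cwd
            continue
        for word in words:
            path = os.path.normpath(os.path.join(cwd, word))
            if not word.startswith("-") and os.path.isfile(fs_root.rstrip("/") + path):
                found.append(path)
    return found

def world_writable_root_jobs(crontab_text, fs_root="/"):
    """Return (command, path, mode) for root jobs that run a world-writable file."""
    findings = []
    for user, command in parse_system_crontab(crontab_text):
        for path in referenced_files(command, fs_root) if user == "root" else []:
            mode = os.stat(fs_root.rstrip("/") + path).st_mode
            if mode & stat.S_IWOTH:
                findings.append((command, path, oct(stat.S_IMODE(mode))))
    return findings

def demo():
    """Recreate the weak permission in a temp dir (acting as /) and audit it."""
    with tempfile.TemporaryDirectory() as root:
        script = os.path.join(root, "home/jack/id.sh")
        os.makedirs(os.path.dirname(script))
        pathlib.Path(script).write_text("#!/bin/bash\n# constructed stand-in for the real id.sh\n")
        os.chmod(script, 0o777)  # readable and writable by all, as on the box
        return world_writable_root_jobs(SAMPLE_CRONTAB, root)
```

Run against the real system with `world_writable_root_jobs(open("/etc/crontab").read())`; a hardened host returns an empty list.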

We can also see the user.txt and a test.txt, so let’s first get the user.txt:

user.txt

Awesome and now to check test.txt:

test.txt

Okay, this is clearly the output file from the id.sh script, so let’s check what’s inside that:

id.sh

Okay, simple. We know the file is run on a timer, so all we need to do is set up another nc listener, echo a bash reverse shell into this id.sh file and wait for our new shell to connect.

Once it does we should be root and own the box, so first let’s echo the bash reverse shell:

echo

And now we wait a little for our new shell to connect:

nc listener

NOTE: We were originally listening on port 4444, so we needed to specify another port.

And last but not least, the root.txt!

root.txt

And we are done! Congratulations and thank you for reading!

Please feel free to follow me on Twitter if you like the write-up: https://twitter.com/amec0e
