Sunday, 17 February 2019

Sleepy - CTF

I woke up again at 3 AM, so it was a good time to finish one of the CTFs I started a few weeks ago. This one is called Sleepy ;). You can find the machine online thanks to the VulnHub team. Below are a few details from the journey...
When the machine is ready, we should be somewhere here:

When I saw JDWP (the Java Debug Wire Protocol, a remote debugging port that should never be exposed on a network) enabled, I decided to switch to Metasploit and use one of the exploits available there (exploit/multi/misc/java_jdwp_debugger):

That was interesting. :)

I decided to read a few more pages about JDWP [1, 2, 3, 4]. Now it was time to verify the hints I found. :)

Checking prdelka's paper:

So far so good. More docs to read:

...and more...

Ok, we will get back to that later...

Let's check the next open port found, 8009/tcp, which is Tomcat's AJP connector. Some hints you will find on Wikipedia:

Ok, let's prepare mod_jk, the Apache module that speaks AJP to Tomcat (based on this article [5], thanks!):

Our configs:

Restarting apache2 and checking our 'settings':

Looks like now we can access /manager/.

After a while you'll see that brute-forcing the manager's password is pointless. So I was wondering if there is any other way to grab Tomcat's password list... Let's get back to our JDWP port.

According to the links mentioned before ([1, 2, 3, 4, 5]), we'll get the list of available threads:

Let's interrupt one of them (a suspended thread is what we need to invoke methods inside the target VM):

Now (after I looked up where tomcat-users.xml lives) I modified the payload available here
to read the content of the file:

...and again... ;]

I was wondering whether I needed to copy the users file via FTP. Checking:

Maybe, but I wasn't even able to list the directory contents when connected via FTP ;S

So no luck, need to try something else...

Maybe some grep? ;)

"Great, password!" But can you see the nice string at the beginning of the line ("<!--" ;))? The match sits inside an XML comment, so that password is commented out.

So, yeah...

At this stage I was stuck for a while. But then I decided to read the file backwards (line by line):

Good, so now we have the 'tomcat' password and we can access Tomcat's /manager/... ;)
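The grep trap above, as an added example that is not the post's own script: a constructed tomcat-users.xml in which the first credential sits inside an XML comment, exactly the `<!--` case described, and the live one comes further down. A plain grep returns both; feeding the file to an XML parser drops comments, so only active `<user>` elements survive. The usernames, passwords and roles in `SAMPLE` are invented.

```python
"""Extract Tomcat manager credentials from tomcat-users.xml while ignoring
commented-out entries. Added example, not from the post; SAMPLE is constructed."""
import re
import xml.etree.ElementTree as ET

# Constructed file: the first <user> is a decoy inside an XML comment (the
# "<!--" hit from the walkthrough), the second is the one Tomcat actually loads.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="manager-script"/>
  <!--
  <user username="tomcat" password="s3cret" roles="manager-gui"/>
  -->
  <user username="tomcat" password="REALPASS" roles="manager-gui,manager-script"/>
</tomcat-users>
"""

# Tomcat 8+ ships the file with this default namespace; older files have none.
NS = "{http://tomcat.apache.org/xml}"


def grep_passwords(text):
    """What a plain grep sees: every password= attribute, commented or not."""
    return re.findall(r'password="([^"]*)"', text)


def active_users(text):
    """Credentials Tomcat will actually honour: comments never reach the tree."""
    root = ET.fromstring(text)
    users = root.findall(f"{NS}user") + root.findall("user")   # namespaced or bare
    return {u.get("username"): (u.get("password"), u.get("roles", ""))
            for u in users}


def manager_logins(text):
    """Only accounts that can reach /manager/ (gui or script role)."""
    return {name: pw for name, (pw, roles) in active_users(text).items()
            if {"manager-gui", "manager-script"} & set(roles.split(","))}


if __name__ == "__main__":
    print("grep would report:", grep_passwords(SAMPLE))
    print("live accounts:    ", active_users(SAMPLE))
    print("manager logins:   ", manager_logins(SAMPLE))
```

The same idea applies to any config you pull through a narrow channel such as a JDWP payload: read it with the parser the target uses, not with a regex, or the decoy entry is the one you will try against /manager/.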

My next step was to generate a WAR shell and deploy it to the "remote" target (from our host):

Checking access:

Preparing WAR webshell:


After visiting the 'new link' we should see our reverse shell in the meterpreter window:

Cool. Let's find some SUID files:

As you can see, there is a nightmare binary:

Checking with strings:

Great. Checking:

Ok, again. I prepared a new session/WAR file:

Next step: exporting a function in bash (an exported function shadows a same-named command in any child bash, so a SUID binary that runs a command through a shell by bare name can be redirected to our code):

Unfortunately I wasn't able to grab a root shell...

...until kill with the proper signal was used (in the 2nd (session) console):

Great, root shell :)

It was a great CTF. Big thanks go to the author!
Also big thanks go to VulnHub for sharing all of these games.

