11/2020

Description:

Target IP: 10.10.10.194

Initial access came from a local file inclusion (LFI) vulnerability in the web application on port 80, which exposed the web server's admin account.

A foothold was gained by using a code execution vulnerability to spawn a reverse shell.

Further examination of the web application turned up a password-protected zip file hosted on it. Although the archive itself is irrelevant, the password protecting it is reused by the user ‘ash’.

Root privileges were acquired via an exploit abusing Linux containers (lxc).

Difficulty:

easy

Flags:

User: 0e484d2a784c5e2193c7b7ad1f4e16c0

Root: f2e0283c559f576b74edc61bc7ae0c33

Enumeration

Nmap port scan result on the target machine.

Services discovered: SSH (22), HTTP (80, 8080).

<aside> 💡

A plain port check scan is much less involved than service and version discovery.

Running a port check first, then service discovery only on the open ports, minimizes wait time.

</aside>

Running service and version discovery on three open ports.

Examining the web application on port 8080 - a default page of Tomcat.

/etc/tomcat9/tomcat-users.xml contains the admin credentials for the manager web application.

Link to the host-manager web app in the tomcat9-admin comment.
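As an added example (not from the original writeup), a small audit script a defender could run against a locally stored tomcat-users.xml to list which accounts hold manager or host-manager roles and whether their passwords are stored in plaintext; the sample file and its credentials are constructed placeholders, and the digest check assumes Tomcat's MessageDigestCredentialHandler salt$iterations$hash layout.

```python
"""Audit a tomcat-users.xml for accounts holding Tomcat manager/host-manager roles.
Added example, not from the original writeup; sample data below is constructed."""
import re
import xml.etree.ElementTree as ET

# Roles that grant access to the manager / host-manager web applications.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Passwords digested by Tomcat's MessageDigestCredentialHandler are stored as
# "<salt>$<iterations>$<hexdigest>"; anything else is treated as plaintext.
_DIGEST_RE = re.compile(r"^[0-9a-fA-F]+\$\d+\$[0-9a-fA-F]+$")


def audit_tomcat_users(xml_text):
    """Return one finding per <user> whose roles include a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for user in root.iter():
        # tomcat-users.xml may carry a default namespace; match the local name.
        if user.tag.rsplit("}", 1)[-1] != "user":
            continue
        roles = {r.strip() for r in user.get("roles", "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if not privileged:
            continue
        findings.append({
            "username": user.get("username", ""),
            "roles": privileged,
            "plaintext_password": _DIGEST_RE.match(user.get("password", "")) is None,
        })
    return findings


# Constructed sample in the shape of a tomcat-users.xml; the credentials are
# placeholders, not values from the target machine.
SAMPLE = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <user username="deploy" password="PLACEHOLDER_PW" roles="manager-gui,manager-script"/>
  <user username="viewer" password="PLACEHOLDER_PW" roles="viewer"/>
  <user username="ops" password="c0ffee$10000$deadbeef" roles="admin-gui"/>
</tomcat-users>
"""

if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE):
        print(finding)
```

Accounts that appear in the output should either be removed or have their roles trimmed, and plaintext entries replaced with digested credentials.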

Examining the web application hosted on port 80.