Feline — HTB walkthrough

Dhanishtha Awasthi
7 min read · Mar 13, 2021


Today we will be looking at the machine Feline. This machine is interesting because it involves Java deserialization through the JSESSIONID value. Without wasting time, let's jump in.

ENUMERATION

Nmap Scan for Service Versions with Default Scripts.

After scanning the target we see that ports 22 and 8080 are open: 22 is SSH, and 8080 hosts a website named Virus Bucket running on an Apache server (Apache Tomcat, as the CVE enumeration below confirms).

PORT 8080 Enumeration

The page source contains:

Source Code Enumeration

The site lets us submit a malware sample for analysis. Let's attach any msfvenom-created payload.

On uploading a file I see: upload successful, the report will be sent via mail.

Uploading an empty file gives:

Then I tried removing the filename and sending only the contents.

We see that we get the upload file path.

CVE enumeration: I found two CVEs for RCE.

The first one:

And the second one:

Exploiting CVE-2020-1938 gave me a "not implemented" error. This error occurs when we try to connect to a service that the web server is not actually running, so this was definitely not the way in: AJP13 was not implemented here.

For exploiting CVE-2020-9484 we need the upload path, which we already have. Enumerating CVE-2020-9484 further, I found:

https://www.redtimmy.com/java-hacking/apache-tomcat-rce-by-deserialization-cve-2020-9484-write-up-and-exploit/

It explains what happens in the exploit.

EXPLOITATION

So we need to create a file with ysoserial and upload it to the server.

Change the file permissions to 777 (read, write and execute for all), then upload the file.

Now make the following request:

On the Python HTTP server you get a 200 OK for the nc transfer, and a 500 error in the web page. Then I make two files, one to change the mode of the uploaded nc and a second to spawn a reverse shell.

And I repeated the above process:

1) Cleared the browser history each time before making an upload.

2) Changed the permissions of the file to be uploaded to 777 (all).

3) Kept nc listening on the defined port.

4) Uploaded the file.

5) Made the request to http://10.10.10.205:8000, with the JSESSIONID value changed according to the filename.

First upload a file named iamfedup.session, which contains the command to change the mode to 777.
Now try with JSESSIONID iamfedup, which will automatically look for iamfedup.session.

This will run the "change mode" command in the background for the file /tmp/nc.

First upload the file named iamfedup2.session,
then call iamfedup2; this will automatically look for iamfedup2.session.

After uploading iamfedup2 we get the reverse shell, as it executes the nc reverse shell command.

(I messed up in between, so I did the process again with a new port, i.e. 1234.) Got the reverse shell.
Getting user.txt
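From the defender's side, the request pattern above (a JSESSIONID that is really a path to an uploaded file, answered with a 500 while the serialized object is loaded) is what to hunt for in Tomcat access logs. The following detection script is an added example, not code from the original walkthrough; it assumes the AccessLogValve pattern was extended with the Cookie header (`"%{Cookie}i"`), and the log lines, paths and session ids in it are constructed.

```python
# Added detection example for CVE-2020-9484-style session-file traversal.
# Assumes Tomcat's AccessLogValve uses the default pattern plus the Cookie
# header: pattern='%h %l %u %t "%r" %s %b "%{Cookie}i"'. All lines below
# are constructed samples, not real logs from the machine.
import re
from urllib.parse import unquote

SAMPLE_LOG = """\
10.10.14.2 - - [13/Mar/2021:10:01:12 +0000] "GET /service/ HTTP/1.1" 200 1532 "JSESSIONID=4F3A9C2E1D"
10.10.14.2 - - [13/Mar/2021:10:02:44 +0000] "POST /upload.jsp HTTP/1.1" 200 85 "JSESSIONID=4F3A9C2E1D"
10.10.14.2 - - [13/Mar/2021:10:03:01 +0000] "GET /service/ HTTP/1.1" 500 0 "JSESSIONID=../../../../tmp/uploads/iamfedup"
10.10.14.2 - - [13/Mar/2021:10:03:20 +0000] "GET /service/ HTTP/1.1" 500 0 "JSESSIONID=..%2F..%2F..%2Ftmp%2Fiamfedup2"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<cookie>[^"]*)"$'
)
COOKIE_RE = re.compile(r'JSESSIONID=([^;\s]*)')


def session_id_is_traversal(raw_sid: str) -> bool:
    """True if the session id, after URL decoding, points outside the
    session store (contains a path separator or a '..' component)."""
    sid = unquote(unquote(raw_sid))  # tolerate single or double encoding
    return "/" in sid or "\\" in sid or ".." in sid


def find_session_traversal(log_text: str) -> list[dict]:
    """One finding per line whose JSESSIONID looks like a file path.
    A 500 next to such a cookie matches the deserialization attempt the
    walkthrough describes; a 200 still means the file lookup happened."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # line is not in the assumed layout
        c = COOKIE_RE.search(m["cookie"])
        if c and session_id_is_traversal(c.group(1)):
            findings.append({"ip": m["ip"], "ts": m["ts"],
                             "status": int(m["status"]),
                             "session_id": unquote(unquote(c.group(1)))})
    return findings


if __name__ == "__main__":
    for f in find_session_traversal(SAMPLE_LOG):
        print(f)
```

The real fix is to avoid a FileStore-backed PersistentManager fed by user-controlled session ids, or to set sessionAttributeValueClassNameFilter so arbitrary classes are never deserialized; the log check above is only a way to spot attempts.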

POST EXPLOITATION

The shell we initially get is not bash.

Rabbit Holes:

1) e2scrub_all cronjob

cat /sbin/e2scrub_all

The cron job executes /sbin/e2scrub_all.

2) apport

Both the e2scrub and apport versions were vulnerable, but neither could be exploited here. Finally, enumerating connections, we see localhost connected to ports 4505 and 4506.

Saltstack

Docker

Exploit

https://github.com/jasperla/CVE-2020-11651-poc/blob/master/exploit.py

Reverse tunnel Port forwarding

I tried creating a reverse tunnel to the Docker host using SSH first. But that would require me to add authorized keys to the .ssh directory in the tomcat home folder, which we don't have permissions to. So I tried it using netcat.

But I failed. I got the connection back but no shell; I can't even figure out why.

So next I used socat.

Socat-based reverse tunnel: port forwarding

After we have forwarded our local port 4506 to 9003 and started a listener on it, we need to connect to it from our local Kali machine.

Method 1: using an msfvenom reverse shell payload

Create the payload.

Start netcat listening.

Transfer the files and execute them via the exploit we found.

We are now root inside the Docker container.

Method 2:

Directly transfer netcat to the Docker container's /tmp folder and execute it to get a shell back.

Now that we are root in the container, let's escalate privileges.

PRIVILEGE ESCALATION

First let's get bash.

From todo.txt we learn that Tomcat needs to be opened to the public but is currently running somewhere internally.

We see the Docker unix socket being used to query the containers JSON endpoint.

Method 1:

https://www.hackingarticles.in/docker-privilege-escalation/

The -v parameter specifies that we want to create a volume in the Docker instance. The -it parameters put the container into interactive shell mode rather than starting a daemon process. The instance is set up to mount the root filesystem of the target machine into the container volume, so when the instance starts it immediately chroots into that volume. This gives us root on the machine. After running the command, we traverse into the /mnt directory and find flag.txt.
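The same daemon socket that makes this escape possible also exposes the evidence of it: every container's bind mounts are visible in the /containers/json response. The audit below is an added example, not part of the original walkthrough; it flags containers whose host source is / or another sensitive host path, the payload is a constructed sample modelled on the API's ContainerSummary objects, and the optional live helper assumes the default socket path /var/run/docker.sock.

```python
# Added audit example: find containers that bind-mount the host's / (or
# another sensitive host path), the setup the walkthrough uses to chroot
# into the host. SAMPLE_CONTAINERS is constructed; fetch_containers() is
# optional and assumes the default /var/run/docker.sock.
import http.client
import json
import socket

SENSITIVE_HOST_PATHS = ("/", "/root", "/etc", "/var/run/docker.sock")

SAMPLE_CONTAINERS = json.loads("""[
  {"Id": "aaa111", "Names": ["/escape"], "Image": "alpine",
   "Mounts": [{"Type": "bind", "Source": "/", "Destination": "/mnt", "RW": true}]},
  {"Id": "bbb222", "Names": ["/sandbox"], "Image": "alpine",
   "Mounts": [{"Type": "bind", "Source": "/opt/samples", "Destination": "/data", "RW": false}]},
  {"Id": "ccc333", "Names": ["/dind"], "Image": "docker",
   "Mounts": [{"Type": "bind", "Source": "/var/run/docker.sock",
               "Destination": "/var/run/docker.sock", "RW": true}]}
]""")


def is_sensitive_mount(mount: dict) -> bool:
    """A bind mount whose host source is / or lies under a sensitive path."""
    if mount.get("Type") != "bind":
        return False
    src = mount.get("Source", "")
    return any(src == p or (p != "/" and src.startswith(p + "/"))
               for p in SENSITIVE_HOST_PATHS)


def find_host_escapes(containers: list) -> list:
    """Return (container name, host source, destination, rw) per risky mount."""
    hits = []
    for c in containers:
        name = (c.get("Names") or [c.get("Id", "?")])[0].lstrip("/")
        for m in c.get("Mounts", []):
            if is_sensitive_mount(m):
                hits.append((name, m["Source"], m["Destination"], bool(m.get("RW"))))
    return hits


def fetch_containers(sock_path: str = "/var/run/docker.sock") -> list:
    """Query the live daemon over its unix socket (needs socket access)."""
    s = socket.socket(socket.AF_UNIX)
    s.connect(sock_path)
    conn = http.client.HTTPConnection("localhost")
    conn.sock = s  # reuse the already-connected unix socket
    conn.request("GET", "/containers/json?all=1")
    return json.loads(conn.getresponse().read())


if __name__ == "__main__":
    for hit in find_host_escapes(SAMPLE_CONTAINERS):
        print("host path exposed:", hit)
```

Anyone who can reach the socket can create such a mount, so the audit is a sanity check; the actual control is keeping the socket away from unprivileged users and containers.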

Method 2:

https://blog.secureideas.com/2018/05/escaping-the-whale-things-you-probably-shouldnt-do-with-docker-part-1.html

Rooting the machine

Copy your public RSA key into .ssh/authorized_keys.

Simply run the command to escape the Docker shell by mounting /root of VirusBucket to /mnt, then add your SSH key to authorized_keys.
After adding the authorized key, log in to the machine with SSH.
Finally, we are root.

We are welcomed with a message introducing Kubernetes 1.19.

Kubernetes is an open-source container orchestration system for automating application deployment, scaling and management. It was originally designed by Google and is now maintained by the Cloud Native Computing Foundation.

Don't forget to grab your root.txt.

ROOTED!!!
