HackTheBox Writeup — Feline

Hello Guys , I am Faisal Husaini. My username on HTB is “fa1sal” . Also join me on discord.

The IP of this box is

Port Scan

We get 2 Open Ports , one running OpenSSH 8.2p1 on Port 22 and other running Apache Tomcat 9.0.27 on Port 8080

Way To User

Clicking on the Service option above, we get redirected /service directory and it contains a file upload functionality

The Apache Tomcat version running on the server is vulnerable to CVE-2020–9484 which is a Java deserialization vulnerability where we need a file upload functionality where we have control over the uploaded file

Since we don’t have the file uploaded to a external location which we can access from the web directly, but we can get the internal location through the java errors, for that I try to upload a file without name and then check the response in Burp

We see the internal file location for the file upload is /opt/samples/uploads and now we use ysoserial to create our java serialized code which we can then upload and then exploit it to deserialize the code and get reverse shell , but we have to upload the file as a .session file and then change the JSESSIONID to the directory traversed to the location of the file without .session extension

We create a bash script and then start a netcat listener and get our reverse shell as user tomcat which has the user flag

Way To Root

Checking on Google about these 2 Ports , it is known that these 2 ports are for SaltStack and checking for vulnerabilities for it, we have a latest CVE for it ,i.e, CVE-2020–11651

Using the publicly available exploit from the GitHub to check if it is vulnerable or not , but before that we did the portforwarding using chisel

We confirmed that the exploit is working for this SaltStack version and now we can get reverse shell through this exploit

We got reverse shell successfully and we are in a Docker container as root but we still don’t have access as root to the main machine , looking at the bash history , it tells that previously docker sockets has been used which can be used to escape the docker container

Now, we set up our container to get a shell which where we have the contents of the /root directory of the main system in a directory named /root_host , for more detailed information , check the link at the end of this writeup in the References section

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover