TryHackMe — Advent of Cyber 2 — Day 12

Good evening everyone,

All right, we continue with the catch-up game today. This next machine, it seems, will be focused on CGI vulnerabilities. Anyhow, here is the intro:

“Christmas is fast approaching, yet, all remain silent at The Best Festival Company (TBFC). What gives?! The cheek of those elves — slacking at the festive period! Santa has no time for slackers in his workshop. After all, the sleigh won’t fill itself, nor will the good and naughty lists be sorted. Santa has tasked you, Elf McEager, with whacking those elves back in line.”

For now, I’m going to just start with the standard nmap scan:

$ nmap -sC -sV 10.10.92.197

Question 1: What is the version number of the web server?

Well, from the nmap, we have a few different web servers.

root@kali:/mnt/hgfs/shared_folder/tryhackme# nmap -sC -sV 10.10.92.197
Starting Nmap 7.80 ( https://nmap.org ) at 2020-12-15 17:46 EET
Nmap scan report for 10.10.92.197
Host is up (0.10s latency).
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: TBFC-WEB-01
| NetBIOS_Domain_Name: TBFC-WEB-01
| NetBIOS_Computer_Name: TBFC-WEB-01
| DNS_Domain_Name: tbfc-web-01
| DNS_Computer_Name: tbfc-web-01
| Product_Version: 10.0.17763
|_ System_Time: 2020-12-15T15:47:09+00:00
| ssl-cert: Subject: commonName=tbfc-web-01
| Not valid before: 2020-12-11T21:55:21
|_Not valid after: 2021-06-12T21:55:21
|_ssl-date: 2020-12-15T15:47:14+00:00; -1s from scanner time.
5357/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Service Unavailable
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
| ajp-methods:
|_ Supported methods: GET HEAD POST OPTIONS
8080/tcp open http Apache Tomcat 9.0.17
|_http-favicon: Apache Tomcat
|_http-title: Apache Tomcat/9.0.17
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Let’s do a quick searchsploit on the Tomcat service. We can also take a look at the CGI-based ones. It did warn us in the learning portion about CGI exploits. Also, it has a high CVSS score.

Question 2: What CVE can be used to create a Meterpreter entry onto the machine? (Format: CVE-XXXX-XXXX)

So if we check out the exploit (https://www.cvedetails.com/cve/CVE-2019-0232/)

Anyhow, that answers that question. Let’s move on. The challenge mentions it wants us to try and use the meterpreter shell from Metasploit. As I said in my first post, I’m going for the OSCP once I get back home, so let’s see if we can find a non-msf exploit. I cheated a little and used the context clues from the learning section to find this .bat file in the cgi folder and tested with a whoami. I also used this for reference: https://wwws.nightwatchcybersecurity.com/2019/04/30/remote-code-execution-rce-in-cgi-servlet-apache-tomcat-on-windows-cve-2019-0232/
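
The version match behind that answer, as an added example that is not part of the original post: it reads nmap -sV service lines and flags Tomcat builds inside the ranges the Apache advisory lists for CVE-2019-0232 on a Windows host. The function name, verdict labels and the second sample scan are assumptions made for illustration.

```python
import re

# Affected ranges (inclusive) from the Apache Tomcat advisory for CVE-2019-0232.
# Milestone builds such as 9.0.0.M1 are treated as x.y.0 here (simplification).
AFFECTED = [((9, 0, 0), (9, 0, 17)), ((8, 5, 0), (8, 5, 39)), ((7, 0, 0), (7, 0, 93))]
SERVICE_RE = re.compile(
    r"^(\d+)/tcp\s+open\s+\S+\s+Apache Tomcat (\d+)\.(\d+)\.(\d+)", re.M)
WINDOWS_RE = re.compile(r"^Service Info:.*\bOS: Windows\b", re.M)

def triage(nmap_text):
    """Return one finding per Tomcat HTTP service in an nmap -sV report."""
    on_windows = bool(WINDOWS_RE.search(nmap_text))
    findings = []
    for m in SERVICE_RE.finditer(nmap_text):
        version = tuple(int(x) for x in m.group(2, 3, 4))
        affected = any(low <= version <= high for low, high in AFFECTED)
        if affected and on_windows:
            verdict = "review"         # banner matches; CGI config still decides
        elif affected:
            verdict = "not-windows"    # the CVE is specific to Windows hosts
        else:
            verdict = "outside-range"  # build is not in an affected range
        findings.append({"port": int(m.group(1)),
                         "version": ".".join(map(str, version)), "verdict": verdict})
    return findings

# Lines taken from the scan output on this page.
PAGE_SCAN = """\
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8080/tcp open http Apache Tomcat 9.0.17
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
"""

# Constructed sample: an in-range build on a non-Windows host and a later build.
CONSTRUCTED_SCAN = """\
8080/tcp open http Apache Tomcat 8.5.39
8443/tcp open ssl/http Apache Tomcat 9.0.40
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
"""

if __name__ == "__main__":
    for scan in (PAGE_SCAN, CONSTRUCTED_SCAN):
        print(triage(scan))
```

A "review" verdict only means the banner is in range: the host is exposed only if the CGI servlet is enabled with enableCmdLineArguments turned on, which the scan cannot show.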

Question 3: What are the contents of flag1.txt

Well, for now, the msfconsole worked without issue for reading the flag. As I have run out of time tonight, this will have to cut it. I’ll try again tomorrow. Also, they mention there are 2 ways to escalate privileges in this machine; as this is Windows and I’m not as good at them, I’ll hit that at a later date as well.

As always, best of luck. If you enjoy my content, feel free to add me on LinkedIn and let me know you saw the blog.

Until next time,

-3lduderino