BlueSky Walkthrough – Vulnhub – Writeup
BlueSky is an easy machine from Vulnhub that requires a bit of initial enumeration; once you have the foothold, the rest isn’t difficult. This machine worked in VMware but not in VirtualBox for me. I have taken the foothold from Proxy Programmer’s video, which you can check at the end of this blog post.
Link to the machine: https://www.vulnhub.com/entry/bluesky-1,623/
Identify the target
First of all, since we are working in a virtual environment, we have to identify the IP address of the target machine.
sudo netdiscover -r 192.168.19.0/24
Scan open ports
Next, we scan the target for open ports and the services behind them.
nmap -v -T4 -sC -sV -p- -oN nmap.log 192.168.19.147
We can see from the screenshot above that we have an Apache Tomcat server running on the target.
Enumerate the Tomcat server
This is the part where I really couldn’t get anything out of the Tomcat server. However, from Proxy Programmer’s video I learned that we need to guess related frameworks. Also, when I searched for tomcat in Metasploit, one of the results was Struts, a framework for Java EE. With the help of Proxy Programmer’s video, I identified that the vulnerability is in the Struts2 framework.
Github Link: https://github.com/jrrdev/cve-2017-5638/blob/master/exploit/exploit.py
The above exploit works on Python 2 only, so I used the Metasploit framework to get a reverse shell instead.
Although Metasploit reported that the exploit failed, a session was opened in the background.
Since we have a session in the background, I used it to spawn another reverse shell back to a netcat listener in my own bash terminal, as Metasploit shells aren’t as stable.
nc -nlvp 9001
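Looking at the foothold above from the server side, here is an added example that is not part of the original post: it scans Tomcat access-log lines for a Content-Type header that carries OGNL expression syntax, which is the signature of CVE-2017-5638 probes. It assumes the AccessLogValve pattern was extended with `%{Content-Type}i`, and the log lines are constructed.

```python
import re
from typing import Optional

# Constructed sample access-log lines (not from the original post). They assume Tomcat's
# AccessLogValve pattern was extended to record the request Content-Type header, e.g.
#   pattern='%h %l %u %t "%r" %s %b "%{Content-Type}i"'
# The second line carries a non-functional placeholder expression, not a real payload.
SAMPLE_LOG = """\
192.168.19.10 - - [10/Mar/2021:12:00:01 +0000] "GET /struts2-showcase/ HTTP/1.1" 200 1532 "-"
192.168.19.10 - - [10/Mar/2021:12:00:05 +0000] "POST /struts2-showcase/index.action HTTP/1.1" 200 87 "%{(#placeholder='multipart/form-data')}"
192.168.19.11 - - [10/Mar/2021:12:00:09 +0000] "POST /upload.action HTTP/1.1" 200 12 "multipart/form-data; boundary=----abc123"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<ctype>[^"]*)"$'
)

# CVE-2017-5638: the Jakarta multipart parser copies a malformed Content-Type into an
# error message that Struts then evaluates as OGNL. A benign Content-Type never contains
# OGNL expression delimiters, so their presence is the detection signal.
OGNL_RE = re.compile(r'[%$]\{')

def parse_line(line: str) -> Optional[dict]:
    """Return the fields of one access-log line, or None if it does not match the pattern."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None

def is_suspicious_content_type(ctype: str) -> bool:
    """True when the Content-Type value looks like an OGNL expression rather than a MIME type."""
    return bool(OGNL_RE.search(ctype))

def find_struts_ognl_attempts(log_text: str) -> list:
    """Return (ip, path, content-type) for every request whose Content-Type carries OGNL syntax."""
    hits = []
    for line in log_text.splitlines():
        fields = parse_line(line)
        if fields and is_suspicious_content_type(fields["ctype"]):
            hits.append((fields["ip"], fields["path"], fields["ctype"]))
    return hits

if __name__ == "__main__":
    for ip, path, ctype in find_struts_ognl_attempts(SAMPLE_LOG):
        print(f"possible CVE-2017-5638 probe from {ip} against {path}: {ctype}")
```

A legitimate multipart upload (third line) is not flagged; only the request whose Content-Type is an expression is.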
Escalate privileges
Next, I upgraded the reverse shell. For more information, check my other blog post: Upgrade to an intelligent reverse shell.
Since we have the Firefox profile files key4.db and logins.json, we can decrypt the saved password using the firepwd tool. For that, we have to transfer these two files to my local machine.
# On the target machine
python3 -m http.server
# On my local machine
wget http://192.168.19.147:8000/key4.db
wget http://192.168.19.147:8000/logins.json
Github link to Firepwd: https://github.com/lclevy/firepwd
We have to install the required packages and then put these two files in the same directory where firepwd.py resides.
python3 firepwd.py
We got the saved password for a Twitter login.
Then I checked for password reuse by logging in over SSH with that password, and it worked.
Now, let’s check the sudo permissions.
We can see that the user has full sudo permissions, so we can now switch to root.