Monitors is a Hard box from HTB created by TheCyberGeek. This box features a WordPress plugin exploit via wp-with-spritz allowing for LFI/RFI, and an internal Docker container with Apache Tomcat running. I begin each box by running a RustScan. This is bundled into my setup.sh script, which I’ve mentioned in a few of my other posts. Running RustScan with NMAP filters shows a website available on Port 80. The website states ‘Sorry, direct IP access is not allowed’ but provides an admin contact detail.
I edit my hosts file and add in
Navigating over to the domain I see a WordPress website. Reviewing the page I can see the copyright says 2018 and the last post is from 2020. I begin a WPScan with full flags.
Running an out-of-date WordPress.
While the scan is running I notice that wp-with-spritz has been detected and that its last update was in 2015.
wp-with-spritz coming up as 2015 being the last update.
A short search later shows me an entry from ExploitDB – 44544 which shows an LFI/RFI available for the plugin. I tried a few RFIs to gain code execution or a shell but was unsuccessful.
Next I used the LFI (Local File Inclusion) exploit to pull the wp-config file, which stores the database credentials for a WordPress installation. I viewed it in source as it tends to look cleaner than the static view.
wp-config.cfg file viewed in source.
I try the credentials to log in to the WordPress admin but they don’t work. I check around a few locations for the next point of escalation. I review NMAP and realize the machine is running Apache/2.4.29. I navigate to the 000-default.conf to see if the page we saw earlier can give us any additional information or if any other hosts exist.
An additional VHOST is available.
I add the new host to my hosts file and navigate over to the new sub-domain. I try the credentials found earlier in the wp-config file and log in. It took me a second as I needed to use admin for the username and not wpadmin.
I navigate around the console looking for a file upload or script option. Next I check the version which is located at the top right of the page.
This leads me to ExploitDB – 49810, which I pull to my attack VM and run. I fill in the required variables and submit the request, giving me a low-privilege shell.
⚠ Attack Machine (Tab 1)
ExploitDB – 49810 running successfully.
⚠ Attack Machine (Tab 2)
After getting onto the machine and upgrading my shell I tried to use WGET to pull files to the box and was unable to do so, as they were both not installed. Using nc I pulled LinEnum to the box.
⚠ Attack Machine
Going through the endless string of results I notice cacti-backup.service. I also notice that the user marcus, who I was trying to escalate to, had a .backup directory in his home directory, and that cacti-backup.service was running on the machine.
Looking at cacti-backup.service I can see that the .backup folder mentioned earlier has a shell script inside the directory. Viewing it gives me his credentials. I su to his account, grab the flag and try
cacti-backup.service showing a backup script running in
and the password for Marcus in
I log in with SSH and read the note –
This must be a clue to how I progress. I check running services looking for a Docker installation. I notice Port 8443 open, which wasn’t visible on the original scan. I use SSH to forward the port to my local host.
Port 8443 open on the local host.
Apache Tomcat/9.0.31 running on the local host.
Viewing the page does not give me the exploit I was hoping for, but I do notice Apache Tomcat/9.0.31 running, which I know is constantly being exploited. A short Google later shows me that a Metasploit module is available.
Apache Tomcat ‘Ghostcat’ Exploit via Metasploit
The first time I ran the exploit it errored and told me to use ForceExploit to override. Doing this allowed me to get a Meterpreter shell.
ForceExploit command used due to local host pivot
After running the exploit I could see I was root in the Docker environment. I knew the next steps were to escape and escalate. I found this article on hacktricks, hacktricks – Docker Breakout.
Inside the previous output you can see that the SYS_MODULE capability is enabled. Going through the first link led me to a second article focused fully on CAP_SYS_MODULE, hacktricks – CAP_SYS_MODULE. Truthfully this part can be confusing so just follow the article as best you can.
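As an added example (not from this write-up or the hacktricks article), here is a small Python audit script that decodes the CapEff mask from a /proc/<pid>/status file and flags CAP_SYS_MODULE and a few similar capabilities that Docker does not grant by default; the SAMPLE_STATUS excerpt is constructed to mirror a container that was given SYS_MODULE.

```python
"""Audit a process's effective capability mask (CapEff) for bits that let a
container reach the host kernel, e.g. CAP_SYS_MODULE (load kernel modules)."""
import re
import sys

# Bit position == capability number, from linux/capability.h.
CAP_NAMES = (
    "CAP_CHOWN CAP_DAC_OVERRIDE CAP_DAC_READ_SEARCH CAP_FOWNER CAP_FSETID CAP_KILL "
    "CAP_SETGID CAP_SETUID CAP_SETPCAP CAP_LINUX_IMMUTABLE CAP_NET_BIND_SERVICE "
    "CAP_NET_BROADCAST CAP_NET_ADMIN CAP_NET_RAW CAP_IPC_LOCK CAP_IPC_OWNER "
    "CAP_SYS_MODULE CAP_SYS_RAWIO CAP_SYS_CHROOT CAP_SYS_PTRACE CAP_SYS_PACCT "
    "CAP_SYS_ADMIN CAP_SYS_BOOT CAP_SYS_NICE CAP_SYS_RESOURCE CAP_SYS_TIME "
    "CAP_SYS_TTY_CONFIG CAP_MKNOD CAP_LEASE CAP_AUDIT_WRITE CAP_AUDIT_CONTROL CAP_SETFCAP"
).split()
# Not in Docker's default set; each one gives a route out of the container.
DANGEROUS = {"CAP_SYS_MODULE", "CAP_SYS_ADMIN", "CAP_SYS_PTRACE", "CAP_SYS_RAWIO"}
DOCKER_DEFAULT_CAPEFF = 0xA80425FB  # Docker's default capability set (14 caps)

# Constructed sample: /proc/<pid>/status excerpt from a container started with
# CAP_SYS_MODULE added (the default mask with bit 16 set).
SAMPLE_STATUS = (
    "Name:\tbash\nUid:\t0\t0\t0\t0\nCapInh:\t0000000000000000\n"
    "CapPrm:\t00000000a80525fb\nCapEff:\t00000000a80525fb\nCapBnd:\t00000000a80525fb\n"
)

def parse_capeff(status_text: str) -> int:
    """Extract the CapEff hex mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def decode_caps(mask: int) -> list:
    """Name every set bit; bits beyond the known table are reported as CAP_<n>."""
    return [CAP_NAMES[b] if b < len(CAP_NAMES) else f"CAP_{b}"
            for b in range(mask.bit_length()) if mask >> b & 1]

def dangerous_caps(mask: int) -> list:
    """Capabilities in the mask that should trigger an investigation."""
    return [c for c in decode_caps(mask) if c in DANGEROUS]

if __name__ == "__main__":
    # Pass a /proc/<pid>/status path to audit a live process; else use the sample.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_STATUS
    mask = parse_capeff(text)
    print(f"CapEff={mask:016x} ({len(decode_caps(mask))} caps)")
    print("dangerous:", dangerous_caps(mask) or "none")
```

Run it against /proc/1/status inside a container (or against the container's PID from the host) during an audit; a hit for CAP_SYS_MODULE typically means the container was launched with --cap-add or --privileged and shares that risk with the host kernel.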
⚠ Attack Machine
Use the copy command (on the website) to copy reverse-shell.c and Makefile. Edit reverse-shell.c on line 8 and put in your own IP/port. Make sure when copying the Makefile that the whitespace before each command is a tab, as make requires. When done, launch a web server and pull both files to the machine.
After we run reverse-shell.ko on the Docker VM our reverse shell pops and we are root.
Root on Monitors from HTB.