🔎🦶Enumeration/Foothold

Before I begin each machine I kick off a full port scan with RustScan and pipe the open ports found into NMAP.

Vulnerable Cacti 1.2.22 running.

I pulled the Python file directly to my machine and executed it, making sure to have a nc listener running on port 9001.


Once on the box I grabbed LinPEAS and ran a full scan. The following information came back as interesting –

I used the SUID privesc to elevate my session to root (cause when in Rome and also not knowing it would be used for root).


Next I noticed the config PHP files from the LinPEAS scan so I navigated to /var/www/html/include (Cacti configuration) and verified this was what LinPEAS had pulled.

Confirming it was the configuration for Cacti’s database, I locally connected to the MySQL database. I pulled the user_auth table, which I remember from the last box as it contains the users for the Cacti application. More information regarding it can be found HERE. I grabbed both the hashes and put them into john using the rockyou password list built into seclists.


I got a hit on the Marcus hash, which I then used on SSH.


Once on the box I enumerated around until I remembered notes from when I was doing HTB – Busqueda yesterday and found Exploit-Notes – Docker.

🔝Escalation to Root

Using the steps earlier I used chsh to elevate my session to root on the initial docker and then ran the following:


Next as the Marcus user I used findmnt to find all mountable file systems which includes docker containers:


I then searched the containers until I found the elevated /bin/bash which can be executed for root.


Rooted.
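A host-side audit for the condition this escalation relies on, added here as an example and not part of the original write-up: it lists setuid files inside overlay mounts (the container filesystems that findmnt shows) and reports whether non-root users can traverse to them. The function names, the `SHELLS` set and the `top` parameter are assumptions of the example.

```python
import os
import stat

SHELLS = {"sh", "bash", "dash", "zsh"}  # assumption: a setuid shell is the anomaly to look for

def overlay_mounts(mounts_text):
    """Mount points of overlay filesystems in /proc/mounts-format text."""
    points = []
    for line in mounts_text.splitlines():
        fields = line.split()
        if len(fields) >= 3 and fields[2] == "overlay":
            points.append(fields[1].replace("\\040", " "))  # \040 = escaped space
    return points

def others_can_reach(path, top="/"):
    """True if 'other' users have search (x) permission on path and each parent up to top."""
    path, top = os.path.abspath(path), os.path.abspath(top)
    while True:
        if not os.stat(path).st_mode & stat.S_IXOTH:
            return False
        if path == top or path == os.path.dirname(path):
            return True
        path = os.path.dirname(path)

def setuid_files(root):
    """Regular files under root with the setuid bit, as (path, owner_uid, is_shell)."""
    hits = []
    for dirpath, _dirs, names in os.walk(root):  # os.walk does not follow symlinked dirs
        for name in names:
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append((full, st.st_uid, name in SHELLS))
    return sorted(hits)

def audit(mounts_text, top="/"):
    """Per overlay mount: can other users reach it, and which setuid files does it hold."""
    report = {}
    for mp in overlay_mounts(mounts_text):
        if os.path.isdir(mp):
            report[mp] = {"reachable": others_can_reach(mp, top),
                          "setuid": setuid_files(mp)}
    return report

if __name__ == "__main__":
    with open("/proc/mounts") as fh:  # run as root on the Docker host
        for mp, info in audit(fh.read()).items():
            for path, uid, is_shell in info["setuid"]:
                print(f"{'REACHABLE' if info['reachable'] else 'restricted'} uid={uid} shell={is_shell} {path}")
```

Container images ship legitimate setuid binaries, so compare the output against the image baseline. A setuid shell in a mount that other users can reach is the combination used in the escalation above.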

I’m a fan of TheCyberGeek’s approach to building boxes on the HTB platform and really enjoyed this box.
https://www.hackthebox.com/achievement/machine/245261/539

Published On: April 3rd, 2024 / Categories: HTB, Technology
