
HTB Monitortwo

HTB monitortwo writeup

category : web

difficulty : easy

As always, we begin with a port scan:

Starting Nmap 7.80 ( https://nmap.org ) at 2023-06-02 12:45 EAT
Stats: 0:00:21 elapsed; 0 hosts completed (1 up), 1 undergoing Connect Scan
Connect Scan Timing: About 56.80% done; ETC: 12:46 (0:00:15 remaining)
Nmap scan report for 10.10.11.211
Host is up (0.28s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 53.63 seconds

As you can see, there is a web interface: a login page for something called Cacti, version 1.2.22.

Using searchsploit:

[screenshot: searchsploit results]

Running the exploit, BOOM!! we get a reverse shell.


Looking around, there is nothing really interesting. I ran linpeas and all I could find was a SUID binary called capsh; you can check out how to exploit it here:

[screenshot: capsh]

But there was nothing in the root folder; it turns out we were in a Docker container that ran the webserver. The file that caught my attention was entrypoint.sh in the root folder.

#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi

chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
	set -- apache2-foreground "$@"
fi

exec "$@"

As you can see, we can reuse that command format (and the hardcoded root database credentials) to run MySQL statements. I used the following to dump the users in the user_auth table.

mysql --host=db --user=root --password=root cacti -e "SELECT * FROM user_auth"

We get three user accounts, admin, guest and marcus, along with their password hashes. I saved the hashes to a file and let John the Ripper do its thing.

[screenshot: john]

I tried logging in to the web page but got access denied, then tried an SSH login as marcus. BOOM!! I am now marcus.

We can read user.txt in the home folder.

[screenshot: marcus]

I tried running linpeas again but still got nothing, and also checked SUID binaries, but still nothing; at this point I did not know what to do.

I got a hint that there was a Docker vulnerability that resulted in privilege escalation; you can read more and get the exploit here: CVE-2021-41091

For this exploit to work you use the capsh privesc we discovered earlier in the reverse shell to make the bash binary SUID (“chmod u+s bash”).

Then we execute that bash binary from the marcus SSH session. BOOM!! root baby!!

[screenshot: root]
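From the defender's side, the escalation above depends on two host conditions: a Docker data directory that unprivileged users can traverse, and a setuid file left inside a container layer. The following audit script is an added example, not part of the writeup; it assumes the default Docker Engine layout under `/var/lib/docker/overlay2`, and the demo tree at the bottom is constructed so it runs without Docker.

```shell
#!/bin/sh
# Added audit helper (not from the writeup): flags the two conditions the
# CVE-2021-41091 escalation above depends on:
#   1. the Docker data directory or its overlay2 subtree carries an "others"
#      execute bit, so unprivileged users can walk into container layers
#      (patched Docker Engine 20.10.9+ creates the data directory as 0710);
#   2. a container layer holds a setuid/setgid file, e.g. bash made SUID inside
#      the container.
# Returns 0 = clean, 1 = exposure found, 2 = directory missing.

audit_docker_layers() {
    data_dir="${1:-/var/lib/docker}"
    [ -d "$data_dir" ] || { echo "no such directory: $data_dir" >&2; return 2; }
    found=0

    # Check 1: world-traversable data directory or overlay2 tree.
    for d in "$data_dir" "$data_dir/overlay2"; do
        [ -d "$d" ] || continue
        mode=$(stat -c '%a' "$d")                   # octal mode, e.g. 710 or 2755
        others=$(printf '%s' "$mode" | tail -c 1)   # the "others" digit
        if [ $((others & 1)) -eq 1 ]; then
            echo "WORLD-TRAVERSABLE $d (mode $mode)"
            found=1
        fi
    done

    # Check 2: setuid (4000) or setgid (2000) regular files in any layer.
    if [ -d "$data_dir/overlay2" ]; then
        suid=$(find "$data_dir/overlay2" -type f \
                 \( -perm -4000 -o -perm -2000 \) 2>/dev/null)
        if [ -n "$suid" ]; then
            printf '%s\n' "$suid" | while IFS= read -r f; do
                echo "SETUID/SETGID $f ($(stat -c '%a %U' "$f"))"
            done
            found=1
        fi
    fi
    return "$found"
}

# Demo on a constructed tree mimicking the vulnerable layout (no real Docker needed).
demo_dir=$(mktemp -d)
mkdir -p "$demo_dir/overlay2/layer1/diff/bin"
: > "$demo_dir/overlay2/layer1/diff/bin/bash"
chmod 4755 "$demo_dir/overlay2/layer1/diff/bin/bash"   # the "chmod u+s bash" artifact
chmod 711 "$demo_dir"                                   # traversable like the unpatched 0701
audit_docker_layers "$demo_dir"; echo "exit status: $?"
rm -rf "$demo_dir"
```

On a real host run it as root against `/var/lib/docker`; a non-zero exit status with a WORLD-TRAVERSABLE line means the Engine still needs the 20.10.9 permission fix, and any SETUID/SETGID line names the layer file to inspect.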

Goodbye ;)

Licensed under CC BY-NC-SA 4.0