TUTORIAL Monitors - Hackthebox
by sanakasa - April 24, 2021 at 09:28 PM
#37
rooted. good box learned a lot of new stuff
Reply
#38
(April 26, 2021 at 02:25 AM)chilly Wrote: rooted. good box learned a lot of new stuff

GG ! I'm looking towards services and ports like hinted hope to be able to root before sleeping :D
Reply
#39
finished writeup, also figured out the unintended user path that Celesian found to get user in 25 mins
Reply
#40
Hi, Don't you mind to share the writeup on the forum?
This forum account is currently banned. Ban Length: Permanent (N/A).
Ban Reason: Credit Farming/Mass Leeching in Introduction section
Reply
#41
(April 26, 2021 at 02:25 AM)chilly Wrote: rooted. good box learned a lot of new stuff

The version of the software running in the container should be vulnerable to a number of things, including a very recent CVE to get RCE, but I couldn’t get any payloads to work. Possibly due to networking restrictions? Can you at least confirm whether you targeted the software on port 8443 directly to get inside the container?
Reply
#42
(April 26, 2021 at 06:09 AM)davebrew2 Wrote:
(April 26, 2021 at 02:25 AM)chilly Wrote: rooted. good box learned a lot of new stuff

The version of the software running in the container should be vulnerable to a number of things, including a very recent CVE to get RCE, but I couldn’t get any payloads to work. Possibly due to networking restrictions? Can you at least confirm whether you targeted the software on port 8443 directly to get inside the container?

Thats the one. Use the slightly older CVE not the 2021 one.
Reply
#43
use ssh tunneling for the port you found and there is also a metasploit exploit that has been worked for me
Reply
#44
(April 26, 2021 at 12:58 PM)sanakasa Wrote: use ssh tunneling for the port you found and there is also a metasploit exploit that has been worked for me

Complete write up here for user: 

https://raidforums.com/Thread-Tutorial-M...t-for-free

And for root: 

https://raidforums.com/Thread-Tutorial-M...t-for-free

For free... enjoy! :)
Reply
#45
Can someone please share the unintended way for user?
I know it has been patched now, I just want to know what it was.
Reply
#46
unintended way to get user was LFI with spritz plugin,  read crontab

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/crontab
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/etc/systemd/system/cacti-backup.service
http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/home/marcus/.backup/backup.sh
Reply

Possibly Related Threads…
Thread Author Replies Views Last Post
TUTORIAL Monitors: root part for free siracuso 26 4,013 May 01, 2021 at 08:56 AM
Last Post: hhy
TUTORIAL Monitors HTB Detailed Writeup 0xmahesh 0 1,069 April 29, 2021 at 03:27 PM
Last Post: 0xmahesh
TUTORIAL Monitors Detailed Writeup Jockerjock 1 1,017 April 29, 2021 at 03:23 PM
Last Post: 0xmahesh

 Users browsing this thread: 1 Guest(s)