Monitors
About the machine

Monitors is an awesome machine that starts with a WordPress site running a plugin vulnerable to local file inclusion. After exploiting it, I read Apache's configuration file and found a virtual host, which led me to a version of Cacti vulnerable to SQL injection that also allowed remote code execution.
After gaining access to the machine, I found a user password in a systemd unit file. On further enumeration, there's a docker container with port 8443 mapped to it; this port is running Apache Tomcat hosting Apache OFBiz, which is vulnerable to Java insecure deserialization. After exploiting it, I landed in the docker container with a dangerous capability that allows inserting kernel modules.
Recon
nmap
Running nmap to scan all TCP ports, it found two ports open, 22 (SSH) and 80 (HTTP):
Based on SSH the host is likely to be running Ubuntu Bionic (18.04).
HTTP - 80
Accessing the web server shows a message saying direct IP access is not allowed, along with a contact address on the domain monitors.htb:

I added it to /etc/hosts and ran nmap again:
This time nmap returned something else, saying the site is probably WordPress. Accessing the domain in the browser now shows a web page:

wpscan
After identifying it as a WordPress site, I ran wpscan:
It identified a plugin vulnerable to local file inclusion and the admin user.
LFI
Taking a look at the vulnerability, the plugin's source code uses file_get_contents to read any file passed via $_GET['url'], so it's only possible to read files, not to execute PHP code.
Going to http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd it's possible to read /etc/passwd:

I read wp-config.php looking for credentials, but they didn't work for SSH or for WordPress:

I used ffuf to try to find other files:
Those files didn't reveal anything interesting, so I took a look at Apache's configuration files.
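From the defender's side, the plugin's url parameter is easy to spot in access logs. The following detector, added here as an example and not code from the original post, parses Apache combined-format lines, isolates requests to wp.spritz.content.filter.php, and classifies the url value as traversal, absolute local path, or PHP stream wrapper; the log lines are constructed for the example.

```python
import re
from typing import Dict, List, Optional
from urllib.parse import parse_qs, unquote, urlsplit

# Constructed sample Apache access-log lines (not taken from the original page).
SAMPLE_LOG = """\
10.10.14.5 - - [01/May/2021:10:00:01 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd HTTP/1.1" 200 2345 "-" "curl/7.68.0"
10.10.14.5 - - [01/May/2021:10:00:02 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%2F..%2F..%2F..%2Fetc%2Fapache2%2Fsites-available%2F000-default.conf HTTP/1.1" 200 1200 "-" "curl/7.68.0"
10.10.14.9 - - [01/May/2021:10:00:03 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.com/article HTTP/1.1" 200 900 "-" "Mozilla/5.0"
10.10.14.9 - - [01/May/2021:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 5000 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format parser: client IP, request target and status are enough here.
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<target>\S+)[^"]*" (?P<status>\d{3})')
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"


def classify_url_param(value: str) -> Optional[str]:
    """Return why a url= value looks like local file inclusion, or None for a normal URL."""
    # parse_qs has already decoded once; decode again so double-encoded traversal is caught too.
    decoded = unquote(unquote(value)).replace("\\", "/")
    if ".." in decoded:
        return "path traversal"
    if decoded.startswith(("/", "file:")):
        return "absolute local path"
    if decoded.startswith(("php://", "data:")):
        return "php stream wrapper"
    return None


def find_lfi_attempts(log_text: str) -> List[Dict[str, object]]:
    """Scan access-log text for requests abusing the plugin's url parameter."""
    hits: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        parts = urlsplit(m["target"])
        if parts.path != SPRITZ_PATH:
            continue
        for value in parse_qs(parts.query, keep_blank_values=True).get("url", []):
            reason = classify_url_param(value)
            if reason:
                hits.append({"ip": m["ip"], "status": int(m["status"]), "url": value, "reason": reason})
    return hits


if __name__ == "__main__":
    for hit in find_lfi_attempts(SAMPLE_LOG):
        print(f"{hit['ip']} -> {hit['reason']}: {hit['url']} (HTTP {hit['status']})")
```

A 200 status on a flagged request means the file was actually served, which is the case worth alerting on first.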
Virtual hosts
Reading /etc/apache2/sites-available/000-default.conf I found a comment about some virtual hosts:

Cacti
I added cacti-admin.monitors.htb to my /etc/hosts file and accessed it:

The application running on this virtual host is Cacti, a network monitoring tool. I tried some default credentials, but they didn't work, so I used the one I found earlier (BestAdministrator@2020!), and it worked:

After poking around I didn't find anything interesting, so I searched Google for the version the application is running.
SQL Injection
At the time, I only found an issue on GitHub about a SQL injection due to missing input validation when editing colors on /cacti/color.php:

Because the application accepts stacked queries, it's possible to get remote code execution by replacing path_php_binary with a reverse shell payload and then triggering it by going to host.php?action=reindex. I used the following payload:

After doing the machine I created an exploit for this vulnerability and submitted it to exploit-db.com. Link in the References.
Privilege escalation to marcus
Doing some basic manual enumeration, I didn't find anything uncommon besides a .backup folder in marcus's home folder, which I can access but cannot list the contents of, and a note.txt which I can't read either:

Because curl and wget aren't present on the machine, I used netcat to get linpeas onto the machine and run it:
Unit file
One thing that sticks out is the unit configuration file cacti-backup.service:

This unit points to a shell script in the .backup folder I found earlier:

Inside the script, I found a password valid for marcus:

With these credentials I can just SSH into the machine and get the user flag:
Container
Reading the note.txt file in marcus's home folder, it talks about a docker image:

marcus isn't in the docker group, so it isn't possible to create a docker container:
Looking at the open ports, port 8443 is open:

I used SSH to forward it to my host:
Accessing the port on my machine gave an SSL error, so I used https to access it and got a 404 Not Found page:

This Tomcat version doesn't have any public vulnerabilities at the time of writing.
OFBiz
Fuzzing for files with gobuster found a bunch of entries, every one returning a 302 to an Apache OFBiz login page:

Version 17.12.01, present on the machine, is vulnerable to insecure Java deserialization on the unauthenticated XML-RPC endpoint /webtools/control/xmlrpc.
Insecure deserialization
Searching for exploits for this vulnerability, I wasn't successful at running any of the ones I found, so I used the Metasploit module.
These are the options I set:

I proxied the exploit through Burp, and I also set the ForceExploit option to true because the exploit was failing.
Before moving on, let's look at what the exploit does (we don't learn anything by just running it).
The first thing it does is check whether the target is vulnerable by sending a POST request with XML content; based on the response it evaluates whether the target is vulnerable or not:


In my case the application was always returning Failed to read XML-RPX request... (I couldn't figure out why), causing the exploit to fail, but setting the ForceExploit option to true "solved" the problem:

The next step sends the malicious request, with the payload encoded in base64 if unix_cmd is used as the target:



Privilege escalation to root
Docker escape
After the exploit, I landed in a docker container as root. There are two .deb Linux header packages in the / directory, but there's not much to do with them:

Running deepce, it reports two potentially dangerous capabilities:

Capabilities
The cap_sys_module capability allows the container to insert and remove kernel modules, so it's possible to insert a malicious module to get a reverse shell.
I followed the Pentester Academy tutorial to abuse this capability; link in the References.
I modified the module to use my IP and port, and uploaded it along with a Makefile to the target. After compiling the module, I opened a listener and used insmod to install the .ko file, and I got a reverse shell as root on the host:
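A defender-side check for the capability problem above, added here as an example (not the page's or deepce's code): it parses the CapEff mask from /proc/<pid>/status, which is the same information deepce reports, names the set bits, and flags the capabilities that let a container process reach the host kernel. The two status excerpts are constructed; the first mask is Docker's default capability set, the second has bit 16 (CAP_SYS_MODULE) added.

```python
from typing import List

# Capability bit numbers from <linux/capability.h> (the subset needed for this check).
CAP_BITS = {
    "cap_chown": 0, "cap_dac_override": 1, "cap_dac_read_search": 2, "cap_fowner": 3,
    "cap_fsetid": 4, "cap_kill": 5, "cap_setgid": 6, "cap_setuid": 7, "cap_setpcap": 8,
    "cap_net_bind_service": 10, "cap_net_admin": 12, "cap_net_raw": 13,
    "cap_sys_module": 16, "cap_sys_rawio": 17, "cap_sys_chroot": 18, "cap_sys_ptrace": 19,
    "cap_sys_admin": 21, "cap_mknod": 27, "cap_audit_write": 29, "cap_setfcap": 31,
}
# Capabilities that let a process in a container act on the host kernel or other namespaces.
DANGEROUS = {"cap_sys_module", "cap_sys_admin", "cap_sys_ptrace", "cap_sys_rawio", "cap_dac_read_search"}

# Constructed /proc/<pid>/status excerpts (not from the original page): Docker's default
# effective set, and the same set with bit 16 (CAP_SYS_MODULE) added.
STATUS_DEFAULT = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n"
STATUS_SYS_MODULE = "Name:\tbash\nCapInh:\t0000000000000000\nCapPrm:\t00000000a80525fb\nCapEff:\t00000000a80525fb\n"


def parse_cap_eff(status_text: str) -> int:
    """Extract the effective capability bitmask (hex) from /proc/<pid>/status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line in status text")


def decode_caps(mask: int) -> List[str]:
    """Name every set bit; bits outside CAP_BITS are reported by number."""
    by_bit = {bit: name for name, bit in CAP_BITS.items()}
    return [by_bit.get(bit, f"cap_bit_{bit}") for bit in range(64) if (mask >> bit) & 1]


def dangerous_caps(mask: int) -> List[str]:
    """Sorted list of the risky capabilities present in the mask (empty means nothing to flag)."""
    return sorted(c for c in decode_caps(mask) if c in DANGEROUS)


def audit_self() -> List[str]:
    """Read the calling process's CapEff (works from inside a container) and flag risky caps."""
    with open("/proc/self/status") as f:
        return dangerous_caps(parse_cap_eff(f.read()))


if __name__ == "__main__":
    print("default docker caps:", dangerous_caps(parse_cap_eff(STATUS_DEFAULT)))
    print("with SYS_MODULE:    ", dangerous_caps(parse_cap_eff(STATUS_SYS_MODULE)))
```

Docker's default set does not include SYS_MODULE, so finding it means the container was started with --cap-add=SYS_MODULE or --privileged; dropping that flag is the fix.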

References