Pit
About the machine

Pit is an interesting machine because SNMP is used both for the foothold and for the privilege escalation. For the foothold, I used SNMP to find SeedDMS, where I uploaded a web shell to get remote code execution. For the privilege escalation, I abused an ACL to place a shell script that writes an SSH key for the root user, and triggered it through an SNMP OID that runs a custom monitoring script.
Recon
nmap
Running nmap to scan all TCP ports, it found three ports open, 22 (SSH), 80 (HTTP) and 9090:
On port 9090 nmap found a domain name via the SSL certificate: dms-pit.htb. I added this and pit.htb to /etc/hosts.
HTTP - 80
Accessing the IP address shows a default nginx page; based on it, the host is likely running Red Hat or CentOS.

The dms-pit.htb domain only shows a 403 Forbidden page:

I used gobuster to find files and directories, but it didn't find anything, so I moved to port 9090.
cockpit - 9090
On port 9090 there's Cockpit running, which is a browser-based administration tool for Linux:


Searching for vulnerabilities in Cockpit, I only found an unauthenticated Server-Side Request Forgery, but I wasn't able to exploit it.
After some time thinking, I took a look at the HTB post about the machine, because they always put something relevant there:

That tip on "WALK" reminded me of snmpwalk, a tool that can be used to enumerate SNMP.
SNMP - 161 UDP
nmap - UDP
Running an nmap scan on the UDP ports for SNMP, it found port 161 open:
onesixtyone
Using onesixtyone to brute-force SNMP community strings, it found only the public community:
snmpwalk
I used snmpwalk to walk all OIDs; it produced a huge output, so I snipped some parts:
SNMP revealed some interesting information, such as the kernel version, a directory I hadn't found, and the output of what seems to be a custom binary or script (/usr/bin/monitor) with a possible user, michelle. Searching for how to execute scripts using SNMP, I found a blog post showing how to do it (linked in the references).
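The snmpwalk output above is the attacker's view of the SNMP configuration. As an added example that is not part of this writeup, the following POSIX shell script audits an snmpd.conf for the two settings that make this enumeration and code execution possible: a default read community such as public, and NET-SNMP extend/exec directives, which expose a configured command through NET-SNMP-EXTEND-MIB. The function name audit_snmpd_conf and both sample configuration files are constructed for the demo; the only name taken from the page is /usr/bin/monitor, used here as the extend target in the weak sample.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit an snmpd.conf for a
# guessable read community and for NET-SNMP extend/exec directives (any client
# that can read NET-SNMP-EXTEND-MIB can trigger the configured command).
# Both config files below are constructed for the demo, not copied from the box.

# audit_snmpd_conf FILE -- prints a one-line summary of the findings and
# returns 0 only when nothing was flagged.
audit_snmpd_conf() {
    conf="$1"
    # drop comments and blank lines so every check sees the same cleaned view
    body=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d' "$conf")

    # 1. default community names (public/private) on any ro/rwcommunity line
    weak=$(printf '%s\n' "$body" \
        | grep -Eic '^[[:space:]]*(ro|rw)community6?[[:space:]]+(public|private)([[:space:]]|$)' || true)

    # 2. any write community at all: SNMPv2c has no authentication beyond the string
    rw=$(printf '%s\n' "$body" | grep -Eic '^[[:space:]]*rwcommunity6?[[:space:]]' || true)

    # 3. extend/extend-sh/exec/sh directives: each one is a command reachable over SNMP
    ext=$(printf '%s\n' "$body" | grep -Eic '^[[:space:]]*(extend|extend-sh|exec|sh)[[:space:]]' || true)

    printf 'weak_community=%s rw_community=%s extend_directives=%s\n' "$weak" "$rw" "$ext"
    [ "$((weak + rw + ext))" -eq 0 ]
}

WORK=$(mktemp -d)
WEAK_CONF="$WORK/snmpd.weak.conf"
GOOD_CONF="$WORK/snmpd.hardened.conf"

# constructed: the kind of config this box exposes, a "public" read community plus
# an extend hook running a script (named after the /usr/bin/monitor seen in the walk)
cat > "$WEAK_CONF" <<'EOF'
rocommunity public
extend monitoring /usr/bin/monitor
EOF

# constructed: the same service hardened. A long random community restricted to one
# management subnet and a read-only view of system/host info, and no extend hook.
cat > "$GOOD_CONF" <<'EOF'
view systemonly included .1.3.6.1.2.1.1
view systemonly included .1.3.6.1.2.1.25.1
rocommunity CHANGE-ME-to-a-long-random-string 192.0.2.0/24 -V systemonly
EOF

for f in "$WEAK_CONF" "$GOOD_CONF"; do
    if audit_snmpd_conf "$f"; then echo "$f: OK"; else echo "$f: FINDINGS"; fi
done
```

The summary line is deliberately machine-readable so the function can be dropped into a configuration-compliance check; the weak sample reports one default community and one extend directive, the hardened sample reports nothing.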
seeddms
Accessing the path I saw in SNMP, I was redirected to a login page:

I tried to log in using michelle:michelle as the credentials, and it worked: I got access to SeedDMS.

There's a note from the Administrator saying they upgraded the software to a newer version because of previous vulnerabilities:

The previous version (5.1.10) was vulnerable to remote command execution through an unvalidated file upload, and I didn't find any CVEs for the current version, so I decided to test whether it was really patched.
File upload
First, I needed a directory to upload a PHP file to. Browsing the application structure, I found two folders named "Michelle" and "Jack":

In the folder "Michelle" it's possible to upload files:

After uploading the file I had to find it; it's located at seeddms51x/data/1048576/<id>/1.php, where <id> is the document ID assigned after upload (29 in my case):


Configuration files
I tried to get a reverse shell but couldn't, probably because of a firewall, so I started searching the file system for something interesting. A few directories up, I found a conf directory that looked promising:

Inside this directory there's an XML file, and inside it I found a credential:


I tried to use this password to log in as michelle over SSH, but the machine doesn't accept password authentication, so I went to Cockpit on port 9090.
User
Using that password, I got access as michelle:

Inside Cockpit it's possible to add SSH keys to users, so I generated one using ssh-keygen and added it:

After that, I logged in using SSH and got the user flag:

Privilege escalation
Searching for the script I saw in SNMP, I found it's a bash script that executes every file in /usr/local/monitoring/ whose name starts with "check" and ends with "sh":


Running linpeas, I also found an ACL on this directory which allows michelle to write and execute files in it:

I created a script that writes an SSH key to the root user, triggered it using snmpwalk with the OID that executes the monitoring script, and got the root flag:
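From a hardening point of view, the root cause is a directory that a root-run script executes from while a non-root account can write to it. As an added example that is not part of this writeup, the following POSIX shell script audits such a directory the way the linpeas finding above suggests: it checks the directory and every check*sh script in it for group/other write bits, for named ACL entries granting write (via getfacl, when it is installed), and for unexpected ownership. The function audit_plugin_dir, its OWNER parameter and the demo directory it builds are assumptions made for the example; the check*sh naming convention and the /usr/local/monitoring path come from the page.

```shell
#!/bin/sh
# Added example, not part of the original writeup: audit a "plugin" directory that
# a privileged script executes from, like /usr/local/monitoring/ on this box.
# Anything a lower-privileged account can write there runs with the caller's
# privileges, so every entry (the directory and each check*sh script) is flagged
# when it is writable by group/other, carries a named ACL entry granting write,
# or is owned by someone other than the expected account.
# The demo directory created below is constructed, not taken from the machine.

# audit_plugin_dir DIR [OWNER] -- OWNER defaults to root, the account the monitor
# script runs as on this machine. Prints findings and returns 0 only when clean.
audit_plugin_dir() {
    dir="$1"
    want="${2:-root}"
    problems=0
    for path in "$dir" "$dir"/check*sh; do
        [ -e "$path" ] || continue          # an unmatched glob stays literal; skip it
        set -- $(ls -ld "$path")            # $1 = mode string, $3 = owner
        mode=$1
        owner=$3
        # group (6th char) or other (9th char) write bit set in the mode string
        case "$mode" in
            ?????w*|????????w*)
                echo "WRITABLE-BY-GROUP-OR-OTHER: $path ($mode)"
                problems=$((problems + 1)) ;;
        esac
        # a trailing '+' means an ACL is attached; list named entries that grant write
        case "$mode" in
            *+)
                if command -v getfacl >/dev/null 2>&1; then
                    acl=$(getfacl "$path" 2>/dev/null \
                        | grep -E '^(default:)?(user|group):[^:]+:[^ ]*w' || true)
                    if [ -n "$acl" ]; then
                        echo "ACL-WRITE: $path -> $(printf '%s' "$acl" | tr '\n' ' ')"
                        problems=$((problems + 1))
                    fi
                fi ;;
        esac
        if [ "$owner" != "$want" ]; then
            echo "UNEXPECTED-OWNER: $path (owner $owner, expected $want)"
            problems=$((problems + 1))
        fi
    done
    [ "$problems" -eq 0 ]
}

# constructed demo layout; the expected owner is the current user so the demo
# behaves the same whether or not it is run as root
DEMO=$(mktemp -d)
mkdir "$DEMO/monitoring"
printf '#!/bin/sh\ndf -h /\n' > "$DEMO/monitoring/check_disk.sh"
chmod 755 "$DEMO/monitoring" "$DEMO/monitoring/check_disk.sh"
ME=$(id -un)

echo "== clean layout =="
audit_plugin_dir "$DEMO/monitoring" "$ME" && echo "clean"

echo "== directory writable for the group (what the ACL on the box amounts to) =="
chmod 775 "$DEMO/monitoring"
audit_plugin_dir "$DEMO/monitoring" "$ME" || echo "findings above"
chmod 755 "$DEMO/monitoring"
```

Run it against the real path as `audit_plugin_dir /usr/local/monitoring` to use the root default; a clean result means the only accounts that can change what the monitor script executes are the ones allowed to run it.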

References