This box is one of my favourites as it contains a lot of CVE-related vulnerabilities, meaning they correspond to real-world vulnerabilities. So let's get started.
Nmap scan results
It's always good to scan all the ports. I will be adding monitors.htb to the /etc/hosts file.
Enumerating WordPress
I will be using the wpscan tool, which can help us identify potentially vulnerable plugins and probable users.
The tool didn't give us any vulnerable plugins, so I will manually browse the plugin directory, which is located at /wp-content/plugins/.
We can fuzz the URL parameter with this wordlist or try fuzzing it manually. The first thing to look for is Apache log poisoning, followed by the old-school tricks. That didn't give us anything, so the next thing to look for is the apache2.conf file. Another thing to look for is wp-config.php, which might contain potential usernames and passwords.
There's also virtual hosting present. We can add cacti-admin.monitors.htb to our /etc/hosts file.
We have credentials; maybe we can try default usernames like admin, administrator, guest, etc. I tried admin : BestAdministrator@2020! and got access to it. (Lucky af)
Exploiting Cacti (SQLi / Remote Code Execution)
The version of Cacti in use is 1.2.12, so let's search Google for any known vulnerabilities.
Read what the misconfiguration is and download the exploit. We need to provide credentials to exploit this vulnerability.
Docker Enumeration (Scanning for hosts)
After getting the shell, I got stuck for a very long time. Then I decided to proceed with Docker enumeration (I checked it using the ifconfig command).
To search for other hosts present on the Docker interface, I transferred the static nmap binary from my machine using netcat (curl and wget are not installed on the system).
Now we can use nmap to scan for ports as well, but I like this script, which is comparatively fast and easy.
Forwarding the ports to our local machine using chisel
Now I will be forwarding these ports to my local machine using chisel. You can get chisel from here.
Apache OFBiz is an open source enterprise resource planning system. It provides a suite of enterprise applications that integrate and automate many of the business processes of an enterprise. OFBiz is an Apache Software Foundation top-level project.
We can look for known vulnerabilities on Google. The version we are running is 17.12.01, obtained using ps aux (which lists the running processes).
This one looks promising. To exploit this vulnerability, we need to send malicious serialized data to /webtools/control/xmlrpc.
Intercept the request in Burp and change the request method to POST. Also change the Content-Type header to application/xml.
Now, to generate the serialized data, I will be using ysoserial.jar. Download the jar file from here. Use this website to generate reverse shell payloads for Java deserialization.
Copy the payload and paste it into Burp. Make sure you are listening on the port you specified.
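From the defender's side, the request shape described above (a POST with an XML content type to /webtools/control/xmlrpc carrying a base64 Java object stream) is easy to spot in proxy or WAF logs. The following is an added example, not code from the writeup or from OFBiz: it assumes requests are available with their body (a constructed record type, not OFBiz's own log format) and flags the two indicators that distinguish a deserialization payload from ordinary XML-RPC traffic.

```python
import base64
import re
from dataclasses import dataclass

# Endpoint and request shape from the writeup above.
OFBIZ_XMLRPC_PATH = "/webtools/control/xmlrpc"
# Every Java serialization stream starts with 0xACED0005, which base64-encodes to "rO0AB".
JAVA_SERIAL_B64_PREFIX = "rO0AB"
# Apache XML-RPC's vendor extension element for passing Java objects as parameters.
SERIALIZABLE_TAG = re.compile(r"<(?:\w+:)?serializable\b", re.IGNORECASE)


@dataclass
class Request:
    """One HTTP request as a proxy or WAF would record it (constructed record type, an assumption)."""
    method: str
    path: str
    content_type: str
    body: str


def classify(req: Request) -> list[str]:
    """Return the indicators found in a request to the OFBiz XML-RPC endpoint; [] means nothing to flag."""
    if req.path.split("?", 1)[0].lower() != OFBIZ_XMLRPC_PATH:
        return []
    found = []
    if req.method.upper() == "POST" and "xml" in req.content_type.lower():
        found.append("xmlrpc_post")           # ordinary use of the endpoint, recorded for context only
    if SERIALIZABLE_TAG.search(req.body):
        found.append("serializable_param")    # a Java-object parameter, not needed by normal XML-RPC clients
    if JAVA_SERIAL_B64_PREFIX in req.body:
        found.append("java_serialized_blob")  # base64 Java object stream, the form a ysoserial payload takes
    return found


def is_deserialization_attempt(req: Request) -> bool:
    """True when the request carries a Java object into the XML-RPC endpoint."""
    return bool({"serializable_param", "java_serialized_blob"} & set(classify(req)))


# Constructed sample traffic: a normal method call and one carrying a (header-only, inert) object stream.
BENIGN = Request("POST", OFBIZ_XMLRPC_PATH, "text/xml",
                 "<methodCall><methodName>ping</methodName><params/></methodCall>")
_BLOB = base64.b64encode(b"\xac\xed\x00\x05" + b"\x00" * 16).decode()
SUSPECT = Request("POST", OFBIZ_XMLRPC_PATH, "application/xml",
                  "<methodCall><methodName>x</methodName><params><param><value>"
                  f"<serializable>{_BLOB}</serializable></value></param></params></methodCall>")

if __name__ == "__main__":
    for name, req in (("benign", BENIGN), ("suspect", SUSPECT)):
        print(name, classify(req), is_deserialization_attempt(req))
```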
#!/bin/bash
# Quick TCP port sweep using bash's /dev/tcp pseudo-device, for hosts without nmap, curl or wget.
ip=$1
if [[ $# -eq 0 ]]; then
    echo "[-] Supply IP Address"
    exit 1
fi
for i in $(seq 1 65535); do
    # bash opens a TCP connection for /dev/tcp/<host>/<port>; a failed connect exits non-zero.
    # Connection errors are silenced and each attempt is capped at one second so that
    # filtered ports do not stall the loop (requires the coreutils timeout command).
    if timeout 1 bash -c "echo 1 > /dev/tcp/$ip/$i" 2>/dev/null; then
        echo "[+] Port open: $i"
    fi
done