In this post, I would like to share a walkthrough of the Cerberus Machine from Hack the Box

This room will be considered a Hard machine on Hack the Box

What will you gain from the Cerberus machine?

For the user flag, you will need to access the icingaweb2 instance which we might exploit two CVEs in Icinga application. We can execute a file read from which we managed to retrieve credentials. While inside the Linux operating system, we need to exploit Firejail which we should be able to obtain another VM. From SSSD host configuration file, we managed to get cred for a user which we can do some port forwarding with chisel tool. We should be able to access another VM via WinRM.

As for the root flag, you only need to execute another port forwarding with chisel tool which we can exploit the machine via SAML vulnerability in ManageEngine’s ADSelfService Plus via Metasploit tool

Information Gathering on Cerberus Machine

Once we have started the VPN connection which requires a download from Hackthebox, we can start the information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

└──╼ $nmap -sC -sV -oA initial -Pn
Starting Nmap 7.92 ( ) at 2023-03-21 20:17 EDT
Nmap scan report for
Host is up (0.16s latency).
Not shown: 999 filtered tcp ports (no-response)
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-open-proxy: Proxy might be redirecting requests

Service detection performed. Please report any incorrect results at .
Nmap done: 1 IP address (1 host up) scanned in 38.24 seconds

Let’s access the website interface

However, the website has redirected us to a login page. After i do some research, I notice that Icinga is a resilient, open-source monitoring and metric solution system the source code can be found here

Therefore, let’s inspect the packet via burpsuite

Source: icinga2/third-party at master · Icinga/icinga2 (

The exploit: Path Traversal Vulnerabilities in Icinga Web | Sonar (

Path Injection

After i research more on Icinga, i managed to find a vulnerability in path injection which was pinned as CVE-2022-24716. The vulnerability will allow the attacker to take advantage of the vulnerability and disclose any available file which resides on the server. Another impact that can be exploited with CVE-2022-24616 is the execution of arbitrary PHP code that comes from the administration interface

Therefore, let’s test the Path Traversal which works like charms as shown above.

From the information we found on the website before, we managed to find a username and roles of the machine.

We also found the password for the website itself.

Boom! We managed to access Icinga’s Dashboard as shown in the screenshot above.

We should create SSH pem on our attacker’s machine

On the application section, we can change the Module Path to /dev/ directory

We can create a new resource in which we will enter the SSH private key on the requested column.

At last, it works as it supposed to be.

Let’s start our nc listener

Therefore, let’s insert with the simple PHP shell such as

<?php system($_REQUEST[‘cmd’]);?>

Finally, we. managed to execute the command injection to be working on the application

Boom! The response has hung and it’s a piece of good news we should be getting the reverse shell on our end

At last, we managed to obtain the reverse shell as we expected.

After a while, i managed to find another method to obtain the reverse shell but it can be considered a cheat for some people because we didn’t learn anything from that

We can use the Python script as executing the command above so that we can catch the reverse shell this way. The Python script can be downloaded here

Sadly, the db resides within the /var/lib/sss and can be accessed because the permission is denied


I notice that there’s a firejail binary that is not a normal binary for a Linux machine

However, we managed to find a firejail version that might be vulnerable to any attack

Therefore, let’s upload on the victim’s machine

We should be giving execution permission to the file

Let’s execute the file with the command above. As a result, we are given a command as “firejail –join=3334” which the number can change every time you execute the firejoin command.

After that, we should be able to change to root by typing the “su –” command

At last, we can finally open the file that previously we cannot access at all.

We managed to obtain hashes from the cachedPassword

After a while, we managed to crack the password

On our attacker’s machine:

On the victim’s machine:

As a result, let’s execute the evil-winrm

We can read the user flag by typing the “type user.txt” command

Escalate to Root Privileges Access

There’s winpeas enumeration on the Windows12 operating system

From the winpeas output, we are aware of the ManageEngine ADSelfService Plus has been installed in the machine

There is ManageEngine with ADSelfService Plus install on the Program Files


Therefore, let’s upload the chisel to the victim’s machine

The command above shows the proxy connection on the machine


Sadly, we are unable to connect to the browser.

We should whitelist the domain on our /etc/hosts file

At last, we managed to see the website interface

Once we have successfully accessed the dashboard.

We managed to see the entityID would be http://dc.cerberus.coal/adfs/services/trust/

The configuration would be something as shown above.

Finally, we managed to get bypass the ManageEngine protection

We can read the root flag by typing the “type root.txt” command