In this post, I would like to share a walkthrough of the MonitorsTwo machine from Hack The Box.
This machine is rated Easy on Hack The Box.
What will you gain from the MonitorsTwo machine?
For the user flag, you will need to exploit a vulnerability in Cacti version 1.2.22, which I did with both Metasploit and a Python script I found while researching. While enumerating inside the Docker environment, we retrieved password hashes from the MySQL database, which we were able to crack with hashcat.
As for the root flag, you need to analyze the content of a mail file, which describes a few vulnerabilities that we can use to obtain a root shell. By taking advantage of CVE-2021-41091, we should be able to escalate to root privileges.
Information Gathering on MonitorsTwo Machine
Once we have started the VPN connection, which requires a download from Hack The Box, we can start information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN
┌─[darknite@parrot]─[~/Document/htb/MonitorsTwo]
└──╼ $nmap -sC -sV 10.10.11.211 -oA initial
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-30 01:03 EDT
Nmap scan report for 10.10.11.211
Host is up (0.24s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
146/tcp filtered iso-tp0
3918/tcp filtered pktcablemmcops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.76 seconds
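To make the scan above easier to check against advisories, here is a small parser for nmap's normal text output. It is an added example, not part of the original writeup: it reads the port table and the indented script lines (such as the http-title that reveals Cacti) into records, so versions can be compared programmatically rather than by eye. The scan text embedded below is a constructed copy of the output shown above.

```python
"""Parse nmap normal (-oN / terminal) output into structured port records.

Added example, not from the MonitorsTwo writeup. Handles the port table
lines ("22/tcp open ssh OpenSSH ...") and the NSE script lines that follow
a port ("| ssh-hostkey:", "|_http-title: Login to Cacti").
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple

# Port table line. State alternatives list the longer "open|filtered" first.
PORT_LINE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+"
    r"(?P<state>open\|filtered|open|closed|filtered|unfiltered)\s+"
    r"(?P<service>\S+)(?:\s+(?P<version>.*))?$"
)
# Start of an NSE script result, e.g. "http-title: Login to Cacti".
SCRIPT_HEAD = re.compile(r"^(?P<name>[\w-]+):\s*(?P<value>.*)$")


@dataclass
class PortRecord:
    port: int
    proto: str
    state: str
    service: str
    version: str
    # script name -> output lines (continuation lines appended in order)
    scripts: List[Tuple[str, List[str]]] = field(default_factory=list)


def parse_nmap_output(text: str) -> List[PortRecord]:
    records: List[PortRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        m = PORT_LINE.match(line)
        if m:
            records.append(PortRecord(
                int(m["port"]), m["proto"], m["state"], m["service"],
                (m["version"] or "").strip()))
            continue
        # Script lines start with "|" or "|_" and belong to the last port.
        if line.startswith("|") and records:
            body = line.lstrip("|_").strip()
            head = SCRIPT_HEAD.match(body)
            if head:
                lines = [head["value"]] if head["value"] else []
                records[-1].scripts.append((head["name"], lines))
            elif records[-1].scripts:
                records[-1].scripts[-1][1].append(body)
    return records


def open_ports(records: List[PortRecord]) -> List[PortRecord]:
    return [r for r in records if r.state == "open"]


def script_outputs(record: PortRecord) -> Dict[str, List[str]]:
    """Flatten a record's script results into {name: lines}."""
    return {name: lines for name, lines in record.scripts}


# Constructed sample: a copy of the scan output shown in the writeup.
SAMPLE_SCAN = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
| 256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
146/tcp filtered iso-tp0
3918/tcp filtered pktcablemmcops
"""

if __name__ == "__main__":
    for rec in parse_nmap_output(SAMPLE_SCAN):
        print(f"{rec.port}/{rec.proto} {rec.state} {rec.service} {rec.version}")
        for name, lines in rec.scripts:
            print(f"    {name}: {' | '.join(lines)}")
```

Running it as a script prints the two open services with their versions and the http-title line, which is what points at Cacti in the first place.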
Let’s access the website interface
I noticed that Cacti is version 1.2.22.
After a while, I noticed that Metasploit has a module for it. As a result, let’s run Metasploit on our attacker’s machine.
Step 1: Metasploit method
Finally, we managed to obtain a shell using Metasploit
Step 2: Exploitation using Python script
Let’s start our nc listener
From my research, I managed to find a Python script, which can be found here, that we can use to obtain a reverse shell connection on the victim’s machine.
We need to run the command as shown above for it to work.
Step 3: RCE exploitation using Burp Suite
We should enter the parameter that we found inside one of the resources previously.
Therefore, let’s send our reverse shell payload via Burp Suite so that we can retrieve our reverse shell connection back to us.
Boom! We managed to retrieve a reverse shell connection back to us. However, judging by the hostname, we are inside a Docker environment.
From one of the files, we managed to obtain the SQL command which contained the username and password.
The screenshot above shows the database that is available to us.
At last, we managed to see the table content but it looked a little messy
Finally, we managed to see the username and hashes
We should copy-paste the hashes to our attacker’s machine so that we are able to crack them and retrieve the credentials.
Boom! We found a password for one of the usernames.
Before we proceed with accessing the machine via the SSH service, we should enumerate a little deeper into the Docker environment.
From the linpeas output, we noted one binary that caught my attention straight away.
Inside the Docker container, this lets us escalate to root privileges.
We can read the user flag by typing the “cat user.txt” command
Escalate to Root Privileges Access
There is a mail file whose content we can read and analyze.
marcus@monitorstwo:/var/mail$ cat marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:/var/mail$
The screenshot above shows the content of the mail, which highlights a few vulnerabilities that we can abuse.
Let’s look into all of the mounts that we can use in a later stage.
However, there is one file that caught my attention again.
By entering the command above, we make bash an SUID binary so that we can escalate to root access.
From the look of it, bash has now been set as an SUID binary.
We should be able to access the root shell by entering the command above.
Boom! We have successfully accessed the root shell
We can read the root flag by typing the “cat root.txt” command
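Both privilege-escalation steps in this writeup hinge on setuid binaries living in container filesystems: the SUID binary linpeas spotted inside the container, and the SUID bash that CVE-2021-41091 lets an unprivileged host user reach through an insufficiently restricted Docker data directory. From the defender's side the check is the same in both cases, so here is one audit script for it. It is an added example, not code from the writeup or from Moby: it walks a Docker data root from the host, reports whether the top-level directory is traversable by "other" users, lists setuid/setgid regular files found in the layers, and can apply the 0710 directory mode that the 20.10.9 fix introduced. The path /var/lib/docker is Docker's documented default; the sample tree the test uses is constructed in a temporary directory.

```python
"""Audit a Docker data root for the conditions behind CVE-2021-41091.

Added example, not from the MonitorsTwo writeup or from Moby. The mail in
the writeup describes the bug: before Moby 20.10.9 the data directory
(default /var/lib/docker) was traversable by unprivileged host users, so
any setuid program inside a container layer became reachable from the host.
"""
import os
import stat
import tempfile
from dataclasses import dataclass
from typing import List

DEFAULT_DATA_ROOT = "/var/lib/docker"   # Docker's documented default
HARDENED_MODE = 0o710                   # owner rwx, group x, others nothing


@dataclass
class Finding:
    path: str
    mode: str   # symbolic mode, e.g. "-rwsr-xr-x"
    uid: int
    kind: str   # "setuid", "setgid" or "setuid+setgid"


def data_root_is_traversable(data_root: str) -> bool:
    """True if users outside the owner/group can traverse the data root."""
    return bool(os.stat(data_root).st_mode & stat.S_IXOTH)


def harden_data_root(data_root: str) -> None:
    """Apply the 0710 mode used by the upstream fix (the manual mitigation)."""
    os.chmod(data_root, HARDENED_MODE)


def find_setid_binaries(data_root: str) -> List[Finding]:
    """List regular files with the setuid or setgid bit under data_root.

    Symlinks are not followed (lstat), so a link pointing at a real
    /usr/bin/sudo on the host is not reported as a container finding.
    """
    findings: List[Finding] = []
    for dirpath, _dirnames, filenames in os.walk(data_root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue                      # vanished or unreadable entry
            if not stat.S_ISREG(st.st_mode):
                continue                      # skip links, devices, sockets
            setuid = bool(st.st_mode & stat.S_ISUID)
            setgid = bool(st.st_mode & stat.S_ISGID)
            if not (setuid or setgid):
                continue
            kind = "+".join(k for k, on in (("setuid", setuid),
                                            ("setgid", setgid)) if on)
            findings.append(Finding(full, stat.filemode(st.st_mode),
                                    st.st_uid, kind))
    return sorted(findings, key=lambda f: f.path)


def build_sample_data_root() -> str:
    """Construct a throwaway tree shaped like an overlay2 layer for testing.

    Constructed data: one setuid 'bash' (the condition the writeup abuses)
    next to an ordinary executable, under a world-traversable data root.
    """
    root = tempfile.mkdtemp(prefix="docker-audit-")
    merged = os.path.join(root, "overlay2", "layer-id-placeholder", "merged")
    os.makedirs(os.path.join(merged, "bin"))
    os.makedirs(os.path.join(merged, "usr", "bin"))
    for rel, mode in (("bin/bash", 0o4755), ("usr/bin/env", 0o755)):
        path = os.path.join(merged, rel)
        with open(path, "wb") as fh:
            fh.write(b"#!/bin/sh\n")      # placeholder content, not a real binary
        os.chmod(path, mode)
    os.chmod(root, 0o755)                 # pre-fix style permissions
    return root


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else DEFAULT_DATA_ROOT
    print(f"{target}: traversable by others = {data_root_is_traversable(target)}")
    for f in find_setid_binaries(target):
        print(f"{f.mode} uid={f.uid} {f.kind} {f.path}")
```

Run it as root against the real data root on a host you administer; a world-traversable data root combined with any setuid finding is the pre-20.10.9 exposure the mail describes, and the remediation is to upgrade the engine and restart running containers, or at minimum apply the 0710 mode.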