In this post, I would like to share a walkthrough of the MonitorsTwo machine from Hack The Box.

This room is rated as an Easy machine on Hack The Box.

What will you gain from the MonitorsTwo machine?

For the user flag, you will need to abuse a vulnerability in Cacti version 1.2.22, which I managed to exploit using Metasploit and a Python script that I found while researching. While enumerating inside the Docker environment, we retrieved hashes from the MySQL database, which we were able to crack using hashcat.

As for the root flag, you need to analyze the content of a mail file, which describes a few vulnerabilities that we can use to obtain a root shell. By taking advantage of CVE-2021-41091, we should be able to escalate to root privileges.

Information Gathering on MonitorsTwo Machine

Once we have started the VPN connection (the VPN file is downloaded from Hack The Box), we can begin information gathering on the machine by executing the command nmap -sC -sV -p- <IP Address> -PN

┌─[darknite@parrot]─[~/Document/htb/MonitorsTwo]
└──╼ $nmap -sC -sV 10.10.11.211 -oA initial  
Starting Nmap 7.92 ( https://nmap.org ) at 2023-04-30 01:03 EDT
Nmap scan report for 10.10.11.211
Host is up (0.24s latency).
Not shown: 996 closed tcp ports (conn-refused)
PORT     STATE    SERVICE        VERSION
22/tcp   open     ssh            OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp   open     http           nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
146/tcp  filtered iso-tp0
3918/tcp filtered pktcablemmcops
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 128.76 seconds

Let’s access the website interface.

I noticed that Cacti is version 1.2.22.

After a while, I noticed that there was a Metasploit module for it. As a result, let’s run Metasploit on our attacker’s machine.

Step 1: Metasploit method

Finally, we managed to obtain a shell using Metasploit.

Step 2: Exploitation using Python script

Let’s start our nc listener.

From my research, I managed to find a Python script (which can be found here) that we can use to obtain a reverse shell connection on the victim’s machine.

We should run the command as shown above for it to work.

Step 3: RCE exploitation using Burp Suite

We should enter the parameter that we found inside one of the resources earlier.

Therefore, let’s send our reverse shell payload via Burp Suite so that we can retrieve a reverse shell connection back to us.

Boom! We managed to retrieve a reverse shell connection. However, it’s a Docker environment, judging from the hostname.

From one of the files, we managed to obtain the SQL connection command, which contained the username and password.

The screenshot above shows the databases that are available to us.

At last, we managed to see the table content, but it looked a little messy.

Finally, we managed to see the usernames and hashes.

We should copy and paste the hashes onto our attacker’s machine so that we are able to recover the credentials.

Boom! We found a password for one of the usernames.

Before we proceed with accessing the machine via the SSH service, we should enumerate a little deeper into the Docker environment.

From the linpeas output, we noted one binary that caught my attention straight away.

On the Docker side, we can use it to gain root privileges.

We can read the user flag by typing the “cat user.txt” command

Escalate to Root Privileges Access

There is a mail file whose content we can read and analyze.

marcus@monitorstwo:/var/mail$ cat marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:/var/mail$ 

The mail content above highlights a few vulnerabilities that we can abuse.

Let’s look into all of the mounts that we can use at a later stage.

However, one file caught my attention again.

We should make bash a SUID binary by entering the command above, so that we can escalate to root access.

From the look of it, bash has been set as a SUID binary.

We should be able to access the root shell by entering the command above.

Boom! We have successfully accessed the root shell.

We can read the root flag by typing the “cat root.txt” command
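To turn the bulletin’s CVE-2021-41091 item and the SUID-bash step above into something a defender can check, here is an added host audit script; it is not part of the original walkthrough. It assumes the default data root /var/lib/docker (override with the first argument) and that the docker CLI is on PATH; the SUID scan of container layers only returns results when run as root.

```shell
#!/bin/sh
# Added example (not from the original post): audit a Docker host for the conditions
# behind CVE-2021-41091. The fix shipped in Moby/Docker Engine 20.10.9 and tightens the
# data root (default /var/lib/docker) to mode 0710, so unprivileged host users can no
# longer traverse into container layers and run SUID binaries found there.
FIXED_VERSION="20.10.9"

# split3 VERSION -> sets V1 V2 V3 to the numeric parts (suffixes like "+dfsg1" dropped).
split3() {
    V1=${1%%.*}; rest=${1#"$V1"}; rest=${rest#.}
    V2=${rest%%.*}; rest=${rest#"$V2"}; rest=${rest#.}
    V3=${rest%%.*}
    V1=${V1%%[!0-9]*}; V2=${V2%%[!0-9]*}; V3=${V3%%[!0-9]*}
    V1=${V1:-0}; V2=${V2:-0}; V3=${V3:-0}
}

# version_lt A B -> exit 0 when dotted version A is older than B (20.10.7 < 20.10.9).
version_lt() {
    split3 "$1"; a1=$V1; a2=$V2; a3=$V3
    split3 "$2"; b1=$V1; b2=$V2; b3=$V3
    if [ "$a1" -ne "$b1" ]; then [ "$a1" -lt "$b1" ]; return $?; fi
    if [ "$a2" -ne "$b2" ]; then [ "$a2" -lt "$b2" ]; return $?; fi
    [ "$a3" -lt "$b3" ]
}

# others_can_traverse DIR -> exit 0 when the "other" execute (traverse) bit is set.
# ls(1) is used instead of stat(1) because stat's flags differ between GNU and BSD.
others_can_traverse() {
    mode=$(ls -ld "$1" 2>/dev/null | cut -c10)
    case "$mode" in x|t) return 0 ;; *) return 1 ;; esac
}

# audit_host [DATA_ROOT]: report engine version, data-root mode and SUID root files in
# container layers. Exit 1 when the host looks exposed.
audit_host() {
    root=${1:-/var/lib/docker}; findings=0
    ver=$(docker version --format '{{.Server.Version}}' 2>/dev/null)
    if [ -n "$ver" ] && version_lt "$ver" "$FIXED_VERSION"; then
        echo "EXPOSED: Docker Engine $ver is older than $FIXED_VERSION"; findings=1
    elif [ -z "$ver" ]; then
        echo "INFO: docker CLI not available, version check skipped"
    fi
    if [ -d "$root" ] && others_can_traverse "$root"; then
        echo "EXPOSED: $root is traversable by other users (expected mode 0710)"; findings=1
    fi
    # A SUID root binary inside a layer (like the SUID bash in this walkthrough) becomes
    # reachable from the host as soon as the data root is traversable, so list them.
    find "$root/overlay2" -type f -perm -4000 -user root 2>/dev/null |
        while read -r f; do echo "SUID in layer: $f"; done
    return $findings
}

audit_host "$@"
```

Remember the bulletin’s note: after upgrading, running containers have to be stopped and restarted for the data-root permissions to be corrected, so re-run the audit afterwards.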
