Last updated
A friend of mine asked me about my progress on "one day, one machine". Then he suggested I start doing Hack The Box. So yeah, here we start.
Current: Active Machine (23 June 2023)
As usual, let's enumerate this machine using my all-time favourite command.
After a few seconds the results came back: just the normal ports, nothing else. Let's move on to port 80, since we don't have credentials for port 22 yet.
Once we open the web server, a login page appears showing version 1.2.22.
What comes to mind is to check any source code that might be useful and look for known vulnerabilities for this version.
Luckily, I found that the cacti project v1.2.22 is vulnerable without authentication. That means no credentials are needed.
Download the PoC and try executing it with the correct information.
We manage to exploit this machine and get access as www-data. Next, let's do some enumeration. This time I will upload my LinPEAS to find any vulnerabilities, or you can run this:
find / -perm -u=s -type f 2>/dev/null
The results show something interesting. As I know, capsh can alter the SUID. Checking on GTFOBins:
Let's prove this by running:
/sbin/capsh --gid=0 --uid=0 --
This proves that we are now root. But where is the flag?
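As an added defender-side check that is not part of this writeup, the POSIX shell script below reads the output of two read-only audit commands, the find command above and getcap -r /, and prints only the entries a hardening reviewer should question: binaries holding identity-changing capabilities (the capsh case here) and SUID files that are shells or interpreters (the /bin/bash case later in this post). The sample outputs, the capability list and the shell regex are my own constructions, not output from this machine.

```shell
#!/bin/sh
# Added hardening audit (not from the writeup). Input comes from
# `getcap -r / 2>/dev/null` and `find / -perm -4000 -type f 2>/dev/null`;
# the samples below are constructed stand-ins for that output.

# Capabilities that let a process change identity or bypass DAC checks
# (assumed list; extend it to fit your own policy).
RISKY_CAPS='cap_setuid|cap_setgid|cap_dac_override|cap_sys_admin|cap_sys_ptrace'

# Shells and interpreters that should never carry the SUID bit (assumed list).
SHELL_RE='/(bash|sh|dash|zsh|ksh|python[0-9.]*|perl|ruby|node)$'

# flag_risky_caps: stdin = getcap output, stdout = lines granting a risky cap.
# Matches both the "path cap=ep" and the older "path = cap+ep" formats.
flag_risky_caps() {
    grep -E "$RISKY_CAPS" || :
}

# flag_suid_shells: stdin = one SUID path per line, stdout = shells among them.
flag_suid_shells() {
    grep -E "$SHELL_RE" || :
}

# Constructed sample outputs (not captured from a real host).
SAMPLE_CAPS='/usr/bin/ping cap_net_raw=ep
/sbin/capsh cap_setuid,cap_setgid=ep
/usr/bin/mtr-packet cap_net_raw=ep'

SAMPLE_SUID='/usr/bin/passwd
/usr/bin/sudo
/bin/bash
/usr/bin/su'

echo "== binaries with identity-changing capabilities =="
printf '%s\n' "$SAMPLE_CAPS" | flag_risky_caps
echo "== SUID shells/interpreters =="
printf '%s\n' "$SAMPLE_SUID" | flag_suid_shells

# On a live system, feed the real commands instead of the samples:
#   getcap -r / 2>/dev/null | flag_risky_caps
#   find / -perm -4000 -type f 2>/dev/null | flag_suid_shells
```

Anything the two filters print is a finding to explain or remove: a capability on capsh is exactly the kind of grant that turns a www-data shell into root, and a SUID shell is never a legitimate configuration.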
Since we are root, I found one .sh file in the parent directory /.
Some snippets from entrypoint.sh:
From my overview, this shell script runs whenever it connects to the host. That means when we first start up this website, the default credentials are root:root or admin:admin. Then, once logged in, the user needs to change the password.
We can manipulate the scripts since we are root now. Let's see the users and their passwords by running:
mysql --host=db --user=root --password=root cacti -e "SELECT * FROM user_auth"
We get the username and hash. Cracking the hash gives the real password.
Once we manage to crack the hash, let's log in via SSH, since we have the user and password.
From here we get the user flag. Next, let's find a way to escalate to root. As usual, I will use LinPEAS to find vulnerabilities.
The Docker version is quite old. Let's check to confirm.
This security bulletin shows that the Docker version is affected by CVE-2021-41092. Let's find an exploitation script to ease our work :D
From what the summary says, we can change user from marcus to root. Before that, what is our Docker here? Remember the first two steps, where we found the login page and managed to get www-data and then root: that is the Docker container for this machine. On the Docker machine, we need to set /bin/bash to u+s:
chmod u+s /bin/bash
On the host machine, download the PoC and run it to prove the vulnerability.
Run the exploit shell script and wait until it exits.
Follow the instructions given: change directory to the directory it prints and run /bin/bash -p to get a shell.
And we manage to get root. If you face a problem like the shell not spawning after executing the command, it might be that you didn't change the /bin/bash permissions on the Docker machine.
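As an added host-side check that is not part of this writeup, the script below tests the two conditions that decide whether this Docker escalation path is open on a host: an engine release older than the fixed one, and a Docker data directory that other users can traverse. Both checks are written as pure shell functions so they can be exercised on sample values; the live usage at the end only runs when docker and the directory exist. MIN_FIXED is an assumption of mine (20.10.9 is, as I recall, the release that shipped the fixes in the Docker security bulletin; confirm it against the bulletin for the CVE you are tracking), and DATA_ROOT is the default location, which a custom daemon config can change.

```shell
#!/bin/sh
# Added host hardening check (not from the writeup).

# Assumed minimum patched engine release; verify against the bulletin.
MIN_FIXED='20.10.9'
# Default data root; adjust if the daemon uses a custom "data-root".
DATA_ROOT='/var/lib/docker'

# version_ge A B: exit 0 if dotted version A >= B, comparing each component
# numerically. Non-numeric suffixes such as "+dfsg1" are ignored.
version_ge() {
    a="$1"; b="$2"
    while [ -n "$a" ] || [ -n "$b" ]; do
        ac="${a%%.*}"; ac="${ac%%[!0-9]*}"; ac="${ac:-0}"
        bc="${b%%.*}"; bc="${bc%%[!0-9]*}"; bc="${bc:-0}"
        [ "$ac" -gt "$bc" ] && return 0
        [ "$ac" -lt "$bc" ] && return 1
        case "$a" in *.*) a="${a#*.}" ;; *) a="" ;; esac
        case "$b" in *.*) b="${b#*.}" ;; *) b="" ;; esac
    done
    return 0
}

# data_root_exposed MODE: exit 0 if the octal MODE (e.g. 711 or 0755) grants
# "other" any permission on the data directory. A trailing 0 (e.g. 710) is
# the locked-down setting.
data_root_exposed() {
    case "$1" in
        *0) return 1 ;;
        *)  return 0 ;;
    esac
}

# Live usage: report, but do not fail, when docker or the directory is absent.
if command -v docker >/dev/null 2>&1; then
    v=$(docker version --format '{{.Server.Version}}' 2>/dev/null || :)
    if [ -n "$v" ]; then
        if version_ge "$v" "$MIN_FIXED"; then
            echo "engine $v >= $MIN_FIXED: patched"
        else
            echo "engine $v < $MIN_FIXED: update the engine"
        fi
    fi
fi
if [ -d "$DATA_ROOT" ]; then
    mode=$(stat -c '%a' "$DATA_ROOT" 2>/dev/null || :)
    if [ -n "$mode" ] && data_root_exposed "$mode"; then
        echo "$DATA_ROOT mode $mode: other users can traverse it"
    else
        echo "$DATA_ROOT mode ${mode:-?}: ok"
    fi
fi
```

Keeping the engine at or above the fixed release is the real fix; the mode check is the quick way to confirm a patched daemon has actually tightened the data directory, and a failing check on an up-to-date engine usually means the directory was created before the upgrade and never re-permissioned.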
Thanks for reading.