BOOK THIS SPACE FOR AD
ARTICLE ADPit is a CTF Linux box with difficulty rated as a medium on Hack The Box platform. Let’s deep dive into breaking down this machine.
Pentesting Methodologies
Network Scanning
NmapEnumeration
Abusing HTTP services SNMP Enumeration Banner GrabbingExploitation
Unrestricted file upload Post EnumerationPrivilege Escalation
Abusing Writable ScriptNetwork Scanning
So let proceed with a nmap version scan and script scan.
nmap -sV -sC 10.129.95.189From the output below we can find that 3 ports are opened:
22 running ssh 80 running http 9090 running httpWe also find two additional information that is, a test page running on nginx port 80 and a domain certificate dms-pit.htb.
Enumeration
So, let’s start enumeration the web ports 80 and 9090. When accessing the IP through port 80 via a browser, we are landing on the page below:
Whereas when we access the IP through port 9090 via a browser, we are landing on a different page as shown below.
Since we don’t know the username and password, this is not very helpful at the moment. So let’s continue to enumerate. During the nmap scan, we also found another domain name, dms-pit.htb. let’s add this entry in our host file, /etc/hosts.
Once the DNS entry has been added into the host file, let’s access the DNS name in a browser to see what additional information we can have.
No luck. We go an error code 403 coming up. Maybe we will have more luck with a nmap UDP scan. So lets give it a try.
nmap –sU 10.129.95.189
The result shows that snmp port 161 is open on the target machine. SNMP is a protocol that is used to manage and monitor interconnected network devices. Let’s enumerate this protocol and see if we can get some valuable information.
nmap -sU -p161 -sV 10.129.95.189we can see that the snmp version being used here is version 1 and the community string used here is the default one, that is, public.
Let’s enumerate deeper using the information found above.
snmpwalk -v2c -c public 10.129.95.189 .
Two entries have strike our attention namely: /var/www/html/seeddmsSix/seeddms* and /usr/bin/monitor* . Maybe we can find more information at these location.
Other useful information found is some usernames, michelle, root and system uptime. These can be used later.
Now that we have collected a little information, let’s try to use that information. Let’s access the path that we found in the /html folder.
http://dms-pit.htb/seeddmsSix/seeddmswe are automatically redirected to the login page below.
Let’s try to login with some default username and password. The first one we try was michelle and michelle.
We have been able to login in with the username michelle and password michelle where we have enumerated the version for SeedDMS.
Exploitation
In the document information section, we can find valuable information like the name and version of the application. The application name is SeedDMS and it has just been upgraded to version 5.1.15. So let check if this application has some vulnerabilities which we can exploit.
Using searchsploit, we found that this application is vulnerable to remote code execution. Let’s mirror the exploit locally.
searchsploit seeddms searchsploit –m 47022cat 47022.txt
Once the exploit has been mirrored, we edit the file to have to check how this works. When reviewing the code, we conclude that RCE can be obtained by executing this PHP backdoor while uploading the documents.
So, let’s browse to add document, in our case we will upload a simple PHP webshell, in our case its 1.php.
Upload the 1.php and click on Add Document.
Once uploaded, we get a document id 35
Now let’s use curl with parameter cmd-pwd to know which working directory the id 35 is located.
curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=pwdAs you can see, it is located in /var/www/html/seeddms51x/data/1048576/35 .
Let’s continue to dig further to see what additional information we can have in the other directories. Inside the conf folder, there is a file called setting.xml, so let’s cat this file to see which configuration does it contain. Maybe we can find some resourceful details.
curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=ls+/var/www/html/seeddms51x curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=ls++/var/www/html/seeddms51x/conf curl http://dms-pit.htb/seeddms51x/data/1048576/35/1.php?cmd=cat+/var/www/html/seeddms51x/conf/setting.xml
Indeed. Inside the setting file, we have the database connection setting, where we can clearly see some credentials details for establishing a connection.
And since the centos page is accessible on port 9090, lets try to login with username michelle and password found in the setting file. Great. We have been able to login successfully.
While browsing the tabs on the left-hand side, we can see a terminal tab at the bottom. Clicking on that brings us to a terminal. And here while listing the files, we can find a user.txt file. At this stage, we have user-level access.
ls cat user.txtNow it’s time to perform a privilege escalation and to have root access. From post enumeration results we find earlier, it seems that the scripts run files check*sh which is found under /usr/local/monitoring.
Privilege Escalation
We will simply create a private key with ssh-keygen, then try transferring the private key inside the target machine to get root access shell
We try to upload our id_rsa.pub file into the compromised machine by editing checkshell.sh file to inject our private key inside /root/.ssh directory as authorized keys.
Now let’s run the snmpwalk command which shall execute the script located in /usr/bin/monitor
snmpwalk –v 1 -c public 10.129.95.189 1.3.6.1.4.1.8072.1.3.2
Once the script is executed, let’s login as root via ssh using the private key.
ssh –i id_rsa [email protected] cat root.txt
Finally, we have root access and capture the flags.
Author: Tirut Hawoldar is a Cyber Security Enthusiast and CTF player with 15 years of experience in IT Security and Infrastructure. Can be Contacted on LinkedIn