HackTheBox Writeup — MonitorsTwo
Hello everyone, this is my first writeup on Hackthebox machine called MonitorsTwo
So if there are errors in writing or other errors I apologize, criticism and suggestions are very welcome. Now let’s beginnn! shall we
First I do port scanning as usual using Nmap.
nmap -p- -sC -sTV --min-rate 5000 10.10.11.211
There are only 2 ports that open which are ssh and HTTP. Let’s jump into the HTTP page.
I’ve tried several default credentials like admin:admin or etc, but it didn’t work. Thus, I searched for the vulnerability on Google using the information that I got from the login page.
Hmm, it seems that the machine has a vulnerability CVE-2022–46169. Now let’s find the exploit.
I found the exploit on GitHub. The exploit was very simple, just clone the exploit and run it as it tells on the POC.
Listen to port 8888
nc -nvlp 8888
And run the exploit
I got the shell as www-data, let’s do the enumeration to gain access using Linpeas.
Found the interesting binary here, let’s take a look on gtfobins.
run the command on the target machine.
capsh --gid=0 --uid=0 --
Got the root shell, but here I noticed that I still can’t get the flag on the root directory or even the home directory, now let’s do the enumeration on the database.
mysql --host=db --user=root --password=root cacti -e "select * from user_auth;"
found 3 users, let’s crack the password using john.
use the password to login to ssh as user Marcus.
Got the user flag.
Privilege Escalation
Now for the privilege escalation run chmod u+s /bin/bash
on the previous shell.
back to ssh shell and run findmnt.
and run /var/lib/docker/overlay2/c41d5854e43bd996e128d647cb526b73d04c9ad6325201c85f73fdba372cb2f1/merged/bin/bash -p
Got the root flag. Finally, we solved the machine.