Cerberus
Cerberus is a hard Windows machine that mixes Linux and Windows. It involved exploiting Icinga Web 2 through two CVEs, an arbitrary file disclosure (CVE-2022-24716) and an authenticated RCE (CVE-2022-24715), giving a shell as www-data; escalating privileges on the Linux system through Firejail (CVE-2022-31214); and, as root, recovering a domain user's cached hash from SSSD, which is then used to get a shell on the Windows machine as matthew. Scanning the DC, there was ADSelfService running, vulnerable to an unauthenticated RCE (CVE 2022 4796), which gives a shell as the SYSTEM user.
As usual, we start by scanning for open ports and running services. Cerberus is a Windows machine, but for some reason the nmap scan reports a Linux machine (Ubuntu) running an Apache web server on port 8080, which is confusing.
The default initial TTL value for Linux/Unix is 64, while the default initial TTL value for Windows is 128. Let's ping the machine's IP address, 10.10.11.205. The TTL in the ping replies shows that the target machine is a Windows machine.
Let's use Wireshark and curl the Apache web server to take a look at the TTL of the HTTP response. First run Wireshark and select the VPN interface; once it is listening for packets, curl the machine IP.
Let's explain what this means: the default Linux initial TTL value is 64, and every hop (router) that a packet from the Linux machine passes through decrements the TTL by 1. In this case the TTL has been decremented by 2, because the packet first passes the HackTheBox VPN hop and then the Windows host operating system. That confirms there is a Linux virtual machine running inside the Windows host operating system.
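The TTL reasoning above, as an added example that is not part of the original writeup: a small Python helper that pulls the TTL out of a ping reply or a Wireshark "Time to Live" line, picks the nearest default initial TTL, and reports the OS family and the number of hops the packet crossed. The sample lines are constructed to match what the writeup observed (one hop to the Windows host, two hops to the Linux VM behind it).

```python
import re
from typing import Optional, Tuple

# Default initial TTL values: 64 (Linux/Unix) and 128 (Windows) are the two the
# writeup relies on; 255 (network devices and some BSD-derived stacks) is added
# for completeness.
INITIAL_TTLS = [(64, "Linux/Unix"), (128, "Windows"), (255, "network device / BSD-like")]

# Matches the TTL in ping output ("ttl=127") or in Wireshark's IP header
# details pane ("Time to Live: 62").
_TTL_RE = re.compile(r"(?:ttl=|time to live:\s*)(\d+)", re.IGNORECASE)


def parse_ttl(line: str) -> Optional[int]:
    """Extract the TTL from one line of ping or Wireshark output, or None."""
    m = _TTL_RE.search(line)
    return int(m.group(1)) if m else None


def classify_ttl(observed: int) -> Tuple[str, Optional[int], Optional[int]]:
    """Guess the sender's OS family and how many hops the packet crossed.

    Every router (and here, the Windows host forwarding to its VM) decrements
    the TTL by one, so the original value is the smallest default that is not
    below the observed one, and the hop count is the difference.
    """
    for initial, family in INITIAL_TTLS:
        if observed <= initial:
            return family, initial, initial - observed
    return "unknown", None, None


# Constructed sample lines: the ICMP reply comes from the Windows host, the HTTP
# reply from the Linux VM running inside it.
PING_LINE = "64 bytes from 10.10.11.205: icmp_seq=1 ttl=127 time=45.2 ms"
HTTP_LINE = "    Time to Live: 62"

if __name__ == "__main__":
    for label, line in (("ICMP echo reply", PING_LINE), ("HTTP response", HTTP_LINE)):
        ttl = parse_ttl(line)
        family, initial, hops = classify_ttl(ttl)
        print(f"{label}: ttl={ttl} -> {family} (initial {initial}), {hops} hop(s) away")
```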
Add icinga.cerberus.local to the hosts file, then browse to http://icinga.cerberus.local:8080/icingaweb2, the link given in the nmap scan.
Trying the default Icinga Web 2 credentials didn't work, and the page source gives no information about the version. So I searched for public exploits and found two interesting ones: CVE-2022-24715, an RCE that requires credentials, and CVE-2022-24716, an arbitrary file disclosure. We will use the file disclosure vulnerability to leak interesting information.
Download the exploit from this link: https://github.com/JacobEbben/CVE-2022-24716
We don't know where the configuration files are located, so we go to the official Icinga Web 2 documentation at https://icinga.com/docs/icinga-web/2.6/ and search for "configuration". That gives us all the configuration file names as well as their path, /etc/icingaweb2/<configuration_file_name>.
We have leaked the administrator credentials and can now log in. Since we have the credentials, we can use the other CVE to get Remote Code Execution (RCE); we need to generate a PEM file first. And boom, we've got a shell.
This is the Ubuntu version.
Upgrade the dumb shell:
List all SUID binaries:
https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25
Open this link, copy the Python exploit code and paste it into a Python file. I named it firejail_exploit.py; you can name it whatever you want.
Now use the previous CVE to get another shell as www-data in a second terminal. When you get a shell, it is very important to upgrade it, or this will not work.
After upgrading the shell, run the command
and then
Looking at /etc/hosts, we find the IP address of the domain controller. Let's look at the running processes using the command
We find that the sssd process is running. SSSD allows the Linux box to communicate with a domain, typically an LDAP (Lightweight Directory Access Protocol) server or an Active Directory domain.
I searched HackTricks for Linux Active Directory exploits, or ways to get valuable information about the Active Directory, and found this.
Looking at the contents of /var/lib/sss/secrets/secrets.db with strings, we don't find anything, and the .secret.mkey file doesn't exist, so I changed to the parent directory and found a couple of interesting db files. The one whose name contains "cache" looks more interesting; to search through it we use the strings command.
Scrolling down through the results, we find a long string that looks like a hash. I used an online service that identifies the hash type and also tries to crack it against a database, https://hashes.com/en/tools/hash_identifier, and it cracked it: the password is 147258369 and the username is matthew. We now have the username and password of a user on the Windows machine.
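The string found in the SSSD cache is a cached domain credential. As an added example (not part of the writeup), this Python audit helper scans a copy of an SSSD cache database for crypt-format password hashes and reports which user each belongs to, so a defender can verify whether a domain-joined host is caching credentials at all. The sample record is constructed and its digest is a dummy; the attribute names are assumptions modelled on SSSD's sysdb layout.

```python
import re
from typing import Dict, List

# Crypt-style hashes as SSSD stores them when cache_credentials is enabled:
# sha512crypt ($6$, 86-char digest) and sha256crypt ($5$, 43-char digest),
# with a salt of up to 16 characters.
_CRYPT_HASH_RE = re.compile(
    rb"\$(?P<id>[56])\$(?P<salt>[./A-Za-z0-9]{1,16})\$(?P<digest>[./A-Za-z0-9]{43,86})"
)
_NAME_RE = re.compile(rb"name=([A-Za-z0-9._@-]+)")
_ALGOS = {b"5": "sha256crypt", b"6": "sha512crypt"}


def find_cached_hashes(blob: bytes) -> List[Dict[str, str]]:
    """Report each well-formed crypt hash in a cache_*.ldb blob with the nearest preceding user name."""
    findings = []
    for m in _CRYPT_HASH_RE.finditer(blob):
        expected = 86 if m.group("id") == b"6" else 43
        if len(m.group("digest")) != expected:
            continue  # wrong digest length: not a crypt hash, skip it
        # The user name is the last name= attribute before the hash in the record.
        names = [n.group(1) for n in _NAME_RE.finditer(blob, 0, m.start())]
        findings.append({
            "user": names[-1].decode() if names else "<unknown>",
            "algorithm": _ALGOS[m.group("id")],
            "salt": m.group("salt").decode(),
        })
    return findings


# Constructed fragment resembling the printable strings pulled out of
# /var/lib/sss/db/cache_<domain>.ldb; the digest is a dummy, not a real hash.
SAMPLE_CACHE = (
    b"dn: name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb\n"
    b"objectClass: user\n"
    b"name=matthew@cerberus.local\n"
    b"cachedPassword: $6$constructedsalt$" + b"X" * 86 + b"\n"
    b"lastCachedPasswordChange: 1678000000\n"
)

if __name__ == "__main__":
    for f in find_cached_hashes(SAMPLE_CACHE):
        print(f"cached {f['algorithm']} credential for {f['user']} (salt {f['salt']})")
```

A host that should not keep offline credentials can set cache_credentials = false in the [domain/...] section of sssd.conf; the cache directory is readable only by root, which is why this step needed the Firejail privilege escalation.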
First let's check whether the WinRM port 5985 is open; then we will set up a reverse tunnel with chisel to connect to the Windows machine from our attack machine, since evil-winrm is not installed on the compromised Linux machine.
The command attempts to open a TCP connection to the specified IP address and port (172.16.22.1 on port 5985) using the /dev/tcp pseudo-device that bash provides on Unix-like systems. If the connection attempt succeeds (the port is open and accepting connections), the exit status $? is 0 and echo 0 prints 0. If the connection attempt fails (the port is closed or unreachable), the exit status is 1 and echo 1 prints 1.
Now let's use chisel to set up a reverse tunnel so we can use evil-winrm from our attack machine and connect to the Windows machine at 172.16.22.1. First we open a file share so we can transfer the chisel binary to the compromised Linux machine, using wget -r to download all the directories, subdirectories and files.
10.10.14.177 is my Kali Linux attack box IP address.
We can now connect to the Windows machine using the credentials found in the SSSD cache and the reverse tunnel provided by chisel. You can find the user flag at /Users/Matthew/Desktop.