12/2020
Target IP: 10.10.10.157
The box is a Linux machine whose web application strictly filters special characters. It runs Centreon, an application monitoring software, version 19.04, which is susceptible to CVE-2019-13024. The attacker's way in starts with a misconfiguration on the */monitoring* page that allows authentication bypass by using the POST method; */monitoring* then redirects to */centreon*, which is protected by a login page. The foothold is gained by abusing the Centreon API to brute-force the site's admin account, then using the vulnerability to execute code remotely and spawn a reverse shell. A hidden compiled Python file on the target machine contains the SSH password of a system user, Shelby. Connecting to the SSH service as Shelby gives the user flag. Exploiting a vulnerability in the Screen application version 4.5 (CVE-2017-5618) then gives a shell with root privileges.
medium
User: 64855cc822f6b47031333a9102160aee
Root: 08e678f2da9a8f7edb8c2cc31e42c835

Nmap port scan result.

Nmap service version scan result.
! Discovered services: SSH (22), HTTP (80)

The website on port 80 is just the Apache 2 Ubuntu default page.

Brute-forcing the directory of the website.
! Discovered 2 inaccessible endpoints: /monitoring and /server-status

Examining /monitoring endpoint.
! A log-in form pops up when requesting */monitoring*
! When a POST request is sent to */monitoring* instead of a GET, the page responds with code 301 Moved Permanently.
<aside> 💡
The -L option tells curl to follow redirects. If the server responds with a Location header, curl will automatically make a GET request to that location.
</aside>
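The write-up does not show the server configuration behind */monitoring*. One common cause of authentication that applies to GET but not POST is Apache access rules wrapped in a `<Limit GET>` block, and the check below (an added example, not part of the original write-up) flags that pattern. The sample configs, the directory path and the function name `find_method_scoped_auth` are constructed for illustration.

```python
import re

# Constructed sample config (not from the target machine): basic auth is
# wrapped in <Limit GET>, so only GET requests are challenged.
SAMPLE_WEAK = """\
<Directory /var/www/html/monitoring>
    AuthType Basic
    AuthName "Protected area"
    AuthUserFile /etc/apache2/.htpasswd
    <Limit GET>
        Require valid-user
    </Limit>
</Directory>
"""

# Corrected form: Require sits outside any <Limit>, so it covers every method.
SAMPLE_FIXED = """\
<Directory /var/www/html/monitoring>
    AuthType Basic
    AuthName "Protected area"
    AuthUserFile /etc/apache2/.htpasswd
    Require valid-user
</Directory>
"""

OPEN_LIMIT = re.compile(r"^<Limit\s+([^>]+)>", re.I)   # does not match <LimitExcept>
CLOSE_LIMIT = re.compile(r"^</Limit>", re.I)
ACCESS = re.compile(r"^(Require|Allow|Deny|Order)\b", re.I)

def find_method_scoped_auth(config_text):
    """Return (line_no, methods, directive) for access rules inside <Limit>."""
    findings, methods = [], None
    for no, raw in enumerate(config_text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = OPEN_LIMIT.match(line)
        if m:
            methods = m.group(1).upper().split()
        elif CLOSE_LIMIT.match(line):
            methods = None
        elif methods is not None and ACCESS.match(line):
            findings.append((no, methods, line))
    return findings

if __name__ == "__main__":
    for no, methods, directive in find_method_scoped_auth(SAMPLE_WEAK):
        print(f"line {no}: '{directive}' only applies to {methods}")
```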