Hack The Box | MonitorsTwo Write Up
Monitors Two - are we going to need two monitors? Or two shells?
Recon
Recon was done with nmap - ports 80 and 22 were found to be open.

So… Let’s see what the deal is with port 80.

A wild Cacti was found, and the classic admin:admin was tested without any success. The next shot was to assess the version and check whether it has a known exploit (which happens to be true). With a quick Google search, the following CVE showed up - https://github.com/FredBrave/CVE-2022-46169-CACTI-1.2.22
The next action was to test the exploit (which was a success!!)

A shell as www-data was granted. After some unsuccessful enumeration on the host - why not try a Linux privilege escalation script? LinPEAS was the chosen one. Reviewing the output, a script was flagged - entry_point.sh, which has a connection to a database.

After connecting to the DB:

Hashes? Hmm, worth calling John (for both of them), but John only cracked one:

Ok, after this, why not try logging in as our friend Marcus? Voilà, it worked and now the user path is concluded.
With Marcus's shell and the www-data shell, we have two shells. Two monitors??
With the user shell, linpeas.sh was executed again and Docker was really in the spotlight. After some googling, an interesting Docker engine (Moby) vulnerability came to my attention: Moby Docker Engine PrivEsc (CVE-2021-41091).
CVE-2021-41091 is a flaw in Moby (Docker Engine) that allows unprivileged Linux users to traverse and execute programs within the data directory (usually located at /var/lib/docker) due to improperly restricted permissions. This vulnerability is present when containers contain executable programs with extended permissions, such as setuid. Unprivileged Linux users can then discover and execute those programs, as well as modify files if the UID of the user on the host matches the file owner or group inside the container.
Let’s try this then. First on the initial shell: 
And then, on the second shell (Marcus): 
Another crazyyyy rideeeeeeeeeeeee :)
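
For the host side of CVE-2021-41091 described above, this is an added audit sketch (not part of the original write-up and not Docker's own tooling) that checks a Docker data directory for the two conditions the flaw needs: directories that unprivileged users can traverse, and setuid/setgid files stored below them. The function names are illustrative, and it assumes a `find` that supports `-maxdepth`.

```shell
#!/bin/sh
# Added example: host-side audit for the conditions behind CVE-2021-41091.
# Assumptions: find supports -maxdepth (GNU/BSD/busybox); run as root so the
# whole tree is readable. Function names are illustrative.
# Usage: audit_docker_root /var/lib/docker

# Data root and its first-level subdirectories that "other" (any
# unprivileged local user) is allowed to traverse (o+x set).
list_traversable_dirs() {
    find "$1" -maxdepth 1 -type d -perm -001 2>/dev/null
}

# Regular files below the data root that carry the setuid or setgid bit.
list_setid_files() {
    find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null
}

# Print findings; return 1 when both conditions hold, 0 otherwise.
# Conservative heuristic: only the data root and its first-level
# subdirectories are checked for traversal, and any hit counts.
audit_docker_root() {
    root=${1:-/var/lib/docker}
    dirs=$(list_traversable_dirs "$root")
    files=$(list_setid_files "$root")
    [ -z "$dirs" ] || printf '%s\n' "$dirs" | sed 's/^/TRAVERSABLE-BY-OTHER: /'
    [ -z "$files" ] || printf '%s\n' "$files" | sed 's/^/SETID-FILE: /'
    if [ -n "$dirs" ] && [ -n "$files" ]; then
        echo "RESULT: exposed (traversable data dir with set-id files)"
        return 1
    fi
    echo "RESULT: ok"
    return 0
}
```

A non-zero result is the cue to upgrade Docker Engine; the Moby advisory for this CVE lists 20.10.9 as the fixed release and notes that running containers must be stopped and restarted for the corrected permissions to apply.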