Surveillance — HackTheBox

Abdul Wassay (HotPlugin)
Apr 20, 2024 · 4 min read

Surveillance is a medium-difficulty machine from HackTheBox. It entails exploiting a Remote Code Execution (RCE) vulnerability in Craft CMS to establish an initial foothold, followed by exploitation of the ZoneMinder application for privilege escalation.

NMAP

PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

Port 80 (HTTP)

Browsing the URL, the following website is shown.

At the bottom of the page we can see that this website is using Craft CMS 4.4.14.

This can be verified by going to the /admin endpoint.

Foothold (matthew)

Searching for vulnerabilities in this version, it seems to be vulnerable to RCE (CVE-2023-41892).

https://github.com/craftcms/cms/security/advisories/GHSA-4w8r-3xrw-v25g

I found the following POC to exploit this CVE. Running it, we gain RCE on the host.

https://gist.github.com/gmh5225/8fad5f02c2cf0334249614eb80cbf4ce

Enumerating the filesystem, a database backup is found at /var/www/html/craft/storage/backups/.

Looking into the DB backup file, we find the hashed password for the matthew user.

Cracking the hash, we get the password.

Looking at the /etc/passwd file, we can see that matthew is a user on the system.

Using the credentials, we log in as matthew via SSH.

Privilege Escalation (zoneminder)

Searching for files owned by the zoneminder group, it is found that there is another application at /usr/share/zoneminder.

Looking at the open ports, we can confirm that this application is running internally on port 8080.

Forward this port to 8000 on our host using SSH:

ssh -L 8000:127.0.0.1:8080 matthew@surveillance.htb

Browsing the URL, we get the following login page.

Searching on Google, it is found that it is a CCTV monitoring application. However, it can also be vulnerable to CVEs. For that, we first need to find its version, which I did as follows.

Searching for vulnerabilities, it is found to be vulnerable to RCE (CVE-2023-26035).

https://github.com/ZoneMinder/zoneminder/security/advisories/GHSA-72rg-h4vf-29gr

I used the following POC and got a shell as the zoneminder user.

Privilege Escalation (root)

Checking the sudo permissions, we can run the following command as any user:

/usr/bin/zm[a-zA-Z]*.pl *

These are the commands that can be run using sudo.

After wasting a lot of time and nudges from the HTB Discord, I found a way to abuse this. Basically, there is a command injection in the zmupdate.pl script. Looking through the source code, we can see that when updating the DB, it takes the DB credentials and appends them directly to the system command that is executed. This can be abused to get a shell as root.

First, I created a bash file containing the reverse shell payload.

Then, execute the zmupdate.pl command as follows to get a shell as root.

sudo /usr/bin/zmupdate.pl --version 1 --user='`/dev/shm/uwu.sh`'
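The root cause above is a general pattern: a credential taken from the command line is pasted into a shell command string, so anything the shell treats specially (backticks, $(...), ;) runs with the privileges of the script. The block below is an added example written for this post, not the writeup's or the ZoneMinder project's own code. zmupdate.pl is Perl; the assumption here is only that it builds a single shell string containing the --user value, and that pattern is reproduced in Python as backup_db_vulnerable. The names backup_db_vulnerable, run_dump_argv and backup_db_fixed are made up for this example, and echo stands in for the real mysqldump so the arguments that reach the child process can be observed. The fix has two independent parts: pass arguments as an argv list so no shell is ever involved, and allow-list the username before it is used at all.

```python
"""Shell-string credential injection beside its hardened form (added example)."""
import re
import subprocess

# Stand-in for the real dump tool (assumption: echo just reflects its argv,
# so the returned string shows exactly what the child process received).
DUMP_TOOL = "echo"


def backup_db_vulnerable(user: str, password: str) -> str:
    """Vulnerable pattern: credentials interpolated into one string run via /bin/sh.

    Any shell metacharacters in `user` (backticks, $(...), ;) are interpreted
    by the shell before the dump tool ever sees the argument.
    """
    cmd = f"{DUMP_TOOL} -u{user} -p{password} zm"
    done = subprocess.run(cmd, shell=True, capture_output=True, text=True)
    return done.stdout


def run_dump_argv(user: str, password: str) -> str:
    """Argv-list execution: no shell, so the value is passed through verbatim."""
    argv = [DUMP_TOOL, f"-u{user}", f"-p{password}", "zm"]
    done = subprocess.run(argv, capture_output=True, text=True)
    return done.stdout


# Allow-list for a MySQL-style username: letters, digits, underscore, 1-32 chars.
USER_RE = re.compile(r"[A-Za-z0-9_]{1,32}")


def backup_db_fixed(user: str, password: str) -> str:
    """Hardened form: reject unexpected characters, then execute without a shell."""
    if not USER_RE.fullmatch(user):
        raise ValueError("refusing DB user with characters outside [A-Za-z0-9_]")
    return run_dump_argv(user, password)


if __name__ == "__main__":
    # Constructed inputs: a normal username and a harmless command-substitution
    # string that only echoes a marker, to show whether the inner command ran.
    benign = "zmuser"
    hostile = "`echo INJECTED`"
    print("vulnerable, benign :", backup_db_vulnerable(benign, "pw").strip())
    print("vulnerable, hostile:", backup_db_vulnerable(hostile, "pw").strip())
    print("argv only, hostile :", run_dump_argv(hostile, "pw").strip())
    try:
        backup_db_fixed(hostile, "pw")
    except ValueError as exc:
        print("fixed, hostile     : rejected ->", exc)
```

Running it shows the inner command executing in the vulnerable path (the marker INJECTED replaces the backtick expression), the same string arriving untouched when the tool is started from an argv list, and the allow-list refusing it outright. A sudo rule like the one on this box makes the script run as root, which is why a defect of this kind in any zm*.pl script turns straight into a root shell; auditing which scripts a wildcard sudoers entry actually covers, and whether any of them hand user-controlled arguments to a shell, is the check a defender would run here.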

Arigatou UwU
