HTB Linux Easy: MonitorsTwo

MonitorsTwo is an Easy-rated Linux machine on HTB.

Nmap

Initial Foothold

Website Enumeration

Visiting the website reveals a vulnerable version of Cacti (CVE-2022-46169).

Exploiting the vulnerability

Set up an nc listener and run the Python exploit.

Privilege Escalation

Escaping the docker container

Privilege escalation (sticky bit on /sbin/capsh).

Become the root user of the docker container.

DB credentials in entrypoint.sh.

Using the SQL credentials, we find password hashes in the user_auth table.

We cracked the hash for the marcus user (funkymonkey).

We can now SSH into the box.

Getting root

Running LinPEAS.

Root-owned mail? Let’s check it out.

We can use the last CVE since Docker is not up to date.

Step 1: assign a sticky bit to /bin/bash in the Docker environment.

Step 2: execute the exploit.
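
A defender's check for the condition both the capsh step and Step 1 rely on, written as an added example (not part of the original write-up): it walks a root filesystem and reports regular files carrying the set-user-ID or set-group-ID bit (modes 4000/2000, the bits that change the privileges a binary runs with), listing shell-capable ones first. The function name `audit_setid` and the `SHELL_CAPABLE` list are assumptions made for this example.

```python
import os
import stat

# Assumption: binaries that can hand out a shell when they run set-uid.
# capsh and bash are the two this write-up relies on; the others are
# constructed additions for the example.
SHELL_CAPABLE = {"capsh", "bash", "sh", "dash", "zsh"}


def audit_setid(root):
    """Walk `root` (e.g. an unpacked image or a container rootfs) and return
    one finding per regular file with the set-user-ID or set-group-ID bit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root, followlinks=False):
        for name in filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable: skip, do not abort the audit
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, devices, sockets are not executable targets
            bits = [label
                    for flag, label in ((stat.S_ISUID, "setuid"),
                                        (stat.S_ISGID, "setgid"))
                    if st.st_mode & flag]
            if not bits:
                continue
            findings.append({
                "path": os.path.relpath(path, root),
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "bits": bits,
                "owner_uid": st.st_uid,
                # A set-uid shell or capsh gives its caller the owner's identity.
                "critical": name in SHELL_CAPABLE and "setuid" in bits,
            })
    # Critical findings first, then alphabetical by path.
    return sorted(findings, key=lambda f: (not f["critical"], f["path"]))


if __name__ == "__main__":
    import sys
    for f in audit_setid(sys.argv[1] if len(sys.argv) > 1 else "/"):
        tag = "CRITICAL" if f["critical"] else "review"
        print(f"{tag:8} {f['mode']} uid={f['owner_uid']} {f['path']}")
```

Run it against each image's root filesystem in CI and against running containers' filesystems on the host; a critical finding that appears after the image was built means the bit was set at runtime.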

User.txt

Root.txt

PWNED

This post is licensed under CC BY 4.0 by the author.