# Hack The Box - Wall

## Quick Summary

Hey guys, today Wall retired and here’s my write-up about it. It was an easy Linux machine with a web application vulnerable to RCE, WAF bypass to be able to exploit that vulnerability and a vulnerable suid binary. It’s a Linux machine and its ip is 10.10.10.157, I added it to /etc/hosts as wall.htb. Let’s jump right in !

## Nmap

As always we will start with nmap to scan for open ports and services:

We got http on port 80 and ssh on port 22. Let’s check the web service.

## Web Enumeration

The index page was just the default apache page:

So I ran gobuster and got these results:

The only interesting thing was /monitoring, however that path was protected by basic http authentication:

I didn’t have credentials, I tried bruteforcing them but it didn’t work so I spent sometime enumerating but I couldn’t find the credentials anywhere. Turns out that by changing the request method from GET to POST we can bypass the authentication:

The response was a redirection to /centreon:

Centreon is a network, system, applicative supervision and monitoring tool. -github

Bruteforcing the credentials through the login form will require writing a script because there’s a csrf token that changes every request, alternatively we can use the API.
According to the authentication part we can send a POST request to /api/index.php?action=authenticate with the credentials. In case of providing valid credentials it will respond with the authentication token, otherwise it will respond with a 403.
I used wfuzz with darkweb2017-top10000.txt from seclists:

password1 resulted in a 200 response so its the right password:

## RCE | WAF Bypass –> Shell as www-data

I checked the version of centreon and it was 19.04:

It was vulnerable to RCE (CVE-2019-13024, discovered by the author of the box) and there was an exploit for it:

But when I tried to run the exploit I didn’t get a shell:

So I started looking at the exploit code and tried to do it manually.
The vulnerability is in the poller configuration page (/main.get.php?p=60901) :

The script attempts to configure a poller and this is the payload that’s sent in the POST request:

nagios_bin is the vulnerable parameter:

I checked the configuration page and looked at the HTML source, nagios_bin is the monitoring engine binary, I tried to inject a command there:

When I tried to save the configuration I got a 403:

That’s because there’s a WAF blocking these attempts, I could bypass the WAF by replacing the spaces in the commands with \${IFS}. I saved the reverse shell payload in a file then I used wget to get the file contents and I piped it to bash.
a:

modified parameter:

## Screen 4.5.0 –> Root Shell –> User & Root Flags

There were two users on the box, shelby and sysmonitor. I couldn’t read the user flag as www-data:

I searched for suid binaries and saw screen-4.5.0, similar to the privesc in Flujab I used this exploit.
The exploit script didn’t work properly so I did it manually, I compiled the binaries on my box:
libhax.c:

rootshell.c:

Then I uploaded them to the box and did the rest of the exploit:

And we owned root !
That’s it , Feedback is appreciated !