📹Surveillance HTB Walkthrough

Welcome to the world of cybersecurity challenges! In this walkthrough, we'll delve into "Surveillance," a medium-level machine on HackTheBox.


Reconnaissance

Scanning

First, I scan the target with nmap (-A enables version detection, default scripts and OS detection; -oN saves the normal output to a file):

nmap -A -oN nmap_scan 10.10.11.245

I find two open ports:

22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)

Website Enumeration

Subsequently, I append the following line to /etc/hosts:

10.10.11.245    surveillance.htb

Browsing the site, I see that it runs Craft CMS, and the page source gives the exact version: 4.4.14.

Exploitation

Website Exploitation

Craft CMS 4.4.14 is affected by an unauthenticated Remote Code Execution (RCE) vulnerability, CVE-2023-41892, with a public exploit at Exploit-DB 51918. Running it against surveillance.htb gives a shell as the web server user.

Privilege Escalation

Horizontal privilege escalation

First, I identify two users:

matthew:x:1000:1000:,,,:/home/matthew:/bin/bash
zoneminder:x:1001:1001:,,,:/home/zoneminder:/bin/bash

After digging further, I find a backup file containing a SQL dump; among the statements is the INSERT that creates the user matthew, which includes his password hash.

I crack the hash with crackstation.com and use the recovered password to log in over SSH as matthew.

Now, let's see what zoneminder is.

ZoneMinder is an open-source video surveillance software suite that is designed to monitor, record, and manage multiple IP cameras, webcams, and other video sources. It is commonly used for security surveillance purposes in homes, businesses, and other environments where video monitoring is required.

I find a web application listening only on localhost, on port 8080.

Running the zmc binary with its version flag reveals the installed ZoneMinder version.

Further investigation turns up a known unauthenticated RCE, CVE-2023-26035, which affects ZoneMinder 1.36.32 (the version found here) and was fixed in 1.36.33.

  1. I use socat to make the website reachable from my machine. Note that this binds port 8000 on every interface of the box, so anyone on the lab network can reach it while it runs; an SSH local port forward (ssh -L) over the matthew session is the quieter alternative:

socat TCP-LISTEN:8000,fork TCP:localhost:8080

  2. I run the exploit against the forwarded port and get a shell as the zoneminder user.

Vertical privilege escalation

Now it's time to escalate privileges to root. Checking sudo -l shows that zoneminder can run ZoneMinder's zmupdate.pl as root via sudo.

Digging deeper, I find that zmupdate.pl builds a shell command (a mysqldump invocation for the pre-upgrade database backup) from the --user and --pass arguments and hands the string to the shell without quoting or validation, so shell metacharacters in those values are executed as root.

Testing with a harmless command first:

sudo zmupdate.pl --version 1.12 -u ';whoami;' -p admin 

It works (whoami prints root), so let's get a shell.
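To show the pattern behind this injection and how it should have been written, here is an added illustration. It is not ZoneMinder's own code and the function names are hypothetical: the vulnerable subroutine reproduces the "interpolate user input into a command string and hand it to the shell" mistake, and the hardened one beside it validates the values and calls mysqldump through the list form of system(), which goes straight to execve with no shell in between.

```perl
#!/usr/bin/perl
# Added illustration, not ZoneMinder's own code: a minimal stand-in for the
# command-building pattern that makes `sudo zmupdate.pl -u ';whoami;'`
# exploitable, next to a hardened version. Function and file names are
# hypothetical.
use strict;
use warnings;

# Vulnerable pattern: the user-supplied --user/--pass values are interpolated
# into one command string, and qx// hands that string to /bin/sh. A value such
# as ';whoami;' closes the mysqldump command and runs whoami with the script's
# privileges (root, when launched via sudo).
sub dump_db_vulnerable {
    my ($user, $pass, $db) = @_;
    my $command = "mysqldump -u$user -p$pass $db > /tmp/zm_backup.sql";
    print "[vulnerable] shell sees: $command\n";
    return qx($command);
}

# Hardened pattern:
#  1. reject anything outside a conservative whitelist before use;
#  2. call system() in list form, so the arguments reach mysqldump via execve
#     and no shell ever parses them;
#  3. pass the password via the environment (MYSQL_PWD) instead of argv, so it
#     is not visible in `ps` output either.
sub dump_db_hardened {
    my ($user, $pass, $db) = @_;
    for my $v ($user, $db) {
        die "refusing unsafe value: '$v'\n" unless $v =~ /\A[A-Za-z0-9_.-]+\z/;
    }
    local $ENV{MYSQL_PWD} = $pass;
    my @argv = ('mysqldump', "--user=$user",
                '--result-file=/tmp/zm_backup.sql', $db);
    print "[hardened] argv: @argv\n";
    my $rc = system(@argv);    # list form: no shell involved
    return $rc == 0;
}

# Demo with the same payload used against the box. Even on a machine without
# mysqldump installed, the vulnerable path still runs `whoami`; the hardened
# path refuses the value before anything is executed.
my $payload = shift // ';whoami;';
print dump_db_vulnerable($payload, 'admin', 'zm');
eval { dump_db_hardened($payload, 'admin', 'zm') };
print "hardened: $@" if $@;
```

Run it as an unprivileged user to see the first path print your own username from the injected whoami and the second path die with "refusing unsafe value". The whitelist alone would have stopped the payload, but the list-form system() is the structural fix: it removes the shell from the chain entirely, so no future argument can be re-parsed as commands.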

BOOM! We are ROOT
