HackTheBox Writeup — Wall

Hello Guys , I am Faisal Husaini. My username on HTB is “kNgF” . Also join me on discord.

The IP of this box is

Running masscan on it , we get

We get 2 open ports , running them against NMAP

We see that Port 22 running OpenSSH and Port 80 running Apache httpd services

So we now run the IP of the box in the browser and see

We get Apache2 Default Page , from the Gobuster scan results , we get

We get few results , one of them /monitoring which we will try to access

We get a basic auth prompt , I tried common username password combinations , bruteforcing , both of them didnt helped so I now intercept the request in Burp Suite

We see that we are doing a GET Request here , so we try to tampering the request and change the request method to POST

We see that a URL redirection and also before that we see /centreon page on the response , so we try to access the page

We see its a Centreon Login page , so we ran Gobuster on it and got few results

We try to access the /api and see that

We get an “Unauthorized” message , so we now try a way to authenticate the API

So we now search about Authentication on Centreon docs

Here it states that we need to use the authentication through API using /api/index.php?action=authenticate along with the username and password parameters and also use the POST method

So we now use Hydra for bruteforcing the API Authentication

Here we see that we got a successful authentication with password1 as the password for admin account , so we try to login using these creds

Now we click on the Connect button

We get successfully connected and also presented on the dashboard of Centreon

After crawling a little bit , we see something useful at Configurations Commands

Clicking on the Add button

Now we use our wget command to get a reverse shell php to be uploaded on the server so that we could trigger it and get reverse shell, we do this on the on the Command Line field area

Here we gave our command and enabled the shell option , and as soon as we click on the Blue Play button , we get prompted

We get a Status OK message , and to confirm that , we get check our http.server status which was holding our php reverse shell

Now we can access or trigger the reverse shell by trying to access it on the browser at

As soon as we try to access the php file , we get a blank holded screen , looking back to our netcat listener

We get our reverse shell successfully as www-data user

Now we move onto getting a perfect tty shell

Lets move onto privilege escalation part

Running the LinEnum.sh script and checking something useful

There was an odd binary which has SUID enabled , looking in google regarding its exploit

We see a Local Priv Esc exploit in Exploit-DB , so we import that to our box and then move it to the remote box

So we uploaded the exploit script and gave it executable permission and now we are ready to run the script

Hacker | Bug Hunter | Python Coder | Gamer | Reverse Engineering Lover

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store