Foothold
1. SQL injection in monitorsthree.htb/forgot_password.php to get the admin password
2. Fuzz the site to find cacti.monitorsthree.htb
3. Log in with the admin password
4. Exploit CVE-2024-25641 to get RCE
5. Check one of the config files to get cactiuser:cactiuser for MySQL
6. Get marcus's hash and crack it with hashcat
hashcat -m 3200 hash /usr/share/wordlists/rockyou.txt
7. Get the local flag from marcus
PrivEsc
1. There's a service running on port 8200
2. Chisel our way in to find the Duplicati service running
3. We also find Duplicati-server.sqlite, which contains the server-passphrase and server-passphrase-salt
4. Look at http://localhost:8200/login/login.js to see how the server authenticates
5. It first requests a nonce value, then computes
SHA256(nonce + SHA256(server-passphrase + server-passphrase-salt))
6. It then sends the hashed value back for verification
7. Back up root.txt and restore it to /source/home/marcus/root.txt